CertNanny

Decentralised certificate lifecycle management – automated, cross-platform and without central management components.

CertNanny is a lean software agent that handles the complete lifecycle management of X.509v3 certificates directly on the end system – from initial request through automatic renewal to revocation. A single, dependency-free executable completely replaces the error-prone, manual process of key generation, CSR creation and certificate renewal.

CertNanny supports servers, workstations and IoT devices equally – whether in the corporate data centre, in manufacturing or on embedded systems in the field.

CertNanny: Highlights

Fully automatic renewal: CertNanny monitors installed certificates and renews them in good time before expiry – completely automatically, without manual intervention.

Single binary, no dependencies: A single program without external runtime dependencies greatly simplifies distribution and operation – on Linux, Windows, macOS and many other platforms.

No incoming connections: CertNanny communicates exclusively outbound with the CA backend. No listener, no open ports, no central management agent required.

Features

  • Initial request and renewal – Creation of PKCS#10 requests with X.509v3 extensions such as Subject Alternative Names or Certificate Templates. Requests can be created template-based; authentication is either via a static challenge password or an HMAC function. Expiring certificates are automatically renewed via Proof-of-Possession (Certificate Re-Keying).

  • Registrar function – Authentication of requests via client certificate (Enrollment on Behalf) and processing of externally created PKCS#10 files. Certificate revocation is integrated.

  • Multi-platform support – Available for Linux (x86_64, ARM, others), Windows, macOS as well as AIX, Solaris and various BSD derivatives. A lean embedded variant is available for resource-constrained embedded systems.

  • Flexible keystore support – Native keystore management for OpenSSL/PEM and PKCS#12 format; additional formats (Java Keystore, Windows Certificate Store) can be connected via script hooks.

  • Modular enrollment protocols – Support for SCEP, EST and the OpenXPKI-native RPC protocol. An external mode is also available where CSR and certificate are handed over manually or by a local script.

  • Trust anchor and CA rollover management – CertNanny manages CA certificate chains and root certificates and supports fully automatic root CA rollover.

  • Monitoring integration – Any external monitoring and alerting system can be connected via configurable state-change hooks. Notifications for failed renewals or imminently expiring certificates can thus be implemented easily.

  • Multi-level configuration system – YAML-based configuration with defined priority levels: existing certificate, local configuration file, environment variables, command-line arguments, backend parameters and system environment. Settings can be flexibly overridden.
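
The layered configuration model above is easier to reason about (and to audit) when each resolved setting records which layer supplied it. The following is an added example, not CertNanny's code or configuration format: the page names the six layers but not their precedence, so the order below, the `CN_` environment-variable prefix and all sample values are assumptions for this illustration. Later layers override earlier ones, and a value explicitly left unset in a higher layer does not shadow a lower one.

```python
"""Layered configuration resolution with provenance tracking (added example).

The page lists the configuration layers (existing certificate, local
configuration file, environment variables, command-line arguments,
backend parameters, system environment) but not their precedence; the
order below is an assumption made for this illustration only.
"""
import os
from dataclasses import dataclass

# Assumed precedence, lowest to highest. Not CertNanny's actual order.
LAYER_ORDER = (
    "system_environment",
    "existing_certificate",
    "config_file",
    "environment_variables",
    "command_line",
    "backend_parameters",
)


@dataclass(frozen=True)
class Resolved:
    value: object
    source: str  # layer that supplied the value; handy when troubleshooting a surprising setting


def resolve(layers: dict[str, dict[str, object]]) -> dict[str, Resolved]:
    """Merge layers in LAYER_ORDER; higher layers override lower ones.

    Unknown layer names are rejected so that a typo cannot silently drop
    a whole block of settings.
    """
    unknown = set(layers) - set(LAYER_ORDER)
    if unknown:
        raise ValueError(f"unknown configuration layer(s): {sorted(unknown)}")
    merged: dict[str, Resolved] = {}
    for name in LAYER_ORDER:
        for key, value in layers.get(name, {}).items():
            if value is None:
                continue  # an unset value does not shadow a lower layer
            merged[key] = Resolved(value, name)
    return merged


def env_layer(environ, prefix: str = "CN_") -> dict[str, object]:
    """Map prefixed environment variables (prefix is an assumption) to lowercase keys."""
    return {k[len(prefix):].lower(): v for k, v in environ.items() if k.startswith(prefix)}


def explain(resolved: dict[str, Resolved]) -> dict[str, str]:
    """Render each setting with its origin, e.g. for a --show-config style dump."""
    return {k: f"{v.value!r} (from {v.source})" for k, v in resolved.items()}


# Constructed sample layers; paths and hostnames are made up for the example.
SAMPLE_LAYERS = {
    "existing_certificate": {"subject": "CN=host1.example.test", "san": ["host1.example.test"]},
    "config_file": {"keystore": "/srv/pki/host1.pem", "renew_before_days": 30, "protocol": "scep"},
    "environment_variables": env_layer({"CN_PROTOCOL": "est", "UNRELATED": "ignored"}),
    "command_line": {"renew_before_days": 14, "protocol": None},  # protocol not given on the CLI
    "backend_parameters": {"san": ["host1.example.test", "host1"]},
}

if __name__ == "__main__":
    for key, line in sorted(explain(resolve(SAMPLE_LAYERS)).items()):
        print(f"{key:18} = {line}")
```

Keeping the origin next to each value is the part worth copying: when a renewal suddenly uses the wrong protocol or SAN list, the dump shows immediately whether a backend parameter, a stray environment variable or a leftover CLI flag is responsible.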

Use Cases

  • Servers and workstations in the company – CertNanny is set up as a systemd timer or cron job and automatically renews TLS certificates for web servers, mail servers and other services before expiry. Script hooks ensure that applications are automatically reloaded after a renewal. No central agent, no incoming connections – ideal for restrictive network segments.

  • IoT and embedded systems – The CertNanny Embedded variant enables secure certificate provisioning of field devices with minimal resource requirements. Minimal program code with embedded configuration, no external dependencies and support for various hardware and software platforms make CertNanny the ideal solution for IoT deployments. Integration of cryptographic hardware such as TPMs is possible; customer-specific hardware adaptations are available on request.

  • OpenXPKI Enterprise Edition – Together with OpenXPKI Enterprise Edition, CertNanny forms a decentralised Certificate Lifecycle Management system with powerful extension functions. In addition to standard enrollment protocols, additional authentication methods (HMAC, challenge-based) as well as workflow-supported approval processes are available. Certificate revocation on renewal, transaction IDs and multi-level approval workflows are fully integrated.

  • Existing CA infrastructure – CertNanny can be connected to virtually any CA product via SCEP and EST and augments existing PKI infrastructures with automated, decentralised lifecycle management on end systems – independent of the CA software used.

  • Mass rollout / batch operation – Via the registrar function, certificates can be applied for on behalf of other target systems (Enrollment on Behalf).

Details

Deployment – CertNanny is delivered as a single, statically linked binary without external runtime dependencies. Pre-built packages are available for Linux (RPM and DEB packages) and Windows (installer); a ready-to-run binary is provided for macOS. Integration as a systemd timer is recommended for Linux systems.

Operating model – CertNanny runs in "one-shot" mode: the program is called periodically (e.g. via cron or systemd timer), checks the state of all configured keystores and performs any necessary actions. No persistent processes or incoming network connections are required. Operation as a non-privileged user is recommended.

Key generation and CSR – CertNanny generates key material (RSA, NIST elliptic curves) and creates Certificate Signing Requests (CSRs) in accordance with PKCS#10. Subject and SAN entries can be taken from the existing certificate; extensions such as certificateTemplate or challengePassword can be controlled via the configuration file or command-line options. Connection of TPMs and comparable cryptographic hardware is possible.

Certificate installation and format conversion – Keys and certificates can optionally be converted to PKCS#12, Java Keystore or other formats. Integration of the full certificate chain (with or without root certificate) is possible.

State management and hooks – CertNanny manages an internal state for each configured keystore. External programs or scripts can be called for any state transitions (state-change hooks). These receive context information via command-line parameters or environment variables and enable integration into monitoring, deployment and automation systems.
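
The one-shot operating model and the state-change hooks described above fit together as a small loop: each run derives a state from the certificate's validity, compares it with the state persisted from the previous run, and calls a hook only when the state changed. The following is an added example, not CertNanny's code: the state names (`valid`, `renewal-due`, `expired`, `not-yet-valid`), the 30-day renewal lead time, the `CN_*` environment-variable names handed to the hook and the sample keystores are all assumptions for this illustration.

```python
"""One-shot keystore check with state transitions and state-change hooks (added example).

Models the operating model described on the page: a periodic run inspects
each keystore, derives a state from certificate validity, and calls an
external hook on every state change, passing context through environment
variables. State names, the lead time and the CN_* names are assumptions.
"""
from __future__ import annotations

import os
import subprocess
import sys
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable


@dataclass
class Keystore:
    name: str
    not_before: datetime
    not_after: datetime
    state: str = "unknown"                      # persisted between one-shot runs
    renew_before: timedelta = timedelta(days=30)  # assumed lead time before expiry


Hook = Callable[[str, str, dict[str, str]], None]


def derive_state(ks: Keystore, now: datetime) -> str:
    """Map certificate validity to a state. Order matters: expired beats renewal-due."""
    if now >= ks.not_after:
        return "expired"
    if now < ks.not_before:
        return "not-yet-valid"
    if ks.not_after - now <= ks.renew_before:
        return "renewal-due"
    return "valid"


def hook_context(ks: Keystore, old: str, new: str, now: datetime) -> dict[str, str]:
    """Context a hook receives; variable names are assumptions, not CertNanny's."""
    return {
        "CN_KEYSTORE": ks.name,
        "CN_OLD_STATE": old,
        "CN_NEW_STATE": new,
        "CN_NOT_AFTER": ks.not_after.isoformat(),
        "CN_DAYS_LEFT": str((ks.not_after - now).days),
    }


def run_external_hook(command: list[str]) -> Hook:
    """Build a hook that runs `command` with the context exported as environment variables."""
    def hook(old: str, new: str, ctx: dict[str, str]) -> None:
        subprocess.run(command, env={**os.environ, **ctx}, check=True)
    return hook


def one_shot(keystores: list[Keystore], now: datetime, hook: Hook) -> list[tuple[str, str, str]]:
    """Check every keystore once; fire the hook only on state changes.

    Returns the transitions (name, old, new) so a caller can log or test them.
    A second run at the same clock returns nothing: the run is idempotent.
    """
    transitions = []
    for ks in keystores:
        new = derive_state(ks, now)
        if new != ks.state:
            hook(ks.state, new, hook_context(ks, ks.state, new, now))
            transitions.append((ks.name, ks.state, new))
            ks.state = new
    return transitions


# Constructed sample data: one run at a fixed clock.
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def sample_keystores() -> list[Keystore]:
    def mk(name: str, days_left: int, state: str) -> Keystore:
        return Keystore(name, SAMPLE_NOW - timedelta(days=335),
                        SAMPLE_NOW + timedelta(days=days_left), state)
    return [mk("web", 90, "valid"), mk("mail", 10, "valid"),
            mk("legacy", -1, "renewal-due"), mk("api", 10, "renewal-due")]


if __name__ == "__main__":
    # Demo hook: a child process that reads the context from its environment,
    # standing in for a monitoring or deployment script.
    demo = run_external_hook([sys.executable, "-c",
                              "import os; print(os.environ['CN_KEYSTORE'], os.environ['CN_OLD_STATE'],"
                              " '->', os.environ['CN_NEW_STATE'], os.environ['CN_DAYS_LEFT'], 'days left')"])
    one_shot(sample_keystores(), SAMPLE_NOW, demo)
```

Two points are worth noting for monitoring integration: the hook fires on transitions rather than on every run, so a timer running every hour does not page anyone sixty times a day for the same expiring certificate, and the persisted state is what makes that possible, so it must survive between runs of the one-shot program.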

Licensing – CertNanny is available in various variants: the Enterprise Edition includes the full feature set (all enrollment protocols, all keystore types, full configuration flexibility). The Basic variant is limited to OpenSSL keystore and the OpenXPKI RPC protocol. The Embedded variant is optimised for resource-constrained embedded systems. Time-limited evaluation licences are available on request.

Licence

  • Subscription: tiered by certificate volumes and number of supported platforms. We are happy to inform you about our current pricing tiers.

Additional Options

  • Extension module "Workflow" for complex, non-linear process control
  • Extension module "Telemetry" collects data from your certificates and transmits it to a central server

Contact

  • Werner-Heisenberg-Str. 8
  • 85254 Sulzemoos, Germany

© Whiterabbitsecurity