description: Fedora's certmaster with multiple CA support
owner: Jude N
last change: Fri, 16 Oct 2015 05:21:43 +0000 (01:21 -0400)

certmaster -- it hands out SSL certs!

read more at:

Original Fedora Project Page

Original Fedora Repo

About this fork

certmaster -- it hands out SSL certs from multiple CAs !!!

Multiple CA support

This certmaster fork introduces a new '--ca' argument for specifying an alternative certificate authority.

This allows one certmaster instance to supply certs from multiple authorities instead of having a separate certmaster instance for each certificate authority you are using.

If you don't want to use multiple CAs, this fork should act just like the parent certmaster project from Fedora: you should be able to upgrade your existing certmaster to this version, and it will continue to serve your existing certs.

If you want to add additional certificate authorities, add a section to your certmaster.conf file for each CA, as shown below, using a different name and set of directories for each CA.

autosign = yes_or_no
cadir = /path/to/cadir
cert_dir = /path/to/cert_dir
certroot = /path/to/certroot
csrroot = /path/to/csrroot

Then to use the new CA, include the argument '--ca=name' in your list of certmaster-ca arguments to use the 'name' CA.

Likewise, when requesting certs from the new CA, include a section of the following form in your minion.conf file:

cert_dir = /path/to/cert_dir

Then include the argument '--ca=name' in your certmaster-request commands to request a cert from the 'name' CA.

If the '--ca' argument is not given, then the default CA, as defined by the autosign, cadir, cert_dir, certroot, and csrroot options from the main section of certmaster.conf or minion.conf, is used.
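
An added example, not code from this fork: a pre-deployment audit of a multi-CA certmaster.conf that reports which CAs have autosign enabled, which are missing one of the directory options listed above, and which directories are shared between CAs. It assumes the file parses as INI with a [main] section; the other section names and all paths in the sample are constructed placeholders, since the page does not show the exact section header the fork expects.

```python
import configparser
import posixpath
from collections import defaultdict

DIR_KEYS = ("cadir", "cert_dir", "certroot", "csrroot")

# Constructed sample. Only [main] is taken from the page's wording ("main
# section"); the other section names and all paths are placeholders.
SAMPLE_CONF = """\
[main]
autosign = no
cadir = /srv/example/default/ca
cert_dir = /srv/example/default
certroot = /srv/example/default/certs
csrroot = /srv/example/default/csrs

[example-ca-a]
autosign = yes
cadir = /srv/example/a/ca
cert_dir = /srv/example/a
certroot = /srv/example/a/certs
csrroot = /srv/example/a/csrs

[example-ca-b]
autosign = no
cadir = /srv/example/a/ca/
cert_dir = /srv/example/b
certroot = /srv/example/b/certs
"""

def audit_ca_sections(conf_text):
    """Return sorted findings: autosigning CAs, missing or shared directories."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    findings, users = [], defaultdict(set)  # users: normalized path -> CA names
    for ca in cp.sections():
        # Assumption: autosign takes yes/no style values, as in "yes_or_no".
        if cp.getboolean(ca, "autosign", fallback=False):
            findings.append(f"{ca}: autosign enabled, CSRs are signed without review")
        for key in DIR_KEYS:
            if cp.has_option(ca, key):
                users[posixpath.normpath(cp.get(ca, key))].add(ca)
            else:
                findings.append(f"{ca}: {key} not set")
    for path, cas in users.items():
        if len(cas) > 1:
            findings.append(f"{path}: shared by {', '.join(sorted(cas))}")
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(audit_ca_sections(SAMPLE_CONF)))
```
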

Functional Tests

This fork introduces some functional tests using the shUnit2 framework.


The tests overwrite the /etc/certmaster/certmaster.conf and /etc/certmaster/minion.conf files, and delete the cert data directories, so only run these tests on a test server / VM / docker image, not on your live production certmaster instance.

Misc Changes

2015-10-16 Jude Nagurney bumping version to 0.29-1 master v0.29
2015-10-16 Jude Nagurney github-1: support for hashing functions other than...
2015-10-11 Jude Nagurney sha1 support checkpoint
2015-05-17 Jude Nagurney fixing some typos / removing comments
2015-03-28 Jude N Mention tests in the
2015-03-28 Jude N (messing with post-receive hook)
2015-03-28 Jude N (messing with markdown)
2015-03-28 Jude N (messing with post-receive hook)
2015-03-28 Jude N Fleshing out
2015-03-22 Jude N Adding unknown ca tests
2015-03-22 Jude N BATS fell down pushing a process into the background...
2015-03-11 Jude N BATS is pretty sweet. Fixes for autoloading / unexpect...
2015-03-06 Jude Nagurney Looks like certmaster-request and certmaster-ca are...
2015-03-02 Jude Nagurney (Not working yet, but the changeset was getting too...
2011-09-05 Greg Swift Consolidated definitions in logrotate file using glob.
2011-06-02 Todd Zullinger turn off auto-starting certmaster
4 years ago v0.29
8 years ago v0.28
10 years ago v0.25 rev to 0.25
10 years ago v0.24 v0.24
11 years ago v0.20 This is 0.20 (RC)
11 years ago v0.19 This is 0.19
4 years ago master