CATool

A self-hosted web app for managing OpenSSL Certificate Authorities without touching the command line.

Tags: Python, Flask, Docker, OpenSSL, PKI, Self-Hosted

Why This Exists

If you've ever had to manage an internal Certificate Authority, you know how painful OpenSSL commands are. Every time I needed to issue a cert, I'd end up googling the same commands, copy-pasting config snippets, and praying I didn't mess up the extensions. And when someone on the team needed a certificate? Good luck explaining how to generate a CSR from the terminal.

CATool was born out of that frustration. I wanted a simple web UI where I could create CAs, issue certificates, sign CSRs and revoke certificates, all without ever opening a terminal. And since this is for internal infrastructure, it had to be self-hosted with zero external dependencies.

What It Does

You spin it up with Docker, log in with a shared secret, and from there you can manage multiple Certificate Authorities. That one shared secret is the only thing standing between a visitor and every CA private key the tool holds, so treat it like a CA passphrase rather than a convenience password. Each CA can issue all kinds of certificates: standard TLS, client certs, LDAPS certs for Active Directory domain controllers, code signing, S/MIME, or fully custom ones. You can also upload external CSRs and sign them with any of your CAs.

The export options are pretty comprehensive. You can download certs as PEM, DER, P7B, PFX/PKCS#12, full-chain PEM, or a ZIP bundle with everything. One feature I'm particularly happy with is the one-time download links: you generate a URL that expires after 30 minutes and can only be used once. Super handy when you need to get a cert (or a PFX, which carries the private key) to a server without giving someone access to the whole UI.

No Database, Just Files

One design decision I made early on was to skip the database entirely. All state is stored as files in a data directory: the CA keys, issued certs, serial numbers, everything. This makes backups trivial (just tar the directory), and you can actually inspect the state by just looking at the filesystem. No migrations, no schema changes, no ORM headaches. The flip side is that the tarball contains the CA private keys, so a backup needs the same protection as the running instance.
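To make the two ideas above concrete, here is an added example (not CATool's code) of one-time, 30-minute download links kept as plain files under the data directory, with no database. The directory layout, the JSON record format, the `OneTimeLinks` class and the `demo()` scenario are this example's own assumptions; only the behaviour (expires after 30 minutes, usable exactly once) comes from the page.

```python
"""One-time, time-limited download links stored as files in a data directory.
Added example of the scheme the page describes; not CATool's own code.  The
token format, directory layout and record format are assumptions."""
import hashlib
import json
import secrets
import tempfile
import time
from pathlib import Path

TTL_SECONDS = 30 * 60  # the page's 30-minute lifetime


class OneTimeLinks:
    def __init__(self, root, clock=time.time):
        self.root = Path(root)
        self.root.mkdir(parents=True, exist_ok=True)
        self.clock = clock  # injectable so expiry can be exercised in tests

    def _record(self, token):
        # Only the hash of the token touches disk: a copied data directory
        # does not hand out live links, and hashing also stops an attacker-
        # supplied token from becoming a path component ("../../ca/...").
        return self.root / (hashlib.sha256(token.encode()).hexdigest() + ".json")

    def create(self, artifact):
        """Return a fresh URL-safe token good for one download of `artifact`."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._record(token).write_text(json.dumps(
            {"artifact": str(artifact), "expires": self.clock() + TTL_SECONDS}))
        return token

    def redeem(self, token):
        """Consume the token: the artifact path once, then None forever."""
        rec = self._record(token)
        try:
            meta = json.loads(rec.read_text())
            rec.unlink()  # exactly one concurrent caller can succeed here
        except (FileNotFoundError, ValueError):
            return None  # unknown, already used, or half-written record
        if self.clock() > meta["expires"]:
            return None  # expired; the record is already gone
        return meta["artifact"]

    def sweep(self):
        """Drop expired records so the data directory does not grow forever."""
        removed = 0
        for rec in self.root.glob("*.json"):
            try:
                if self.clock() > json.loads(rec.read_text())["expires"]:
                    rec.unlink()
                    removed += 1
            except (FileNotFoundError, ValueError):
                pass
        return removed


class FakeClock:
    """Adjustable clock for the demo; a real deployment uses time.time."""
    def __init__(self, t=1_700_000_000.0):
        self.t = t

    def __call__(self):
        return self.t


def demo():
    """First use, replay, garbage token, use after expiry, and sweep."""
    clock = FakeClock()
    links = OneTimeLinks(tempfile.mkdtemp(prefix="catool-links-"), clock=clock)
    # Constructed artifact paths; nothing is actually served here.
    t1 = links.create("certs/web01.corp.example/bundle.zip")
    t2 = links.create("certs/db01.corp.example/bundle.zip")
    links.create("certs/app01.corp.example/bundle.zip")  # never redeemed
    result = {
        "first_use": links.redeem(t1),
        "replay": links.redeem(t1),
        "garbage_token": links.redeem("../../ca/private.key"),
    }
    clock.t += TTL_SECONDS + 1
    result["after_expiry"] = links.redeem(t2)
    result["swept"] = links.sweep()
    return result


if __name__ == "__main__":
    print(demo())
```

The read-then-unlink order is what makes the link single-use under concurrency: two requests racing for the same token can both read the record, but only one `unlink()` succeeds, and the loser gets `None`. Storing the SHA-256 of the token rather than the token itself means a leaked backup of the data directory does not contain usable links.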

Certificate Types

  • TLS Server — standard web server certificates with SANs
  • Client — for mutual TLS authentication
  • LDAPS / Domain Controller — specifically for AD environments
  • Code Signing — sign your binaries and scripts
  • S/MIME — email encryption and signing
  • Intermediate CA — chain your CAs properly
  • Custom — define your own key usage and EKU OIDs
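What separates these certificate types is the extension set the CA puts on them, and that is also where hand-written OpenSSL configs usually go wrong. The following is an added example, not CATool's code, that issues each type from a CA-side profile table using the `cryptography` package; the profile table, the EC-only key usage bits and every function name are this example's own assumptions. It also shows the one rule that matters most when signing uploaded CSRs: take the subject and public key from the request, never its extensions.

```python
"""Issue the certificate types listed above, each with the extensions that
type needs.  Added example built on the `cryptography` package; not CATool's
code.  The PROFILES table is this example's own choice."""
import datetime
import ipaddress

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID as EKU, NameOID

# keyUsage flags per type (EC keys, so no keyEncipherment, an RSA-only bit)
# plus the EKUs a relying party checks.  ca=True marks an intermediate CA.
PROFILES = {
    "tls_server":      {"ca": False, "ku": {"digital_signature"}, "eku": [EKU.SERVER_AUTH]},
    "client":          {"ca": False, "ku": {"digital_signature"}, "eku": [EKU.CLIENT_AUTH]},
    # A domain controller serves LDAPS and also authenticates as a client.
    "ldaps_dc":        {"ca": False, "ku": {"digital_signature"}, "eku": [EKU.SERVER_AUTH, EKU.CLIENT_AUTH]},
    "code_signing":    {"ca": False, "ku": {"digital_signature"}, "eku": [EKU.CODE_SIGNING]},
    "smime":           {"ca": False, "ku": {"digital_signature", "content_commitment", "key_agreement"},
                        "eku": [EKU.EMAIL_PROTECTION]},
    "intermediate_ca": {"ca": True,  "ku": {"key_cert_sign", "crl_sign"}, "eku": []},
}
KU_FLAGS = ["digital_signature", "content_commitment", "key_encipherment", "data_encipherment",
            "key_agreement", "key_cert_sign", "crl_sign"]


def custom_profile(ku_flags, eku_oids, ca=False):
    """The 'Custom' type: caller-supplied keyUsage names and dotted EKU OIDs."""
    return {"ca": ca, "ku": set(ku_flags), "eku": [x509.ObjectIdentifier(o) for o in eku_oids]}


def _key_usage(flags):
    return x509.KeyUsage(**{f: f in flags for f in KU_FLAGS}, encipher_only=False, decipher_only=False)


def _validity(days):
    now = datetime.datetime.now(datetime.timezone.utc)
    return now - datetime.timedelta(minutes=5), now + datetime.timedelta(days=days)


def _san(s):
    try:
        return x509.IPAddress(ipaddress.ip_address(s))
    except ValueError:
        return x509.DNSName(s)


def make_root_ca(common_name, days=3650):
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    nbf, naf = _validity(days)
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(nbf).not_valid_after(naf)
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .add_extension(_key_usage({"key_cert_sign", "crl_sign"}), critical=True)
            .add_extension(x509.SubjectKeyIdentifier.from_public_key(key.public_key()), critical=False)
            .sign(key, hashes.SHA256()))
    return key, cert


def make_csr(common_name):
    """What a requester would upload; only its subject and key are used."""
    key = ec.generate_private_key(ec.SECP256R1())
    csr = (x509.CertificateSigningRequestBuilder()
           .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)]))
           .sign(key, hashes.SHA256()))
    return key, csr


def sign_csr(ca_key, ca_cert, csr, profile, sans=(), days=397):
    """Sign a CSR under a profile name or a custom_profile() dict.  Every
    extension comes from the CA-side profile and is never copied from the
    CSR, so a requester cannot get CA:TRUE or an extra EKU by asking for it."""
    if not csr.is_signature_valid:
        raise ValueError("CSR signature does not verify (wrong key or tampered request)")
    p = PROFILES[profile] if isinstance(profile, str) else profile
    nbf, naf = _validity(days)
    b = (x509.CertificateBuilder().subject_name(csr.subject).issuer_name(ca_cert.subject)
         .public_key(csr.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(nbf).not_valid_after(naf)
         .add_extension(x509.BasicConstraints(ca=p["ca"], path_length=0 if p["ca"] else None), critical=True)
         .add_extension(_key_usage(p["ku"]), critical=True)
         .add_extension(x509.SubjectKeyIdentifier.from_public_key(csr.public_key()), critical=False)
         .add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(ca_cert.public_key()), critical=False))
    if p["eku"]:
        b = b.add_extension(x509.ExtendedKeyUsage(p["eku"]), critical=False)
    if sans:
        b = b.add_extension(x509.SubjectAlternativeName([_san(s) for s in sans]), critical=False)
    return b.sign(ca_key, hashes.SHA256())


def _ext(cert, cls):
    try:
        return cert.extensions.get_extension_for_class(cls).value
    except x509.ExtensionNotFound:
        return None


def summarize(cert):
    """Flatten the extensions a relying party checks, for display or tests."""
    ku, eku, san = _ext(cert, x509.KeyUsage), _ext(cert, x509.ExtendedKeyUsage), _ext(cert, x509.SubjectAlternativeName)
    return {"ca": _ext(cert, x509.BasicConstraints).ca,
            "ku": sorted(f for f in KU_FLAGS if getattr(ku, f)),
            "eku": [o.dotted_string for o in eku] if eku else [],
            "sans": sorted(san.get_values_for_type(x509.DNSName)) if san else []}


def issued_by(cert, ca_cert):
    """Issuer name and ECDSA signature check against one CA certificate."""
    if cert.issuer != ca_cert.subject:
        return False
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False


if __name__ == "__main__":
    ca_key, ca_cert = make_root_ca("Corp Internal Root CA")  # constructed names
    _, csr = make_csr("dc01.corp.example")
    dc = sign_csr(ca_key, ca_cert, csr, "ldaps_dc", sans=["dc01.corp.example", "10.0.0.5"])
    print(summarize(dc), issued_by(dc, ca_cert))
```

Two points worth noticing: serial numbers come from `x509.random_serial_number()` rather than a counter, which is what current CA practice expects, and the intermediate profile sets `pathlen:0` so a chained CA can only sign end-entity certificates, not further CAs.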

Tech Stack

It's a Python Flask app running in Docker. Nothing fancy — the whole point was to keep it simple. The UI has a dark theme because honestly, every tool I build ends up with a dark theme. It does what it needs to do without overcomplicating things.

Setup is literally copying the example env file, setting a password, and running docker compose up. Five minutes and you have a working CA infrastructure; the data directory that appears alongside it is the part to back up and lock down.