Certboy is a Rust CLI for managing a local PKI:

• Root CA (self-signed)
• Intermediate CA (issued by a Root CA)
• TLS/server certificates (issued by Root CA or ICA)

This project is just a POC for my personal study and homelab. DO NOT SUGGEST USING FOR PRODUCTION. certboy stores everything in a single “context” directory and provides utilities for creating, inspecting, exporting, importing, renewing, and revoking certificates.

• Default: ~/.local/state/certboy (or $XDG_STATE_HOME/certboy)
• Override: --context <path>
• Env override: CERTBOY_CONTEXT

• Root CA key algorithm defaults to ECDSA P-256.
• The algorithm is written to meta.json and all ICAs/TLS certificates under that Root CA inherit it.

Build from source:

cargo build --release
sudo cp target/release/certboy /usr/local/bin/

./scripts/quickstart.sh

Initialize a Root CA:

certboy --domain example.com --cn ExampleOrg --root-ca

Initialize a Root CA with RSA:

certboy --domain example.com --cn ExampleOrg --root-ca --key-algorithm rsa

Create an Intermediate CA:

certboy --domain ops.example.com --ca example.com --cn Ops.ExampleOrg

Issue a TLS certificate (single domain):

certboy --ca example.com -d auth.example.com

Issue a TLS certificate with multiple SANs (positional args are merged with -d/--domain):

certboy --ca ops.example.com docs.ops.example.com docs1.ops.example.com '*.ops.example.com' 127.0.0.1

Check certificates:

certboy check
certboy check --detail
certboy check --renew

• LOGLEVEL: default log level (trace|debug|info|warn|error)
• CERTBOY_CONTEXT: default context path (equivalent to --context)

Full documentation available at: https://audricsun.github.io/certboy/

cargo fmt
cargo test

Releases are automated. To trigger a release:

# Update VERSION to release version (e.g., 2026.4.1)
# The ci-bumpversion workflow auto-bumps dev versions
# The ci-git-tag workflow creates the git tag
# The ci-build workflow builds multi-platform binaries
# The ci-publish workflow creates GitHub Release and publishes to crates.io

• Rust - Language
• OpenSSL - Cryptography (vendored)
• clap - CLI argument parsing
• tokio - Async runtime
• tracing - Structured logging
• serde - Serialization
• chrono - Date/time

• cargo-nextest - Test runner
• cargo-llvm-cov - Code coverage
• cargo-audit - Security auditing
• git-cliff - Changelog generation
• bumpver - Version bumping
• zensical - Documentation generator
• cross - Cross-compilation