About CertNanny
CertNanny is a client-side program that allows fully automatic renewal of certificates using the SCEP protocol.
The basic idea is to have a number of local keystores that are monitored for expiring certificates. If a certificate is about to expire, the program automatically creates a new certificate request with the existing certificate data, enrolls the request with the configured CA and polls the CA for the issued certificate. Once the certificate is ready, a new keystore with the new certificate is composed and replaces the old keystore.
Confused? Watch the movie!
CertNanny development is hosted at SourceForge.net.
You will find the SVN repository, mailing lists, a bug tracker and official releases there.
Requirements
Clients running CertNanny need Perl 5.6.1 or higher installed. In addition, an OpenSSL executable and the sscep tool are required on the client.
On the CA side a SCEP server is required. If the SCEP server supports automatic approval (the client signs the new certificate request with its existing, still valid certificate), the CertNanny agent can replace the keystore in place without operator interaction. Using hook functions, CertNanny can also reload or restart applications after a successful renewal.
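The client-side steps described above (detect an expiring certificate, build a renewal request from the existing certificate data, hand it to the SCEP server) as an added shell example built on the OpenSSL executable the client needs; this is not CertNanny's own code. The `sscep enroll` flags in `scep_enroll` are assumed from sscep's usage text and that function is not run here; everything else runs offline against a self-signed test certificate.

```shell
#!/bin/sh
# Constructed example, not part of CertNanny: the renewal steps done with openssl.
set -eu

# needs_renewal CERT DAYS: succeeds (exit 0) when CERT expires within DAYS days.
needs_renewal() {
  _cert=$1; _secs=$(( $2 * 86400 ))
  # 'openssl x509 -checkend' exits 1 when the certificate expires inside the window
  if openssl x509 -in "$_cert" -noout -checkend "$_secs" >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# Subject (RFC 2253 form) of a certificate or of a certificate request.
cert_subject() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}
csr_subject() {
  openssl req -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

# make_renewal_csr OLDCERT NEWKEY OUTCSR: generate a fresh key and a CSR that
# carries the old certificate's subject, then check signature and subject.
make_renewal_csr() {
  _old=$1; _key=$2; _csr=$3
  openssl genrsa -out "$_key" 2048 2>/dev/null
  # -x509toreq turns the existing certificate into a request (subject copied);
  # -signkey makes the new key both the CSR's public key and its signer
  openssl x509 -x509toreq -in "$_old" -signkey "$_key" -out "$_csr" 2>/dev/null
  openssl req -in "$_csr" -noout -verify >/dev/null 2>&1 || return 1
  [ "$(cert_subject "$_old")" = "$(csr_subject "$_csr")" ]
}

# scep_enroll URL CACERT KEY CSR OUTCERT: enroll via sscep and poll for the
# issued certificate (flags assumed from sscep's usage text; not run here).
scep_enroll() {
  sscep enroll -u "$1" -c "$2" -k "$3" -r "$4" -l "$5" -t 60 -n 10
}

# renew_if_needed CERT DAYS: the monitoring loop body from the description.
renew_if_needed() {
  _cert=$1; _days=$2; _dir=$(dirname "$_cert")
  needs_renewal "$_cert" "$_days" || { echo "ok: $_cert not expiring"; return 0; }
  make_renewal_csr "$_cert" "$_dir/key.new.pem" "$_dir/req.pem"
  echo "request written to $_dir/req.pem; enroll it, then swap the keystore with mv"
}
```

After enrollment, write the new key and certificate to a separate file and replace the old keystore with a single rename so applications never see a half-written keystore.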
Platform and keystore support matrix
CertNanny is designed to run on a large number of platforms. In addition, client applications that use certificates store them in many different keystore formats.
The following matrix indicates which platforms and keystores are supported by particular CertNanny release versions.
A version number in a cell (shown in a green field in the original matrix) indicates the minimum CertNanny version that supports this keystore/operating system combination.
| Keystore | Unix* | Windows | Tandem NonStop (via OSS) | z/OS (via USS) |
|---|---|---|---|---|
| OpenSSL (PEM/DER) | 0.6 | 0.7 | 0.7 | - |
| PKCS #8 (PEM/DER) | 0.7 | 0.7 | 0.7 | - |
| PKCS #12 | 0.10 | 0.10 | 0.10 | - |
| Java Keystore (JKS) | 0.8 | 0.8 | 0.8 | - |
| IBM GSKit Keystore (CMS) | 0.6 | 0.10 | n/a | - |
| Windows Certificate Store | n/a | 0.8 | n/a | n/a |
| RACF | n/a | n/a | n/a | - |
| Top Secret | n/a | n/a | n/a | - |
*) Supported/tested: Linux, AIX, Solaris, Darwin (Mac OS X)
Roadmap/History
Last update: 2007-06-19
| Version | Status | Comments |
|---|---|---|
| CertNanny 0.11 | no release date yet | Currently under development |
| CertNanny 0.10 | released 2007-06-19 | Latest stable release |
| CertNanny 0.9 | released 2006-08-09 | |
| CertNanny 0.8 | released 2006-06-12 | |
| CertNanny 0.7 | released 2006-02-10 | |
| CertNanny 0.6 | released 2005-12-23 | |