CertNanny takes care of all your bratty keystores...

About CertNanny

CertNanny is a client-side program that allows fully automatic renewal of certificates using the SCEP protocol.

The basic idea is to have a number of local keystores that are monitored for expiring certificates. If a certificate is about to expire, the program automatically creates a new certificate request with the existing certificate data, enrolls the request with the configured CA and polls the CA for the issued certificate. Once the certificate is ready, a new keystore with the new certificate is composed and replaces the old keystore.
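The monitoring step described above can be sketched with the OpenSSL executable alone. This is an added example, not CertNanny's own code: the function names, the 30-day renewal window and the sample certificates (generated on the fly) are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration, not CertNanny code: report PEM certificates in a
# directory that expire within a renewal window.

# due_for_renewal DIR DAYS -> prints one path per certificate due for renewal
due_for_renewal() {
    dir=$1
    window=$(( $2 * 86400 ))   # -checkend takes seconds
    for cert in "$dir"/*.pem; do
        [ -f "$cert" ] || continue
        # Skip files that are not parsable certificates; -checkend alone
        # would also exit non-zero for them and look like "expiring".
        if ! openssl x509 -in "$cert" -noout 2>/dev/null; then
            echo "skip (not a certificate): $cert" >&2
            continue
        fi
        # Exit status 0: still valid after the window; non-zero: due.
        if ! openssl x509 -in "$cert" -noout -checkend "$window" >/dev/null; then
            echo "$cert"
        fi
    done
}

# make_sample_cert DIR NAME DAYS -> constructed self-signed test certificate
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$3" -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# demo: two constructed certificates, one inside a 30-day window and one
# outside it, plus a junk file. Prints the base names that are due.
demo() {
    tmp=$(mktemp -d) || return 1
    make_sample_cert "$tmp" expiring-soon 5
    make_sample_cert "$tmp" long-lived 400
    echo "not a certificate" > "$tmp/junk.pem"
    due_for_renewal "$tmp" 30 2>/dev/null | sed 's|.*/||'
    rm -rf "$tmp"
}

demo
```

A certificate reported here is the point at which a renewal agent would build the new request and start the SCEP enrollment; the unparsable file is skipped rather than treated as expiring.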


CertNanny development is now hosted at https://github.com/certnanny/certnanny, where you will find the Git repository and issue tracker.


Clients running CertNanny need Perl 5.6.1 or higher installed. In addition, an OpenSSL executable and the sscep tool are required on the client.

On the CA side, a SCEP server is required. If the SCEP server supports automatic approval (which is done by signing the certificate request with the existing old certificate on the client side), the CertNanny agent can perform in-place keystore replacement without operator interaction. Using hook functions, CertNanny can also reload/restart applications after successful renewal.

Platform and keystore support matrix

CertNanny is designed to run on a large number of platforms. In addition, client applications that use certificates rely on many different keystore formats.

The following matrix indicates which platforms and keystores are supported by particular CertNanny release versions.

Version numbers in green fields indicate the minimum CertNanny version for this keystore/operating system combination.

| Keystore | Unix* | Windows | Tandem NonStop (via OSS) | z/OS (via USS) |
|---|---|---|---|---|
| OpenSSL (PEM/DER) | 0.6 | 0.7 | 0.7 | - |
| PKCS #8 (PEM/DER) | 0.7 | 0.7 | 0.7 | - |
| PKCS #12 | 0.10 | 0.10 | 0.10 | - |
| Java Keystore (JKS) | 0.8 | 0.8 | 0.8 | - |
| IBM GSKit Keystore (CMS) | 0.6 | 0.10 | n/a | - |
| Windows Certificate Store | n/a | 0.8 | n/a | n/a |
| RACF | n/a | n/a | n/a | - |
| Top Secret | n/a | n/a | n/a | - |

*) Supported/tested: Linux, AIX, Solaris, Darwin (Mac OS X)


Last update: 2007-06-19

| Version | Status | Comments |
|---|---|---|
| CertNanny 0.11 | no release date yet | Currently under development |
| CertNanny 0.10 | released 2007-06-19 | Latest stable release |
| CertNanny 0.9 | released 2006-08-09 | |
| CertNanny 0.8 | released 2006-06-12 | |
| CertNanny 0.7 | released 2006-02-10 | |
| CertNanny 0.6 | released 2005-12-23 | |