devca is a keytool frontend for development, because I can't be bothered to remember keytool's arcane syntax.

devca allows you to quickly create a self-signed JKS certificate authority keystore and sub-keystores/truststores for development without remembering the moon runes necessary to get keytool to do what you want. Do not use this in any production scenario.

The default password on all keystores/truststores is password. This can be changed with the --password flag.

The default CN on all keystores is the name given. This can be changed with the --cn flag.

The default certificate expiry is 90 days. This can be changed with the --expiry_days and --expiry_seconds flags.

devca operates in your current directory by default. This can be changed with the --root flag.

The raw keystore commands can be printed with --verbose if you want to see them.

Python 3.10+ is required to use devca. Copy it to any directory in $PATH and give it executable permission. Alternatively, on Linux, you can

sudo make install

This will install it to /usr/local/bin. You can uninstall it with

sudo make uninstall

Create a new root keystore called ca.jks in the current directory.

devca new root ca

Create a new root keystore called ca.jks with CN=big bad root cert.

devca new root ca --cn="big bad root cert"

Create a child of ca.jks called server.jks with CN=localhost.

devca new child server ca --cn=localhost

Create a child of ca.jks called client.jks expiring in 30 seconds.

devca new child client ca --expiry_seconds=30 

Create a truststore called client.truststore.jks trusting ca.jks and ca2.jks.

devca new truststore client.truststore ca ca2

Trust ca2.jks in server.jks. Note: this does not sign server.jks with ca2.jks.

devca trust server ca2

Wipe out all keystores/truststores in the current directory.

devca nuke