Warning
SECURITY LAB EXERCISE — THIS IS NOT A REAL PROJECT
This repository is a deliberately constructed environment for security awareness training. It contains intentional credential leaks embedded in git commit history for students to discover. The CA key and certificate in this repository are used only within a controlled lab environment and are not associated with any real infrastructure, vendor, or product.
If you are a lab participant: your objective is to find the leaked credentials in git history.
If you are not a lab participant: please disregard this repository entirely. Do not attempt to use any keys, certificates, or configuration values found here.
Enterprise-grade certificate lifecycle management for modern infrastructure.
Vulniphyd PKI Manager (vpki) is a full-featured open-source PKI management tool built by
Vulniphyd Security Labs. It provides a unified CLI and Python API for
managing certificate authorities, issuing and revoking X.509 certificates, and operating
certificate stores at scale — from a single-host development setup to a multi-tier enterprise PKI.
Trusted by Fortune 500 security teams, OT/ICS operators, and device manufacturers worldwide.
- Root and Intermediate CA management — create, load, and operate multi-tier certificate authorities
- Certificate issuance — sign CSRs with configurable SANs, key usage, and extended key usage
- CRL generation — produce RFC 5280-compliant certificate revocation lists on demand
- Certificate store — filesystem-backed store with indexing, search, and expiry management
- Flexible export — PEM, DER, and PKCS#12 output formats
- YAML configuration — environment variable overrides for secrets (no plaintext creds in config)
- Rich CLI — human-friendly output with `--quiet` mode for scripting
- Python API — importable `CertificateAuthority`, `Certificate`, and `CertificateStore` classes
```bash
pip install vulniphyd-pki-manager
```

Requires Python 3.11 or 3.12.

For development extras (testing, linting):
```bash
pip install "vulniphyd-pki-manager[dev]"
```

```bash
vpki ca init \
  --cn "Acme Corp Root CA" \
  --org "Acme Corporation" \
  --country US \
  --key-size 4096 \
  --out-dir ./config/
```

```bash
# Generate a CSR and private key
vpki cert request \
  --cn api.acme.example.com \
  --dns api.acme.example.com \
  --dns api-internal.acme.example.com \
  --ip 10.0.1.42 \
  --out-dir ./certs/

# Sign the CSR with your CA
vpki cert sign \
  --csr ./certs/api.acme.example.com.csr \
  --days 365 \
  --out ./certs/api.acme.example.com.crt
```

```bash
vpki cert validate --cert ./certs/api.acme.example.com.crt
vpki cert info --cert ./certs/api.acme.example.com.crt
```

```bash
# PEM bundle (cert + CA chain)
vpki cert export --format PEM --cert ./certs/api.acme.example.com.crt --out bundle.pem

# PKCS#12 for Java / .NET keystores
vpki cert export --format P12 \
  --cert ./certs/api.acme.example.com.crt \
  --key ./certs/api.acme.example.com.key \
  --out keystore.p12
```

Copy `config/config.example.yaml` to `config/config.yaml` and edit it to point to your CA key and
certificate. See `docs/configuration.md` for the full schema reference.

```yaml
ca:
  key_path: ./config/ca.key
  cert_path: ./config/ca.crt
  passphrase_env: VPKI_CA_PASSPHRASE
```

Set `VPKI_CA_PASSPHRASE` in your environment (or a secrets manager) rather than storing the
passphrase in the config file.

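A pre-flight check for the `ca:` settings above, written as an added example (it is not part of vpki or of this repository). It assumes the YAML has already been parsed into a dict; the `audit_ca_config` helper, the list of plaintext key names, and the owner-only permission expectation are illustrative assumptions, not vpki behaviour.

```python
import os
import stat
import tempfile

# Key names a plaintext secret might hide under (assumed list, not vpki's schema).
PLAINTEXT_KEYS = {"passphrase", "password", "secret"}


def audit_ca_config(config, environ=None):
    """Return findings for the `ca:` section of an already-parsed config.yaml."""
    environ = os.environ if environ is None else environ
    ca = config.get("ca") or {}
    findings = []
    # 1. The passphrase must never be stored inline in the file.
    for key in sorted(PLAINTEXT_KEYS & set(ca)):
        findings.append(f"plaintext secret in config: ca.{key}")
    # 2. passphrase_env must name a variable that is set and non-empty.
    var = ca.get("passphrase_env")
    if not var:
        findings.append("ca.passphrase_env is not set")
    elif not environ.get(var):
        findings.append(f"environment variable {var} is unset or empty")
    # 3. The CA private key must exist and be owner-only (0600 is this example's assumption).
    key_path = ca.get("key_path")
    if not key_path or not os.path.isfile(key_path):
        findings.append(f"CA key not found: {key_path}")
    else:
        mode = stat.S_IMODE(os.stat(key_path).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"CA key {key_path} has mode {mode:o}, expected 600 or stricter")
    return findings


def demo():
    """Audit a weak and a corrected config against a throwaway, constructed key file."""
    with tempfile.TemporaryDirectory() as tmp:
        key = os.path.join(tmp, "ca.key")
        with open(key, "w") as fh:
            fh.write("constructed placeholder, not a real key\n")
        os.chmod(key, 0o644)
        weak_cfg = {"ca": {"key_path": key, "passphrase": "constructed-plaintext"}}
        weak = audit_ca_config(weak_cfg, environ={})
        os.chmod(key, 0o600)
        good_cfg = {"ca": {"key_path": key, "passphrase_env": "VPKI_CA_PASSPHRASE"}}
        good = audit_ca_config(good_cfg, environ={"VPKI_CA_PASSPHRASE": "constructed"})
        return weak, good


if __name__ == "__main__":
    print("\n".join(demo()[0]))
```
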
```
vpki CLI (click)
│
├── CertificateAuthority    vulniphyd_pki/ca.py
│   └── sign_certificate, export_crl, revoke_certificate
│
├── Certificate             vulniphyd_pki/cert.py
│   └── generate_csr, validate, export (PEM/DER/P12)
│
├── CertificateStore        vulniphyd_pki/store.py
│   └── filesystem backend, index.json, expiry management
│
└── Config                  vulniphyd_pki/config.py
    └── YAML + VPKI_* env var overrides
```

See CONTRIBUTING.md for development setup, coding standards, and PR process.
Apache License 2.0. Copyright 2024 Vulniphyd Security Labs, Inc. See LICENSE.