CLI reference
Reference for the certswap command line. Migrated from the
README; consult the README for narrative context and the
CHANGELOG for version history.
Commands
certswap inspect <bundle> # show bundle contents (key optional)
certswap plan local <bundle> --dest <dir>
certswap apply local <bundle> --dest <dir>
certswap verify local --dest <dir>
certswap plan ssh <bundle> --host <h> --cert-dest /etc/nginx/tls/x.pem --key-dest /etc/nginx/tls/x.key
certswap apply ssh <bundle> --host <h> --cert-dest ... --key-dest ... --reload "nginx -s reload"
certswap plan k8s <bundle> --namespace ns --secret tls --context homelab --ingress app
certswap apply k8s <bundle> --namespace ns --secret tls --argocd-app my-app
certswap apply k8s <bundle> --namespace ns --secret tls --ingress app --ingress-host www.example.org --argocd-app my-app
certswap apply proxmox <bundle> --host pve-node
certswap upcoming --within-days 60
Top-level commands:
inspect— show bundle contents (a private key is optional;inspectalso accepts cert-only CA deliveries).plan <driver>— validate a swap without applying it.apply <driver>— perform the swap and write an evidence directory.verify <driver>— check the target after an apply.upcoming— list tracked deployments approaching expiry.
Global options:
--version— print the version and exit.
Drivers
local, ssh, k8s (with optional ArgoCD coordination), and proxmox. Each
driver is available under plan and apply; verify supports local.
Input formats
inspect and the deployment commands normalise the following to one canonical
bundle:
- PFX / PKCS#12 (including Sectigo's RC2-40-CBC legacy MAC, via
openssl pkcs12 -legacy) - PEM bundles
- PKCS#7
- zip / tar archives
- separate-file layouts (cert, key, chain)
Leaf-only bundles can be AIA-walked into a complete chain with
inspect --fetch-intermediates. Deployment commands always require the private
key.
Output and state
- All commands accept
--jsonfor machine-readable output. applywrites an evidence directory under~/.certswap/evidence/, containing bothevidence.json(pydantic-modeled) andevidence.md(human-readable).- Deployments are tracked in
~/.certswap/state.json, whichupcomingreads.
Exit codes
| Code | Meaning |
|---|---|
| 0 | Success |
| 10 | Validation failed (plan blocked, host/key mismatch) |
| 30 | Ingest failed (bad format, wrong password) |
| 50 | Apply failed mid-flight (incl. remote unreachable during apply) |
| 60 | Verify failed post-apply (incl. target drift) |