InfoRelay·NetGuard
v0.1 · Windows AD CS · multi-domain · ships offline

The cert tool built for the Microsoft CA reality.

Generate keys + CSRs locally. Convert between every common cert format (PEM, DER, PKCS#7, PFX/PKCS#12). Inspect any cert / CSR / key file. Talk to your Microsoft Issuing CAs across multiple domains — even when they sit under one offline root. Built because certsrv in a modern browser stopped working, and openssl alone doesn't know how to talk to AD CS.

Local crypto · no telemetry
Multi-domain AD CS inventory
Single-binary install · 19 MB
certguard — build a CSR for a Web Server template
$ certguard
InfoRelay CertGuard 0.1.0 · GUI window opening
Generate keypair → RSA 2048 (encrypted with passphrase)
Build CSR:
CN=ica-nmc-01.nmc.example.com
O=Outlaw Holdings · OU=NetGuard · C=US
SAN: DNS:ica-nmc-01.nmc.example.com, DNS:nmc01, IP:10.50.0.12
EKU: serverAuth, clientAuth
Template hint: WebServer
CSR built · signature valid · 1131 bytes PEM
Submit to ICA-NMC (NTLM auth, NMC\scan-user)
Cert issued · serial 7a3c9... · valid 2 years
Bundle into PFX with chain → OCA-SBX root + ICA-NMC + leaf + key
Saved: ica-nmc-01.pfx
What it does

Every cert operation an admin actually does, in one tool.

No more openssl one-liners + IIS GUI + multiple template-page round-trips. CertGuard handles the whole CSR-to-PFX lifecycle and talks AD CS HTTP natively.

🔑

Generate keys

RSA 2048/3072/4096, ECDSA P-256/P-384/P-521, Ed25519. Optional AES-256 passphrase. PKCS#8 PEM by default. Crypto runs in-process.

📝

Build CSRs

Full Subject DN, SAN list (DNS / IP / email / URI / UPN), EKU checklist, AD CS template hint embedded as the Microsoft template-name extension. SHA-256/384/512 signatures.
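As an added example (not CertGuard's own code), this stdlib Go snippet shows how the template hint described above is actually carried in a CSR: Microsoft's certificate-template-name extension (OID 1.3.6.1.4.1.311.20.2) holding the template name as an ASN.1 BMPString, next to DNS/IP SANs and an EKU extension. The OID and BMPString encoding are Microsoft's; the function names and subject values are illustrative.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"net"
	"unicode/utf16"
)

// Microsoft certificate-template-name extension (szOID_ENROLL_CERTTYPE_EXTENSION).
var oidMSTemplate = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 20, 2}

// bmpString DER-encodes s as a BMPString (tag 0x1E, UTF-16BE), the form AD CS
// expects for the template name; short-form length suffices for names under 128 bytes.
func bmpString(s string) []byte {
	out := []byte{0x1E, 0}
	for _, c := range utf16.Encode([]rune(s)) {
		out = append(out, byte(c>>8), byte(c))
	}
	out[1] = byte(len(out) - 2)
	return out
}

// BuildCSR returns a DER CSR for cn with DNS/IP SANs, EKU serverAuth+clientAuth
// (OID 2.5.29.37) and the template hint, plus the fresh RSA-2048 key that signed it.
// The caller is responsible for PKCS#8-encoding and passphrase-protecting the key.
func BuildCSR(cn string, dns []string, ips []net.IP, template string) ([]byte, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	eku, _ := asn1.Marshal([]asn1.ObjectIdentifier{{1, 3, 6, 1, 5, 5, 7, 3, 1}, {1, 3, 6, 1, 5, 5, 7, 3, 2}})
	tmpl := x509.CertificateRequest{
		// Illustrative subject values; only the CN is taken from the caller.
		Subject:     pkix.Name{CommonName: cn, Organization: []string{"Outlaw Holdings"}, Country: []string{"US"}},
		DNSNames:    dns,
		IPAddresses: ips,
		ExtraExtensions: []pkix.Extension{{Id: asn1.ObjectIdentifier{2, 5, 29, 37}, Value: eku},
			{Id: oidMSTemplate, Value: bmpString(template)}},
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, &tmpl, key)
	if err != nil {
		return nil, nil, err
	}
	return der, key, nil
}
```

Feeding the DER to x509.ParseCertificateRequest and reading req.Extensions shows the template extension exactly as an AD CS administrator would see it when inspecting the request.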

🔁

Convert any format

Auto-detect PEM / DER / PKCS#7 / PFX/PKCS#12 input. Output to any of the same. Attach or strip keys. Bundle chain certs. Set new PFX passphrases.

🔍

Inspect anything

Drop in a cert / CSR / chain / key. Get subject, issuer, validity, SANs, EKUs, key usage, CA flag, fingerprints, days-to-expire — without typing a single openssl x509 command.

🏛

Multi-domain CA inventory

Configure each issuing CA you care about. Per-CA: hostname, domain, auth type (NTLM / Kerberos / Basic), default template. Topology-aware — knows offline-root vs issuing.

📤

AD CS HTTP submission v0.2

POST CSR + template to https://<ica>/certsrv/certfnsh.asp with NTLM auth, poll certnew.cer, handle pending-approval state. Auto-chain into PFX.

🔒

Keys never leave the box

Private keys are generated and shown once. They aren't logged, persisted server-side, or transmitted anywhere. Bring an existing key file or generate one in-flight — your choice.

🖥

Native desktop app

Single binary. Double-click → real window via Edge WebView2 / WKWebView / WebKitGtk. No Python runtime. No browser tab. CLI still available for scripted use.

🧭

Same suite, different tool

Built alongside NetGuard Audit — same brand, same install pattern, separate trust model. Run both at once on different ports. Single suite, focused tools.

📦

Zero installer · SWAB-friendly

No MSI. No service. No registry edits. No admin rights. No patches. The binary's SHA-256 is your entire Software Approval Baseline artifact — drop it on disk, run, done. When the new version ships, swap the .exe.

Why we built it

Modern browsers + Microsoft certsrv = pain.

Edge and Chrome dropped the ActiveX controls that certsrv's original page depended on. certreq.exe works but only on a domain-joined Windows host. openssl is great for the crypto but has no idea what an AD CS template is, no NTLM client, no clue about CES/CEP, and no notion of how to keep certs from two different ICAs across two different domains organized.

CertGuard plugs that gap. It does the openssl-equivalent operations locally (no shell-outs, no native libs to bundle), and it knows how to talk AD CS HTTP enrollment across multiple domains under one umbrella root — the topology DoD and regulated shops actually run.

Reference topology supported out of the box
OCA-SBX (offline root, never reached over the network)
│
├── ICA-NMC   domain: NMC
│   └── templates: WebServer, User, DomainController, …
│
└── ICA-IESS  domain: IESS
    └── templates: WebServer, User, DomainController, …

CertGuard seeds this on first run so the CA inventory page renders something sensible. Adjust the hostnames + domains to match your environment and you're configured.

End-to-end

From subject DN to deployed PFX.

1

Build CSR

Subject DN + SANs + EKUs. Generate a key in-flight or bring your own.

2

Submit to ICA

Pick the issuing CA, pick the template. NTLM / Kerberos / Basic auth. (v0.2)

3

Bundle the chain

OCA-SBX root + ICA leaf + your issued cert + key → PFX in one click.

4

Deploy

Or convert to whatever format your target needs. Inspect to verify.

Get CertGuard

Download v0.1 · Free for evaluation

Single-binary build per platform. ~19 MB. No Python install required on the target.

Installing on Windows

  1. Download certguard-0.1-windows-x64.zip.
  2. Right-click the zip → Extract All…
  3. Right-click certguard-0.1-windows-x64.exe → Properties → tick Unblock → OK.
  4. Double-click the .exe. Windows SmartScreen will warn (unsigned in v0.1). Click More info → Run anyway.
  5. CertGuard opens in its own desktop window on 127.0.0.1:9988.

Need NetGuard Audit at the same time? They run on different ports (NetGuard 9999, CertGuard 9988). Both can be open simultaneously.

Already have Python? pip install inforelay-certguard, then certguard for the native window.

FAQ

The questions Windows-CA admins ask first.

Does CertGuard need access to the offline root?
No. CertGuard talks only to the issuing CAs you configure. The offline root (in Chris's reference topology, OCA-SBX) is captured in the CA inventory so its public cert can be bundled into PFX/PKCS#12 chain outputs, but no traffic is sent to it.
How does it authenticate to AD CS?
v0.2 ships NTLM (the most common AD CS deployment), Kerberos (where AD is reachable), and HTTP Basic (for lab CAs). Per-CA auth choice. Credentials live in memory only for the duration of one request — never written to disk.
What about multiple domains?
CertGuard's CA inventory captures a per-CA domain field that becomes the NTLM realm. You can have ICA-NMC on NMC\scan-user and ICA-IESS on IESS\scan-user side by side in the same CertGuard install.
Can I use it without ever talking to a CA?
Yes — the local-crypto operations (keygen, CSR build, format convert, inspect) work fully offline. The CA inventory is optional. CertGuard is a useful local cert toolkit even if you never configure an issuing CA.
What formats does the converter support?
Input is auto-detected from: PEM (.pem / .crt / .cer), DER, PKCS#7 (.p7b / .p7c, PEM or DER), PKCS#12 (.pfx / .p12). Output is operator-selected from the same set. Keys can be included or stripped per-conversion. Chain certs can be attached on output.
Will CertGuard ever be signed?
v1.0 ships EV-Authenticode signed alongside NetGuard. Until then, v0.x binaries are unsigned — SmartScreen "Run anyway" workflow on Windows, Gatekeeper "Open Anyway" on macOS. Same trust roadmap as NetGuard.