Why I Rejected Vault and Python to Build a Zero-Dependency TLS Generator with GraalVM
The Integration Test Nightmare
During a recent engineering sprint, I ran into a classic infrastructure testing bottleneck: I needed to validate how our system behaves when an upstream TLS certificate expires. To test this reliably in a CI/CD matrix, I needed a scriptable tool that could issue a valid, strictly profiled TLS certificate that would self-destruct (expire) in exactly one hour—or even a few minutes.
Simple, right? Not quite.
The Land of Overkill Solutions
When looking at the existing ecosystem, the available paths were frustratingly over-engineered for a local testing environment:
Enterprise Machinery (Vault / cert-manager): Tools like HashiCorp Vault or Kubernetes cert-manager are fantastic for production clusters. But spinning up a Vault container, initializing a transit engine, and configuring PKI roles just to run a localized mTLS integration test is like using a rocket launcher to crack a nut.
The OpenSSL Configuration Maze: You can technically do this with native openssl commands, but modern clients (Chrome, Go web servers, Java HttpClient) strictly require X509v3 Subject Alternative Name (SAN) extensions and Basic Constraints. Forcing OpenSSL to generate these through inline flags without managing external .cnf template files turns into a multi-line, unreadable bash spaghetti pile.
Why Not Just Write a Python Script?
The immediate fallback for any developer needing a quick tool is a Python script using the cryptography library. It’s quick to write, but it comes with a hidden tax: the execution environment.
If you share a Python script with a team or drop it into a clean GitHub Actions runner, you are instantly gambling on the host environment. Someone has Python 3.8; someone else has 3.12. One developer breaks their local pip virtual environment, and another runner crashes because an underlying native C dependency (libffi-dev) isn't installed on the bare Linux image.
I didn’t want a script that required an installation guide. I wanted a single, isolated tool with zero host dependencies.
Enter Certshift (and the Power of GraalVM)
I decided to build Certshift—a lightweight, single-purpose CLI tool designed explicitly to shift out transient, fully compliant TLS certificates on demand.
For the language stack, I chose Java. The Java ecosystem boasts mature, production-hardened cryptographic libraries like BouncyCastle. However, shipping a traditional Java application means dragging along the Java Virtual Machine (JVM). Nobody wants to install a 200MB JDK or wait for a heavy JVM warmup cycle just to generate an ephemeral cert in a shell script.
To solve this, I leveraged GraalVM Native Image.
By compiling the Java bytecode Ahead-Of-Time (AOT), GraalVM strips away the entire JVM infrastructure, optimizes the dead code path, and outputs a native Linux ELF binary.
The architectural wins were immediate:
Zero Dependencies: The binary is completely self-contained. No Java runtime required.
Instant Startup: It boots, parses flags, generates an ECDSA P-256 keypair, signs the certificate, and exits in under 5 milliseconds.
Lightweight footprint: Perfect for micro-containers and ephemeral CI pipelines.
See It in Action
With certshift, generating a modern, secure, short-lived certificate is down to a single readable line:
./certshift -c localhost -s "localhost,127.0.0.1" -d 1h -o ./certs
If you inspect the output using OpenSSL, you can see that despite its tiny size, it generates an absolutely compliant cryptographic layout:
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Subject Alternative Name:
DNS:localhost, DNS:127.0.0.1
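As an added example that is not Certshift's own source, this is the BouncyCastle (bcpkix) routine a Java tool needs to produce the profile shown above: an ECDSA P-256 self-signed leaf with critical Basic Constraints CA:FALSE, serverAuth EKU, a SAN list and a validity window measured in seconds. It assumes bcpkix is on the classpath; the IPv4 regex that decides between dNSName and iPAddress entries is a simplification of my own.

```java
import java.io.StringWriter;
import java.math.BigInteger;
import java.security.*;
import java.security.cert.X509Certificate;
import java.security.spec.ECGenParameterSpec;
import java.time.Instant;
import java.util.Date;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.*;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.openssl.jcajce.JcaPEMWriter;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

public class EphemeralCert {
    // Issues a self-signed P-256 leaf for `cn` that expires `ttlSeconds` from now.
    public static X509Certificate issue(KeyPair kp, String cn, String[] sans, long ttlSeconds) throws Exception {
        Instant now = Instant.now();
        X500Name name = new X500Name("CN=" + cn);
        JcaX509v3CertificateBuilder b = new JcaX509v3CertificateBuilder(
                name, new BigInteger(64, new SecureRandom()),
                Date.from(now), Date.from(now.plusSeconds(ttlSeconds)), name, kp.getPublic());
        // critical Basic Constraints CA:FALSE, non-critical EKU serverAuth (the profile modern clients insist on)
        b.addExtension(Extension.basicConstraints, true, new BasicConstraints(false));
        b.addExtension(Extension.extendedKeyUsage, false, new ExtendedKeyUsage(KeyPurposeId.id_kp_serverAuth));
        GeneralName[] names = new GeneralName[sans.length];
        for (int i = 0; i < sans.length; i++) {
            String s = sans[i].trim();
            // assumption: dotted-quad literals become iPAddress entries, everything else dNSName
            int tag = s.matches("\\d{1,3}(\\.\\d{1,3}){3}") ? GeneralName.iPAddress : GeneralName.dNSName;
            names[i] = new GeneralName(tag, s);
        }
        b.addExtension(Extension.subjectAlternativeName, false, new GeneralNames(names));
        ContentSigner signer = new JcaContentSignerBuilder("SHA256withECDSA").build(kp.getPrivate());
        return new JcaX509CertificateConverter().getCertificate(b.build(signer));
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(new ECGenParameterSpec("secp256r1"));
        KeyPair kp = kpg.generateKeyPair();
        X509Certificate cert = issue(kp, "localhost", "localhost,127.0.0.1".split(","), 3600);
        cert.checkValidity();                                     // valid right now
        try { cert.checkValidity(Date.from(Instant.now().plusSeconds(7200))); }
        catch (java.security.cert.CertificateExpiredException e) { System.out.println("expired as intended after 1h"); }
        StringWriter sw = new StringWriter();
        try (JcaPEMWriter w = new JcaPEMWriter(sw)) { w.writeObject(cert); w.writeObject(kp.getPrivate()); }
        System.out.print(sw);                                     // PEM cert + key, ready for -o ./certs
    }
}
```

Piping the printed PEM through `openssl x509 -noout -text` reproduces the extension block listed above, except that 127.0.0.1 appears as `IP Address:127.0.0.1` because of the tag selection in the loop.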
Try It Out!
Certshift is open source and ready to be dropped into your local testing toolbelt. You can download the native binary directly via curl without even needing Java on your machine:
curl -L -o certshift https://github.com/volodymyr-sokur/certshift/releases/download/v1.0.1/certshift
chmod +x certshift
./certshift --help
Check out the full repository here: https://github.com/volodymyr-sokur/certshift