Documentation

PRISM

PKI Resources & Infrastructure Security Manager — full certificate lifecycle management, locally on your device.

Download

Requires macOS 14 Sonoma or later / Windows 10 or 11.

Installation

macOS

  1. Download the .dmg file and open it.
  2. Drag PRISM.app to your Applications folder.
  3. On first launch, right-click the app and choose Open — or go to System Settings → Privacy & Security → Open Anyway.
  4. Enter your license key when prompted. PRISM checks the key locally — no account required.

Windows

  1. Download the .exe installer and run it.
  2. If Windows Defender shows a warning, click More info → Run anyway.
  3. Follow the installer prompts. PRISM installs to %LocalAppData%\PRISM by default.
  4. Enter your license key on first launch.

Tools

CSR Generator

Generate RFC 2986-compliant Certificate Signing Requests with SANs, RSA (2048–4096 bit) or ECC (P-256, P-384, P-521) keys, and optional AES-256 private key encryption.
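To make concrete what an RFC 2986 request with SANs actually carries, here is an added Go example; it is not PRISM's own code. It generates one of the key types listed above, builds the PKCS#10 request with a subjectAltName extension holding DNS names and an IP, then parses the result back and checks its self-signature the way a CA operator would before signing. The CSRRequest type, the algorithm labels ("RSA-2048", "P-256", and so on) and the function names are choices made for this example, and the private key is written as plain PKCS#8, so the optional AES-256 key encryption PRISM offers is not reproduced.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"net"
	"strconv"
)

// newKey returns a signer for one of the key choices the CSR Generator offers:
// "RSA-2048", "RSA-3072", "RSA-4096", or "P-256", "P-384", "P-521" (labels chosen for this example).
func newKey(algo string) (crypto.Signer, error) {
	switch algo {
	case "RSA-2048", "RSA-3072", "RSA-4096":
		bits, _ := strconv.Atoi(algo[4:])
		return rsa.GenerateKey(rand.Reader, bits)
	case "P-256", "P-384", "P-521":
		curves := map[string]elliptic.Curve{"P-256": elliptic.P256(), "P-384": elliptic.P384(), "P-521": elliptic.P521()}
		return ecdsa.GenerateKey(curves[algo], rand.Reader)
	}
	return nil, fmt.Errorf("unsupported key algorithm %q", algo)
}

// CSRRequest is the request form: subject CN, key choice and SAN entries (a type made up for this example).
type CSRRequest struct {
	CommonName, KeyAlgo string
	DNSNames            []string
	IPs                 []net.IP
}

// GenerateCSR creates the key and an RFC 2986 (PKCS#10) request carrying a subjectAltName
// extension, both PEM-encoded. The key is unencrypted PKCS#8; PRISM's AES-256 option is not shown.
func GenerateCSR(req CSRRequest) (csrPEM, keyPEM []byte, err error) {
	key, err := newKey(req.KeyAlgo)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: req.CommonName},
		DNSNames: req.DNSNames, IPAddresses: req.IPs} // SANs become the extensionRequest attribute
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, nil, err
	}
	keyDER, err := x509.MarshalPKCS8PrivateKey(key)
	if err != nil {
		return nil, nil, err
	}
	csrPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER})
	return csrPEM, keyPEM, nil
}

// CSRSummary holds what an operator checks before handing the request to a CA.
type CSRSummary struct {
	CommonName, KeyAlgo, SigAlgo string
	DNSNames, IPs                []string
}

// InspectCSR parses a PEM request, verifies its self-signature (proof that the requester
// holds the private key) and reports the fields a CA would look at.
func InspectCSR(csrPEM []byte) (CSRSummary, error) {
	block, _ := pem.Decode(csrPEM)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return CSRSummary{}, fmt.Errorf("no CERTIFICATE REQUEST block found")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return CSRSummary{}, err
	}
	if err := csr.CheckSignature(); err != nil {
		return CSRSummary{}, fmt.Errorf("proof-of-possession signature invalid: %w", err)
	}
	s := CSRSummary{CommonName: csr.Subject.CommonName, DNSNames: csr.DNSNames,
		KeyAlgo: csr.PublicKeyAlgorithm.String(), SigAlgo: csr.SignatureAlgorithm.String()}
	for _, ip := range csr.IPAddresses {
		s.IPs = append(s.IPs, ip.String())
	}
	return s, nil
}

func main() {
	csrPEM, _, err := GenerateCSR(CSRRequest{CommonName: "vpn.example.test", KeyAlgo: "P-256", // constructed input
		DNSNames: []string{"vpn.example.test", "vpn-alt.example.test"}, IPs: []net.IP{net.ParseIP("192.0.2.10")}})
	if err != nil {
		panic(err)
	}
	fmt.Print(string(csrPEM))
	fmt.Println(InspectCSR(csrPEM))
}
```

The proof-of-possession check in InspectCSR is the step worth keeping in any CSR pipeline: a request whose signature does not verify under its own public key should be rejected before it reaches the CA, regardless of how plausible its subject and SANs look.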

Chain Builder

Drop in a leaf certificate and PRISM automatically fetches issuer certificates from your system keychain to build a complete, correctly ordered PEM chain.

Custom Chain

Manually assemble a chain from your own CA files. PRISM validates ordering and outputs a clean PEM bundle.

PFX / P12 Generator

Bundle a certificate chain and private key into a password-protected PFX. Supports AES-256-CBC, AES-128-CBC, 3DES, and legacy encryption modes.

Key Extractor

Pull the private key and/or certificates out of any PFX/P12 file in one step.

Crypt Walk

Inspect any certificate — subject, issuer, SANs, validity dates, key algorithm, signature algorithm — at a glance.
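Chain Builder, Custom Chain and Crypt Walk share one underlying job: turning a set of certificate files into a correctly ordered, verified chain and showing what each link is. The following added Go example is not PRISM's code. It builds a constructed in-memory hierarchy (root CA, issuing CA, server leaf, all with made-up names), orders the issuer files starting from the leaf using subject/issuer name matching plus an actual signature check on every link, rejects a missing intermediate or a stray file, runs full path validation for the leaf's hostname, and then prints a Crypt Walk-style one-line summary of each certificate followed by the PEM bundle. The names issue, DemoPKI, signedBy, OrderChain and VerifyChain are chosen for this example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// issue signs tmpl with parent (self-signed when parent is nil) using a fresh P-256 key.
// The result is a constructed in-memory test PKI, not a real CA.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// DemoPKI builds root CA -> issuing CA -> server leaf and returns them leaf first.
func DemoPKI() []*x509.Certificate {
	now := time.Now().Add(-time.Minute)
	ca := func(cn string, serial int64) *x509.Certificate {
		return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now, NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
			KeyUsage: x509.KeyUsageCertSign}
	}
	root, rootKey := issue(ca("Test Root CA", 1), nil, nil)
	inter, interKey := issue(ca("Test Issuing CA", 2), root, rootKey)
	leaf, _ := issue(&x509.Certificate{SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "www.example.test"},
		DNSNames: []string{"www.example.test"}, NotBefore: now, NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, inter, interKey)
	return []*x509.Certificate{leaf, inter, root}
}

// signedBy reports whether child was genuinely issued by parent: the names must match
// and the signature must verify, so a look-alike issuer name alone is not enough.
func signedBy(child, parent *x509.Certificate) bool {
	return bytes.Equal(child.RawIssuer, parent.RawSubject) && child.CheckSignatureFrom(parent) == nil
}

// OrderChain starts at leaf and follows issuer links through pool until it reaches a self-signed
// root, returning the chain leaf first. A missing link or an unused stray file is an error.
func OrderChain(leaf *x509.Certificate, pool []*x509.Certificate) ([]*x509.Certificate, error) {
	chain := []*x509.Certificate{leaf}
	for cur := leaf; !signedBy(cur, cur) && len(chain) <= len(pool)+1; cur = chain[len(chain)-1] {
		var next *x509.Certificate
		for _, c := range pool {
			if c != cur && signedBy(cur, c) {
				next = c
			}
		}
		if next == nil {
			return nil, fmt.Errorf("no issuer for %q among the supplied files", cur.Subject.CommonName)
		}
		chain = append(chain, next)
	}
	if len(chain) != len(pool)+1 {
		return nil, fmt.Errorf("supplied files do not form a single chain (%d used of %d)", len(chain)-1, len(pool))
	}
	return chain, nil
}

// VerifyChain runs full path validation for host, trusting only the chain's last certificate.
func VerifyChain(chain []*x509.Certificate, host string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(chain[len(chain)-1])
	for _, c := range chain[1:] {
		inters.AddCert(c)
	}
	_, err := chain[0].Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inters})
	return err
}

func main() {
	o := DemoPKI()
	chain, err := OrderChain(o[0], []*x509.Certificate{o[2], o[1]}) // issuer files supplied in the wrong order
	if err != nil {
		panic(err)
	}
	fmt.Println("path validation error:", VerifyChain(chain, "www.example.test")) // <nil> when the chain is good
	for _, c := range chain { // Crypt Walk-style glance at each link, then the PEM bundle
		fmt.Printf("%s <- %s (CA=%t, key=%s, sig=%s, expires %s)\n", c.Subject.CommonName, c.Issuer.CommonName,
			c.IsCA, c.PublicKeyAlgorithm, c.SignatureAlgorithm, c.NotAfter.Format(time.RFC3339))
		fmt.Print(string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})))
	}
}
```

Two design points matter for a chain tool. Ordering by name alone is not safe, which is why signedBy also checks the signature: a second root with the same subject name but a different key is rejected rather than silently spliced in. And ordering is not validation: VerifyChain is the step that also checks validity dates, basic constraints, key usage and the hostname, which is what a TLS client will do with the bundle.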

Certificate Inventory

Track your certificate library with expiry alerts, tags, notes, search, and CSV import/export. Create Certificate Bundles to group lifecycle files (CSR, key, cert, chain, PFX) with optional encrypted vault storage.

Chain Extractor

Fetch and download the full certificate chain for any HTTPS host or paste a PEM directly. Outputs each certificate individually or as a bundled PEM chain file.

ClearPass Deploy

Push certificates directly to Aruba ClearPass over the REST API. Supports Service and RADIUS/EAP certificate types. Requires ClearPass OAuth2 API credentials.

Cisco ISE Deploy

Import system certificates to a Cisco ISE node via the ISE Open API (/api/v1/certs/system-certificate/import). Supports Portal, Admin, EAP, RADIUS, pxGrid, SAML, and IMS certificate roles. Requires ISE ERS API to be enabled and an ERS Admin or Super Admin account.

Windows ADFS Deploy (BETA)

Deploy certificates to AD Federation Services locally or via SSH. Auto-detects if ADFS is running on the same machine for direct deployment — no SSH required. Remote mode SCPs the PFX and runs PowerShell over SSH. Supports Service Communications, Token Signing, and Token Decryption roles. Optionally restarts the ADFS service.

Certificate Bundles

Certificate Bundles let you group all files from a certificate lifecycle under one inventory entry. When you generate a CSR, PRISM will ask if you want to create a bundle. Choose from three storage modes:

  • Metadata Only — track certificate details only, no file storage.
  • Master Password Vault — all files encrypted with PBKDF2-SHA256 + AES-256-GCM. No password recovery.
  • Keychain Vault — private key encrypted via macOS Keychain; other files tracked by path.

V2 envelope encryption (introduced in V7.1.1) protects all Master Password Vault entries with a two-layer model: a master key wraps unique per-entry 256-bit random keys, so compromising one entry never exposes others.

See the Security Model page for full technical details on vault encryption.
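As an illustration of the two-layer model described above, here is an added Go example. It is not PRISM's vault code and makes no claim about PRISM's file format or parameters: the 600,000 PBKDF2 iteration count is an assumption, as the page does not state PRISM's. A master key is derived from the password with PBKDF2-SHA256 (written out over the standard library's HMAC so nothing external is needed), each entry gets its own random 256-bit key, the file is sealed with AES-256-GCM under the entry key, and the entry key is sealed under the master key with the entry name as associated data. A wrong password fails at the unwrap step, and because entry keys are independent, knowing one entry's key says nothing about the others. The Vault and Entry types and the salt and password values are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)

const keyLen, pbkdf2Iters = 32, 600_000 // 256-bit keys; the iteration count is assumed, PRISM's is not stated

// pbkdf2SHA256 is PBKDF2 (RFC 8018) over HMAC-SHA256, written out so the example needs only the standard library.
func pbkdf2SHA256(password, salt []byte, iters, n int) []byte {
	var out []byte
	for block := uint32(1); len(out) < n; block++ {
		mac := hmac.New(sha256.New, password)
		mac.Write(salt)
		binary.Write(mac, binary.BigEndian, block) // U1 = PRF(P, S || INT(i))
		u := mac.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iters; i++ { // Uj = PRF(P, Uj-1); T = U1 xor U2 xor ... xor Uc
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil)
			subtle.XORBytes(t, t, u)
		}
		out = append(out, t...)
	}
	return out[:n]
}

// seal returns nonce || AES-256-GCM ciphertext || tag; aad is authenticated but not encrypted.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(blk) // only fails for a non-16-byte block size, impossible with AES
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// unseal reverses seal; a wrong key, wrong aad or any flipped bit fails the tag check.
func unseal(key, sealed, aad []byte) ([]byte, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(blk)
	if n := gcm.NonceSize(); len(sealed) >= n {
		return gcm.Open(nil, sealed[:n], sealed[n:], aad)
	}
	return nil, errors.New("ciphertext shorter than a nonce")
}

type Vault struct{ master []byte } // master key lives in memory only; the random salt is what gets persisted

// Entry is one stored file: the file under its own key, and that key under the master key.
type Entry struct {
	Name                   string // bound as AAD so a record cannot be re-labelled or swapped
	WrappedKey, Ciphertext []byte
}

func OpenVault(password string, salt []byte) *Vault {
	return &Vault{master: pbkdf2SHA256([]byte(password), salt, pbkdf2Iters, keyLen)}
}

// Store draws a fresh 256-bit key for this entry, seals the file with it, and wraps that key under the master key.
func (v *Vault) Store(name string, file []byte) (Entry, error) {
	entryKey := make([]byte, keyLen) // never persisted in the clear
	_, err0 := rand.Read(entryKey)
	ct, err1 := seal(entryKey, file, []byte(name))
	wrapped, err2 := seal(v.master, entryKey, []byte(name))
	return Entry{Name: name, WrappedKey: wrapped, Ciphertext: ct}, errors.Join(err0, err1, err2)
}

// Load unwraps the entry key, then the file; a wrong master password fails at the first step.
func (v *Vault) Load(e Entry) ([]byte, error) {
	entryKey, err := unseal(v.master, e.WrappedKey, []byte(e.Name))
	if err != nil {
		return nil, fmt.Errorf("unwrap entry key: %w", err)
	}
	return unseal(entryKey, e.Ciphertext, []byte(e.Name))
}

func main() {
	salt := []byte("constructed-salt") // demo only; a real vault draws a random salt
	e, _ := OpenVault("correct horse battery staple", salt).Store("lab/vpn.key", []byte("PRIVATE KEY (placeholder)"))
	fmt.Println(OpenVault("correct horse battery staple", salt).Load(e)) // file bytes, <nil>
	fmt.Println(OpenVault("wrong password", salt).Load(e))               // [], unwrap error (GCM tag check fails)
}
```

Binding the entry name as associated data is what stops a record from being moved under another name while still decrypting cleanly; the "no password recovery" property follows directly from the master key existing only as a function of the password and salt.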

Using ClearPass Deploy

Server-side API setup

  1. In ClearPass Guest, go to Administration → API Clients → Create API Client.
  2. Set Grant Type to client_credentials.
  3. Set Operator Profile to a profile with certificate upload rights.
  4. Copy the Client ID and Client Secret — you'll paste these into PRISM.

A new client secret must be generated each session. You can shorten the Access Token Lifetime in ClearPass for better security.

Deploying a certificate

  1. Open the ClearPass tool under the Deploy section.
  2. Enter your ClearPass FQDN or IP, Client ID, and Client Secret. Toggle off SSL verification if your ClearPass uses a self-signed admin certificate.
  3. Click Test Connection to verify credentials and connectivity.
  4. Browse for your PFX/P12 file and enter its passphrase.
  5. Select the certificate usage: Service (HTTPS) and/or RADIUS/EAP. Enter a friendly name.
  6. Click Deploy Certificate. PRISM uploads the PFX via the ClearPass certificate import API and reports the result.

Using Cisco ISE Deploy

Server-side requirements

  • ISE ERS API must be enabled: go to Administration → System → Settings → API Settings and enable ERS (Read/Write). The certificate import endpoint (/api/v1/) requires this even though it uses the Open API path.
  • The ISE admin account used must have ERS Admin or Super Admin privileges.

Deploying a certificate

  1. Open the Cisco ISE tool under the Deploy section.
  2. Enter the Node FQDN/IP (the specific ISE node to push to), the ISE Hostname (short hostname used for certificate listing), and your admin username and password.
  3. Toggle off SSL verification if your ISE admin certificate is self-signed.
  4. Click Test Connection — PRISM does a GET to the system certificate list endpoint to verify auth.
  5. Browse for your PFX/P12 file and enter its passphrase. Optionally edit the Friendly Name (defaults to a timestamped name) and the Portal Group Tag.
  6. Select the certificate roles: Portal (on by default), Admin, EAP, RADIUS, pxGrid, SAML, IMS.
  7. Click Import Certificate. PRISM extracts the certificate and private key from the PFX, re-encrypts the key as PKCS#8 (required by ISE), and POSTs to /api/v1/certs/system-certificate/import.

Note: Each ISE node requires a separate import. Repeat this process pointing at each node's FQDN.

Using Windows ADFS Deploy (BETA)

PRISM supports two deployment modes: local (when ADFS is running on the same machine) and remote (via SSH to another server). On launch, PRISM checks for a running adfssrv service and automatically enables local mode if found.

Local mode requirements

  • PRISM must be running on the ADFS server itself.
  • The current user must have local administrator rights (required to run ADFS PowerShell cmdlets and import to the machine certificate store).
  • The ADFS PowerShell module must be available (installed by default with the ADFS role).

Remote (SSH) mode requirements

  • OpenSSH Server must be installed and running on the ADFS server: Add-WindowsCapability -Online -Name OpenSSH.Server* then Start-Service sshd.
  • The SSH user account must have local administrator rights on the ADFS server.
  • The ADFS PowerShell module must be available on the server (installed by default with the ADFS role).

Deploying a certificate

  1. Open the Windows ADFS (BETA) tool under the Deploy section.
  2. Local mode: If PRISM detected the local ADFS service, the deployment mode toggle will appear. Enable it to deploy directly — no server address or SSH credentials needed. Click Check ADFS Service to verify the service is running before deploying.
  3. Remote mode: Enter the ADFS Server FQDN or IP, SSH Port (default 22), and Username. Choose Password or SSH Key authentication, then click Test Connection to verify connectivity.
  4. Browse for your PFX/P12 file and enter its passphrase.
  5. Select the certificate usage: Service Communications (SSL/TLS), Token Signing, and/or Token Decryption. Enable at least one.
  6. Toggle Restart ADFS Service if you want adfssrv restarted automatically after deployment.
  7. Click Deploy Certificate. In local mode, PRISM copies the PFX to a temp location and runs PowerShell directly. In remote mode, PRISM SCPs the PFX to C:\Windows\Temp\ and runs the PowerShell script over SSH, then removes the temp file.

Note: This tool is in beta. Multi-node ADFS farms require running the deploy against each node separately. In remote mode, ensure firewall rules permit SSH (port 22) from your machine to the ADFS server.

Auto-Updates (macOS)

PRISM uses Sparkle for automatic updates on macOS. When a new version is available, you'll see a notification in the app. Updates are downloaded and verified before installation.

License

PRISM is released under the MIT License. Copyright © 2024–2026 CMDLAB.