Previous: Invoking gnutls-serv, Up: Included programs


8.5 Invoking certtool

This is a program to generate X.509 certificates, certificate requests, CRLs and private keys.

Certtool help
Usage: certtool [options]
     -s, --generate-self-signed
                              Generate a self-signed certificate.
     -c, --generate-certificate
                              Generate a signed certificate.
     --generate-proxy         Generate a proxy certificate.
     --generate-crl           Generate a CRL.
     -u, --update-certificate
                              Update a signed certificate.
     -p, --generate-privkey   Generate a private key.
     -q, --generate-request   Generate a PKCS #10 certificate
                              request.
     -e, --verify-chain       Verify a PEM encoded certificate chain.
                              The last certificate in the chain must
                              be a self signed one.
     --verify-crl             Verify a CRL.
     --generate-dh-params     Generate PKCS #3 encoded Diffie Hellman
                              parameters.
     --get-dh-params          Get the included PKCS #3 encoded Diffie
                              Hellman parameters.
     --load-privkey FILE      Private key file to use.
     --load-request FILE      Certificate request file to use.
     --load-certificate FILE
                              Certificate file to use.
     --load-ca-privkey FILE   Certificate authority's private key
                              file to use.
     --load-ca-certificate FILE
                              Certificate authority's certificate
                              file to use.
     --password PASSWORD      Password to use.
     -i, --certificate-info   Print information on a certificate.
     -l, --crl-info           Print information on a CRL.
     --p12-info               Print information on a PKCS #12
                              structure.
     --p7-info                Print information on a PKCS #7
                              structure.
     --smime-to-p7            Convert S/MIME to PKCS #7 structure.
     -k, --key-info           Print information on a private key.
     --fix-key                Regenerate the parameters in a private
                              key.
     --to-p12                 Generate a PKCS #12 structure.
     -8, --pkcs8              Use PKCS #8 format for private keys.
     --dsa                    Use DSA keys.
     --hash STR               Hash algorithm to use for signing
                              (MD5,SHA1,RMD160).
     --export-ciphers         Use weak encryption algorithms.
     --inder                  Use DER format for input certificates
                              and private keys.
     --xml                    Use XML format for output certificates.
     --outder                 Use DER format for output certificates
                              and private keys.
     --bits BITS              specify the number of bits for key
                              generation.
     --outfile FILE           Output file.
     --infile FILE            Input file.
     --template FILE          Template file to use for non
                              interactive operation.
     -d, --debug LEVEL        specify the debug level. Default is 1.
     -h, --help               shows this help text
     -v, --version            shows the program's version
     --copyright              shows the program's license

The program can be used interactively or non interactively by specifying the --template command line option. See below for an example of a template file.

How to use certtool interactively:

Certtool's template file format:

An example certtool template file:

     # X.509 Certificate options
     #
     # DN options
     
     # The organization of the subject.
     organization = "Koko inc."
     
     # The organizational unit of the subject.
     unit = "sleeping dept."
     
     # The locality of the subject.
     # locality =
     
     # The state of the certificate owner.
     state = "Attiki"
     
     # The country of the subject. Two letter code.
     country = GR
     
     # The common name of the certificate owner.
     cn = "Cindy Lauper"
     
     # A user id of the certificate owner.
     #uid = "clauper"
     
     # If the supported DN OIDs are not adequate you can set
     # any OID here.
     # For example set the X.520 Title and the X.520 Pseudonym
     # by using OID and string pairs.
     #dn_oid = "2.5.4.12" "Dr." "2.5.4.65" "jackal"
     
     # This is deprecated and should not be used in new
     # certificates.
     # pkcs9_email = "none@none.org"
     
     # The serial number of the certificate
     serial = 007
     
     # In how many days, counting from today, this certificate will expire.
     expiration_days = 700
     
     # X.509 v3 extensions
     
     # A dnsname in case of a WWW server.
     #dns_name = "www.none.org"
     
     # An IP address in case of a server.
     #ip_address = "192.168.1.1"
     
     # An email in case of a person
     email = "none@none.org"
     
     # An URL that has CRLs (certificate revocation lists)
     # available. Needed in CA certificates.
     #crl_dist_points = "http://www.getcrl.crl/getcrl/"
     
     # Whether this is a CA certificate or not
     #ca
     
     # Whether this certificate will be used for a TLS client
     #tls_www_client
     
     # Whether this certificate will be used for a TLS server
     #tls_www_server
     
     # Whether this certificate will be used to sign data (needed
     # in TLS DHE ciphersuites).
     signing_key
     
     # Whether this certificate will be used to encrypt data (needed
     # in TLS RSA ciphersuites). Note that it is prefered to use different
     # keys for encryption and signing.
     #encryption_key
     
     # Whether this key will be used to sign other certificates.
     #cert_signing_key
     
     # Whether this key will be used to sign CRLs.
     #crl_signing_key
     
     # Whether this key will be used to sign code.
     #code_signing_key
     
     # Whether this key will be used to sign OCSP data.
     #ocsp_signing_key
     
     # Whether this key will be used for time stamping.
     #time_stamping_key