Previous: Invoking gnutls-serv, Up: Included programs
This is a program to generate X.509 certificates, certificate requests, CRLs and private keys.
Certtool help Usage: certtool [options] -s, --generate-self-signed Generate a self-signed certificate. -c, --generate-certificate Generate a signed certificate. --generate-proxy Generate a proxy certificate. --generate-crl Generate a CRL. -u, --update-certificate Update a signed certificate. -p, --generate-privkey Generate a private key. -q, --generate-request Generate a PKCS #10 certificate request. -e, --verify-chain Verify a PEM encoded certificate chain. The last certificate in the chain must be a self signed one. --verify-crl Verify a CRL. --generate-dh-params Generate PKCS #3 encoded Diffie Hellman parameters. --get-dh-params Get the included PKCS #3 encoded Diffie Hellman parameters. --load-privkey FILE Private key file to use. --load-request FILE Certificate request file to use. --load-certificate FILE Certificate file to use. --load-ca-privkey FILE Certificate authority's private key file to use. --load-ca-certificate FILE Certificate authority's certificate file to use. --password PASSWORD Password to use. -i, --certificate-info Print information on a certificate. -l, --crl-info Print information on a CRL. --p12-info Print information on a PKCS #12 structure. --p7-info Print information on a PKCS #7 structure. --smime-to-p7 Convert S/MIME to PKCS #7 structure. -k, --key-info Print information on a private key. --fix-key Regenerate the parameters in a private key. --to-p12 Generate a PKCS #12 structure. -8, --pkcs8 Use PKCS #8 format for private keys. --dsa Use DSA keys. --hash STR Hash algorithm to use for signing (MD5,SHA1,RMD160). --export-ciphers Use weak encryption algorithms. --inder Use DER format for input certificates and private keys. --xml Use XML format for output certificates. --outder Use DER format for output certificates and private keys. --bits BITS specify the number of bits for key generation. --outfile FILE Output file. --infile FILE Input file. --template FILE Template file to use for non interactive operation. -d, --debug LEVEL specify the debug level. Default is 1. -h, --help shows this help text -v, --version shows the program's version --copyright shows the program's license
The program can be used interactively or non interactively by
specifying the --template
command line option. See below for an
example of a template file.
How to use certtool interactively:
$ certtool --generate-dh-params --outfile dh.pem
$ certtool --generate-privkey --bits 512 --outfile rsa.pem
$ certtool --generate-privkey --outfile ca-key.pem $ certtool --generate-self-signed --load-privkey ca-key.pem \ --outfile ca-cert.pem
Note that a self-signed certificate usually belongs to a certificate authority, that signs other certificates.
$ certtool --generate-privkey --outfile key.pem
$ certtool --generate-request --load-privkey key.pem \ --outfile request.pem
$ certtool --generate-certificate --load-request request.pem \ --outfile cert.pem \ --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem
$ certtool --certificate-info --infile cert.pem
$ certtool --load-certificate cert.pem --load-privkey key.pem \ --to-p12 --outder --outfile key.p12
$ certtool --generate-privkey > proxy-key.pem $ certtool --generate-proxy --load-ca-privkey key.pem \ --load-privkey proxy-key.pem --load-certificate cert.pem \ --outfile proxy-cert.pem
Certtool's template file format:
$ certtool --generate-certificate cert.pem --load-privkey key.pem \ --template cert.cfg \ --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem
An example certtool template file:
# X.509 Certificate options # # DN options # The organization of the subject. organization = "Koko inc." # The organizational unit of the subject. unit = "sleeping dept." # The locality of the subject. # locality = # The state of the certificate owner. state = "Attiki" # The country of the subject. Two letter code. country = GR # The common name of the certificate owner. cn = "Cindy Lauper" # A user id of the certificate owner. #uid = "clauper" # If the supported DN OIDs are not adequate you can set # any OID here. # For example set the X.520 Title and the X.520 Pseudonym # by using OID and string pairs. #dn_oid = "2.5.4.12" "Dr." "2.5.4.65" "jackal" # This is deprecated and should not be used in new # certificates. # pkcs9_email = "none@none.org" # The serial number of the certificate serial = 007 # In how many days, counting from today, this certificate will expire. expiration_days = 700 # X.509 v3 extensions # A dnsname in case of a WWW server. #dns_name = "www.none.org" # An IP address in case of a server. #ip_address = "192.168.1.1" # An email in case of a person email = "none@none.org" # An URL that has CRLs (certificate revocation lists) # available. Needed in CA certificates. #crl_dist_points = "http://www.getcrl.crl/getcrl/" # Whether this is a CA certificate or not #ca # Whether this certificate will be used for a TLS client #tls_www_client # Whether this certificate will be used for a TLS server #tls_www_server # Whether this certificate will be used to sign data (needed # in TLS DHE ciphersuites). signing_key # Whether this certificate will be used to encrypt data (needed # in TLS RSA ciphersuites). Note that it is prefered to use different # keys for encryption and signing. #encryption_key # Whether this key will be used to sign other certificates. #cert_signing_key # Whether this key will be used to sign CRLs. #crl_signing_key # Whether this key will be used to sign code. #code_signing_key # Whether this key will be used to sign OCSP data. #ocsp_signing_key # Whether this key will be used for time stamping. #time_stamping_key