| [ << ] | [ < ] | [ Up ] | [ > ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
6.5 The certtool application
This is a program to generate X.509 certificates, certificate requests, CRLs and private keys.
Certtool help
Usage: certtool [options]
-s, --generate-self-signed
Generate a self-signed certificate.
-c, --generate-certificate
Generate a signed certificate.
--generate-proxy Generate a proxy certificate.
--generate-crl Generate a CRL.
-u, --update-certificate
Update a signed certificate.
-p, --generate-privkey Generate a private key.
-q, --generate-request Generate a PKCS #10 certificate
request.
-e, --verify-chain Verify a PEM encoded certificate chain.
The last certificate in the chain must
be a self signed one.
--verify Verify a PEM encoded certificate chain.
CA certificates must be loaded with
--load-ca-certificate.
--verify-crl Verify a CRL.
--generate-dh-params Generate PKCS #3 encoded Diffie-Hellman
parameters.
--get-dh-params Get the included PKCS #3 encoded
Diffie-Hellman parameters.
--load-privkey FILE Private key file to use.
--load-pubkey FILE Public key file to use.
--load-request FILE Certificate request file to use.
--load-certificate FILE
Certificate file to use.
--load-ca-privkey FILE Certificate authority's private key
file to use.
--load-ca-certificate FILE
Certificate authority's certificate
file to use.
--password PASSWORD Password to use.
-i, --certificate-info Print information on a certificate.
--certificate-pubkey Print certificate public key.
--pgp-certificate-info Print information on a OpenPGP
certificate.
--pgp-ring-info Print information on a keyring
structure.
-l, --crl-info Print information on a CRL.
--crq-info Print information on a Certificate
Request.
--no-crq-extensions Do not use extensions in certificate
requests.
--p12-info Print information on a PKCS #12
structure.
--p7-info Print information on a PKCS #7
structure.
--smime-to-p7 Convert S/MIME to PKCS #7 structure.
-k, --key-info Print information on a private key.
--pgp-key-info Print information on a OpenPGP private
key.
--pubkey-info Print information on a public key.
--fix-key Regenerate the parameters in a private
key.
--v1 Generate an X.509 version 1 certificate
(no extensions).
--to-p12 Generate a PKCS #12 structure.
--to-p8 Generate a PKCS #8 key structure.
-8, --pkcs8 Use PKCS #8 format for private keys.
--dsa Use DSA keys.
--ecc Use ECC (ECDSA) keys.
--hash STR Hash algorithm to use for signing
(MD5,SHA1,RMD160,SHA256,SHA384,SHA512).
--export-ciphers Use weak encryption algorithms.
--inder Use DER format for input certificates
and private keys.
--inraw Use RAW/DER format for input
certificates and private keys.
--outder Use DER format for output certificates
and private keys.
--outraw Use RAW/DER format for output
certificates and private keys.
--bits BITS specify the number of bits for key
generation.
--sec-param PARAM specify the security level
[low|normal|high|ultra].
--disable-quick-random Use /dev/random for key generationg,
thus increasing the quality of
randomness used.
--outfile FILE Output file.
--infile FILE Input file.
--template FILE Template file to use for non
interactive operation.
--pkcs-cipher CIPHER Cipher to use for pkcs operations
(3des,3des-pkcs12,aes-128,aes-192,aes-25
6,rc2-40,arcfour).
-d, --debug LEVEL specify the debug level. Default is 1.
-h, --help shows this help text
-v, --version shows the program's version
The program can be used interactively or non interactively by
specifying the --template command line option. See below for an
example of a template file.
Diffie-Hellman parameter generation
To generate parameters for Diffie-Hellman key exchange, use the command:
$ certtool --generate-dh-params --outfile dh.pem --sec-param normal
Self-signed certificate generation
To create a self signed certificate, use the command:
$ certtool --generate-privkey --outfile ca-key.pem $ certtool --generate-self-signed --load-privkey ca-key.pem \ --outfile ca-cert.pem
Note that a self-signed certificate usually belongs to a certificate authority, that signs other certificates.
Private key generation
To create a private key (RSA by default), run:
$ certtool --generate-privkey --outfile key.pem
To create a DSA or elliptic curves (ECDSA) private key use the
above command combined with --dsa or --ecc options.
Certificate generation
To generate a certificate using the private key, use the command:
$ certtool --generate-certificate --load-privkey key.pem \ --outfile cert.pem --load-ca-certificate ca-cert.pem \ --load-ca-privkey ca-key.pem
Alternatively you may create a certificate request, which is needed when the certificate will be signed by a third party authority.
$ certtool --generate-request --load-privkey key.pem \ --outfile request.pem
If the private key is stored in a smart card you can generate a request by specifying the private key object URL (see The p11tool application on how to obtain the URL).
$ certtool --generate-request --load-privkey pkcs11:(PRIVKEY URL) \ --load-pubkey pkcs11:(PUBKEY URL) --outfile request.pem
To generate a certificate using the previous request, use the command:
$ certtool --generate-certificate --load-request request.pem \ --outfile cert.pem \ --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem
Certificate information
To view the certificate information, use:
$ certtool --certificate-info --infile cert.pem
PKCS #12 structure generation
To generate a PKCS #12 structure using the previous key and certificate, use the command:
$ certtool --load-certificate cert.pem --load-privkey key.pem \ --to-p12 --outder --outfile key.p12
Some tools (reportedly web browsers) have problems with that file because it does not contain the CA certificate for the certificate. To work around that problem in the tool, you can use the –load-ca-certificate parameter as follows:
$ certtool --load-ca-certificate ca.pem \ --load-certificate cert.pem --load-privkey key.pem \ --to-p12 --outder --outfile key.p12
Proxy certificate generation
Proxy certificate can be used to delegate your credential to a temporary, typically short-lived, certificate. To create one from the previously created certificate, first create a temporary key and then generate a proxy certificate for it, using the commands:
$ certtool --generate-privkey > proxy-key.pem $ certtool --generate-proxy --load-ca-privkey key.pem \ --load-privkey proxy-key.pem --load-certificate cert.pem \ --outfile proxy-cert.pem
Certificate revocation list generation
To create an empty Certificate Revocation List (CRL) do:
$ certtool --generate-crl --load-ca-privkey x509-ca-key.pem \
--load-ca-certificate x509-ca.pem
To create a CRL that contains some revoked certificates, place the
certificates in a file and use --load-certificate as follows:
$ certtool --generate-crl --load-ca-privkey x509-ca-key.pem \ --load-ca-certificate x509-ca.pem --load-certificate revoked-certs.pem
To verify a Certificate Revocation List (CRL) do:
$ certtool --verify-crl --load-ca-certificate x509-ca.pem < crl.pem
Certtool’s template file format:
A template file can be used to avoid the interactive questions of certtool. Initially create a file named ’cert.cfg’ that contains the information about the certificate. The template can be used as below:
$ certtool --generate-certificate cert.pem --load-privkey key.pem \ --template cert.cfg \ --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem
An example certtool template file:
# X.509 Certificate options # # DN options # The organization of the subject. organization = "Koko inc." # The organizational unit of the subject. unit = "sleeping dept." # The locality of the subject. # locality = # The state of the certificate owner. state = "Attiki" # The country of the subject. Two letter code. country = GR # The common name of the certificate owner. cn = "Cindy Lauper" # A user id of the certificate owner. #uid = "clauper" # If the supported DN OIDs are not adequate you can set # any OID here. # For example set the X.520 Title and the X.520 Pseudonym # by using OID and string pairs. #dn_oid = "2.5.4.12" "Dr." "2.5.4.65" "jackal" # This is deprecated and should not be used in new # certificates. # pkcs9_email = "none@none.org" # The serial number of the certificate serial = 007 # In how many days, counting from today, this certificate will expire. expiration_days = 700 # X.509 v3 extensions # A dnsname in case of a WWW server. #dns_name = "www.none.org" #dns_name = "www.morethanone.org" # An IP address in case of a server. #ip_address = "192.168.1.1" # An email in case of a person email = "none@none.org" # An URL that has CRLs (certificate revocation lists) # available. Needed in CA certificates. #crl_dist_points = "http://www.getcrl.crl/getcrl/" # Whether this is a CA certificate or not #ca # Whether this certificate will be used for a TLS client #tls_www_client # Whether this certificate will be used for a TLS server #tls_www_server # Whether this certificate will be used to sign data (needed # in TLS DHE ciphersuites). signing_key # Whether this certificate will be used to encrypt data (needed # in TLS RSA ciphersuites). Note that it is preferred to use different # keys for encryption and signing. #encryption_key # Whether this key will be used to sign other certificates. #cert_signing_key # Whether this key will be used to sign CRLs. #crl_signing_key # Whether this key will be used to sign code. #code_signing_key # Whether this key will be used to sign OCSP data. #ocsp_signing_key # Whether this key will be used for time stamping. #time_stamping_key # Whether this key will be used for IPsec IKE operations. #ipsec_ike_key
| [ << ] | [ < ] | [ Up ] | [ > ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
This document was generated on January 21, 2012 using texi2html 5.0.