info gnutls

6.4 The certtool application

This is a program to generate X.509 certificates, certificate requests, CRLs and private keys.

Certtool help
Usage: certtool [options]
     -s, --generate-self-signed 
                              Generate a self-signed certificate.
     -c, --generate-certificate 
                              Generate a signed certificate.
     --generate-proxy         Generate a proxy certificate.
     --generate-crl           Generate a CRL.
     -u, --update-certificate 
                              Update a signed certificate.
     -p, --generate-privkey   Generate a private key.
     -q, --generate-request   Generate a PKCS #10 certificate 
                              request.
     -e, --verify-chain       Verify a PEM encoded certificate chain. 
                              The last certificate in the chain must 
                              be a self signed one.
     --verify                 Verify a PEM encoded certificate chain. 
                              CA certificates must be loaded with 
                              --load-ca-certificate.
     --verify-crl             Verify a CRL.
     --generate-dh-params     Generate PKCS #3 encoded Diffie-Hellman 
                              parameters.
     --get-dh-params          Get the included PKCS #3 encoded 
                              Diffie-Hellman parameters.
     --load-privkey FILE      Private key file to use.
     --load-pubkey FILE       Public key file to use.
     --load-request FILE      Certificate request file to use.
     --load-certificate FILE  
                              Certificate file to use.
     --load-ca-privkey FILE   Certificate authority's private key 
                              file to use.
     --load-ca-certificate FILE  
                              Certificate authority's certificate 
                              file to use.
     --password PASSWORD      Password to use.
     -i, --certificate-info   Print information on a certificate.
     --certificate-pubkey     Print certificate public key.
     --pgp-certificate-info   Print information on an OpenPGP 
                              certificate.
     --pgp-ring-info          Print information on a keyring 
                              structure.
     -l, --crl-info           Print information on a CRL.
     --crq-info               Print information on a Certificate 
                              Request.
     --no-crq-extensions      Do not use extensions in certificate 
                              requests.
     --p12-info               Print information on a PKCS #12 
                              structure.
     --p7-info                Print information on a PKCS #7 
                              structure.
     --smime-to-p7            Convert S/MIME to PKCS #7 structure.
     -k, --key-info           Print information on a private key.
     --pgp-key-info           Print information on an OpenPGP private 
                              key.
     --pubkey-info            Print information on a public key.
     --fix-key                Regenerate the parameters in a private 
                              key.
     --v1                     Generate an X.509 version 1 certificate 
                              (no extensions).
     --to-p12                 Generate a PKCS #12 structure.
     --to-p8                  Generate a PKCS #8 key structure.
     -8, --pkcs8              Use PKCS #8 format for private keys.
     --dsa                    Use DSA keys.
     --ecc                    Use ECC (ECDSA) keys.
     --hash STR               Hash algorithm to use for signing 
                              (MD5,SHA1,RMD160,SHA256,SHA384,SHA512).
     --export-ciphers         Use weak encryption algorithms.
     --inder                  Use DER format for input certificates 
                              and private keys.
     --inraw                  Use RAW/DER format for input 
                              certificates and private keys.
     --outder                 Use DER format for output certificates 
                              and private keys.
     --outraw                 Use RAW/DER format for output 
                              certificates and private keys.
     --bits BITS              specify the number of bits for key 
                              generation.
     --sec-param PARAM        specify the security level 
                              [low|normal|high|ultra].
     --disable-quick-random   Use /dev/random for key generation, 
                              thus increasing the quality of 
                              randomness used.
     --outfile FILE           Output file.
     --infile FILE            Input file.
     --template FILE          Template file to use for non 
                              interactive operation.
     --pkcs-cipher CIPHER     Cipher to use for pkcs operations 
                              (3des,3des-pkcs12,aes-128,aes-192,aes-256,
                              rc2-40,arcfour).
     -d, --debug LEVEL        specify the debug level. Default is 1.
     -h, --help               shows this help text
     -v, --version            shows the program's version

The program can be used interactively, or non-interactively by specifying the --template command line option; with a template no questions are asked, which is what scripts and automated CA operation need. See below for an example of a template file.

Diffie-Hellman parameter generation

To generate parameters for Diffie-Hellman key exchange (the group size is chosen with --bits or --sec-param), use the command:

$ certtool --generate-dh-params --outfile dh.pem

Self-signed certificate generation

To create a self-signed certificate, first generate a private key and then sign a certificate with it:

$ certtool --generate-privkey --outfile ca-key.pem
$ certtool --generate-self-signed --load-privkey ca-key.pem \
   --outfile ca-cert.pem

Note that a self-signed certificate usually belongs to a certificate authority that signs other certificates. Its private key (ca-key.pem above) is the trust anchor for everything the CA issues, so it should be kept far more tightly protected than the end-entity keys it signs.

Private key generation

To create a private key (RSA by default), run:

$ certtool --generate-privkey --outfile key.pem

To create a DSA or elliptic curve (ECDSA) private key, combine the above command with the --dsa or --ecc option. The key size is selected with --bits or, more portably, with --sec-param.

Certificate generation

To generate a certificate using the private key, use the command:

$ certtool --generate-certificate --load-privkey key.pem \
   --outfile cert.pem --load-ca-certificate ca-cert.pem \
   --load-ca-privkey ca-key.pem

Alternatively, you may create a certificate request (PKCS #10), which is needed when the certificate will be signed by a third-party authority. The private key never leaves the requester; only the request is sent to the CA.

$ certtool --generate-request --load-privkey key.pem \
  --outfile request.pem

If the private key is stored in a smart card, you can generate a request by specifying the private key object URL (see The p11tool application on how to obtain the URL):

$ certtool --generate-request --load-privkey pkcs11:(PRIVKEY URL) \
  --load-pubkey pkcs11:(PUBKEY URL) --outfile request.pem

To generate a certificate using the previous request, use the command below. The CA, not the requester, decides the serial number, validity period and extensions of the issued certificate (from its template or interactively); add --no-crq-extensions to ignore any extensions the requester placed in the request, such as a CA flag the requester should not get.

$ certtool --generate-certificate --load-request request.pem \
   --outfile cert.pem \
   --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem

Certificate information

To view the certificate information, use:

$ certtool --certificate-info --infile cert.pem

PKCS #12 structure generation

To generate a PKCS #12 structure using the previous key and certificate, use the command:

$ certtool --load-certificate cert.pem --load-privkey key.pem \
  --to-p12 --outder --outfile key.p12

Some tools (reportedly web browsers) have problems with that file because it does not contain the CA certificate for the certificate. To work around that problem in the tool, you can use the --load-ca-certificate parameter as follows:

$ certtool --load-ca-certificate ca-cert.pem \
  --load-certificate cert.pem --load-privkey key.pem \
  --to-p12 --outder --outfile key.p12

The cipher protecting the PKCS #12 structure is selected with --pkcs-cipher. Prefer aes-256; the 3des, rc2-40 and arcfour choices are listed only for interoperability with old consumers and should not protect a private key you care about.

Proxy certificate generation

A proxy certificate can be used to delegate your credentials to a temporary, typically short-lived, certificate. To create one from the previously created certificate, first create a temporary key and then generate a proxy certificate for it, using the commands:

$ certtool --generate-privkey > proxy-key.pem
$ certtool --generate-proxy --load-ca-privkey key.pem \
  --load-privkey proxy-key.pem --load-certificate cert.pem \
  --outfile proxy-cert.pem

Certificate revocation list generation

To create an empty Certificate Revocation List (CRL), signed with the CA's key and certificate created above, do:

$ certtool --generate-crl --load-ca-privkey ca-key.pem \
           --load-ca-certificate ca-cert.pem --outfile crl.pem

To create a CRL that contains some revoked certificates, place the certificates in a file and use --load-certificate as follows:

$ certtool --generate-crl --load-ca-privkey ca-key.pem \
  --load-ca-certificate ca-cert.pem --load-certificate revoked-certs.pem \
  --outfile crl.pem

To verify a Certificate Revocation List (CRL) do:

$ certtool --verify-crl --load-ca-certificate x509-ca.pem < crl.pem

Certtool’s template file format:

A template file can be used to avoid the interactive questions of certtool. First create a file named 'cert.cfg' that contains the information about the certificate. The template can then be used as below (the output file is given with --outfile; --generate-certificate itself takes no argument):

$ certtool --generate-certificate --outfile cert.pem --load-privkey key.pem \
   --template cert.cfg \
   --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem

An example certtool template file:

# X.509 Certificate options
#
# DN options

# The organization of the subject.
organization = "Koko inc."

# The organizational unit of the subject.
unit = "sleeping dept."

# The locality of the subject.
# locality =

# The state of the certificate owner.
state = "Attiki"

# The country of the subject. Two letter code.
country = GR

# The common name of the certificate owner.
cn = "Cindy Lauper"

# A user id of the certificate owner.
#uid = "clauper"

# If the supported DN OIDs are not adequate you can set
# any OID here.
# For example set the X.520 Title and the X.520 Pseudonym
# by using OID and string pairs.
#dn_oid = "2.5.4.12" "Dr." "2.5.4.65" "jackal"

# This is deprecated and should not be used in new
# certificates.
# pkcs9_email = "none@none.org"

# The serial number of the certificate. It must be unique among
# all certificates issued by the same CA.
serial = 007

# In how many days, counting from today, this certificate will expire.
expiration_days = 700

# X.509 v3 extensions

# A dnsname in case of a WWW server.
#dns_name = "www.none.org"
#dns_name = "www.morethanone.org"

# An IP address in case of a server.
#ip_address = "192.168.1.1"

# An email in case of a person
email = "none@none.org"

# An URL that has CRLs (certificate revocation lists)
# available. Needed in CA certificates.
#crl_dist_points = "http://www.getcrl.crl/getcrl/"

# Whether this is a CA certificate or not
#ca

# Whether this certificate will be used for a TLS client
#tls_www_client

# Whether this certificate will be used for a TLS server
#tls_www_server

# Whether this certificate will be used to sign data (needed
# in TLS DHE ciphersuites).
signing_key

# Whether this certificate will be used to encrypt data (needed
# in TLS RSA ciphersuites). Note that it is preferred to use different
# keys for encryption and signing.
#encryption_key

# Whether this key will be used to sign other certificates.
#cert_signing_key

# Whether this key will be used to sign CRLs.
#crl_signing_key

# Whether this key will be used to sign code.
#code_signing_key

# Whether this key will be used to sign OCSP data.
#ocsp_signing_key

# Whether this key will be used for time stamping.
#time_stamping_key

# Whether this key will be used for IPsec IKE operations.
#ipsec_ike_key
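The sections above show the certtool invocations one at a time. The following script is an added example, not part of the GnuTLS manual or the certtool sources, that strings them together into one non-interactive workflow driven by --template files: a root CA, a server certificate issued from a PKCS #10 request, chain verification, and a CRL that revokes the certificate. The file names, DN values, the hostname www.example.test and the scratch-directory handling are this example's own assumptions; the template keys crl_number and crl_next_update are certtool template keywords that do not appear in the excerpt above, and it is assumed that certtool is installed (the script reports a skip with status 77 when it is not).

```shell
#!/bin/sh
# Added example (not from the GnuTLS manual): a complete, non-interactive
# certtool CA workflow driven by template files. It builds a root CA,
# issues a TLS server certificate from a PKCS #10 request, verifies the
# chain, revokes the certificate into a CRL and verifies the CRL.
# Assumptions: certtool is on PATH; all file names, DN values and the
# hostname below are chosen for this example.
set -u

# CA template: the CA flag and the two signing usages, nothing else.
# Leaving out tls_www_server/encryption_key keeps the CA key from
# doubling as a TLS key (least privilege for the most sensitive key).
ca_template() {
    cat <<'EOF'
organization = "Example Inc."
cn = "Example Inc. Root CA"
serial = 1
expiration_days = 3650
ca
cert_signing_key
crl_signing_key
EOF
}

# Request template: the requester supplies only its subject DN. Which
# extensions the certificate gets is decided by the CA-side template.
request_template() {
    cat <<EOF
organization = "Example Inc."
cn = "$1"
EOF
}

# CA-side issuing template for a TLS server certificate: SAN, lifetime,
# serial and key usage are set here; no "ca" flag, no cert_signing_key.
issue_template() {
    cat <<EOF
cn = "$1"
dns_name = "$1"
serial = 2
expiration_days = 365
tls_www_server
signing_key
encryption_key
EOF
}

# CRL template: a CRL number and the next-update interval (in days), so
# relying parties know when a fresher CRL must be fetched.
crl_template() {
    cat <<'EOF'
crl_number = 1
crl_next_update = 30
EOF
}

# The certtool steps, run inside directory $1. Returns 1 on first failure.
steps() {
    d=$1
    # 1. CA key and self-signed CA certificate.
    certtool --generate-privkey --bits 2048 --outfile "$d/ca-key.pem" 2>/dev/null || return 1
    certtool --generate-self-signed --load-privkey "$d/ca-key.pem" \
        --template "$d/ca.cfg" --outfile "$d/ca-cert.pem" 2>/dev/null || return 1
    # 2. Server key and PKCS #10 request (what a requester would submit).
    certtool --generate-privkey --bits 2048 --outfile "$d/key.pem" 2>/dev/null || return 1
    certtool --generate-request --load-privkey "$d/key.pem" \
        --template "$d/req.cfg" --outfile "$d/request.pem" 2>/dev/null || return 1
    # 3. Issue. --no-crq-extensions discards extensions the requester put
    #    in the request (e.g. a CA flag); only issue.cfg decides them.
    certtool --generate-certificate --load-request "$d/request.pem" --no-crq-extensions \
        --template "$d/issue.cfg" --load-ca-certificate "$d/ca-cert.pem" \
        --load-ca-privkey "$d/ca-key.pem" --outfile "$d/cert.pem" 2>/dev/null || return 1
    # 4a. --verify-chain: leaf first, self-signed root last. This proves the
    #     chain is internally consistent but trusts whatever root is in it.
    cat "$d/cert.pem" "$d/ca-cert.pem" | certtool --verify-chain >/dev/null 2>&1 || return 1
    # 4b. --verify with an explicitly loaded trust anchor is the stronger check.
    certtool --verify --load-ca-certificate "$d/ca-cert.pem" \
        --infile "$d/cert.pem" >/dev/null 2>&1 || return 1
    # 5. Revoke the certificate, verify the CRL against the CA, and confirm
    #    the CRL lists exactly one revoked certificate.
    certtool --generate-crl --load-ca-privkey "$d/ca-key.pem" \
        --load-ca-certificate "$d/ca-cert.pem" --load-certificate "$d/cert.pem" \
        --template "$d/crl.cfg" --outfile "$d/crl.pem" 2>/dev/null || return 1
    certtool --verify-crl --load-ca-certificate "$d/ca-cert.pem" \
        --infile "$d/crl.pem" >/dev/null 2>&1 || return 1
    certtool --crl-info --infile "$d/crl.pem" | grep -q 'Revoked certificates (1)' || return 1
}

# Runs the workflow in a scratch directory. Returns 0 on success,
# 77 when certtool is not installed (skip), 1 on any failure.
run_demo() {
    command -v certtool >/dev/null 2>&1 || { echo "certtool not installed; skipping" >&2; return 77; }
    d=$(mktemp -d) || return 1
    host=www.example.test
    ca_template >"$d/ca.cfg"
    request_template "$host" >"$d/req.cfg"
    issue_template "$host" >"$d/issue.cfg"
    crl_template >"$d/crl.cfg"
    steps "$d"
    rc=$?
    rm -rf "$d"
    [ "$rc" -eq 0 ] && echo "CA, certificate, chain and CRL verified" || echo "workflow failed" >&2
    return $rc
}

run_demo
```

Save the script and run it with `sh`. The design point is the split into three templates: the CA template carries only the CA and signing usages, the requester's template carries only a DN, and the CA-side issuing template decides every extension, lifetime and serial of the leaf; combined with --no-crq-extensions this means a requester cannot obtain privileges (a CA flag, extra names) simply by asking for them in the PKCS #10 request. The two verification commands differ in what they prove: --verify-chain only checks that the chain is self-consistent and ends in a self-signed certificate, whereas --verify checks the leaf against a trust anchor you loaded explicitly.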


This document was generated on January 4, 2012 using texi2html 5.0.
