certtool(1)                 General Commands Manual                certtool(1)

NAME

       certtool - Manipulate certificates and keys.

SYNOPSIS

       certtool [options]

DESCRIPTION

       Generate X.509 certificates, certificate requests, and private keys.

OPTIONS

   Program control options
       -d, --debug LEVEL
              Specify the debug level. Default is 1.

       -h, --help
              Shows this help text.

       -v, --version
              Shows the program's version.

   Getting information on X.509 certificates
       -i, --certificate-info
              Print information on a certificate.

       -k, --key-info
              Print information on a private key.

       -l, --crl-info
              Print information on a CRL.

       --p12-info
              Print information on a PKCS #12 structure.

   Getting information on OpenPGP certificates
       --pgp-certificate-info
              Print information on an OpenPGP certificate.

       --pgp-key-info
              Print information on an OpenPGP private key.

       --pgp-ring-info
              Print information on a keyring.

   Generating/verifying X.509 certificates/keys
       -c, --generate-certificate
              Generate a signed certificate.

       -e, --verify-chain
              Verify a PEM encoded certificate chain. The last certificate in
              the chain must be a self-signed one.

       --generate-dh-params
              Generate PKCS #3 encoded Diffie-Hellman parameters.

       --load-ca-certificate FILE
              Certificate authority's certificate file to use.

       --load-ca-privkey FILE
              Certificate authority's private key file to use.

       --load-certificate FILE
              Certificate file to use.

       --load-privkey FILE
              Private key file to use.

       --load-request FILE
              Certificate request file to use.

       -p, --generate-privkey
              Generate a private key.

       -q, --generate-request
              Generate a PKCS #10 certificate request.

       -s, --generate-self-signed
              Generate a self-signed certificate.

       -u, --update-certificate
              Update a signed certificate.

   Controlling output
       -8, --pkcs8
              Use PKCS #8 format for private keys.

       --dsa  Generate a DSA key.

       --bits BITS
              Specify the number of bits for key generation.

       --export-ciphers
              Use weak encryption algorithms.

       --inraw
              Use RAW/DER format for input certificates and private keys.

       --infile FILE
              Input file.

       --outraw
              Use RAW/DER format for output certificates and private keys.

       --outfile FILE
              Output file.

       --password PASSWORD
              Password to use.

       --to-p12
              Generate a PKCS #12 structure.

       --template
              Use a template file to read input. See doc/certtool.cfg in the
              distribution for an example.

       --fix-key
              Some previous versions of certtool generated the optional
              parameters in a private key incorrectly. This may affect
              programs that used them. To fix an old private key, use
              --key-info in combination with this parameter.

       --v1   When generating a certificate, use the X.509 version 1 format.
              This does not add any extensions (such as indication for a CA)
              but some programs do need these.

EXAMPLES

       To create a private key, run:

              $ certtool --generate-privkey --outfile key.pem

       To create a certificate request (needed when the certificate is issued
       by another party), run:

              $ certtool --generate-request --load-privkey key.pem \
                 --outfile request.pem

       To generate a certificate using the previous request, use the command:

              $ certtool --generate-certificate --load-request request.pem \
                 --outfile cert.pem --load-ca-certificate ca-cert.pem \
                 --load-ca-privkey ca-key.pem

       To generate a certificate using the private key only, use the command:

              $ certtool --generate-certificate --load-privkey key.pem \
                 --outfile cert.pem --load-ca-certificate ca-cert.pem \
                 --load-ca-privkey ca-key.pem

       To view the certificate information, use:

              $ certtool --certificate-info --infile cert.pem

       To generate a PKCS #12 structure using the previous key and
       certificate, use the command:

              $ certtool --load-certificate cert.pem --load-privkey key.pem \
                 --to-p12 --outder --outfile key.p12
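
       The commands above, chained into a non-interactive run that also
       exercises --template and --verify-chain. This is an added example,
       not part of the original manual page; the file names and the template
       keys (cn, ca, cert_signing_key, tls_www_server, signing_key,
       encryption_key, expiration_days) are assumptions about the installed
       certtool's template format.

```shell
#!/bin/sh
# Added example (not from the manual page). Directory and file names are
# illustrative; the template keys are assumed to be accepted by the
# installed certtool.

# Write the two template files read by --template, so certtool does not prompt.
write_templates() {
    dir=$1
    ( umask 077                      # new files are readable by the owner only
      mkdir -p "$dir" || exit 1
      printf '%s\n' 'cn = "Example Test CA"' 'ca' 'cert_signing_key' \
          'expiration_days = 365' > "$dir/ca.cfg"
      printf '%s\n' 'cn = "server.example.test"' 'tls_www_server' \
          'signing_key' 'encryption_key' 'expiration_days = 90' \
          > "$dir/server.cfg"
    )
}

# Create a CA, issue a server certificate from a request, verify the chain.
# Returns the exit status of the last certtool step; output is discarded.
build_chain() {
    dir=$1
    write_templates "$dir" || return 1
    ( umask 077                      # private keys must not be group/world readable
      cd "$dir" || exit 1
      certtool --generate-privkey --outfile ca-key.pem &&
      certtool --generate-self-signed --load-privkey ca-key.pem \
          --template ca.cfg --outfile ca-cert.pem &&
      certtool --generate-privkey --outfile key.pem &&
      certtool --generate-request --load-privkey key.pem \
          --template server.cfg --outfile request.pem &&
      certtool --generate-certificate --load-request request.pem \
          --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem \
          --template server.cfg --outfile cert.pem &&
      # --verify-chain expects the self-signed certificate last in the file.
      cat cert.pem ca-cert.pem > chain.pem &&
      certtool --verify-chain --infile chain.pem
    ) >/dev/null 2>&1
}
```

       Call build_chain with a scratch directory, for example
       build_chain ./pki, and check its exit status.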

AUTHOR

       Nikos Mavroyanopoulos <nmav@gnutls.org> and others; see
       /usr/share/doc/gnutls-bin/AUTHORS for a complete list.

       This manual page was written by Ivo Timmermans <ivo@debian.org>, for
       the Debian GNU/Linux system (but may be used by others).

                                 May 23rd 2005                     certtool(1)