certtool(1)                      User Commands                     certtool(1)

NAME

       certtool - GnuTLS certificate tool

SYNOPSIS

       certtool [-flags] [-flag [value]] [--option-name[[=| ]value]]

       All arguments must be options.

DESCRIPTION

       Tool to parse and generate X.509 certificates, requests and private
       keys. It can be used interactively, or non-interactively by specifying
       the template command line option.

       The tool accepts files or supported URIs via the --infile option. If a
       PIN is required for URI access, you can provide it using the
       environment variables GNUTLS_PIN and GNUTLS_SO_PIN.

OPTIONS

       -d number, --debug=number
              Enable debugging. This option takes an integer number as its
              argument. The value of number is constrained to being:
                  in the range 0 through 9999

              Specifies the debug level.

       -V, --verbose
              More verbose output. This option may appear an unlimited number
              of times.

       --infile=file
              Input file.

       --outfile=string
              Output file.

   Certificate related options
       -i, --certificate-info
              Print information on the given certificate.

       --pubkey-info
              Print information on a public key.

              When combined with --load-request, --load-pubkey, --load-privkey
              or --load-certificate, this option extracts the public key of
              the object in question.

       -s, --generate-self-signed
              Generate a self-signed certificate.

       -c, --generate-certificate
              Generate a signed certificate.

       --generate-proxy
              Generates a proxy certificate.

       -u, --update-certificate
              Update a signed certificate.

       --fingerprint
              Print the fingerprint of the given certificate.

              This is a simple hash of the DER encoding of the certificate. It
              can be combined with the --hash parameter. However, for
              identification it is recommended to use the key-id, which
              depends only on the certificate's key.

       --key-id
              Print the key ID of the given certificate.

              This is a hash of the public key of the given certificate. It
              identifies the key uniquely, remains the same on a certificate
              renewal and depends only on signed fields of the certificate.

       --certificate-pubkey
              Print certificate's public key.

              This option is deprecated as a duplicate of --pubkey-info.

              NOTE: THIS OPTION IS DEPRECATED

       --v1   Generate an X.509 version 1 certificate (with no extensions).

       --sign-params=string
              Sign a certificate with a specific signature algorithm.

              This option can be combined with --generate-certificate to sign
              the certificate with a specific signature algorithm variant. The
              only option supported is 'RSA-PSS', and it should be specified
              when the signer does not have a certificate which is marked for
              RSA-PSS use only.

   Certificate request related options
       --crq-info
              Print information on the given certificate request.

       -q, --generate-request
              Generate a PKCS #10 certificate request. This option must not
              appear in combination with any of the following options: infile.

              Will generate a PKCS #10 certificate request. To specify a
              private key use --load-privkey.

       --no-crq-extensions
              Do not use extensions in certificate requests.

   PKCS#12 file related options
       --p12-info
              Print information on a PKCS #12 structure.

              This option will dump the contents and print the metadata of the
              provided PKCS #12 structure.

       --p12-name=string
              The PKCS #12 friendly name to use.

              The name to be used for the primary certificate and private key
              in a PKCS #12 file.

       --to-p12
              Generate a PKCS #12 structure.

              It requires a certificate, a private key and possibly a CA
              certificate to be specified.

   Private key related options
       -k, --key-info
              Print information on a private key.

       --p8-info
              Print information on a PKCS #8 structure.

              This option will print information about encrypted PKCS #8
              structures. It does not require the decryption of the
              structure.

       --to-rsa
              Convert an RSA-PSS key to raw RSA format.

              It requires an RSA-PSS key as input and will output a raw RSA
              key. This command is necessary for compatibility with
              applications that cannot read RSA-PSS keys.

       -p, --generate-privkey
              Generate a private key.

              When generating RSA-PSS private keys, the --hash option will
              restrict the allowed hash for the key; for the same keys the
              --salt-size option is also acceptable.

       --key-type=string
              Specify the key type to use on key generation.

              This option can be combined with --generate-privkey to specify
              the key type to be generated. Valid options are 'rsa',
              'rsa-pss', 'dsa', 'ecdsa', and 'ed25519'. When combined with
              certificate generation it can be used to specify an RSA-PSS
              certificate when an RSA key is given.

       --bits=number
              Specify the number of bits for key generation. This option
              takes an integer number as its argument.

       --curve=string
              Specify the curve used for EC key generation.

              Supported values are secp192r1, secp224r1, secp256r1, secp384r1
              and secp521r1.

       --sec-param=security parameter
              Specify the security level [low, legacy, medium, high, ultra].

              This is an alternative to the bits option.

       --to-p8
              Convert a given key to a PKCS #8 structure.

              This needs to be combined with --load-privkey.

       -8, --pkcs8
              Use PKCS #8 format for private keys.

       --provable
              Generate a private key or parameters from a seed using a
              provable method.

              This will use the FIPS PUB186-4 algorithms (i.e., Shawe-Taylor)
              for provable key generation. When specified, the private keys or
              parameters will be generated from a seed, and can later be
              validated with --verify-provable-privkey to be correctly
              generated from the seed. You may specify --seed or allow GnuTLS
              to generate one (recommended). This option can be combined with
              --generate-privkey or --generate-dh-params.

              This option applies to RSA and DSA keys. For DSA keys the PQG
              parameters are generated using the seed, and for RSA the two
              primes.

       --verify-provable-privkey
              Verify a private key generated from a seed using a provable
              method.

              This will use the FIPS-186-4 algorithms for provable key
              generation. You may specify --seed or use the seed stored in the
              private key structure.

       --seed=string
              When generating a private key use the given hex-encoded seed.

              The seed acts as a security parameter for the private key, and
              thus a seed size which corresponds to the security level of the
              private key should be provided (e.g., 256-bits seed).

   CRL related options
       -l, --crl-info
              Print information on the given CRL structure.

       --generate-crl
              Generate a CRL.

              This option generates a Certificate Revocation List. When
              combined with --load-crl it uses the loaded CRL as the base for
              the generated one (i.e., all revoked certificates in the base
              will be copied to the new CRL). To add new certificates to the
              CRL use --load-certificate.

       --verify-crl
              Verify a Certificate Revocation List using a trusted list. This
              option must appear in combination with the following options:
              load-ca-certificate.

              The trusted certificate list must be loaded with
              --load-ca-certificate.

   Certificate verification related options
       -e, --verify-chain
              Verify a PEM encoded certificate chain.

              Verifies the validity of a certificate chain, that is, an
              ordered set of certificates where each one is the issuer of the
              previous, and the first is the end-certificate to be validated.
              In a proper chain the last certificate is a self-signed one. It
              can be combined with --verify-purpose or --verify-hostname.

       --verify
              Verify a PEM encoded certificate (chain) against a trusted set.

              The trusted certificate list can be loaded with
              --load-ca-certificate. If no certificate list is provided, then
              the system's trusted certificate list is used. Note that during
              verification multiple paths may be explored. On a successful
              verification the successful path will be the last one. It can be
              combined with --verify-purpose or --verify-hostname.

       --verify-hostname=string
              Specify a hostname to be used for certificate chain
              verification.

              This is to be combined with one of the verify certificate
              options.

       --verify-email=string
              Specify an email to be used for certificate chain verification.
              This option must not appear in combination with any of the
              following options: verify-hostname.

              This is to be combined with one of the verify certificate
              options.

       --verify-purpose=string
              Specify a purpose OID to be used for certificate chain
              verification.

              This object identifier restricts the purpose of the certificates
              to be verified. Example purposes are 1.3.6.1.5.5.7.3.1 (TLS
              WWW), 1.3.6.1.5.5.7.3.4 (EMAIL) etc. Note that a CA certificate
              without a purpose set (extended key usage) is valid for any
              purpose.

       --verify-allow-broken
              Allow broken algorithms, such as MD5, for verification.

              This can be combined with --p7-verify, --verify or
              --verify-chain.

   PKCS#7 structure options
       --p7-generate
              Generate a PKCS #7 structure.

              This option generates a PKCS #7 certificate container structure.
              To add certificates in the structure use --load-certificate and
              --load-crl.

       --p7-sign
              Signs using a PKCS #7 structure.

              This option generates a PKCS #7 structure containing a signature
              for the provided data from infile. The data are stored within
              the structure. The signer certificate has to be specified using
              --load-certificate and --load-privkey. The input to
              --load-certificate can be a list of certificates. In case of a
              list, the first certificate is used for signing and the other
              certificates are included in the structure.

       --p7-detached-sign
              Signs using a detached PKCS #7 structure.

              This option generates a PKCS #7 structure containing a signature
              for the provided data from infile. The signer certificate has to
              be specified using --load-certificate and --load-privkey. The
              input to --load-certificate can be a list of certificates. In
              case of a list, the first certificate is used for signing and
              the other certificates are included in the structure.

       --p7-include-cert, --no-p7-include-cert
              The signer's certificate will be included in the cert list.
              The no-p7-include-cert form will disable the option. This
              option is enabled by default.

              This option works with --p7-sign or --p7-detached-sign and will
              include or exclude the signer's certificate in the generated
              signature.

       --p7-time, --no-p7-time
              Will include a timestamp in the PKCS #7 structure. The
              no-p7-time form will disable the option.

              This option will include a timestamp in the generated signature.

       --p7-show-data, --no-p7-show-data
              Will show the embedded data in the PKCS #7 structure. The
              no-p7-show-data form will disable the option.

              This option can be combined with --p7-verify or --p7-info and
              will display the embedded signed data in the PKCS #7 structure.

       --p7-info
              Print information on a PKCS #7 structure.

       --p7-verify
              Verify the provided PKCS #7 structure.

              This option verifies the signed PKCS #7 structure. The
              certificate list to use for verification can be specified with
              --load-ca-certificate. When no certificate list is provided,
              then the system's certificate list is used. Alternatively a
              direct signer can be provided using --load-certificate. A key
              purpose can be enforced with the --verify-purpose option, and
              the --load-data option will utilize detached data.

       --smime-to-p7
              Convert S/MIME to PKCS #7 structure.

   Other options
       --generate-dh-params
              Generate PKCS #3 encoded Diffie-Hellman parameters.

              This will generate random parameters to be used with
              Diffie-Hellman key exchange. The output parameters will be in
              PKCS #3 format. Note that it is recommended to use the
              --get-dh-params option instead.

              NOTE: THIS OPTION IS DEPRECATED

       --get-dh-params
              List the included PKCS #3 encoded Diffie-Hellman parameters.

              Returns stored DH parameters in GnuTLS. The parameters returned
              are defined in RFC7919, and can be considered standard
              parameters for a TLS key exchange. This option is provided for
              old applications which require DH parameters to be specified;
              modern GnuTLS applications should not require them.

       --dh-info
              Print information on PKCS #3 encoded Diffie-Hellman parameters.

       --load-privkey=string
              Loads a private key file.

              This can be either a file or a PKCS #11 URL.

       --load-pubkey=string
              Loads a public key file.

              This can be either a file or a PKCS #11 URL.

       --load-request=string
              Loads a certificate request file.

              This option can be used with a file.

       --load-certificate=string
              Loads a certificate file.

              This option can be used with a file.

       --load-ca-privkey=string
              Loads the certificate authority's private key file.

              This can be either a file or a PKCS #11 URL.

       --load-ca-certificate=string
              Loads the certificate authority's certificate file.

              This can be either a file or a PKCS #11 URL.

       --load-crl=string
              Loads the provided CRL.

              This option can be used with a file.

       --load-data=string
              Loads auxiliary data.

              This option can be used with a file.

       --password=string
              Password to use.

              You can use this option to specify the password on the command
              line instead of reading it from the tty. Note that command line
              arguments are visible to other users on the system. Specifying
              the password as '' is the same as specifying no password.

       --null-password
              Enforce a NULL password.

              This option enforces a NULL password. This is different from the
              empty or no password in schemas like PKCS #8.

       --empty-password
              Enforce an empty password.

              This option enforces an empty password. This is different from
              the NULL or no password in schemas like PKCS #8.

       --hex-numbers
              Print big numbers in a format that is easier to parse.

       --cprint
              In certain operations it prints the information in C-friendly
              format.

              In certain operations it prints the information in C-friendly
              format, suitable for including into C programs.

       --rsa  Generate RSA key.

              When combined with --generate-privkey generates an RSA private
              key.

              NOTE: THIS OPTION IS DEPRECATED

       --dsa  Generate DSA key.

              When combined with --generate-privkey generates a DSA private
              key.

              NOTE: THIS OPTION IS DEPRECATED

       --ecc  Generate ECC (ECDSA) key.

              When combined with --generate-privkey generates an elliptic
              curve private key to be used with ECDSA.

              NOTE: THIS OPTION IS DEPRECATED

       --ecdsa
              This is an alias for the --ecc option.

              NOTE: THIS OPTION IS DEPRECATED

       --hash=string
              Hash algorithm to use for signing.

              Available hash functions are SHA1, RMD160, SHA256, SHA384,
              SHA512, SHA3-224, SHA3-256, SHA3-384, SHA3-512.

       --salt-size=number
              Specify the RSA-PSS key default salt size. This option takes an
              integer number as its argument.

              Typical keys shouldn't set or restrict this option.

       --inder, --no-inder
              Use DER format for input certificates, private keys, and DH
              parameters. The no-inder form will disable the option.

              The input files will be assumed to be in DER or RAW format.
              Unlike PEM input, where some options allow multiple input data
              (e.g. multiple certificates), in DER format a single data
              structure is read.

       --inraw
              This is an alias for the --inder option.

       --outder, --no-outder
              Use DER format for output certificates, private keys, and DH
              parameters. The no-outder form will disable the option.

              The output will be in DER or RAW format.

       --outraw
              This is an alias for the --outder option.

       --disable-quick-random
              No effect.

              NOTE: THIS OPTION IS DEPRECATED

       --template=string
              Template file to use for non-interactive operation.

       --stdout-info
              Print information to stdout instead of stderr.

       --ask-pass
              Enable interaction for entering password when in batch mode.

              This option will enable interaction to enter password when in
              batch mode. That is useful when the template option has been
              specified.

       --pkcs-cipher=cipher
              Cipher to use for PKCS #8 and #12 operations.

              Cipher may be one of 3des, 3des-pkcs12, aes-128, aes-192,
              aes-256, rc2-40, arcfour.

       --provider=string
              Specify the PKCS #11 provider library.

              This will override the default options in
              /etc/gnutls/pkcs11.conf

       --text, --no-text
              Output textual information before PEM-encoded certificates,
              private keys, etc. The no-text form will disable the option.
              This option is enabled by default.

              Output textual information before PEM-encoded data.

       -h, --help
              Display usage information and exit.

       -!, --more-help
              Pass the extended usage information through a pager.

       -v [{v|c|n}], --version [{v|c|n}]
              Output version of program and exit. The default mode is `v', a
              simple version. The `c' mode will print copyright information
              and `n' will print the full copyright notice.

FILES

       Certtool's template file format
       A template file can be used to avoid the interactive questions of
       certtool. Initially create a file named 'cert.cfg' that contains the
       information about the certificate. The template can be used as below:

           $ certtool --generate-certificate --load-privkey key.pem \
               --template cert.cfg --outfile cert.pem \
               --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem

       An example certtool template file that can be used to generate a
       certificate request or a self signed certificate follows.

           # X.509 Certificate options
           #
           # DN options

           # The organization of the subject.
           organization = "Koko inc."

           # The organizational unit of the subject.
           unit = "sleeping dept."

           # The locality of the subject.
           # locality =

           # The state of the certificate owner.
           state = "Attiki"

           # The country of the subject. Two letter code.
           country = GR

           # The common name of the certificate owner.
           cn = "Cindy Lauper"

           # A user id of the certificate owner.
           #uid = "clauper"

           # Set domain components
           #dc = "name"
           #dc = "domain"

           # If the supported DN OIDs are not adequate you can set
           # any OID here.
           # For example set the X.520 Title and the X.520 Pseudonym
           # by using OID and string pairs.
           #dn_oid = "2.5.4.12 Dr."
           #dn_oid = "2.5.4.65 jackal"

           # This is deprecated and should not be used in new
           # certificates.
           # pkcs9_email = "none@none.org"

           # An alternative way to set the certificate's distinguished name directly
           # is with the "dn" option. The attribute names allowed are:
           # C (country), street, O (organization), OU (unit), title, CN (common name),
           # L (locality), ST (state), placeOfBirth, gender, countryOfCitizenship,
           # countryOfResidence, serialNumber, telephoneNumber, surName, initials,
           # generationQualifier, givenName, pseudonym, dnQualifier, postalCode, name,
           # businessCategory, DC, UID, jurisdictionOfIncorporationLocalityName,
           # jurisdictionOfIncorporationStateOrProvinceName,
           # jurisdictionOfIncorporationCountryName, XmppAddr, and numeric OIDs.

           #dn = "cn = Nikos,st = New Something,C=GR,surName=Mavrogiannopoulos,2.5.4.9=Arkadias"

           # The serial number of the certificate
           # The value is in decimal (e.g. 1963) or hex (e.g. 0x07ab).
           # Comment out the field for a random serial number.
           serial = 007

           # In how many days, counting from today, this certificate will expire.
           # Use -1 if there is no expiration date.
           expiration_days = 700

           # Alternatively you may set concrete dates and time. The GNU date string
           # formats are accepted. See:
           # https://www.gnu.org/software/tar/manual/html_node/Date-input-formats.html

           #activation_date = "2004-02-29 16:21:42"
           #expiration_date = "2025-02-29 16:24:41"

           # X.509 v3 extensions

           # A dnsname in case of a WWW server.
           #dns_name = "www.none.org"
           #dns_name = "www.morethanone.org"

           # An othername defined by an OID and a hex encoded string
           #other_name = "1.3.6.1.5.2.2 302ca00d1b0b56414e5245494e2e4f5247a11b3019a006020400000002a10f300d1b047269636b1b0561646d696e"
           #other_name_utf8 = "1.2.4.5.6 A UTF8 string"
           #other_name_octet = "1.2.4.5.6 A string that will be encoded as ASN.1 octet string"

           # Allows writing an XmppAddr Identifier
           #xmpp_name = juliet@im.example.com

           # Names used in PKINIT
           #krb5_principal = user@REALM.COM
           #krb5_principal = HTTP/user@REALM.COM

           # A subject alternative name URI
           #uri = "https://www.example.com"

           # An IP address in case of a server.
           #ip_address = "192.168.1.1"

           # An email in case of a person
           email = "none@none.org"

           # TLS feature (rfc7633) extension. That can be used to indicate mandatory TLS
           # extension features to be provided by the server. In practice this is used
           # to require the Status Request (extid: 5) extension from the server. That is,
           # to require the server holding this certificate to provide a stapled OCSP response.
691           # You can have multiple lines for multiple TLS features.
692
693           # To ask for OCSP status request use:
694           #tls_feature = 5
695
696           # Challenge password used in certificate requests
697           challenge_password = 123456
698
699           # Password when encrypting a private key
700           #password = secret
701
702           # An URL that has CRLs (certificate revocation lists)
703           # available. Needed in CA certificates.
704           #crl_dist_points = "https://www.getcrl.crl/getcrl/"
705
706           # Whether this is a CA certificate or not
707           #ca
708
709           # Subject Unique ID (in hex)
710           #subject_unique_id = 00153224
711
712           # Issuer Unique ID (in hex)
713           #issuer_unique_id = 00153225
714
715           #### Key usage
716
717           # The following key usage flags are used by CAs and end certificates
718
719           # Whether this certificate will be used to sign data (needed
720           # in TLS DHE ciphersuites). This is the digitalSignature flag
721           # in RFC5280 terminology.
722           signing_key
723
724           # Whether this certificate will be used to encrypt data (needed
725           # in TLS RSA ciphersuites). Note that it is preferred to use different
726           # keys for encryption and signing. This is the keyEncipherment flag
727           # in RFC5280 terminology.
728           encryption_key
729
730           # Whether this key will be used to sign other certificates. The
731           # keyCertSign flag in RFC5280 terminology.
732           #cert_signing_key
733
734           # Whether this key will be used to sign CRLs. The
735           # cRLSign flag in RFC5280 terminology.
736           #crl_signing_key
737
738           # The keyAgreement flag of RFC5280. It's purpose is loosely
739           # defined. Not use it unless required by a protocol.
740           #key_agreement
741
742           # The dataEncipherment flag of RFC5280. It's purpose is loosely
743           # defined. Not use it unless required by a protocol.
744           #data_encipherment
745
746           # The nonRepudiation flag of RFC5280. It's purpose is loosely
747           # defined. Not use it unless required by a protocol.
748           #non_repudiation
749
750           #### Extended key usage (key purposes)
751
752           # The following extensions are used in an end certificate
753           # to clarify its purpose. Some CAs also use it to indicate
754           # the types of certificates they are purposed to sign.
755
756
757           # Whether this certificate will be used for a TLS client;
758           # this sets the id-kp-clientAuth (1.3.6.1.5.5.7.3.2) of
759           # extended key usage.
760           #tls_www_client
761
762           # Whether this certificate will be used for a TLS server;
763           # this sets the id-kp-serverAuth (1.3.6.1.5.5.7.3.1) of
764           # extended key usage.
765           #tls_www_server
766
767           # Whether this key will be used to sign code. This sets the
768           # id-kp-codeSigning (1.3.6.1.5.5.7.3.3) of extended key usage
769           # extension.
770           #code_signing_key
771
772           # Whether this key will be used to sign OCSP data. This sets the
773           # id-kp-OCSPSigning (1.3.6.1.5.5.7.3.9) of extended key usage extension.
774           #ocsp_signing_key
775
776           # Whether this key will be used for time stamping. This sets the
777           # id-kp-timeStamping (1.3.6.1.5.5.7.3.8) of extended key usage extension.
778           #time_stamping_key
779
780           # Whether this key will be used for email protection. This sets the
781           # id-kp-emailProtection (1.3.6.1.5.5.7.3.4) of extended key usage extension.
782           #email_protection_key
783
784           # Whether this key will be used for IPsec IKE operations (1.3.6.1.5.5.7.3.17).
785           #ipsec_ike_key
786
787           ## adding custom key purpose OIDs
788
789           # for microsoft smart card logon
790           # key_purpose_oid = 1.3.6.1.4.1.311.20.2.2
791
792           # for email protection
793           # key_purpose_oid = 1.3.6.1.5.5.7.3.4
794
795           # for any purpose (must not be used in intermediate CA certificates)
796           # key_purpose_oid = 2.5.29.37.0
797
798           ### end of key purpose OIDs
799
           ### Adding arbitrary extensions
           # This requires providing the extension OIDs, as well as the extension data in
           # hex format. The following two options are available since GnuTLS 3.5.3.
           #add_extension = "1.2.3.4 0x0AAB01ACFE"

           # As above but encode the data as an octet string
           #add_extension = "1.2.3.4 octet_string(0x0AAB01ACFE)"

           # For portability, critical extensions shouldn't be set on certificates.
           #add_critical_extension = "5.6.7.8 0x1AAB01ACFE"

           # When generating a certificate from a certificate
           # request, honor the extensions stored in the request
           # and store them in the real certificate.
           #honor_crq_extensions

           # Alternatively only specific extensions can be copied.
           #honor_crq_ext = 2.5.29.17
           #honor_crq_ext = 2.5.29.15

           # Path length constraint. Sets the maximum number of
           # certificates that can be used to certify this certificate.
           # (i.e. the certificate chain length)
           #path_len = -1
           #path_len = 2

           # OCSP URI
           # ocsp_uri = https://my.ocsp.server/ocsp

           # CA issuers URI
           # ca_issuers_uri = https://my.ca.issuer

           # Certificate policies
           #policy1 = 1.3.6.1.4.1.5484.1.10.99.1.0
           #policy1_txt = "This is a long policy to summarize"
           #policy1_url = https://www.example.com/a-policy-to-read

           #policy2 = 1.3.6.1.4.1.5484.1.10.99.1.1
           #policy2_txt = "This is a short policy"
           #policy2_url = https://www.example.com/another-policy-to-read

           # The number of additional certificates that may appear in a
           # path before the anyPolicy is no longer acceptable.
           #inhibit_anypolicy_skip_certs 1

           # Name constraints

           # DNS
           #nc_permit_dns = example.com
           #nc_exclude_dns = test.example.com

           # EMAIL
           #nc_permit_email = "nmav@ex.net"

           # Exclude subdomains of example.com
           #nc_exclude_email = .example.com

           # Exclude all e-mail addresses of example.com
           #nc_exclude_email = example.com

           # IP
           #nc_permit_ip = 192.168.0.0/16
           #nc_exclude_ip = 192.168.5.0/24
           #nc_permit_ip = fc0a:eef2:e7e7:a56e::/64


           # Options for proxy certificates
           #proxy_policy_language = 1.3.6.1.5.5.7.21.1


           # Options for generating a CRL

           # The number of days the next CRL update will be due.
           # next CRL update will be in 43 days
           #crl_next_update = 43

           # this is the 5th CRL by this CA
           # The value is in decimal (e.g. 1963) or hex (e.g. 0x07ab).
           # Comment the field for a time-based number.
           # Time-based CRL numbers generated in GnuTLS 3.6.3 and later
           # are significantly larger than those generated in previous
           # versions. Since CRL numbers need to be monotonic, you need
           # to specify the CRL number here manually if you intend to
           # downgrade to an earlier version than 3.6.3 after publishing
           # the CRL as it is not possible to specify CRL numbers greater
           # than 2^63-2 using hex notation in those versions.
           #crl_number = 5

           # Specify the update dates more precisely.
           #crl_this_update_date = "2004-02-29 16:21:42"
           #crl_next_update_date = "2025-02-29 16:24:41"

           # The date on which the certificates will be seen as
           # revoked.
           #crl_revocation_date = "2025-02-29 16:24:41"


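       The template comments above advise against the any-purpose key purpose
       OID on CA certificates and against critical custom extensions, and offer
       honor_crq_ext as a narrower alternative to honor_crq_extensions.  The
       shell functions below are an added example, not part of certtool or
       GnuTLS: they lint a template for those three settings.  The function
       names, finding texts and the sample template are constructed for
       illustration.

```shell
#!/bin/sh
# Added example, not part of certtool: lint a certtool template for
# settings its own comments advise against. All names are hypothetical.

# Print "key value" for each active (uncommented) directive.
active_keys() {
    cat "$@" | sed -e 's/^[[:space:]]*//' -e '/^#/d' -e '/^$/d' \
                   -e 's/[[:space:]]*=[[:space:]]*/ /'
}

# Print one finding per line; return 1 if there is any finding.
lint_template() {
    active_keys "$@" | awk '
        NF >= 2 { gsub(/"/, "", $2) }    # drop quotes around values
        $1 == "ca" { ca = 1 }
        $1 == "key_purpose_oid" && $2 == "2.5.29.37.0" { any = 1 }
        $1 == "add_critical_extension" {
            print "critical extension " $2 " hurts portability"; bad = 1 }
        $1 == "honor_crq_extensions" {
            print "honor_crq_extensions copies every request extension; prefer honor_crq_ext"
            bad = 1 }
        END {
            # Conservative: flags any CA template, not only intermediates.
            if (ca && any) {
                print "any-purpose OID 2.5.29.37.0 on a CA template"; bad = 1 }
            exit bad + 0
        }'
}

# Constructed sample: a CA template that trips all three checks.
constructed_ca_template() {
    cat <<'EOF'
cn = "Example Issuing CA"
ca
cert_signing_key
#tls_www_server
key_purpose_oid = 2.5.29.37.0
add_critical_extension = "5.6.7.8 0x1AAB01ACFE"
honor_crq_extensions
nc_permit_dns = example.com
EOF
}

# Stand-alone run: print the findings for the constructed sample.
constructed_ca_template | lint_template || true
```

       lint_template reads the files named on its command line, or standard
       input when none is given, so it can run before a template is passed to
       certtool.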

EXAMPLES

       Generating private keys
       To create an RSA private key, run:
           $ certtool --generate-privkey --outfile key.pem --rsa

       To create a DSA or elliptic curve (ECDSA) private key, use the above
       command combined with the 'dsa' or 'ecc' options.

       Generating certificate requests
       To create a certificate request (needed when the certificate is issued
       by another party), run:
           $ certtool --generate-request --load-privkey key.pem \
              --outfile request.pem

       If the private key is stored in a smart card you can generate a request
       by specifying the private key object URL.
           $ ./certtool --generate-request --load-privkey "pkcs11:..." \
              --load-pubkey "pkcs11:..." --outfile request.pem


       Generating a self-signed certificate
       To create a self-signed certificate, use the command:
           $ certtool --generate-privkey --outfile ca-key.pem
           $ certtool --generate-self-signed --load-privkey ca-key.pem \
              --outfile ca-cert.pem

       Note that a self-signed certificate usually belongs to a certificate
       authority that signs other certificates.

       Generating a certificate
       To generate a certificate using the previous request, use the command:
           $ certtool --generate-certificate --load-request request.pem \
              --outfile cert.pem --load-ca-certificate ca-cert.pem \
              --load-ca-privkey ca-key.pem

       To generate a certificate using the private key only, use the command:
           $ certtool --generate-certificate --load-privkey key.pem \
              --outfile cert.pem --load-ca-certificate ca-cert.pem \
              --load-ca-privkey ca-key.pem

       Certificate information
       To view the certificate information, use:
           $ certtool --certificate-info --infile cert.pem

       Changing the certificate format
       To convert the certificate from PEM to DER format, use:
           $ certtool --certificate-info --infile cert.pem --outder --outfile cert.der

       PKCS #12 structure generation
       To generate a PKCS #12 structure using the previous key and
       certificate, use the command:
           $ certtool --load-certificate cert.pem --load-privkey key.pem \
              --to-p12 --outder --outfile key.p12

       Some tools (reportedly web browsers) have problems with that file
       because it does not contain the CA certificate for the certificate.  To
       work around that problem in the tool, you can use the
       --load-ca-certificate parameter as follows:

           $ certtool --load-ca-certificate ca.pem \
              --load-certificate cert.pem --load-privkey key.pem \
              --to-p12 --outder --outfile key.p12

       Obtaining Diffie-Hellman parameters
       To obtain the RFC7919 parameters for Diffie-Hellman key exchange, use
       the command:
           $ certtool --get-dh-params --outfile dh.pem --sec-param medium

       Verifying a certificate
       To verify a certificate in a file against the system's CA trust store
       use the following command:
           $ certtool --verify --infile cert.pem

       It is also possible to simulate hostname verification with the
       following options:
           $ certtool --verify --verify-hostname www.example.com --infile cert.pem


       Proxy certificate generation
       A proxy certificate can be used to delegate your credential to a
       temporary, typically short-lived, certificate.  To create one from the
       previously created certificate, first create a temporary key and then
       generate a proxy certificate for it, using the commands:

           $ certtool --generate-privkey > proxy-key.pem
           $ certtool --generate-proxy --load-ca-privkey key.pem \
              --load-privkey proxy-key.pem --load-certificate cert.pem \
              --outfile proxy-cert.pem

       Certificate revocation list generation
       To create an empty Certificate Revocation List (CRL) do:

           $ certtool --generate-crl --load-ca-privkey x509-ca-key.pem \
              --load-ca-certificate x509-ca.pem

       To create a CRL that contains some revoked certificates, place the
       certificates in a file and use --load-certificate as follows:

           $ certtool --generate-crl --load-ca-privkey x509-ca-key.pem \
              --load-ca-certificate x509-ca.pem \
              --load-certificate revoked-certs.pem

       To verify a Certificate Revocation List (CRL) do:

           $ certtool --verify-crl --load-ca-certificate x509-ca.pem < crl.pem


EXIT STATUS

       One of the following exit values will be returned:

       0  (EXIT_SUCCESS)
              Successful program execution.

       1  (EXIT_FAILURE)
              The operation failed or the command syntax was not valid.

       70  (EX_SOFTWARE)
              libopts had an internal operational error.  Please report it to
              autogen-users@lists.sourceforge.net.  Thank you.


SEE ALSO

           p11tool (1), psktool (1), srptool (1)


AUTHORS

       Nikos Mavrogiannopoulos, Simon Josefsson and others; see
       /usr/share/doc/gnutls/AUTHORS for a complete list.

COPYRIGHT

       Copyright (C) 2000-2019 Free Software Foundation, and others all rights
       reserved.  This program is released under the terms of the GNU General
       Public License, version 3 or later.


BUGS

       Please send bug reports to: bugs@gnutls.org


NOTES

       This manual page was AutoGen-erated from the certtool option
       definitions.



3.6.8                             25 May 2019                      certtool(1)