1certtool(1) User Commands certtool(1)
2
6 certtool - GnuTLS certificate tool
7
9 certtool [-flags] [-flag [value]] [--option-name[[=| ]value]]
10 All arguments must be options.
12
14 Tool to parse and generate X.509 certificates, requests and private
15 keys. It can be used interactively or non interactively by specifying
16 the template command line option.
17 The tool accepts files or supported URIs via the --infile option. In
19 case PIN is required for URI access you can provide it using the envi‐
20 ronment variables GNUTLS_PIN and GNUTLS_SO_PIN.
21
24 -d num, --debug=num
25 Enable debugging. This option takes an integer number as its
26 argument. The value of num is constrained to being:
27 in the range 0 through 9999
28 Specifies the debug level.
30 -V, --verbose
32 More verbose output.
33 --infile=file
36 Input file.
37 --outfile=str
40 Output file.
41 --attime=timestamp
44 Perform validation at the timestamp instead of the system time.
45 timestamp is an instance in time encoded as Unix time or in a
47 human
48 readable timestring such as "29 Feb 2004", "2004-02-29". Full
49 documentation available at <https://www.gnu.org/software/core‐
50 utils/manual/html_node/Date-input-formats.html> or locally via
51 info '(coreutils) date invocation'.
52 Certificate related options
54 -i, --certificate-info
55 Print information on the given certificate.
56 --pubkey-info
59 Print information on a public key.
60 The option combined with --load-request, --load-pubkey,
62 --load-privkey and --load-certificate will extract the public
63 key of the object in question.
64 -s, --generate-self-signed
66 Generate a self-signed certificate.
67 -c, --generate-certificate
70 Generate a signed certificate.
71 --generate-proxy
74 Generates a proxy certificate.
75 -u, --update-certificate
78 Update a signed certificate.
79 --fingerprint
82 Print the fingerprint of the given certificate.
83 This is a simple hash of the DER encoding of the certificate. It
85 can be combined with the --hash parameter. However, it is recom‐
86 mended for identification to use the key-id which depends only
87 on the certificate's key.
88 --key-id
90 Print the key ID of the given certificate.
91 This is a hash of the public key of the given certificate. It
93 identifies the key uniquely, remains the same on a certificate
94 renewal and depends only on signed fields of the certificate.
95 --certificate-pubkey
97 Print certificate's public key.
98 This option is deprecated as a duplicate of --pubkey-info
100 NOTE: THIS OPTION IS DEPRECATED
102 --v1 Generate an X.509 version 1 certificate (with no extensions).
104 --sign-params=str
107 Sign a certificate with a specific signature algorithm.
108 This option can be combined with --generate-certificate, to sign
110 the certificate with a specific signature algorithm variant. The
111 only option supported is 'RSA-PSS', and should be specified when
112 the signer does not have a certificate which is marked for
113 RSA-PSS use only.
114 Certificate request related options
116 --crq-info
117 Print information on the given certificate request.
118 -q, --generate-request
121 Generate a PKCS #10 certificate request. This option must not
122 appear in combination with any of the following options: infile.
123 Will generate a PKCS #10 certificate request. To specify a pri‐
125 vate key use --load-privkey.
126 --no-crq-extensions
128 Do not use extensions in certificate requests.
129 PKCS#12 file related options
132 --p12-info
133 Print information on a PKCS #12 structure.
134 This option will dump the contents and print the metadata of the
136 provided PKCS #12 structure.
137 --p12-name=str
139 The PKCS #12 friendly name to use.
140 The name to be used for the primary certificate and private key
142 in a PKCS #12 file.
143 --to-p12
145 Generate a PKCS #12 structure.
146 It requires a certificate, a private key and possibly a CA cer‐
148 tificate to be specified.
149 Private key related options
151 -k, --key-info
152 Print information on a private key.
153 --p8-info
156 Print information on a PKCS #8 structure.
157 This option will print information about encrypted PKCS #8
159 structures. That option does not require the decryption of the
160 structure.
161 --to-rsa
163 Convert an RSA-PSS key to raw RSA format.
164 It requires an RSA-PSS key as input and will output a raw RSA
166 key. This command is necessary for compatibility with applica‐
167 tions that cannot read RSA-PSS keys.
168 -p, --generate-privkey
170 Generate a private key.
171 When generating RSA-PSS private keys, the --hash option will re‐
173 strict the allowed hash for the key; in the same keys the
174 --salt-size option is also acceptable.
175 --key-type=str
177 Specify the key type to use on key generation.
178 This option can be combined with --generate-privkey, to specify
180 the key type to be generated. Valid options are, 'rsa',
181 'rsa-pss', 'dsa', 'ecdsa', 'ed25519, 'ed448', 'x25519', and
182 'x448'.'. When combined with certificate generation it can be
183 used to specify an RSA-PSS certificate when an RSA key is given.
184 --bits=num
186 Specify the number of bits for key generation. This option
187 takes an integer number as its argument.
188 --curve=str
191 Specify the curve used for EC key generation.
192 Supported values are secp192r1, secp224r1, secp256r1, secp384r1
194 and secp521r1.
195 --sec-param=security parameter
197 Specify the security level [low, legacy, medium, high, ultra].
198 This is alternative to the bits option.
200 --to-p8
202 Convert a given key to a PKCS #8 structure.
203 This needs to be combined with --load-privkey.
205 -8, --pkcs8
207 Use PKCS #8 format for private keys.
208 --provable
211 Generate a private key or parameters from a seed using a prov‐
212 able method.
213 This will use the FIPS PUB186-4 algorithms (i.e., Shawe-Taylor)
215 for provable key generation. When specified the private keys or
216 parameters will be generated from a seed, and can be later vali‐
217 dated with --verify-provable-privkey to be correctly generated
218 from the seed. You may specify --seed or allow GnuTLS to gener‐
219 ate one (recommended). This option can be combined with --gener‐
220 ate-privkey or --generate-dh-params.
221 That option applies to RSA and DSA keys. On the DSA keys the PQG
223 parameters are generated using the seed, and on RSA the two
224 primes.
225 --verify-provable-privkey
227 Verify a private key generated from a seed using a provable
228 method.
229 This will use the FIPS-186-4 algorithms for provable key genera‐
231 tion. You may specify --seed or use the seed stored in the pri‐
232 vate key structure.
233 --seed=str
235 When generating a private key use the given hex-encoded seed.
236 The seed acts as a security parameter for the private key, and
238 thus a seed size which corresponds to the security level of the
239 private key should be provided (e.g., 256-bits seed).
240 CRL related options
242 -l, --crl-info
243 Print information on the given CRL structure.
244 --generate-crl
247 Generate a CRL.
248 This option generates a Certificate Revocation List. When com‐
250 bined with --load-crl it would use the loaded CRL as base for
251 the generated (i.e., all revoked certificates in the base will
252 be copied to the new CRL). To add new certificates to the CRL
253 use --load-certificate.
254 --verify-crl
256 Verify a Certificate Revocation List using a trusted list. This
257 option must appear in combination with the following options:
258 load-ca-certificate.
259 The trusted certificate list must be loaded with --load-ca-cer‐
261 tificate.
262 Certificate verification related options
264 -e, --verify-chain
265 Verify a PEM encoded certificate chain.
266 Verifies the validity of a certificate chain. That is, an or‐
268 dered set of certificates where each one is the issuer of the
269 previous, and the first is the end-certificate to be validated.
270 In a proper chain the last certificate is a self signed one. It
271 can be combined with --verify-purpose or --verify-hostname.
272 --verify
274 Verify a PEM encoded certificate (chain) against a trusted set.
275 The trusted certificate list can be loaded with --load-ca-cer‐
277 tificate. If no certificate list is provided, then the system's
278 trusted certificate list is used. Note that during verification
279 multiple paths may be explored. On a successful verification the
280 successful path will be the last one. It can be combined with
281 --verify-purpose or --verify-hostname.
282 --verify-hostname=str
284 Specify a hostname to be used for certificate chain verifica‐
285 tion.
286 This is to be combined with one of the verify certificate op‐
288 tions.
289 --verify-email=str
291 Specify a email to be used for certificate chain verification.
292 This option must not appear in combination with any of the fol‐
293 lowing options: verify-hostname.
294 This is to be combined with one of the verify certificate op‐
296 tions.
297 --verify-purpose=str
299 Specify a purpose OID to be used for certificate chain verifica‐
300 tion.
301 This object identifier restricts the purpose of the certificates
303 to be verified. Example purposes are 1.3.6.1.5.5.7.3.1 (TLS
304 WWW), 1.3.6.1.5.5.7.3.4 (EMAIL) etc. Note that a CA certificate
305 without a purpose set (extended key usage) is valid for any pur‐
306 pose.
307 --verify-allow-broken
309 Allow broken algorithms, such as MD5 for verification.
310 This can be combined with --p7-verify, --verify or --ver‐
312 ify-chain.
313 --verify-profile=str
315 Specify a security level profile to be used for verification.
316 This option can be used to specify a certificate verification
318 profile. Certificate
319 verification profiles correspond to the security level. This
320 should be one of
321 'none', 'very weak', 'low', 'legacy', 'medium', 'high', 'ul‐
322 tra',
323 'future'. Note that by default no profile is applied, unless
324 one is set
325 as minimum in the gnutls configuration file.
326 PKCS#7 structure options
328 --p7-generate
329 Generate a PKCS #7 structure.
330 This option generates a PKCS #7 certificate container structure.
332 To add certificates in the structure use --load-certificate and
333 --load-crl.
334 --p7-sign
336 Signs using a PKCS #7 structure.
337 This option generates a PKCS #7 structure containing a signature
339 for the provided data from infile. The data are stored within
340 the structure. The signer certificate has to be specified using
341 --load-certificate and --load-privkey. The input to --load-cer‐
342 tificate can be a list of certificates. In case of a list, the
343 first certificate is used for signing and the other certificates
344 are included in the structure.
345 --p7-detached-sign
347 Signs using a detached PKCS #7 structure.
348 This option generates a PKCS #7 structure containing a signature
350 for the provided data from infile. The signer certificate has to
351 be specified using --load-certificate and --load-privkey. The
352 input to --load-certificate can be a list of certificates. In
353 case of a list, the first certificate is used for signing and
354 the other certificates are included in the structure.
355 --p7-include-cert, --no-p7-include-cert
357 The signer's certificate will be included in the cert list. The
358 no-p7-include-cert form will disable the option. This option is
359 enabled by default.
360 This options works with --p7-sign or --p7-detached-sign and will
362 include or exclude the signer's certificate into the generated
363 signature.
364 --p7-time, --no-p7-time
366 Will include a timestamp in the PKCS #7 structure. The
367 no-p7-time form will disable the option.
368 This option will include a timestamp in the generated signature
370 --p7-show-data, --no-p7-show-data
372 Will show the embedded data in the PKCS #7 structure. The
373 no-p7-show-data form will disable the option.
374 This option can be combined with --p7-verify or --p7-info and
376 will display the embedded signed data in the PKCS #7 structure.
377 --p7-info
379 Print information on a PKCS #7 structure.
380 --p7-verify
383 Verify the provided PKCS #7 structure.
384 This option verifies the signed PKCS #7 structure. The certifi‐
386 cate list to use for verification can be specified with
387 --load-ca-certificate. When no certificate list is provided,
388 then the system's certificate list is used. Alternatively a di‐
389 rect signer can be provided using --load-certificate. A key pur‐
390 pose can be enforced with the --verify-purpose option, and the
391 --load-data option will utilize detached data.
392 --smime-to-p7
394 Convert S/MIME to PKCS #7 structure.
395 Other options
398 --generate-dh-params
399 Generate PKCS #3 encoded Diffie-Hellman parameters.
400 The will generate random parameters to be used with Diffie-Hell‐
402 man key exchange. The output parameters will be in PKCS #3 for‐
403 mat. Note that it is recommended to use the --get-dh-params op‐
404 tion instead.
405 NOTE: THIS OPTION IS DEPRECATED
407 --get-dh-params
409 List the included PKCS #3 encoded Diffie-Hellman parameters.
410 Returns stored DH parameters in GnuTLS. Those parameters re‐
412 turned are defined in RFC7919, and can be considered standard
413 parameters for a TLS key exchange. This option is provided for
414 old applications which require DH parameters to be specified;
415 modern GnuTLS applications should not require them.
416 --dh-info
418 Print information PKCS #3 encoded Diffie-Hellman parameters.
419 --load-privkey=str
422 Loads a private key file.
423 This can be either a file or a PKCS #11 URL
425 --load-pubkey=str
427 Loads a public key file.
428 This can be either a file or a PKCS #11 URL
430 --load-request=str
432 Loads a certificate request file.
433 This option can be used with a file
435 --load-certificate=str
437 Loads a certificate file.
438 This option can be used with a file
440 --load-ca-privkey=str
442 Loads the certificate authority's private key file.
443 This can be either a file or a PKCS #11 URL
445 --load-ca-certificate=str
447 Loads the certificate authority's certificate file.
448 This can be either a file or a PKCS #11 URL
450 --load-crl=str
452 Loads the provided CRL.
453 This option can be used with a file
455 --load-data=str
457 Loads auxiliary data.
458 This option can be used with a file
460 --password=str
462 Password to use.
463 You can use this option to specify the password in the command
465 line instead of reading it from the tty. Note, that the command
466 line arguments are available for view in others in the system.
467 Specifying password as '' is the same as specifying no password.
468 --null-password
470 Enforce a NULL password.
471 This option enforces a NULL password. This is different than the
473 empty or no password in schemas like PKCS #8.
474 --empty-password
476 Enforce an empty password.
477 This option enforces an empty password. This is different than
479 the NULL or no password in schemas like PKCS #8.
480 --hex-numbers
482 Print big number in an easier format to parse.
483 --cprint
486 In certain operations it prints the information in C-friendly
487 format.
488 In certain operations it prints the information in C-friendly
490 format, suitable for including into C programs.
491 --rsa Generate RSA key.
493 When combined with --generate-privkey generates an RSA private
495 key.
496 NOTE: THIS OPTION IS DEPRECATED
498 --dsa Generate DSA key.
500 When combined with --generate-privkey generates a DSA private
502 key.
503 NOTE: THIS OPTION IS DEPRECATED
505 --ecc Generate ECC (ECDSA) key.
507 When combined with --generate-privkey generates an elliptic
509 curve private key to be used with ECDSA.
510 NOTE: THIS OPTION IS DEPRECATED
512 --ecdsa
514 This is an alias for the --ecc option.
515 NOTE: THIS OPTION IS DEPRECATED
517 --hash=str
519 Hash algorithm to use for signing.
520 Available hash functions are SHA1, RMD160, SHA256, SHA384,
522 SHA512, SHA3-224, SHA3-256, SHA3-384, SHA3-512.
523 --salt-size=num
525 Specify the RSA-PSS key default salt size. This option takes an
526 integer number as its argument.
527 Typical keys shouldn't set or restrict this option.
529 --inder, --no-inder
531 Use DER format for input certificates, private keys, and DH pa‐
532 rameters . The no-inder form will disable the option.
533 The input files will be assumed to be in DER or RAW format. Un‐
535 like options that in PEM input would allow multiple input data
536 (e.g. multiple certificates), when reading in DER format a sin‐
537 gle data structure is read.
538 --inraw
540 This is an alias for the --inder option.
541 --outder, --no-outder
543 Use DER format for output certificates, private keys, and DH pa‐
544 rameters. The no-outder form will disable the option.
545 The output will be in DER or RAW format.
547 --outraw
549 This is an alias for the --outder option.
550 --disable-quick-random
552 No effect.
553 NOTE: THIS OPTION IS DEPRECATED
556 --template=str
558 Template file to use for non-interactive operation.
559 --stdout-info
562 Print information to stdout instead of stderr.
563 --ask-pass
566 Enable interaction for entering password when in batch mode.
567 This option will enable interaction to enter password when in
569 batch mode. That is useful when the template option has been
570 specified.
571 --pkcs-cipher=cipher
573 Cipher to use for PKCS #8 and #12 operations.
574 Cipher may be one of 3des, 3des-pkcs12, aes-128, aes-192,
576 aes-256, rc2-40, arcfour.
577 --provider=str
579 Specify the PKCS #11 provider library.
580 This will override the default options in
582 /etc/gnutls/pkcs11.conf
583 --text, --no-text
585 Output textual information before PEM-encoded certificates, pri‐
586 vate keys, etc. The no-text form will disable the option. This
587 option is enabled by default.
588 Output textual information before PEM-encoded data
590 -v arg, --version=arg
592 Output version of program and exit. The default mode is `v', a
593 simple version. The `c' mode will print copyright information
594 and `n' will print the full copyright notice.
595 -h, --help
597 Display usage information and exit.
598 -!, --more-help
600 Pass the extended usage information through a pager.
601
604 Certtool's template file format
605 A template file can be used to avoid the interactive questions of cert‐
606 tool. Initially create a file named 'cert.cfg' that contains the infor‐
607 mation about the certificate. The template can be used as below:
608 $ certtool --generate-certificate --load-privkey key.pem --template cert.cfg --outfile cert.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem
610 An example certtool template file that can be used to generate a cer‐
612 tificate request or a self signed certificate follows.
613 # X.509 Certificate options
615 #
616 # DN options
617 # The organization of the subject.
619 organization = "Koko inc."
620 # The organizational unit of the subject.
622 unit = "sleeping dept."
623 # The locality of the subject.
625 # locality =
626 # The state of the certificate owner.
628 state = "Attiki"
629 # The country of the subject. Two letter code.
631 country = GR
632 # The common name of the certificate owner.
634 cn = "Cindy Lauper"
635 # A user id of the certificate owner.
637 #uid = "clauper"
638 # Set domain components
640 #dc = "name"
641 #dc = "domain"
642 # If the supported DN OIDs are not adequate you can set
644 # any OID here.
645 # For example set the X.520 Title and the X.520 Pseudonym
646 # by using OID and string pairs.
647 #dn_oid = "2.5.4.12 Dr."
648 #dn_oid = "2.5.4.65 jackal"
649 # This is deprecated and should not be used in new
651 # certificates.
652 # pkcs9_email = "none@none.org"
653 # An alternative way to set the certificate's distinguished name directly
655 # is with the "dn" option. The attribute names allowed are:
656 # C (country), street, O (organization), OU (unit), title, CN (common name),
657 # L (locality), ST (state), placeOfBirth, gender, countryOfCitizenship,
658 # countryOfResidence, serialNumber, telephoneNumber, surName, initials,
659 # generationQualifier, givenName, pseudonym, dnQualifier, postalCode, name,
660 # businessCategory, DC, UID, jurisdictionOfIncorporationLocalityName,
661 # jurisdictionOfIncorporationStateOrProvinceName,
662 # jurisdictionOfIncorporationCountryName, XmppAddr, and numeric OIDs.
663 #dn = "cn = Nikos,st = New Something,C=GR,surName=Mavrogiannopoulos,2.5.4.9=Arkadias"
665 # The serial number of the certificate
667 # The value is in decimal (i.e. 1963) or hex (i.e. 0x07ab).
668 # Comment the field for a random serial number.
669 serial = 007
670 # In how many days, counting from today, this certificate will expire.
672 # Use -1 if there is no expiration date.
673 expiration_days = 700
674 # Alternatively you may set concrete dates and time. The GNU date string
676 # formats are accepted. See:
677 # https://www.gnu.org/software/tar/manual/html_node/Date-input-formats.html
678 #activation_date = "2004-02-29 16:21:42"
680 #expiration_date = "2025-02-29 16:24:41"
681 # X.509 v3 extensions
683 # A dnsname in case of a WWW server.
685 #dns_name = "www.none.org"
686 #dns_name = "www.morethanone.org"
687 # An othername defined by an OID and a hex encoded string
689 #other_name = "1.3.6.1.5.2.2 302ca00d1b0b56414e5245494e2e4f5247a11b3019a006020400000002a10f300d1b047269636b1b0561646d696e"
690 #other_name_utf8 = "1.2.4.5.6 A UTF8 string"
691 #other_name_octet = "1.2.4.5.6 A string that will be encoded as ASN.1 octet string"
692 # Allows writing an XmppAddr Identifier
694 #xmpp_name = juliet@im.example.com
695 # Names used in PKINIT
697 #krb5_principal = user@REALM.COM
698 #krb5_principal = HTTP/user@REALM.COM
699 # A subject alternative name URI
701 #uri = "https://www.example.com"
702 # An IP address in case of a server.
704 #ip_address = "192.168.1.1"
705 # An email in case of a person
707 email = "none@none.org"
708 # TLS feature (rfc7633) extension. That can is used to indicate mandatory TLS
710 # extension features to be provided by the server. In practice this is used
711 # to require the Status Request (extid: 5) extension from the server. That is,
712 # to require the server holding this certificate to provide a stapled OCSP response.
713 # You can have multiple lines for multiple TLS features.
714 # To ask for OCSP status request use:
716 #tls_feature = 5
717 # Challenge password used in certificate requests
719 challenge_password = 123456
720 # Password when encrypting a private key
722 #password = secret
723 # An URL that has CRLs (certificate revocation lists)
725 # available. Needed in CA certificates.
726 #crl_dist_points = "https://www.getcrl.crl/getcrl/"
727 # Whether this is a CA certificate or not
729 #ca
730 # Subject Unique ID (in hex)
732 #subject_unique_id = 00153224
733 # Issuer Unique ID (in hex)
735 #issuer_unique_id = 00153225
736 #### Key usage
738 # The following key usage flags are used by CAs and end certificates
740 # Whether this certificate will be used to sign data (needed
742 # in TLS DHE ciphersuites). This is the digitalSignature flag
743 # in RFC5280 terminology.
744 signing_key
745 # Whether this certificate will be used to encrypt data (needed
747 # in TLS RSA ciphersuites). Note that it is preferred to use different
748 # keys for encryption and signing. This is the keyEncipherment flag
749 # in RFC5280 terminology.
750 encryption_key
751 # Whether this key will be used to sign other certificates. The
753 # keyCertSign flag in RFC5280 terminology.
754 #cert_signing_key
755 # Whether this key will be used to sign CRLs. The
757 # cRLSign flag in RFC5280 terminology.
758 #crl_signing_key
759 # The keyAgreement flag of RFC5280. Its purpose is loosely
761 # defined. Not use it unless required by a protocol.
762 #key_agreement
763 # The dataEncipherment flag of RFC5280. Its purpose is loosely
765 # defined. Not use it unless required by a protocol.
766 #data_encipherment
767 # The nonRepudiation flag of RFC5280. Its purpose is loosely
769 # defined. Not use it unless required by a protocol.
770 #non_repudiation
771 #### Extended key usage (key purposes)
773 # The following extensions are used in an end certificate
775 # to clarify its purpose. Some CAs also use it to indicate
776 # the types of certificates they are purposed to sign.
777 # Whether this certificate will be used for a TLS client;
780 # this sets the id-kp-clientAuth (1.3.6.1.5.5.7.3.2) of
781 # extended key usage.
782 #tls_www_client
783 # Whether this certificate will be used for a TLS server;
785 # this sets the id-kp-serverAuth (1.3.6.1.5.5.7.3.1) of
786 # extended key usage.
787 #tls_www_server
788 # Whether this key will be used to sign code. This sets the
790 # id-kp-codeSigning (1.3.6.1.5.5.7.3.3) of extended key usage
791 # extension.
792 #code_signing_key
793 # Whether this key will be used to sign OCSP data. This sets the
795 # id-kp-OCSPSigning (1.3.6.1.5.5.7.3.9) of extended key usage extension.
796 #ocsp_signing_key
797 # Whether this key will be used for time stamping. This sets the
799 # id-kp-timeStamping (1.3.6.1.5.5.7.3.8) of extended key usage extension.
800 #time_stamping_key
801 # Whether this key will be used for email protection. This sets the
803 # id-kp-emailProtection (1.3.6.1.5.5.7.3.4) of extended key usage extension.
804 #email_protection_key
805 # Whether this key will be used for IPsec IKE operations (1.3.6.1.5.5.7.3.17).
807 #ipsec_ike_key
808 ## adding custom key purpose OIDs
810 # for microsoft smart card logon
812 # key_purpose_oid = 1.3.6.1.4.1.311.20.2.2
813 # for email protection
815 # key_purpose_oid = 1.3.6.1.5.5.7.3.4
816 # for any purpose (must not be used in intermediate CA certificates)
818 # key_purpose_oid = 2.5.29.37.0
819 ### end of key purpose OIDs
821 ### Adding arbitrary extensions
823 # This requires to provide the extension OIDs, as well as the extension data in
824 # hex format. The following two options are available since GnuTLS 3.5.3.
825 #add_extension = "1.2.3.4 0x0AAB01ACFE"
826 # As above but encode the data as an octet string
828 #add_extension = "1.2.3.4 octet_string(0x0AAB01ACFE)"
829 # For portability critical extensions shouldn't be set to certificates.
831 #add_critical_extension = "5.6.7.8 0x1AAB01ACFE"
832 # When generating a certificate from a certificate
834 # request, then honor the extensions stored in the request
835 # and store them in the real certificate.
836 #honor_crq_extensions
837 # Alternatively only specific extensions can be copied.
839 #honor_crq_ext = 2.5.29.17
840 #honor_crq_ext = 2.5.29.15
841 # Path length constraint. Sets the maximum number of
843 # certificates that can be used to certify this certificate.
844 # (i.e. the certificate chain length)
845 #path_len = -1
846 #path_len = 2
847 # OCSP URI
849 # ocsp_uri = https://my.ocsp.server/ocsp
850 # CA issuers URI
852 # ca_issuers_uri = https://my.ca.issuer
853 # Certificate policies
855 #policy1 = 1.3.6.1.4.1.5484.1.10.99.1.0
856 #policy1_txt = "This is a long policy to summarize"
857 #policy1_url = https://www.example.com/a-policy-to-read
858 #policy2 = 1.3.6.1.4.1.5484.1.10.99.1.1
860 #policy2_txt = "This is a short policy"
861 #policy2_url = https://www.example.com/another-policy-to-read
862 # The number of additional certificates that may appear in a
864 # path before the anyPolicy is no longer acceptable.
865 #inhibit_anypolicy_skip_certs 1
866 # Name constraints
868 # DNS
870 #nc_permit_dns = example.com
871 #nc_exclude_dns = test.example.com
872 # EMAIL
874 #nc_permit_email = "nmav@ex.net"
875 # Exclude subdomains of example.com
877 #nc_exclude_email = .example.com
878 # Exclude all e-mail addresses of example.com
880 #nc_exclude_email = example.com
881 # IP
883 #nc_permit_ip = 192.168.0.0/16
884 #nc_exclude_ip = 192.168.5.0/24
885 #nc_permit_ip = fc0a:eef2:e7e7:a56e::/64
886 # Options for proxy certificates
889 #proxy_policy_language = 1.3.6.1.5.5.7.21.1
890 # Options for generating a CRL
893 # The number of days the next CRL update will be due.
895 # next CRL update will be in 43 days
896 #crl_next_update = 43
897 # this is the 5th CRL by this CA
899 # The value is in decimal (i.e. 1963) or hex (i.e. 0x07ab).
900 # Comment the field for a time-based number.
901 # Time-based CRL numbers generated in GnuTLS 3.6.3 and later
902 # are significantly larger than those generated in previous
903 # versions. Since CRL numbers need to be monotonic, you need
904 # to specify the CRL number here manually if you intend to
905 # downgrade to an earlier version than 3.6.3 after publishing
906 # the CRL as it is not possible to specify CRL numbers greater
907 # than 2**63-2 using hex notation in those versions.
908 #crl_number = 5
909 # Specify the update dates more precisely.
911 #crl_this_update_date = "2004-02-29 16:21:42"
912 #crl_next_update_date = "2025-02-29 16:24:41"
913 # The date that the certificates will be made seen as
915 # being revoked.
916 #crl_revocation_date = "2025-02-29 16:24:41"
917
921 Generating private keys
922 To create an RSA private key, run:
923 $ certtool --generate-privkey --outfile key.pem --rsa
924 To create a DSA or elliptic curves (ECDSA) private key use the above
926 command combined with 'dsa' or 'ecc' options.
927 Generating certificate requests
929 To create a certificate request (needed when the certificate is issued
930 by another party), run:
931 certtool --generate-request --load-privkey key.pem --outfile request.pem
932 If the private key is stored in a smart card you can generate a request
934 by specifying the private key object URL.
935 $ ./certtool --generate-request --load-privkey "pkcs11:..." --load-pubkey "pkcs11:..." --outfile request.pem
936 Generating a self-signed certificate
939 To create a self signed certificate, use the command:
940 $ certtool --generate-privkey --outfile ca-key.pem
941 $ certtool --generate-self-signed --load-privkey ca-key.pem --outfile ca-cert.pem
942 Note that a self-signed certificate usually belongs to a certificate
944 authority, that signs other certificates.
945 Generating a certificate
947 To generate a certificate using the previous request, use the command:
948 $ certtool --generate-certificate --load-request request.pem --outfile cert.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem
949 To generate a certificate using the private key only, use the command:
951 $ certtool --generate-certificate --load-privkey key.pem --outfile cert.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem
952 Certificate information
954 To view the certificate information, use:
955 $ certtool --certificate-info --infile cert.pem
956 Changing the certificate format
958 To convert the certificate from PEM to DER format, use:
959 $ certtool --certificate-info --infile cert.pem --outder --outfile cert.der
960 PKCS #12 structure generation
962 To generate a PKCS #12 structure using the previous key and certifi‐
963 cate, use the command:
964 $ certtool --load-certificate cert.pem --load-privkey key.pem --to-p12 --outder --outfile key.p12
965 Some tools (reportedly web browsers) have problems with that file be‐
967 cause it does not contain the CA certificate for the certificate. To
968 work around that problem in the tool, you can use the --load-ca-cer‐
969 tificate parameter as follows:
970 $ certtool --load-ca-certificate ca.pem --load-certificate cert.pem --load-privkey key.pem --to-p12 --outder --outfile key.p12
972 Obtaining Diffie-Hellman parameters
974 To obtain the RFC7919 parameters for Diffie-Hellman key exchange, use
975 the command:
976 $ certtool --get-dh-params --outfile dh.pem --sec-param medium
977 Verifying a certificate
979 To verify a certificate in a file against the system's CA trust store
980 use the following command:
981 $ certtool --verify --infile cert.pem
982 It is also possible to simulate hostname verification with the follow‐
984 ing options:
985 $ certtool --verify --verify-hostname www.example.com --infile cert.pem
986 Proxy certificate generation
989 Proxy certificate can be used to delegate your credential to a tempo‐
990 rary, typically short-lived, certificate. To create one from the pre‐
991 viously created certificate, first create a temporary key and then gen‐
992 erate a proxy certificate for it, using the commands:
993 $ certtool --generate-privkey > proxy-key.pem
995 $ certtool --generate-proxy --load-ca-privkey key.pem --load-privkey proxy-key.pem --load-certificate cert.pem --outfile proxy-cert.pem
996 Certificate revocation list generation
998 To create an empty Certificate Revocation List (CRL) do:
999 $ certtool --generate-crl --load-ca-privkey x509-ca-key.pem --load-ca-certificate x509-ca.pem
1001 To create a CRL that contains some revoked certificates, place the cer‐
1003 tificates in a file and use --load-certificate as follows:
1004 $ certtool --generate-crl --load-ca-privkey x509-ca-key.pem --load-ca-certificate x509-ca.pem --load-certificate revoked-certs.pem
1006 To verify a Certificate Revocation List (CRL) do:
1008 $ certtool --verify-crl --load-ca-certificate x509-ca.pem < crl.pem
1010
1012 One of the following exit values will be returned:
1013 0 (EXIT_SUCCESS)
1015 Successful program execution.
1016 1 (EXIT_FAILURE)
1018 The operation failed or the command syntax was not valid.
1019
1021 p11tool (1), psktool (1), srptool (1)
1022
1025 Copyright (C) 2020-2023 Free Software Foundation, and others all rights
1026 reserved. This program is released under the terms of the GNU General
1027 Public License, version 3 or later
1028
1030 Please send bug reports to: bugs@gnutls.org
10313.8.2 15 Nov 2023 certtool(1)