certtool(1)                 General Commands Manual                 certtool(1)

certtool - Manipulate certificates and keys.

certtool [options]

Generate X.509 certificates, certificate requests, and private keys.

Program control options
    -d, --debug LEVEL
        Specify the debug level. Default is 1.

    -h, --help
        Shows this help text.

    -v, --version
        Shows the program's version.

Getting information on X.509 certificates
    -i, --certificate-info
        Print information on a certificate.

    -k, --key-info
        Print information on a private key.

    -l, --crl-info
        Print information on a CRL.

    --p12-info
        Print information on a PKCS #12 structure.

Getting information on OpenPGP certificates
    --pgp-certificate-info
        Print information on an OpenPGP certificate.

    --pgp-key-info
        Print information on an OpenPGP private key.

    --pgp-ring-info
        Print information on a keyring.

Generating/verifying X.509 certificates/keys
    -c, --generate-certificate
        Generate a signed certificate.

    -e, --verify-chain
        Verify a PEM encoded certificate chain. The last certificate in
        the chain must be a self-signed one.

    --generate-dh-params
        Generate PKCS #3 encoded Diffie-Hellman parameters.

    --load-ca-certificate FILE
        Certificate authority's certificate file to use.

    --load-ca-privkey FILE
        Certificate authority's private key file or PKCS #11 URL to use.

    --load-certificate FILE
        Certificate file to use.

    --load-privkey FILE
        Private key file or PKCS #11 URL to use.

    --load-pubkey FILE
        Public key file or PKCS #11 URL to use.

    --load-request FILE
        Certificate request file to use.

    -p, --generate-privkey
        Generate a private key.

    -q, --generate-request
        Generate a PKCS #10 certificate request.

    -s, --generate-self-signed
        Generate a self-signed certificate.

    -u, --update-certificate
        Update a signed certificate.

Controlling output
    -8, --pkcs8
        Use PKCS #8 format for private keys.

    --pkcs-cipher
        The cipher to use for PKCS encryption. Valid options are
        3des, aes-128, aes-192, aes-256, rc2-40.

    --dsa
        Generate a DSA key.

    --bits BITS
        Specify the number of bits for key generation.

    --export-ciphers
        Use weak encryption algorithms.

    --inraw
        Use RAW/DER format for input certificates and private keys.

    --infile FILE
        Input file.

    --outraw
        Use RAW/DER format for output certificates and private keys.

    --outfile FILE
        Output file.

    --password PASSWORD
        Password to use.

    --to-p12
        Generate a PKCS #12 structure.

    --template
        Use a template file to read input. See doc/certtool.cfg in the
        distribution for an example.

    --fix-key
        Some previous versions of certtool generated the optional
        parameters in a private key incorrectly. This may affect programs
        that used them. To fix an old private key, use --key-info in
        combination with this parameter.

    --v1
        When generating a certificate, use the X.509 version 1 format.
        This does not add any extensions (such as the indication for a CA),
        but some programs do need these.

To create a private key, run:

    $ certtool --generate-privkey --outfile key.pem

To create a certificate request (needed when the certificate is issued
by another party), run:

    $ certtool --generate-request --load-privkey key.pem \
        --outfile request.pem

To create a certificate request using a key stored in a PKCS #11 token,
run:

    $ ./certtool --generate-request --load-privkey "pkcs11:..." \
        --load-pubkey "pkcs11:..." --outfile request.pem

To generate a certificate using the previous request, use the command:

    $ certtool --generate-certificate --load-request request.pem \
        --outfile cert.pem --load-ca-certificate ca-cert.pem \
        --load-ca-privkey ca-key.pem

To generate a certificate using the private key only, use the command:

    $ certtool --generate-certificate --load-privkey key.pem \
        --outfile cert.pem --load-ca-certificate ca-cert.pem \
        --load-ca-privkey ca-key.pem

To view the certificate information, use:

    $ certtool --certificate-info --infile cert.pem

To generate a PKCS #12 structure using the previous key and certificate,
use the command:

    $ certtool --load-certificate cert.pem --load-privkey key.pem \
        --to-p12 --outder --outfile key.p12
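
The commands above chained into one non-interactive run with --template, ending in a --verify-chain check. This is an added example, not part of the original manual page; the template directive names are assumed to follow the doc/certtool.cfg sample the page refers to, and all file names and subject values are constructed.

```shell
#!/bin/sh
# Added example: CA -> server certificate -> chain check, driven by templates.
# Subjects, serials and file names are constructed placeholders.

make_chain() {
    ( cd "$1" || exit 1
      umask 077    # generated private keys stay readable by the owner only

      cat > ca.tmpl <<'EOF'
cn = "Example Test CA"
serial = 1
expiration_days = 60
ca
cert_signing_key
EOF
      cat > server.tmpl <<'EOF'
cn = "server.example.test"
dns_name = "server.example.test"
serial = 2
expiration_days = 30
tls_www_server
signing_key
encryption_key
EOF
      # Self-signed CA: the certificate that must come last in the chain.
      certtool --generate-privkey --outfile ca-key.pem &&
      certtool --generate-self-signed --load-privkey ca-key.pem \
               --template ca.tmpl --outfile ca-cert.pem &&
      # Server key, PKCS #10 request, and certificate issued by the CA.
      certtool --generate-privkey --outfile key.pem &&
      certtool --generate-request --load-privkey key.pem \
               --template server.tmpl --outfile request.pem &&
      certtool --generate-certificate --load-request request.pem \
               --template server.tmpl --outfile cert.pem \
               --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem &&
      # Chain order for --verify-chain: end-entity first, self-signed CA last.
      cat cert.pem ca-cert.pem > chain.pem
    ) >/dev/null 2>&1
}

verify_chain() {
    # Succeeds only if certtool reports the chain verified and nothing failed.
    out=$(certtool --verify-chain --infile "$1" 2>&1) || return 1
    case $out in
        *"Not verified"*) return 1 ;;
        *"output: Verified"*) return 0 ;;
        *) return 1 ;;
    esac
}
```

Call `make_chain DIR` on an empty directory, then `verify_chain DIR/chain.pem`; a chain whose last certificate did not sign the one before it makes `verify_chain` return non-zero.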


Nikos Mavrogiannopoulos <nmav@gnutls.org> and others; see
/usr/share/doc/gnutls-bin/AUTHORS for a complete list.

This manual page was written by Ivo Timmermans <ivo@debian.org>, for
the Debian GNU/Linux system (but may be used by others).

May 23rd 2005                                                       certtool(1)