certtool(1)                      User Commands                     certtool(1)

NAME
    certtool - GnuTLS certificate tool

SYNOPSIS
    certtool [-flags] [-flag [value]] [--option-name[[=| ]value]]

    All arguments must be options.

DESCRIPTION
    Tool to parse and generate X.509 certificates, requests and private
    keys. It can be used interactively or non-interactively by specifying
    the template command line option.

    The tool accepts files or URLs supported by GnuTLS. In case a PIN is
    required for the URL access you can provide it using the environment
    variables GNUTLS_PIN and GNUTLS_SO_PIN.

OPTIONS
    -d number, --debug=number
        Enable debugging. This option takes an integer number as its
        argument. The value of number is constrained to being:
        in the range 0 through 9999

        Specifies the debug level.

    -V, --verbose
        More verbose output. This option may appear an unlimited number
        of times.

    --infile=file
        Input file.

    --outfile=string
        Output file.

    -s, --generate-self-signed
        Generate a self-signed certificate.

    -c, --generate-certificate
        Generate a signed certificate.

    --generate-proxy
        Generates a proxy certificate.

    --generate-crl
        Generate a CRL.

    -u, --update-certificate
        Update a signed certificate.

    -p, --generate-privkey
        Generate a private key.

    -q, --generate-request
        Generate a PKCS #10 certificate request. This option must not
        appear in combination with any of the following options: infile.

        Will generate a PKCS #10 certificate request. To specify a
        private key use --load-privkey.

    -e, --verify-chain
        Verify a PEM encoded certificate chain.

        The last certificate in the chain must be a self-signed one.

    --verify
        Verify a PEM encoded certificate chain using a trusted list.

        The trusted certificate list can be loaded with
        --load-ca-certificate. If no certificate list is provided, then
        the system's certificate list is used.

    --verify-crl
        Verify a CRL using a trusted list. This option must appear in
        combination with the following options: load-ca-certificate.

        The trusted certificate list must be loaded with
        --load-ca-certificate.

    --generate-dh-params
        Generate PKCS #3 encoded Diffie-Hellman parameters.

    --get-dh-params
        Get the included PKCS #3 encoded Diffie-Hellman parameters.

        Returns the DH parameters stored in GnuTLS. Those parameters are
        used in the SRP protocol. The parameters returned by fresh
        generation are more efficient since GnuTLS 3.0.9.

    --dh-info
        Print information on PKCS #3 encoded Diffie-Hellman parameters.

    --load-privkey=string
        Loads a private key file.

        This can be either a file or a PKCS #11 URL.

    --load-pubkey=string
        Loads a public key file.

        This can be either a file or a PKCS #11 URL.

    --load-request=string
        Loads a certificate request file.

        This option can be used with a file.

    --load-certificate=string
        Loads a certificate file.

        This option can be used with a file.

    --load-ca-privkey=string
        Loads the certificate authority's private key file.

        This can be either a file or a PKCS #11 URL.

    --load-ca-certificate=string
        Loads the certificate authority's certificate file.

        This option can be used with a file.

    --password=string
        Password to use.

        You can use this option to specify the password on the command
        line instead of reading it from the tty. Note that command line
        arguments are visible to other users on the system. Specifying
        the password as '' is the same as specifying no password.

    --null-password
        Enforce a NULL password.

        This option enforces a NULL password. This is different from the
        empty or no password in schemas like PKCS #8.

    --empty-password
        Enforce an empty password.

        This option enforces an empty password. This is different from
        the NULL or no password in schemas like PKCS #8.

    --hex-numbers
        Print big numbers in a format that is easier to parse.

    --cprint
        In certain operations it prints the information in a C-friendly
        format, suitable for including into C programs.

    -i, --certificate-info
        Print information on the given certificate.

    --certificate-pubkey
        Print the certificate's public key.

    --pgp-certificate-info
        Print information on the given OpenPGP certificate.

    --pgp-ring-info
        Print information on the given OpenPGP keyring structure.

    -l, --crl-info
        Print information on the given CRL structure.

    --crq-info
        Print information on the given certificate request.

    --no-crq-extensions
        Do not use extensions in certificate requests.

    --p12-info
        Print information on a PKCS #12 structure.

    --p12-name=string
        The PKCS #12 friendly name to use.

        The name to be used for the primary certificate and private key
        in a PKCS #12 file.

    --p7-info
        Print information on a PKCS #7 structure.

    --smime-to-p7
        Convert S/MIME to a PKCS #7 structure.

    -k, --key-info
        Print information on a private key.

    --pgp-key-info
        Print information on an OpenPGP private key.

    --pubkey-info
        Print information on a public key.

        This option combined with --load-request, --load-pubkey,
        --load-privkey or --load-certificate will extract the public key
        of the object in question.

    --v1
        Generate an X.509 version 1 certificate (with no extensions).

    --to-p12
        Generate a PKCS #12 structure. This option must appear in
        combination with the following options: load-certificate.

        It requires a certificate, a private key and possibly a CA
        certificate to be specified.

    --to-p8
        Generate a PKCS #8 structure.

    -8, --pkcs8
        Use PKCS #8 format for private keys.

    --rsa
        Generate an RSA key.

        When combined with --generate-privkey generates an RSA private
        key.

    --dsa
        Generate a DSA key.

        When combined with --generate-privkey generates a DSA private
        key.

    --ecc
        Generate an ECC (ECDSA) key.

        When combined with --generate-privkey generates an elliptic
        curve private key to be used with ECDSA.

    --ecdsa
        This is an alias for the --ecc option.

    --hash=string
        Hash algorithm to use for signing.

        Available hash functions are SHA1, RMD160, SHA256, SHA384,
        SHA512.

    --inder, --no-inder
        Use DER format for input certificates, private keys, and DH
        parameters. The no-inder form will disable the option.

        The input files will be assumed to be in DER or RAW format.
        Unlike PEM input, which allows multiple data items in one file
        (e.g. multiple certificates), reading in DER format reads a
        single data structure.

    --inraw
        This is an alias for the --inder option.

    --outder, --no-outder
        Use DER format for output certificates, private keys, and DH
        parameters. The no-outder form will disable the option.

        The output will be in DER or RAW format.

    --outraw
        This is an alias for the --outder option.

    --bits=number
        Specify the number of bits for key generation. This option takes
        an integer number as its argument.

    --curve=string
        Specify the curve used for EC key generation.

        Supported values are secp192r1, secp224r1, secp256r1, secp384r1
        and secp521r1.

    --sec-param=security parameter
        Specify the security level [low, legacy, medium, high, ultra].

        This is an alternative to the bits option.

    --disable-quick-random
        No effect.

    --template=string
        Template file to use for non-interactive operation.

    --stdout-info
        Print information to stdout instead of stderr.

    --ask-pass
        Enable interaction for entering the password when in batch mode.

        This option will enable interaction to enter the password when
        in batch mode. That is useful when the template option has been
        specified.

    --pkcs-cipher=cipher
        Cipher to use for PKCS #8 and #12 operations.

        Cipher may be one of 3des, 3des-pkcs12, aes-128, aes-192,
        aes-256, rc2-40, arcfour.

    --provider=string
        Specify the PKCS #11 provider library.

        This will override the default options in
        /etc/gnutls/pkcs11.conf

    -h, --help
        Display usage information and exit.

    -!, --more-help
        Pass the extended usage information through a pager.

    -v [{v|c|n}], --version [{v|c|n}]
        Output version of program and exit. The default mode is `v', a
        simple version. The `c' mode will print copyright information
        and `n' will print the full copyright notice.

FILES
   Certtool's template file format
    A template file can be used to avoid the interactive questions of
    certtool. Initially create a file named 'cert.cfg' that contains the
    information about the certificate. The template can be used as below:

        $ certtool --generate-certificate --load-privkey key.pem --template cert.cfg --outfile cert.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem

    An example certtool template file that can be used to generate a
    certificate request or a self-signed certificate follows.

        # X.509 Certificate options
        #
        # DN options

        # The organization of the subject.
        organization = "Koko inc."

        # The organizational unit of the subject.
        unit = "sleeping dept."

        # The locality of the subject.
        # locality =

        # The state of the certificate owner.
        state = "Attiki"

        # The country of the subject. Two letter code.
        country = GR

        # The common name of the certificate owner.
        cn = "Cindy Lauper"

        # A user id of the certificate owner.
        #uid = "clauper"

        # Set domain components
        #dc = "name"
        #dc = "domain"

        # If the supported DN OIDs are not adequate you can set
        # any OID here.
        # For example set the X.520 Title and the X.520 Pseudonym
        # by using OID and string pairs.
        #dn_oid = 2.5.4.12 Dr.
        #dn_oid = 2.5.4.65 jackal

        # This is deprecated and should not be used in new
        # certificates.
        # pkcs9_email = "none@none.org"

        # An alternative way to set the certificate's distinguished name directly
        # is with the "dn" option. The attribute names allowed are:
        # C (country), street, O (organization), OU (unit), title, CN (common name),
        # L (locality), ST (state), placeOfBirth, gender, countryOfCitizenship,
        # countryOfResidence, serialNumber, telephoneNumber, surName, initials,
        # generationQualifier, givenName, pseudonym, dnQualifier, postalCode, name,
        # businessCategory, DC, UID, jurisdictionOfIncorporationLocalityName,
        # jurisdictionOfIncorporationStateOrProvinceName,
        # jurisdictionOfIncorporationCountryName, XmppAddr, and numeric OIDs.

        #dn = "cn=Nik,st=Attiki,C=GR,surName=Mavrogiannopoulos,2.5.4.9=Arkadias"

        # The serial number of the certificate
        # Comment the field for a time-based serial number.
        serial = 007

        # In how many days, counting from today, this certificate will expire.
        # Use -1 if there is no expiration date.
        expiration_days = 700

        # Alternatively you may set concrete dates and time. The GNU date string
        # formats are accepted. See:
        # http://www.gnu.org/software/tar/manual/html_node/Date-input-formats.html

        #activation_date = "2004-02-29 16:21:42"
        #expiration_date = "2025-02-29 16:24:41"

        # X.509 v3 extensions

        # A dnsname in case of a WWW server.
        #dns_name = "www.none.org"
        #dns_name = "www.morethanone.org"

        # A subject alternative name URI
        #uri = "http://www.example.com"

        # An IP address in case of a server.
        #ip_address = "192.168.1.1"

        # An email in case of a person
        email = "none@none.org"

        # Challenge password used in certificate requests
        challenge_password = 123456

        # Password when encrypting a private key
        #password = secret

        # A URL that has CRLs (certificate revocation lists)
        # available. Needed in CA certificates.
        #crl_dist_points = "http://www.getcrl.crl/getcrl/"

        # Whether this is a CA certificate or not
        #ca

        # Subject Unique ID (in hex)
        #subject_unique_id = 00153224

        # Issuer Unique ID (in hex)
        #issuer_unique_id = 00153225

        # for microsoft smart card logon
        # key_purpose_oid = 1.3.6.1.4.1.311.20.2.2

        ### Other predefined key purpose OIDs

        # Whether this certificate will be used for a TLS client
        #tls_www_client

        # Whether this certificate will be used for a TLS server
        #tls_www_server

        # Whether this certificate will be used to sign data (needed
        # in TLS DHE ciphersuites).
        signing_key

        # Whether this certificate will be used to encrypt data (needed
        # in TLS RSA ciphersuites). Note that it is preferred to use different
        # keys for encryption and signing.
        encryption_key

        # Whether this key will be used to sign other certificates.
        #cert_signing_key

        # Whether this key will be used to sign CRLs.
        #crl_signing_key

        # Whether this key will be used to sign code.
        #code_signing_key

        # Whether this key will be used to sign OCSP data.
        #ocsp_signing_key

        # Whether this key will be used for time stamping.
        #time_stamping_key

        # Whether this key will be used for IPsec IKE operations.
        #ipsec_ike_key

        ### end of key purpose OIDs

        # When generating a certificate from a certificate
        # request, then honor the extensions stored in the request
        # and store them in the real certificate.
        #honor_crq_extensions

        # Path length constraint. Sets the maximum number of
        # certificates that can be used to certify this certificate.
        # (i.e. the certificate chain length)
        #path_len = -1
        #path_len = 2

        # OCSP URI
        # ocsp_uri = http://my.ocsp.server/ocsp

        # CA issuers URI
        # ca_issuers_uri = http://my.ca.issuer

        # Certificate policies
        #policy1 = 1.3.6.1.4.1.5484.1.10.99.1.0
        #policy1_txt = "This is a long policy to summarize"
        #policy1_url = http://www.example.com/a-policy-to-read

        #policy2 = 1.3.6.1.4.1.5484.1.10.99.1.1
        #policy2_txt = "This is a short policy"
        #policy2_url = http://www.example.com/another-policy-to-read

        # Name constraints

        # DNS
        #nc_permit_dns = example.com
        #nc_exclude_dns = test.example.com

        # EMAIL
        #nc_permit_email = "nmav@ex.net"

        # Exclude subdomains of example.com
        #nc_exclude_email = .example.com

        # Exclude all e-mail addresses of example.com
        #nc_exclude_email = example.com


        # Options for proxy certificates
        #proxy_policy_language = 1.3.6.1.5.5.7.21.1


        # Options for generating a CRL

        # The number of days the next CRL update will be due.
        # next CRL update will be in 43 days
        #crl_next_update = 43

        # this is the 5th CRL by this CA
        # Comment the field for a time-based number.
        #crl_number = 5


EXAMPLES
   Generating private keys
    To create an RSA private key, run:
        $ certtool --generate-privkey --outfile key.pem --rsa

    To create a DSA or elliptic curve (ECDSA) private key use the above
    command combined with the 'dsa' or 'ecc' options.

   Generating certificate requests
    To create a certificate request (needed when the certificate is issued
    by another party), run:
        $ certtool --generate-request --load-privkey key.pem --outfile request.pem

    If the private key is stored in a smart card you can generate a request
    by specifying the private key object URL.
        $ certtool --generate-request --load-privkey "pkcs11:..." --load-pubkey "pkcs11:..." --outfile request.pem

   Generating a self-signed certificate
    To create a self-signed certificate, use the command:
        $ certtool --generate-privkey --outfile ca-key.pem
        $ certtool --generate-self-signed --load-privkey ca-key.pem --outfile ca-cert.pem

    Note that a self-signed certificate usually belongs to a certificate
    authority, which signs other certificates.

   Generating a certificate
    To generate a certificate using the previous request, use the command:
        $ certtool --generate-certificate --load-request request.pem --outfile cert.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem

    To generate a certificate using the private key only, use the command:
        $ certtool --generate-certificate --load-privkey key.pem --outfile cert.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem

   Certificate information
    To view the certificate information, use:
        $ certtool --certificate-info --infile cert.pem

   PKCS #12 structure generation
    To generate a PKCS #12 structure using the previous key and
    certificate, use the command:
        $ certtool --load-certificate cert.pem --load-privkey key.pem --to-p12 --outder --outfile key.p12

    Some tools (reportedly web browsers) have problems with that file
    because it does not contain the CA certificate for the certificate. To
    work around that problem in the tool, you can use the
    --load-ca-certificate parameter as follows:

        $ certtool --load-ca-certificate ca.pem --load-certificate cert.pem --load-privkey key.pem --to-p12 --outder --outfile key.p12

   Diffie-Hellman parameter generation
    To generate parameters for Diffie-Hellman key exchange, use the
    command:
        $ certtool --generate-dh-params --outfile dh.pem --sec-param medium

   Proxy certificate generation
    A proxy certificate can be used to delegate your credential to a
    temporary, typically short-lived, certificate. To create one from the
    previously created certificate, first create a temporary key and then
    generate a proxy certificate for it, using the commands:

        $ certtool --generate-privkey > proxy-key.pem
        $ certtool --generate-proxy --load-ca-privkey key.pem --load-privkey proxy-key.pem --load-certificate cert.pem --outfile proxy-cert.pem

   Certificate revocation list generation
    To create an empty Certificate Revocation List (CRL) do:

        $ certtool --generate-crl --load-ca-privkey x509-ca-key.pem --load-ca-certificate x509-ca.pem

    To create a CRL that contains some revoked certificates, place the
    certificates in a file and use --load-certificate as follows:

        $ certtool --generate-crl --load-ca-privkey x509-ca-key.pem --load-ca-certificate x509-ca.pem --load-certificate revoked-certs.pem

    To verify a Certificate Revocation List (CRL) do:

        $ certtool --verify-crl --load-ca-certificate x509-ca.pem < crl.pem
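    The steps above combined into one non-interactive script, as an added
    example that is not part of this manual: two small templates in the
    format of the FILES section drive CA creation, server certificate
    issuance, a chain check and a CRL, so nothing prompts on the tty. The
    function names, file names and template values are constructed for
    the example.

```shell
# Added example, not part of the certtool manual: drives the commands above
# from template files so the whole flow runs non-interactively.
set -eu

# CA template: the ca flag plus the key purposes a CA needs. Values constructed.
write_ca_template() {  # $1 = output path, $2 = CA common name
    cat > "$1" <<EOF
cn = "$2"
expiration_days = 3650
ca
cert_signing_key
crl_signing_key
crl_next_update = 30
EOF
}

# TLS server template: the SAN clients check, server purposes only and no ca
# flag, so the leaf cannot issue further certificates.
write_server_template() {  # $1 = output path, $2 = DNS name
    cat > "$1" <<EOF
cn = "$2"
dns_name = "$2"
expiration_days = 365
tls_www_server
signing_key
encryption_key
EOF
}

# Builds the CA, a server certificate, the chain and a CRL under $1 for host $2.
# Needs certtool on PATH; any failing step aborts the script via set -e.
build_pki() {
    dir=$1; host=$2
    mkdir -p "$dir"
    write_ca_template "$dir/ca.cfg" "Example Test CA"
    write_server_template "$dir/server.cfg" "$host"
    certtool --generate-privkey --ecc --outfile "$dir/ca-key.pem"
    certtool --generate-self-signed --load-privkey "$dir/ca-key.pem" \
        --template "$dir/ca.cfg" --outfile "$dir/ca-cert.pem"
    certtool --generate-privkey --ecc --outfile "$dir/server-key.pem"
    certtool --generate-request --load-privkey "$dir/server-key.pem" \
        --template "$dir/server.cfg" --outfile "$dir/server.csr"
    certtool --generate-certificate --load-request "$dir/server.csr" \
        --load-ca-certificate "$dir/ca-cert.pem" \
        --load-ca-privkey "$dir/ca-key.pem" \
        --template "$dir/server.cfg" --outfile "$dir/server-cert.pem"
    # Chain order for --verify-chain: leaf first, self-signed CA last.
    cat "$dir/server-cert.pem" "$dir/ca-cert.pem" > "$dir/chain.pem"
    certtool --verify-chain --infile "$dir/chain.pem"
    # Revoke the server certificate, then verify the CRL against the CA.
    certtool --generate-crl --load-ca-privkey "$dir/ca-key.pem" \
        --load-ca-certificate "$dir/ca-cert.pem" \
        --load-certificate "$dir/server-cert.pem" \
        --template "$dir/ca.cfg" --outfile "$dir/crl.pem"
    certtool --verify-crl --load-ca-certificate "$dir/ca-cert.pem" \
        < "$dir/crl.pem"
}
```

    Run it as `build_pki ./test-pki www.example.test`; the serial numbers
    are left unset in both templates so certtool assigns time-based ones.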

EXIT STATUS
    One of the following exit values will be returned:

    0 (EXIT_SUCCESS)
        Successful program execution.

    1 (EXIT_FAILURE)
        The operation failed or the command syntax was not valid.

    70 (EX_SOFTWARE)
        libopts had an internal operational error. Please report it to
        autogen-users@lists.sourceforge.net. Thank you.

SEE ALSO
    p11tool (1)

AUTHORS
    Nikos Mavrogiannopoulos, Simon Josefsson and others; see
    /usr/share/doc/gnutls/AUTHORS for a complete list.

COPYRIGHT
    Copyright (C) 2000-2018 Free Software Foundation, and others all rights
    reserved. This program is released under the terms of the GNU General
    Public License, version 3 or later.

BUGS
    Please send bug reports to: bugs@gnutls.org

NOTES
    This manual page was AutoGen-erated from the certtool option
    definitions.



3.3.29                           16 Feb 2018                       certtool(1)