1certtool(1)                      User Commands                     certtool(1)
2
3
4

NAME

6       certtool - GnuTLS certificate tool
7

SYNOPSIS

9       certtool [-flags] [-flag [value]] [--option-name[[=| ]value]]
10
11       All arguments must be options.
12
13

DESCRIPTION

15       Tool  to  parse  and  generate X.509 certificates, requests and private
16       keys.  It can be used interactively or non interactively by  specifying
17       the template command line option.
18
19       The  tool  accepts  files or supported URIs via the --infile option. In
20       case PIN is required for URI access you can provide it using the  envi‐
21       ronment variables GNUTLS_PIN and GNUTLS_SO_PIN.
22
23

OPTIONS

25       -d number, --debug=number
26              Enable  debugging.   This  option takes an integer number as its
27              argument.  The value of number is constrained to being:
28                  in the range  0 through 9999
29
30              Specifies the debug level.
31
32       -V, --verbose
33              More verbose output.  This option may appear an unlimited number
34              of times.
35
36
37       --infile=file
38              Input file.
39
40
41       --outfile=string
42              Output file.
43
44
45   Certificate related options
46       -i, --certificate-info
47              Print information on the given certificate.
48
49
50       --pubkey-info
51              Print information on a public key.
52
53              The option combined with --load-request, --load-pubkey, --load-
54              privkey and --load-certificate will extract the public key of
55              the object in question.
56
57       -s, --generate-self-signed
58              Generate a self-signed certificate.
59
60
61       -c, --generate-certificate
62              Generate a signed certificate.
63
64
65       --generate-proxy
66              Generates a proxy certificate.
67
68
69       -u, --update-certificate
70              Update a signed certificate.
71
72
73       --fingerprint
74              Print the fingerprint of the given certificate.
75
76              This is a simple hash of the DER encoding of the certificate. It
77              can be combined with the --hash parameter. However, it is recom‐
78              mended for identification to use the key-id which depends only
79              on the certificate's key.
80
81       --key-id
82              Print the key ID of the given certificate.
83
84              This is a hash of the public key of the given certificate. It
85              identifies the key uniquely, remains the same on a certificate
86              renewal and depends only on signed fields of the certificate.
87
88       --certificate-pubkey
89              Print certificate's public key.
90
91              This option is deprecated as a duplicate of --pubkey-info
92
93              NOTE: THIS OPTION IS DEPRECATED
94
95       --v1   Generate an X.509 version 1 certificate (with no extensions).
96
97
98       --sign-params=string
99              Sign a certificate with a specific signature algorithm.
100
101              This option can be combined with --generate-certificate, to sign
102              the certificate with a specific signature algorithm variant. The
103              only option supported is 'RSA-PSS', and should be specified when
104              the signer does not have a certificate which is marked for RSA-
105              PSS use only.
106
107   Certificate request related options
108       --crq-info
109              Print information on the given certificate request.
110
111
112       -q, --generate-request
113              Generate a PKCS #10 certificate request.  This option must not
114              appear in combination with any of the following options: infile.
115
116              Will generate a PKCS #10 certificate request. To specify a pri‐
117              vate key use --load-privkey.
118
119       --no-crq-extensions
120              Do not use extensions in certificate requests.
121
122
123   PKCS#12 file related options
124       --p12-info
125              Print information on a PKCS #12 structure.
126
127              This option will dump the contents and print the metadata of the
128              provided PKCS #12 structure.
129
130       --p12-name=string
131              The PKCS #12 friendly name to use.
132
133              The name to be used for the primary certificate and private key
134              in a PKCS #12 file.
135
136       --to-p12
137              Generate a PKCS #12 structure.
138
139              It requires a certificate, a private key and possibly a CA cer‐
140              tificate to be specified.
141
142   Private key related options
143       -k, --key-info
144              Print information on a private key.
145
146
147       --p8-info
148              Print information on a PKCS #8 structure.
149
150              This option will print information about encrypted PKCS #8
151              structures. That option does not require the decryption of the
152              structure.
153
154       --to-rsa
155              Convert an RSA-PSS key to raw RSA format.
156
157              It requires an RSA-PSS key as input and will output a raw RSA
158              key. This command is necessary for compatibility with applica‐
159              tions that cannot read RSA-PSS keys.
160
161       -p, --generate-privkey
162              Generate a private key.
163
164              When generating RSA-PSS private keys, the --hash option will
165              restrict the allowed hash for the key; in the same keys the
166              --salt-size option is also acceptable.
167
168       --key-type=string
169              Specify the key type to use on key generation.
170
171              This option can be combined with --generate-privkey, to specify
172                  the key type to be generated. Valid options are, 'rsa',
173              'rsa-pss',
174
175       --bits=number
176              Specify the number of bits for key generation.  This option
177              takes an integer number as its argument.
178
179
180       --curve=string
181              Specify the curve used for EC key generation.
182
183              Supported values are secp192r1, secp224r1, secp256r1, secp384r1
184              and secp521r1.
185
186       --sec-param=security parameter
187              Specify the security level [low, legacy, medium, high, ultra].
188
189              This is alternative to the bits option.
190
191       --to-p8
192              Convert a given key to a PKCS #8 structure.
193
194              This needs to be combined with --load-privkey.
195
196       -8, --pkcs8
197              Use PKCS #8 format for private keys.
198
199
200       --provable
201              Generate a private key or parameters from a seed using a prov‐
202              able method.
203
204              This will use the FIPS PUB186-4 algorithms (i.e., Shawe-Taylor)
205              for provable key generation.  When specified the private keys or
206              parameters will be generated from a seed, and can be later vali‐
207              dated with --verify-provable-privkey to be correctly generated
208              from the seed. You may specify --seed or allow GnuTLS to gener‐
209              ate one (recommended). This option can be combined with --gener‐
210              ate-privkey or --generate-dh-params.
211
212              That option applies to RSA and DSA keys. On the DSA keys the PQG
213              parameters are generated using the seed, and on RSA the two
214              primes.
215
216       --verify-provable-privkey
217              Verify a private key generated from a seed using a provable
218              method.
219
220              This will use the FIPS-186-4 algorithms for provable key genera‐
221              tion. You may specify --seed or use the seed stored in the pri‐
222              vate key structure.
223
224       --seed=string
225              When generating a private key use the given hex-encoded seed.
226
227              The seed acts as a security parameter for the private key, and
228              thus a seed size which corresponds to the security level of the
229              private key should be provided (e.g., 256-bits seed).
230
231   CRL related options
232       -l, --crl-info
233              Print information on the given CRL structure.
234
235
236       --generate-crl
237              Generate a CRL.
238
239              This option generates a Certificate Revocation List. When com‐
240              bined with --load-crl it would use the loaded CRL as base for
241              the generated (i.e., all revoked certificates in the base will
242              be copied to the new CRL).  To add new certificates to the CRL
243              use --load-certificate.
244
245       --verify-crl
246              Verify a Certificate Revocation List using a trusted list.  This
247              option must appear in combination with the following options:
248              load-ca-certificate.
249
250              The trusted certificate list must be loaded with --load-ca-cer‐
251              tificate.
252
253   Certificate verification related options
254       -e, --verify-chain
255              Verify a PEM encoded certificate chain.
256
257              Verifies the validity of a certificate chain. That is, an
258              ordered set of
259                  certificates where each one is the issuer of the previous,
260              and the first is
261                  the end-certificate to be validated. In a proper chain the
262              last certificate
263                  is a self signed one. It can be combined with --verify-pur‐
264              pose or --verify-hostname.
265
266       --verify
267              Verify a PEM encoded certificate (chain) against a trusted set.
268
269              The trusted certificate list can be loaded with --load-ca-cer‐
270              tificate. If no certificate list is provided, then the system's
271              trusted certificate list is used. Note that during verification
272              multiple paths may be explored. On a successful verification the
273              successful path will be the last one. It can be combined with
274              --verify-purpose or --verify-hostname.
275
276       --verify-hostname=string
277              Specify a hostname to be used for certificate chain verifica‐
278              tion.
279
280              This is to be combined with one of the verify certificate
281              options.
282
283       --verify-email=string
284              Specify a email to be used for certificate chain verification.
285              This option must not appear in combination with any of the fol‐
286              lowing options: verify-hostname.
287
288              This is to be combined with one of the verify certificate
289              options.
290
291       --verify-purpose=string
292              Specify a purpose OID to be used for certificate chain verifica‐
293              tion.
294
295              This object identifier restricts the purpose of the certificates
296              to be verified. Example purposes are 1.3.6.1.5.5.7.3.1 (TLS
297              WWW), 1.3.6.1.5.5.7.3.4 (EMAIL) etc. Note that a CA certificate
298              without a purpose set (extended key usage) is valid for any pur‐
299              pose.
300
301       --verify-allow-broken
302              Allow broken algorithms, such as MD5 for verification.
303
304              This can be combined with --p7-verify, --verify or --verify-
305              chain.
306
307   PKCS#7 structure options
308       --p7-generate
309              Generate a PKCS #7 structure.
310
311              This option generates a PKCS #7 certificate container structure.
312              To add certificates in the structure use --load-certificate and
313              --load-crl.
314
315       --p7-sign
316              Signs using a PKCS #7 structure.
317
318              This option generates a PKCS #7 structure containing a signature
319              for the provided data from infile. The data are stored within
320              the structure. The signer certificate has to be specified using
321              --load-certificate and --load-privkey. The input to --load-cer‐
322              tificate can be a list of certificates. In case of a list, the
323              first certificate is used for signing and the other certificates
324              are included in the structure.
325
326       --p7-detached-sign
327              Signs using a detached PKCS #7 structure.
328
329              This option generates a PKCS #7 structure containing a signature
330              for the provided data from infile. The signer certificate has to
331              be specified using --load-certificate and --load-privkey. The
332              input to --load-certificate can be a list of certificates. In
333              case of a list, the first certificate is used for signing and
334              the other certificates are included in the structure.
335
336       --p7-include-cert, --no-p7-include-cert
337              The signer's certificate will be included in the cert list..
338              The no-p7-include-cert form will disable the option.  This
339              option is enabled by default.
340
341              This options works with --p7-sign or --p7-detached-sign and will
342              include or exclude the signer's certificate into the generated
343              signature.
344
345       --p7-time, --no-p7-time
346              Will include a timestamp in the PKCS #7 structure.  The
347              no-p7-time form will disable the option.
348
349              This option will include a timestamp in the generated signature
350
351       --p7-show-data, --no-p7-show-data
352              Will show the embedded data in the PKCS #7 structure.  The
353              no-p7-show-data form will disable the option.
354
355              This option can be combined with --p7-verify or --p7-info and
356              will display the embedded signed data in the PKCS #7 structure.
357
358       --p7-info
359              Print information on a PKCS #7 structure.
360
361
362       --p7-verify
363              Verify the provided PKCS #7 structure.
364
365              This option verifies the signed PKCS #7 structure. The certifi‐
366              cate list to use for verification can be specified with --load-
367              ca-certificate. When no certificate list is provided, then the
368              system's certificate list is used. Alternatively a direct signer
369              can be provided using --load-certificate. A key purpose can be
370              enforced with the --verify-purpose option, and the --load-data
371              option will utilize detached data.
372
373       --smime-to-p7
374              Convert S/MIME to PKCS #7 structure.
375
376
377   Other options
378       --generate-dh-params
379              Generate PKCS #3 encoded Diffie-Hellman parameters.
380
381              The will generate random parameters to be used with Diffie-Hell‐
382              man key exchange. The output parameters will be in PKCS #3 for‐
383              mat. Note that it is recommended to use the --get-dh-params
384              option instead.
385
386              NOTE: THIS OPTION IS DEPRECATED
387
388       --get-dh-params
389              List the included PKCS #3 encoded Diffie-Hellman parameters.
390
391              Returns stored DH parameters in GnuTLS. Those parameters
392              returned are defined in RFC7919, and can be considered standard
393              parameters for a TLS key exchange. This option is provided for
394              old applications which require DH parameters to be specified;
395              modern GnuTLS applications should not require them.
396
397       --dh-info
398              Print information PKCS #3 encoded Diffie-Hellman parameters.
399
400
401       --load-privkey=string
402              Loads a private key file.
403
404              This can be either a file or a PKCS #11 URL
405
406       --load-pubkey=string
407              Loads a public key file.
408
409              This can be either a file or a PKCS #11 URL
410
411       --load-request=string
412              Loads a certificate request file.
413
414              This option can be used with a file
415
416       --load-certificate=string
417              Loads a certificate file.
418
419              This option can be used with a file
420
421       --load-ca-privkey=string
422              Loads the certificate authority's private key file.
423
424              This can be either a file or a PKCS #11 URL
425
426       --load-ca-certificate=string
427              Loads the certificate authority's certificate file.
428
429              This can be either a file or a PKCS #11 URL
430
431       --load-crl=string
432              Loads the provided CRL.
433
434              This option can be used with a file
435
436       --load-data=string
437              Loads auxiliary data.
438
439              This option can be used with a file
440
441       --password=string
442              Password to use.
443
444              You can use this option to specify the password in the command
445              line instead of reading it from the tty. Note, that the command
446              line arguments are available for view in others in the system.
447              Specifying password as '' is the same as specifying no password.
448
449       --null-password
450              Enforce a NULL password.
451
452              This option enforces a NULL password. This is different than the
453              empty or no password in schemas like PKCS #8.
454
455       --empty-password
456              Enforce an empty password.
457
458              This option enforces an empty password. This is different than
459              the NULL or no password in schemas like PKCS #8.
460
461       --hex-numbers
462              Print big number in an easier format to parse.
463
464
465       --cprint
466              In certain operations it prints the information in C-friendly
467              format.
468
469              In certain operations it prints the information in C-friendly
470              format, suitable for including into C programs.
471
472       --rsa  Generate RSA key.
473
474              When combined with --generate-privkey generates an RSA private
475              key.
476
477              NOTE: THIS OPTION IS DEPRECATED
478
479       --dsa  Generate DSA key.
480
481              When combined with --generate-privkey generates a DSA private
482              key.
483
484              NOTE: THIS OPTION IS DEPRECATED
485
486       --ecc  Generate ECC (ECDSA) key.
487
488              When combined with --generate-privkey generates an elliptic
489              curve private key to be used with ECDSA.
490
491              NOTE: THIS OPTION IS DEPRECATED
492
493       --ecdsa
494              This is an alias for the --ecc option.
495
496              NOTE: THIS OPTION IS DEPRECATED
497
498       --hash=string
499              Hash algorithm to use for signing.
500
501              Available hash functions are SHA1, RMD160, SHA256, SHA384,
502              SHA512, SHA3-224, SHA3-256, SHA3-384, SHA3-512.
503
504       --salt-size=number
505              Specify the RSA-PSS key default salt size.  This option takes an
506              integer number as its argument.
507
508              Typical keys shouldn't set or restrict this option.
509
510       --inder, --no-inder
511              Use DER format for input certificates, private keys, and DH
512              parameters .  The no-inder form will disable the option.
513
514              The input files will be assumed to be in DER or RAW format.
515              Unlike options that in PEM input would allow multiple input data
516              (e.g. multiple certificates), when reading in DER format a sin‐
517              gle data structure is read.
518
519       --inraw
520              This is an alias for the --inder option.
521
522       --outder, --no-outder
523              Use DER format for output certificates, private keys, and DH
524              parameters.  The no-outder form will disable the option.
525
526              The output will be in DER or RAW format.
527
528       --outraw
529              This is an alias for the --outder option.
530
531       --disable-quick-random
532              No effect.
533
534
535              NOTE: THIS OPTION IS DEPRECATED
536
537       --template=string
538              Template file to use for non-interactive operation.
539
540
541       --stdout-info
542              Print information to stdout instead of stderr.
543
544
545       --ask-pass
546              Enable interaction for entering password when in batch mode..
547
548              This option will enable interaction to enter password when in
549              batch mode. That is useful when the template option has been
550              specified.
551
552       --pkcs-cipher=cipher
553              Cipher to use for PKCS #8 and #12 operations.
554
555              Cipher may be one of 3des, 3des-pkcs12, aes-128, aes-192,
556              aes-256, rc2-40, arcfour.
557
558       --provider=string
559              Specify the PKCS #11 provider library.
560
561              This will override the default options in
562              /etc/gnutls/pkcs11.conf
563
564       --text, --no-text
565              Output textual information before PEM-encoded certificates, pri‐
566              vate keys, etc.  The no-text form will disable the option.  This
567              option is enabled by default.
568
569              Output textual information before PEM-encoded data
570
571       -h, --help
572              Display usage information and exit.
573
574       -!, --more-help
575              Pass the extended usage information through a pager.
576
577       -v [{v|c|n --version [{v|c|n}]}]
578              Output version of program and exit.  The default mode is `v', a
579              simple version.  The `c' mode will print copyright information
580              and `n' will print the full copyright notice.
581

FILES

583       Certtool's template file format
584       A template file can be used to avoid the interactive questions of cert‐
585       tool. Initially create a file named 'cert.cfg' that contains the infor‐
586       mation about the certificate. The template can be used as below:
587
588           $ certtool --generate-certificate --load-privkey key.pem     --template cert.cfg --outfile cert.pem    --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem
589
590       An example certtool template file that can be used to generate a cer‐
591       tificate request or a self signed certificate follows.
592
593           # X.509 Certificate options
594           #
595           # DN options
596
597           # The organization of the subject.
598           organization = "Koko inc."
599
600           # The organizational unit of the subject.
601           unit = "sleeping dept."
602
603           # The locality of the subject.
604           # locality =
605
606           # The state of the certificate owner.
607           state = "Attiki"
608
609           # The country of the subject. Two letter code.
610           country = GR
611
612           # The common name of the certificate owner.
613           cn = "Cindy Lauper"
614
615           # A user id of the certificate owner.
616           #uid = "clauper"
617
618           # Set domain components
619           #dc = "name"
620           #dc = "domain"
621
622           # If the supported DN OIDs are not adequate you can set
623           # any OID here.
624           # For example set the X.520 Title and the X.520 Pseudonym
625           # by using OID and string pairs.
626           #dn_oid = "2.5.4.12 Dr."
627           #dn_oid = "2.5.4.65 jackal"
628
629           # This is deprecated and should not be used in new
630           # certificates.
631           # pkcs9_email = "none@none.org"
632
633           # An alternative way to set the certificate's distinguished name directly
634           # is with the "dn" option. The attribute names allowed are:
635           # C (country), street, O (organization), OU (unit), title, CN (common name),
636           # L (locality), ST (state), placeOfBirth, gender, countryOfCitizenship,
637           # countryOfResidence, serialNumber, telephoneNumber, surName, initials,
638           # generationQualifier, givenName, pseudonym, dnQualifier, postalCode, name,
639           # businessCategory, DC, UID, jurisdictionOfIncorporationLocalityName,
640           # jurisdictionOfIncorporationStateOrProvinceName,
641           # jurisdictionOfIncorporationCountryName, XmppAddr, and numeric OIDs.
642
643           #dn = "cn = Nikos,st = New Something,C=GR,surName=Mavrogiannopoulos,2.5.4.9=Arkadias"
644
645           # The serial number of the certificate
646           # The value is in decimal (i.e. 1963) or hex (i.e. 0x07ab).
647           # Comment the field for a random serial number.
648           serial = 007
649
650           # In how many days, counting from today, this certificate will expire.
651           # Use -1 if there is no expiration date.
652           expiration_days = 700
653
654           # Alternatively you may set concrete dates and time. The GNU date string
655           # formats are accepted. See:
656           # http://www.gnu.org/software/tar/manual/html_node/Date-input-formats.html
657
658           #activation_date = "2004-02-29 16:21:42"
659           #expiration_date = "2025-02-29 16:24:41"
660
661           # X.509 v3 extensions
662
663           # A dnsname in case of a WWW server.
664           #dns_name = "www.none.org"
665           #dns_name = "www.morethanone.org"
666
667           # An othername defined by an OID and a hex encoded string
668           #other_name = "1.3.6.1.5.2.2 302ca00d1b0b56414e5245494e2e4f5247a11b3019a006020400000002a10f300d1b047269636b1b0561646d696e"
669           #other_name_utf8 = "1.2.4.5.6 A UTF8 string"
670           #other_name_octet = "1.2.4.5.6 A string that will be encoded as ASN.1 octet string"
671
672           # Allows writing an XmppAddr Identifier
673           #xmpp_name = juliet@im.example.com
674
675           # Names used in PKINIT
676           #krb5_principal = user@REALM.COM
677           #krb5_principal = HTTP/user@REALM.COM
678
679           # A subject alternative name URI
680           #uri = "http://www.example.com"
681
682           # An IP address in case of a server.
683           #ip_address = "192.168.1.1"
684
685           # An email in case of a person
686           email = "none@none.org"
687
688           # TLS feature (rfc7633) extension. That can is used to indicate mandatory TLS
689           # extension features to be provided by the server. In practice this is used
690           # to require the Status Request (extid: 5) extension from the server. That is,
691           # to require the server holding this certificate to provide a stapled OCSP response.
692           # You can have multiple lines for multiple TLS features.
693
694           # To ask for OCSP status request use:
695           #tls_feature = 5
696
697           # Challenge password used in certificate requests
698           challenge_password = 123456
699
700           # Password when encrypting a private key
701           #password = secret
702
703           # An URL that has CRLs (certificate revocation lists)
704           # available. Needed in CA certificates.
705           #crl_dist_points = "http://www.getcrl.crl/getcrl/"
706
707           # Whether this is a CA certificate or not
708           #ca
709
710           # Subject Unique ID (in hex)
711           #subject_unique_id = 00153224
712
713           # Issuer Unique ID (in hex)
714           #issuer_unique_id = 00153225
715
716           #### Key usage
717
718           # The following key usage flags are used by CAs and end certificates
719
720           # Whether this certificate will be used to sign data (needed
721           # in TLS DHE ciphersuites). This is the digitalSignature flag
722           # in RFC5280 terminology.
723           signing_key
724
725           # Whether this certificate will be used to encrypt data (needed
726           # in TLS RSA ciphersuites). Note that it is preferred to use different
727           # keys for encryption and signing. This is the keyEncipherment flag
728           # in RFC5280 terminology.
729           encryption_key
730
731           # Whether this key will be used to sign other certificates. The
732           # keyCertSign flag in RFC5280 terminology.
733           #cert_signing_key
734
735           # Whether this key will be used to sign CRLs. The
736           # cRLSign flag in RFC5280 terminology.
737           #crl_signing_key
738
739           # The keyAgreement flag of RFC5280. It's purpose is loosely
740           # defined. Not use it unless required by a protocol.
741           #key_agreement
742
743           # The dataEncipherment flag of RFC5280. It's purpose is loosely
744           # defined. Not use it unless required by a protocol.
745           #data_encipherment
746
747           # The nonRepudiation flag of RFC5280. It's purpose is loosely
748           # defined. Not use it unless required by a protocol.
749           #non_repudiation
750
751           #### Extended key usage (key purposes)
752
753           # The following extensions are used in an end certificate
754           # to clarify its purpose. Some CAs also use it to indicate
755           # the types of certificates they are purposed to sign.
756
757
758           # Whether this certificate will be used for a TLS client;
759           # this sets the id-kp-serverAuth (1.3.6.1.5.5.7.3.1) of
760           # extended key usage.
761           #tls_www_client
762
763           # Whether this certificate will be used for a TLS server;
764           # This sets the id-kp-clientAuth (1.3.6.1.5.5.7.3.2) of
765           # extended key usage.
766           #tls_www_server
767
768           # Whether this key will be used to sign code. This sets the
769           # id-kp-codeSigning (1.3.6.1.5.5.7.3.3) of extended key usage
770           # extension.
771           #code_signing_key
772
773           # Whether this key will be used to sign OCSP data. This sets the
774           # id-kp-OCSPSigning (1.3.6.1.5.5.7.3.9) of extended key usage extension.
775           #ocsp_signing_key
776
777           # Whether this key will be used for time stamping. This sets the
778           # id-kp-timeStamping (1.3.6.1.5.5.7.3.8) of extended key usage extension.
779           #time_stamping_key
780
781           # Whether this key will be used for email protection. This sets the
782           # id-kp-emailProtection (1.3.6.1.5.5.7.3.4) of extended key usage extension.
783           #email_protection_key
784
785           # Whether this key will be used for IPsec IKE operations (1.3.6.1.5.5.7.3.17).
786           #ipsec_ike_key
787
788           ## adding custom key purpose OIDs
789
790           # for microsoft smart card logon
791           # key_purpose_oid = 1.3.6.1.4.1.311.20.2.2
792
793           # for email protection
794           # key_purpose_oid = 1.3.6.1.5.5.7.3.4
795
796           # for any purpose (must not be used in intermediate CA certificates)
797           # key_purpose_oid = 2.5.29.37.0
798
799           ### end of key purpose OIDs
800
801           ### Adding arbitrary extensions
802           # This requires to provide the extension OIDs, as well as the extension data in
803           # hex format. The following two options are available since GnuTLS 3.5.3.
804           #add_extension = "1.2.3.4 0x0AAB01ACFE"
805
806           # As above but encode the data as an octet string
807           #add_extension = "1.2.3.4 octet_string(0x0AAB01ACFE)"
808
809           # For portability critical extensions shouldn't be set to certificates.
810           #add_critical_extension = "5.6.7.8 0x1AAB01ACFE"
811
812           # When generating a certificate from a certificate
813           # request, then honor the extensions stored in the request
814           # and store them in the real certificate.
815           #honor_crq_extensions
816
817           # Alternatively only specific extensions can be copied.
818           #honor_crq_ext = 2.5.29.17
819           #honor_crq_ext = 2.5.29.15
820
821           # Path length contraint. Sets the maximum number of
822           # certificates that can be used to certify this certificate.
823           # (i.e. the certificate chain length)
824           #path_len = -1
825           #path_len = 2
826
827           # OCSP URI
828           # ocsp_uri = http://my.ocsp.server/ocsp
829
830           # CA issuers URI
831           # ca_issuers_uri = http://my.ca.issuer
832
833           # Certificate policies
834           #policy1 = 1.3.6.1.4.1.5484.1.10.99.1.0
835           #policy1_txt = "This is a long policy to summarize"
836           #policy1_url = http://www.example.com/a-policy-to-read
837
838           #policy2 = 1.3.6.1.4.1.5484.1.10.99.1.1
839           #policy2_txt = "This is a short policy"
840           #policy2_url = http://www.example.com/another-policy-to-read
841
842           # The number of additional certificates that may appear in a
843           # path before the anyPolicy is no longer acceptable.
844           #inhibit_anypolicy_skip_certs 1
845
846           # Name constraints
847
848           # DNS
849           #nc_permit_dns = example.com
850           #nc_exclude_dns = test.example.com
851
852           # EMAIL
853           #nc_permit_email = "nmav@ex.net"
854
855           # Exclude subdomains of example.com
856           #nc_exclude_email = .example.com
857
858           # Exclude all e-mail addresses of example.com
859           #nc_exclude_email = example.com
860
861           # IP
862           #nc_permit_ip = 192.168.0.0/16
863           #nc_exclude_ip = 192.168.5.0/24
864           #nc_permit_ip = fc0a:eef2:e7e7:a56e::/64
865
866
867           # Options for proxy certificates
868           #proxy_policy_language = 1.3.6.1.5.5.7.21.1
869
870
871           # Options for generating a CRL
872
873           # The number of days the next CRL update will be due.
874           # next CRL update will be in 43 days
875           #crl_next_update = 43
876
877           # this is the 5th CRL by this CA
878           # The value is in decimal (i.e. 1963) or hex (i.e. 0x07ab).
879           # Comment the field for a time-based number.
880           # Time-based CRL numbers generated in GnuTLS 3.6.3 and later
881           # are significantly larger than those generated in previous
882           # versions. Since CRL numbers need to be monotonic, you need
883           # to specify the CRL number here manually if you intend to
884           # downgrade to an earlier version than 3.6.3 after publishing
885           # the CRL as it is not possible to specify CRL numbers greater
886           # than 263-2 using hex notation in those versions.
887           #crl_number = 5
888
889           # Specify the update dates more precisely.
890           #crl_this_update_date = "2004-02-29 16:21:42"
891           #crl_next_update_date = "2025-02-29 16:24:41"
892
893           # The date that the certificates will be made seen as
894           # being revoked.
895           #crl_revocation_date = "2025-02-29 16:24:41"
896
897
898

EXAMPLES

900       Generating private keys
901       To create an RSA private key, run:
902           $ certtool --generate-privkey --outfile key.pem --rsa
903
904       To create a DSA or elliptic curves (ECDSA) private key use the above
905       command combined with 'dsa' or 'ecc' options.
906
907       Generating certificate requests
908       To create a certificate request (needed when the certificate is  issued
909       by another party), run:
910           certtool --generate-request --load-privkey key.pem    --outfile request.pem
911
912       If the private key is stored in a smart card you can generate a request
913       by specifying the private key object URL.
914           $ ./certtool --generate-request --load-privkey "pkcs11:..."   --load-pubkey "pkcs11:..." --outfile request.pem
915
916
917       Generating a self-signed certificate
918       To create a self signed certificate, use the command:
919           $ certtool --generate-privkey --outfile ca-key.pem
920           $ certtool --generate-self-signed --load-privkey ca-key.pem    --outfile ca-cert.pem
921
922       Note that a self-signed certificate usually belongs to a certificate
923       authority, that signs other certificates.
924
925       Generating a certificate
926       To generate a certificate using the previous request, use the command:
927           $ certtool --generate-certificate --load-request request.pem    --outfile cert.pem --load-ca-certificate ca-cert.pem    --load-ca-privkey ca-key.pem
928
929       To generate a certificate using the private key only, use the command:
930           $ certtool --generate-certificate --load-privkey key.pem    --outfile cert.pem --load-ca-certificate ca-cert.pem    --load-ca-privkey ca-key.pem
931
932       Certificate information
933       To view the certificate information, use:
934           $ certtool --certificate-info --infile cert.pem
935
936       Changing the certificate format
937       To convert the certificate from PEM to DER format, use:
938           $ certtool --certificate-info --infile cert.pem --outder --outfile cert.der
939
940       PKCS #12 structure generation
941       To generate a PKCS #12 structure using the previous key and certifi‐
942       cate, use the command:
943           $ certtool --load-certificate cert.pem --load-privkey key.pem    --to-p12 --outder --outfile key.p12
944
945       Some tools (reportedly web browsers) have problems with that file
946       because it does not contain the CA certificate for the certificate.  To
947       work around that problem in the tool, you can use the --load-ca-cer‐
948       tificate parameter as follows:
949
950           $ certtool --load-ca-certificate ca.pem   --load-certificate cert.pem --load-privkey key.pem   --to-p12 --outder --outfile key.p12
951
952       Obtaining Diffie-Hellman parameters
953       To obtain the RFC7919 parameters for Diffie-Hellman key exchange, use
954       the command:
955           $ certtool --get-dh-params --outfile dh.pem --sec-param medium
956
957       Verifying a certificate
958       To verify a certificate in a file against the system's CA trust store
959       use the following command:
960           $ certtool --verify --infile cert.pem
961
962       It is also possible to simulate hostname verification with the follow‐
963       ing options:
964           $ certtool --verify --verify-hostname www.example.com --infile cert.pem
965
966
967       Proxy certificate generation
968       Proxy certificate can be used to delegate your credential to a tempo‐
969       rary, typically short-lived, certificate.  To create one from the pre‐
970       viously created certificate, first create a temporary key and then gen‐
971       erate a proxy certificate for it, using the commands:
972
973           $ certtool --generate-privkey > proxy-key.pem
974           $ certtool --generate-proxy --load-ca-privkey key.pem   --load-privkey proxy-key.pem --load-certificate cert.pem   --outfile proxy-cert.pem
975
976       Certificate revocation list generation
977       To create an empty Certificate Revocation List (CRL) do:
978
979           $ certtool --generate-crl --load-ca-privkey x509-ca-key.pem            --load-ca-certificate x509-ca.pem
980
981       To create a CRL that contains some revoked certificates, place the cer‐
982       tificates in a file and use --load-certificate as follows:
983
984           $ certtool --generate-crl --load-ca-privkey x509-ca-key.pem   --load-ca-certificate x509-ca.pem --load-certificate revoked-certs.pem
985
986       To verify a Certificate Revocation List (CRL) do:
987
988           $ certtool --verify-crl --load-ca-certificate x509-ca.pem < crl.pem
989

EXIT STATUS

991       One of the following exit values will be returned:
992
993       0  (EXIT_SUCCESS)
994              Successful program execution.
995
996       1  (EXIT_FAILURE)
997              The operation failed or the command syntax was not valid.
998
999       70  (EX_SOFTWARE)
1000              libopts had an internal operational error.  Please report it to
1001              autogen-users@lists.sourceforge.net.  Thank you.
1002

SEE ALSO

1004           p11tool (1), psktool (1), srptool (1)
1005

AUTHORS

1007       Nikos Mavrogiannopoulos, Simon Josefsson and others; see
1008       /usr/share/doc/gnutls/AUTHORS for a complete list.
1009
1011       Copyright (C) 2000-2018 Free Software Foundation, and others all rights
1012       reserved.  This program is released under the terms of the GNU General
1013       Public License, version 3 or later.
1014

BUGS

1016       Please send bug reports to: bugs@gnutls.org
1017

NOTES

1019       This manual page was AutoGen-erated from the certtool option defini‐
1020       tions.
1021
1022
1023
10243.6.4                             30 Nov 2018                      certtool(1)
Impressum