1certtool(1) User Commands certtool(1)
2
6 certtool - GnuTLS certificate tool
7
9 certtool [-flags] [-flag [value]] [--option-name[[=| ]value]]
10 All arguments must be options.
12
15 Tool to parse and generate X.509 certificates, requests and private
16 keys. It can be used interactively or non interactively by specifying
17 the template command line option.
18 The tool accepts files or supported URIs via the --infile option. In
20 case PIN is required for URI access you can provide it using the envi‐
21 ronment variables GNUTLS_PIN and GNUTLS_SO_PIN.
22
25 -d number, --debug=number
26 Enable debugging. This option takes an integer number as its
27 argument. The value of number is constrained to being:
28 in the range 0 through 9999
29 Specifies the debug level.
31 -V, --verbose
33 More verbose output. This option may appear an unlimited number
34 of times.
35 --infile=file
38 Input file.
39 --outfile=string
42 Output file.
43 Certificate related options
46 -i, --certificate-info
47 Print information on the given certificate.
48 --pubkey-info
51 Print information on a public key.
52 The option combined with --load-request, --load-pubkey, --load-
54 privkey and --load-certificate will extract the public key of
55 the object in question.
56 -s, --generate-self-signed
58 Generate a self-signed certificate.
59 -c, --generate-certificate
62 Generate a signed certificate.
63 --generate-proxy
66 Generates a proxy certificate.
67 -u, --update-certificate
70 Update a signed certificate.
71 --fingerprint
74 Print the fingerprint of the given certificate.
75 This is a simple hash of the DER encoding of the certificate. It
77 can be combined with the --hash parameter. However, it is recom‐
78 mended for identification to use the key-id which depends only
79 on the certificate's key.
80 --key-id
82 Print the key ID of the given certificate.
83 This is a hash of the public key of the given certificate. It
85 identifies the key uniquely, remains the same on a certificate
86 renewal and depends only on signed fields of the certificate.
87 --certificate-pubkey
89 Print certificate's public key.
90 This option is deprecated as a duplicate of --pubkey-info
92 NOTE: THIS OPTION IS DEPRECATED
94 --v1 Generate an X.509 version 1 certificate (with no extensions).
96 --sign-params=string
99 Sign a certificate with a specific signature algorithm.
100 This option can be combined with --generate-certificate, to sign
102 the certificate with a specific signature algorithm variant. The
103 only option supported is 'RSA-PSS', and should be specified when
104 the signer does not have a certificate which is marked for RSA-
105 PSS use only.
106 Certificate request related options
108 --crq-info
109 Print information on the given certificate request.
110 -q, --generate-request
113 Generate a PKCS #10 certificate request. This option must not
114 appear in combination with any of the following options: infile.
115 Will generate a PKCS #10 certificate request. To specify a pri‐
117 vate key use --load-privkey.
118 --no-crq-extensions
120 Do not use extensions in certificate requests.
121 PKCS#12 file related options
124 --p12-info
125 Print information on a PKCS #12 structure.
126 This option will dump the contents and print the metadata of the
128 provided PKCS #12 structure.
129 --p12-name=string
131 The PKCS #12 friendly name to use.
132 The name to be used for the primary certificate and private key
134 in a PKCS #12 file.
135 --to-p12
137 Generate a PKCS #12 structure.
138 It requires a certificate, a private key and possibly a CA cer‐
140 tificate to be specified.
141 Private key related options
143 -k, --key-info
144 Print information on a private key.
145 --p8-info
148 Print information on a PKCS #8 structure.
149 This option will print information about encrypted PKCS #8
151 structures. That option does not require the decryption of the
152 structure.
153 --to-rsa
155 Convert an RSA-PSS key to raw RSA format.
156 It requires an RSA-PSS key as input and will output a raw RSA
158 key. This command is necessary for compatibility with applica‐
159 tions that cannot read RSA-PSS keys.
160 -p, --generate-privkey
162 Generate a private key.
163 When generating RSA-PSS private keys, the --hash option will
165 restrict the allowed hash for the key; in the same keys the
166 --salt-size option is also acceptable.
167 --key-type=string
169 Specify the key type to use on key generation.
170 This option can be combined with --generate-privkey, to specify
172 the key type to be generated. Valid options are, 'rsa', 'rsa-
173 pss', 'dsa', 'ecdsa', and 'ed25519'.
174 --bits=number
176 Specify the number of bits for key generation. This option
177 takes an integer number as its argument.
178 --curve=string
181 Specify the curve used for EC key generation.
182 Supported values are secp192r1, secp224r1, secp256r1, secp384r1
184 and secp521r1.
185 --sec-param=security parameter
187 Specify the security level [low, legacy, medium, high, ultra].
188 This is alternative to the bits option.
190 --to-p8
192 Convert a given key to a PKCS #8 structure.
193 This needs to be combined with --load-privkey.
195 -8, --pkcs8
197 Use PKCS #8 format for private keys.
198 --provable
201 Generate a private key or parameters from a seed using a prov‐
202 able method.
203 This will use the FIPS PUB186-4 algorithms (i.e., Shawe-Taylor)
205 for provable key generation. When specified the private keys or
206 parameters will be generated from a seed, and can be later vali‐
207 dated with --verify-provable-privkey to be correctly generated
208 from the seed. You may specify --seed or allow GnuTLS to gener‐
209 ate one (recommended). This option can be combined with --gener‐
210 ate-privkey or --generate-dh-params.
211 That option applies to RSA and DSA keys. On the DSA keys the PQG
213 parameters are generated using the seed, and on RSA the two
214 primes.
215 --verify-provable-privkey
217 Verify a private key generated from a seed using a provable
218 method.
219 This will use the FIPS-186-4 algorithms for provable key genera‐
221 tion. You may specify --seed or use the seed stored in the pri‐
222 vate key structure.
223 --seed=string
225 When generating a private key use the given hex-encoded seed.
226 The seed acts as a security parameter for the private key, and
228 thus a seed size which corresponds to the security level of the
229 private key should be provided (e.g., 256-bits seed).
230 CRL related options
232 -l, --crl-info
233 Print information on the given CRL structure.
234 --generate-crl
237 Generate a CRL.
238 This option generates a Certificate Revocation List. When com‐
240 bined with --load-crl it would use the loaded CRL as base for
241 the generated (i.e., all revoked certificates in the base will
242 be copied to the new CRL). To add new certificates to the CRL
243 use --load-certificate.
244 --verify-crl
246 Verify a Certificate Revocation List using a trusted list. This
247 option must appear in combination with the following options:
248 load-ca-certificate.
249 The trusted certificate list must be loaded with --load-ca-cer‐
251 tificate.
252 Certificate verification related options
254 -e, --verify-chain
255 Verify a PEM encoded certificate chain.
256 Verifies the validity of a certificate chain. That is, an
258 ordered set of certificates where each one is the issuer of the
259 previous, and the first is the end-certificate to be validated.
260 In a proper chain the last certificate is a self signed one. It
261 can be combined with --verify-purpose or --verify-hostname.
262 --verify
264 Verify a PEM encoded certificate (chain) against a trusted set.
265 The trusted certificate list can be loaded with --load-ca-cer‐
267 tificate. If no certificate list is provided, then the system's
268 trusted certificate list is used. Note that during verification
269 multiple paths may be explored. On a successful verification the
270 successful path will be the last one. It can be combined with
271 --verify-purpose or --verify-hostname.
272 --verify-hostname=string
274 Specify a hostname to be used for certificate chain verifica‐
275 tion.
276 This is to be combined with one of the verify certificate
278 options.
279 --verify-email=string
281 Specify a email to be used for certificate chain verification.
282 This option must not appear in combination with any of the fol‐
283 lowing options: verify-hostname.
284 This is to be combined with one of the verify certificate
286 options.
287 --verify-purpose=string
289 Specify a purpose OID to be used for certificate chain verifica‐
290 tion.
291 This object identifier restricts the purpose of the certificates
293 to be verified. Example purposes are 1.3.6.1.5.5.7.3.1 (TLS
294 WWW), 1.3.6.1.5.5.7.3.4 (EMAIL) etc. Note that a CA certificate
295 without a purpose set (extended key usage) is valid for any pur‐
296 pose.
297 --verify-allow-broken
299 Allow broken algorithms, such as MD5 for verification.
300 This can be combined with --p7-verify, --verify or --verify-
302 chain.
303 PKCS#7 structure options
305 --p7-generate
306 Generate a PKCS #7 structure.
307 This option generates a PKCS #7 certificate container structure.
309 To add certificates in the structure use --load-certificate and
310 --load-crl.
311 --p7-sign
313 Signs using a PKCS #7 structure.
314 This option generates a PKCS #7 structure containing a signature
316 for the provided data from infile. The data are stored within
317 the structure. The signer certificate has to be specified using
318 --load-certificate and --load-privkey. The input to --load-cer‐
319 tificate can be a list of certificates. In case of a list, the
320 first certificate is used for signing and the other certificates
321 are included in the structure.
322 --p7-detached-sign
324 Signs using a detached PKCS #7 structure.
325 This option generates a PKCS #7 structure containing a signature
327 for the provided data from infile. The signer certificate has to
328 be specified using --load-certificate and --load-privkey. The
329 input to --load-certificate can be a list of certificates. In
330 case of a list, the first certificate is used for signing and
331 the other certificates are included in the structure.
332 --p7-include-cert, --no-p7-include-cert
334 The signer's certificate will be included in the cert list..
335 The no-p7-include-cert form will disable the option. This
336 option is enabled by default.
337 This options works with --p7-sign or --p7-detached-sign and will
339 include or exclude the signer's certificate into the generated
340 signature.
341 --p7-time, --no-p7-time
343 Will include a timestamp in the PKCS #7 structure. The
344 no-p7-time form will disable the option.
345 This option will include a timestamp in the generated signature
347 --p7-show-data, --no-p7-show-data
349 Will show the embedded data in the PKCS #7 structure. The
350 no-p7-show-data form will disable the option.
351 This option can be combined with --p7-verify or --p7-info and
353 will display the embedded signed data in the PKCS #7 structure.
354 --p7-info
356 Print information on a PKCS #7 structure.
357 --p7-verify
360 Verify the provided PKCS #7 structure.
361 This option verifies the signed PKCS #7 structure. The certifi‐
363 cate list to use for verification can be specified with --load-
364 ca-certificate. When no certificate list is provided, then the
365 system's certificate list is used. Alternatively a direct signer
366 can be provided using --load-certificate. A key purpose can be
367 enforced with the --verify-purpose option, and the --load-data
368 option will utilize detached data.
369 --smime-to-p7
371 Convert S/MIME to PKCS #7 structure.
372 Other options
375 --generate-dh-params
376 Generate PKCS #3 encoded Diffie-Hellman parameters.
377 The will generate random parameters to be used with Diffie-Hell‐
379 man key exchange. The output parameters will be in PKCS #3 for‐
380 mat. Note that it is recommended to use the --get-dh-params
381 option instead.
382 NOTE: THIS OPTION IS DEPRECATED
384 --get-dh-params
386 List the included PKCS #3 encoded Diffie-Hellman parameters.
387 Returns stored DH parameters in GnuTLS. Those parameters
389 returned are defined in RFC7919, and can be considered standard
390 parameters for a TLS key exchange. This option is provided for
391 old applications which require DH parameters to be specified;
392 modern GnuTLS applications should not require them.
393 --dh-info
395 Print information PKCS #3 encoded Diffie-Hellman parameters.
396 --load-privkey=string
399 Loads a private key file.
400 This can be either a file or a PKCS #11 URL
402 --load-pubkey=string
404 Loads a public key file.
405 This can be either a file or a PKCS #11 URL
407 --load-request=string
409 Loads a certificate request file.
410 This option can be used with a file
412 --load-certificate=string
414 Loads a certificate file.
415 This option can be used with a file
417 --load-ca-privkey=string
419 Loads the certificate authority's private key file.
420 This can be either a file or a PKCS #11 URL
422 --load-ca-certificate=string
424 Loads the certificate authority's certificate file.
425 This can be either a file or a PKCS #11 URL
427 --load-crl=string
429 Loads the provided CRL.
430 This option can be used with a file
432 --load-data=string
434 Loads auxiliary data.
435 This option can be used with a file
437 --password=string
439 Password to use.
440 You can use this option to specify the password in the command
442 line instead of reading it from the tty. Note, that the command
443 line arguments are available for view in others in the system.
444 Specifying password as '' is the same as specifying no password.
445 --null-password
447 Enforce a NULL password.
448 This option enforces a NULL password. This is different than the
450 empty or no password in schemas like PKCS #8.
451 --empty-password
453 Enforce an empty password.
454 This option enforces an empty password. This is different than
456 the NULL or no password in schemas like PKCS #8.
457 --hex-numbers
459 Print big number in an easier format to parse.
460 --cprint
463 In certain operations it prints the information in C-friendly
464 format.
465 In certain operations it prints the information in C-friendly
467 format, suitable for including into C programs.
468 --rsa Generate RSA key.
470 When combined with --generate-privkey generates an RSA private
472 key.
473 NOTE: THIS OPTION IS DEPRECATED
475 --dsa Generate DSA key.
477 When combined with --generate-privkey generates a DSA private
479 key.
480 NOTE: THIS OPTION IS DEPRECATED
482 --ecc Generate ECC (ECDSA) key.
484 When combined with --generate-privkey generates an elliptic
486 curve private key to be used with ECDSA.
487 NOTE: THIS OPTION IS DEPRECATED
489 --ecdsa
491 This is an alias for the --ecc option.
492 NOTE: THIS OPTION IS DEPRECATED
494 --hash=string
496 Hash algorithm to use for signing.
497 Available hash functions are SHA1, RMD160, SHA256, SHA384,
499 SHA512, SHA3-224, SHA3-256, SHA3-384, SHA3-512.
500 --salt-size=number
502 Specify the RSA-PSS key default salt size. This option takes an
503 integer number as its argument.
504 Typical keys shouldn't set or restrict this option.
506 --inder, --no-inder
508 Use DER format for input certificates, private keys, and DH
509 parameters . The no-inder form will disable the option.
510 The input files will be assumed to be in DER or RAW format.
512 Unlike options that in PEM input would allow multiple input data
513 (e.g. multiple certificates), when reading in DER format a sin‐
514 gle data structure is read.
515 --inraw
517 This is an alias for the --inder option.
518 --outder, --no-outder
520 Use DER format for output certificates, private keys, and DH
521 parameters. The no-outder form will disable the option.
522 The output will be in DER or RAW format.
524 --outraw
526 This is an alias for the --outder option.
527 --disable-quick-random
529 No effect.
530 NOTE: THIS OPTION IS DEPRECATED
533 --template=string
535 Template file to use for non-interactive operation.
536 --stdout-info
539 Print information to stdout instead of stderr.
540 --ask-pass
543 Enable interaction for entering password when in batch mode..
544 This option will enable interaction to enter password when in
546 batch mode. That is useful when the template option has been
547 specified.
548 --pkcs-cipher=cipher
550 Cipher to use for PKCS #8 and #12 operations.
551 Cipher may be one of 3des, 3des-pkcs12, aes-128, aes-192,
553 aes-256, rc2-40, arcfour.
554 --provider=string
556 Specify the PKCS #11 provider library.
557 This will override the default options in
559 /etc/gnutls/pkcs11.conf
560 --text, --no-text
562 Output textual information before PEM-encoded certificates, pri‐
563 vate keys, etc. The no-text form will disable the option. This
564 option is enabled by default.
565 Output textual information before PEM-encoded data
567 -h, --help
569 Display usage information and exit.
570 -!, --more-help
572 Pass the extended usage information through a pager.
573 -v [{v|c|n --version [{v|c|n}]}]
575 Output version of program and exit. The default mode is `v', a
576 simple version. The `c' mode will print copyright information
577 and `n' will print the full copyright notice.
578
580 Certtool's template file format
581 A template file can be used to avoid the interactive questions of cert‐
582 tool. Initially create a file named 'cert.cfg' that contains the infor‐
583 mation about the certificate. The template can be used as below:
584 $ certtool --generate-certificate --load-privkey key.pem --template cert.cfg --outfile cert.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem
586 An example certtool template file that can be used to generate a cer‐
588 tificate request or a self signed certificate follows.
589 # X.509 Certificate options
591 #
592 # DN options
593 # The organization of the subject.
595 organization = "Koko inc."
596 # The organizational unit of the subject.
598 unit = "sleeping dept."
599 # The locality of the subject.
601 # locality =
602 # The state of the certificate owner.
604 state = "Attiki"
605 # The country of the subject. Two letter code.
607 country = GR
608 # The common name of the certificate owner.
610 cn = "Cindy Lauper"
611 # A user id of the certificate owner.
613 #uid = "clauper"
614 # Set domain components
616 #dc = "name"
617 #dc = "domain"
618 # If the supported DN OIDs are not adequate you can set
620 # any OID here.
621 # For example set the X.520 Title and the X.520 Pseudonym
622 # by using OID and string pairs.
623 #dn_oid = "2.5.4.12 Dr."
624 #dn_oid = "2.5.4.65 jackal"
625 # This is deprecated and should not be used in new
627 # certificates.
628 # pkcs9_email = "none@none.org"
629 # An alternative way to set the certificate's distinguished name directly
631 # is with the "dn" option. The attribute names allowed are:
632 # C (country), street, O (organization), OU (unit), title, CN (common name),
633 # L (locality), ST (state), placeOfBirth, gender, countryOfCitizenship,
634 # countryOfResidence, serialNumber, telephoneNumber, surName, initials,
635 # generationQualifier, givenName, pseudonym, dnQualifier, postalCode, name,
636 # businessCategory, DC, UID, jurisdictionOfIncorporationLocalityName,
637 # jurisdictionOfIncorporationStateOrProvinceName,
638 # jurisdictionOfIncorporationCountryName, XmppAddr, and numeric OIDs.
639 #dn = "cn = Nikos,st = New Something,C=GR,surName=Mavrogiannopoulos,2.5.4.9=Arkadias"
641 # The serial number of the certificate
643 # The value is in decimal (i.e. 1963) or hex (i.e. 0x07ab).
644 # Comment the field for a random serial number.
645 serial = 007
646 # In how many days, counting from today, this certificate will expire.
648 # Use -1 if there is no expiration date.
649 expiration_days = 700
650 # Alternatively you may set concrete dates and time. The GNU date string
652 # formats are accepted. See:
653 # https://www.gnu.org/software/tar/manual/html_node/Date-input-formats.html
654 #activation_date = "2004-02-29 16:21:42"
656 #expiration_date = "2025-02-29 16:24:41"
657 # X.509 v3 extensions
659 # A dnsname in case of a WWW server.
661 #dns_name = "www.none.org"
662 #dns_name = "www.morethanone.org"
663 # An othername defined by an OID and a hex encoded string
665 #other_name = "1.3.6.1.5.2.2 302ca00d1b0b56414e5245494e2e4f5247a11b3019a006020400000002a10f300d1b047269636b1b0561646d696e"
666 #other_name_utf8 = "1.2.4.5.6 A UTF8 string"
667 #other_name_octet = "1.2.4.5.6 A string that will be encoded as ASN.1 octet string"
668 # Allows writing an XmppAddr Identifier
670 #xmpp_name = juliet@im.example.com
671 # Names used in PKINIT
673 #krb5_principal = user@REALM.COM
674 #krb5_principal = HTTP/user@REALM.COM
675 # A subject alternative name URI
677 #uri = "https://www.example.com"
678 # An IP address in case of a server.
680 #ip_address = "192.168.1.1"
681 # An email in case of a person
683 email = "none@none.org"
684 # TLS feature (rfc7633) extension. That can is used to indicate mandatory TLS
686 # extension features to be provided by the server. In practice this is used
687 # to require the Status Request (extid: 5) extension from the server. That is,
688 # to require the server holding this certificate to provide a stapled OCSP response.
689 # You can have multiple lines for multiple TLS features.
690 # To ask for OCSP status request use:
692 #tls_feature = 5
693 # Challenge password used in certificate requests
695 challenge_password = 123456
696 # Password when encrypting a private key
698 #password = secret
699 # An URL that has CRLs (certificate revocation lists)
701 # available. Needed in CA certificates.
702 #crl_dist_points = "https://www.getcrl.crl/getcrl/"
703 # Whether this is a CA certificate or not
705 #ca
706 # Subject Unique ID (in hex)
708 #subject_unique_id = 00153224
709 # Issuer Unique ID (in hex)
711 #issuer_unique_id = 00153225
712 #### Key usage
714 # The following key usage flags are used by CAs and end certificates
716 # Whether this certificate will be used to sign data (needed
718 # in TLS DHE ciphersuites). This is the digitalSignature flag
719 # in RFC5280 terminology.
720 signing_key
721 # Whether this certificate will be used to encrypt data (needed
723 # in TLS RSA ciphersuites). Note that it is preferred to use different
724 # keys for encryption and signing. This is the keyEncipherment flag
725 # in RFC5280 terminology.
726 encryption_key
727 # Whether this key will be used to sign other certificates. The
729 # keyCertSign flag in RFC5280 terminology.
730 #cert_signing_key
731 # Whether this key will be used to sign CRLs. The
733 # cRLSign flag in RFC5280 terminology.
734 #crl_signing_key
735 # The keyAgreement flag of RFC5280. It's purpose is loosely
737 # defined. Not use it unless required by a protocol.
738 #key_agreement
739 # The dataEncipherment flag of RFC5280. It's purpose is loosely
741 # defined. Not use it unless required by a protocol.
742 #data_encipherment
743 # The nonRepudiation flag of RFC5280. It's purpose is loosely
745 # defined. Not use it unless required by a protocol.
746 #non_repudiation
747 #### Extended key usage (key purposes)
749 # The following extensions are used in an end certificate
751 # to clarify its purpose. Some CAs also use it to indicate
752 # the types of certificates they are purposed to sign.
753 # Whether this certificate will be used for a TLS client;
756 # this sets the id-kp-serverAuth (1.3.6.1.5.5.7.3.1) of
757 # extended key usage.
758 #tls_www_client
759 # Whether this certificate will be used for a TLS server;
761 # This sets the id-kp-clientAuth (1.3.6.1.5.5.7.3.2) of
762 # extended key usage.
763 #tls_www_server
764 # Whether this key will be used to sign code. This sets the
766 # id-kp-codeSigning (1.3.6.1.5.5.7.3.3) of extended key usage
767 # extension.
768 #code_signing_key
769 # Whether this key will be used to sign OCSP data. This sets the
771 # id-kp-OCSPSigning (1.3.6.1.5.5.7.3.9) of extended key usage extension.
772 #ocsp_signing_key
773 # Whether this key will be used for time stamping. This sets the
775 # id-kp-timeStamping (1.3.6.1.5.5.7.3.8) of extended key usage extension.
776 #time_stamping_key
777 # Whether this key will be used for email protection. This sets the
779 # id-kp-emailProtection (1.3.6.1.5.5.7.3.4) of extended key usage extension.
780 #email_protection_key
781 # Whether this key will be used for IPsec IKE operations (1.3.6.1.5.5.7.3.17).
783 #ipsec_ike_key
784 ## adding custom key purpose OIDs
786 # for microsoft smart card logon
788 # key_purpose_oid = 1.3.6.1.4.1.311.20.2.2
789 # for email protection
791 # key_purpose_oid = 1.3.6.1.5.5.7.3.4
792 # for any purpose (must not be used in intermediate CA certificates)
794 # key_purpose_oid = 2.5.29.37.0
795 ### end of key purpose OIDs
797 ### Adding arbitrary extensions
799 # This requires to provide the extension OIDs, as well as the extension data in
800 # hex format. The following two options are available since GnuTLS 3.5.3.
801 #add_extension = "1.2.3.4 0x0AAB01ACFE"
802 # As above but encode the data as an octet string
804 #add_extension = "1.2.3.4 octet_string(0x0AAB01ACFE)"
805 # For portability critical extensions shouldn't be set to certificates.
807 #add_critical_extension = "5.6.7.8 0x1AAB01ACFE"
808 # When generating a certificate from a certificate
810 # request, then honor the extensions stored in the request
811 # and store them in the real certificate.
812 #honor_crq_extensions
813 # Alternatively only specific extensions can be copied.
815 #honor_crq_ext = 2.5.29.17
816 #honor_crq_ext = 2.5.29.15
817 # Path length contraint. Sets the maximum number of
819 # certificates that can be used to certify this certificate.
820 # (i.e. the certificate chain length)
821 #path_len = -1
822 #path_len = 2
823 # OCSP URI
825 # ocsp_uri = https://my.ocsp.server/ocsp
826 # CA issuers URI
828 # ca_issuers_uri = https://my.ca.issuer
829 # Certificate policies
831 #policy1 = 1.3.6.1.4.1.5484.1.10.99.1.0
832 #policy1_txt = "This is a long policy to summarize"
833 #policy1_url = https://www.example.com/a-policy-to-read
834 #policy2 = 1.3.6.1.4.1.5484.1.10.99.1.1
836 #policy2_txt = "This is a short policy"
837 #policy2_url = https://www.example.com/another-policy-to-read
838 # The number of additional certificates that may appear in a
840 # path before the anyPolicy is no longer acceptable.
841 #inhibit_anypolicy_skip_certs 1
842 # Name constraints
844 # DNS
846 #nc_permit_dns = example.com
847 #nc_exclude_dns = test.example.com
848 # EMAIL
850 #nc_permit_email = "nmav@ex.net"
851 # Exclude subdomains of example.com
853 #nc_exclude_email = .example.com
854 # Exclude all e-mail addresses of example.com
856 #nc_exclude_email = example.com
857 # IP
859 #nc_permit_ip = 192.168.0.0/16
860 #nc_exclude_ip = 192.168.5.0/24
861 #nc_permit_ip = fc0a:eef2:e7e7:a56e::/64
862 # Options for proxy certificates
865 #proxy_policy_language = 1.3.6.1.5.5.7.21.1
866 # Options for generating a CRL
869 # The number of days the next CRL update will be due.
871 # next CRL update will be in 43 days
872 #crl_next_update = 43
873 # this is the 5th CRL by this CA
875 # The value is in decimal (i.e. 1963) or hex (i.e. 0x07ab).
876 # Comment the field for a time-based number.
877 # Time-based CRL numbers generated in GnuTLS 3.6.3 and later
878 # are significantly larger than those generated in previous
879 # versions. Since CRL numbers need to be monotonic, you need
880 # to specify the CRL number here manually if you intend to
881 # downgrade to an earlier version than 3.6.3 after publishing
882 # the CRL as it is not possible to specify CRL numbers greater
883 # than 263-2 using hex notation in those versions.
884 #crl_number = 5
885 # Specify the update dates more precisely.
887 #crl_this_update_date = "2004-02-29 16:21:42"
888 #crl_next_update_date = "2025-02-29 16:24:41"
889 # The date that the certificates will be made seen as
891 # being revoked.
892 #crl_revocation_date = "2025-02-29 16:24:41"
893
897 Generating private keys
898 To create an RSA private key, run:
899 $ certtool --generate-privkey --outfile key.pem --rsa
900 To create a DSA or elliptic curves (ECDSA) private key use the above
902 command combined with 'dsa' or 'ecc' options.
903 Generating certificate requests
905 To create a certificate request (needed when the certificate is issued
906 by another party), run:
907 certtool --generate-request --load-privkey key.pem --outfile request.pem
908 If the private key is stored in a smart card you can generate a request
910 by specifying the private key object URL.
911 $ ./certtool --generate-request --load-privkey "pkcs11:..." --load-pubkey "pkcs11:..." --outfile request.pem
912 Generating a self-signed certificate
915 To create a self signed certificate, use the command:
916 $ certtool --generate-privkey --outfile ca-key.pem
917 $ certtool --generate-self-signed --load-privkey ca-key.pem --outfile ca-cert.pem
918 Note that a self-signed certificate usually belongs to a certificate
920 authority, that signs other certificates.
921 Generating a certificate
923 To generate a certificate using the previous request, use the command:
924 $ certtool --generate-certificate --load-request request.pem --outfile cert.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem
925 To generate a certificate using the private key only, use the command:
927 $ certtool --generate-certificate --load-privkey key.pem --outfile cert.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem
928 Certificate information
930 To view the certificate information, use:
931 $ certtool --certificate-info --infile cert.pem
932 Changing the certificate format
934 To convert the certificate from PEM to DER format, use:
935 $ certtool --certificate-info --infile cert.pem --outder --outfile cert.der
936 PKCS #12 structure generation
938 To generate a PKCS #12 structure using the previous key and certifi‐
939 cate, use the command:
940 $ certtool --load-certificate cert.pem --load-privkey key.pem --to-p12 --outder --outfile key.p12
941 Some tools (reportedly web browsers) have problems with that file
943 because it does not contain the CA certificate for the certificate. To
944 work around that problem in the tool, you can use the --load-ca-cer‐
945 tificate parameter as follows:
946 $ certtool --load-ca-certificate ca.pem --load-certificate cert.pem --load-privkey key.pem --to-p12 --outder --outfile key.p12
948 Obtaining Diffie-Hellman parameters
950 To obtain the RFC7919 parameters for Diffie-Hellman key exchange, use
951 the command:
952 $ certtool --get-dh-params --outfile dh.pem --sec-param medium
953 Verifying a certificate
955 To verify a certificate in a file against the system's CA trust store
956 use the following command:
957 $ certtool --verify --infile cert.pem
958 It is also possible to simulate hostname verification with the follow‐
960 ing options:
961 $ certtool --verify --verify-hostname www.example.com --infile cert.pem
962 Proxy certificate generation
965 Proxy certificate can be used to delegate your credential to a tempo‐
966 rary, typically short-lived, certificate. To create one from the pre‐
967 viously created certificate, first create a temporary key and then gen‐
968 erate a proxy certificate for it, using the commands:
969 $ certtool --generate-privkey > proxy-key.pem
971 $ certtool --generate-proxy --load-ca-privkey key.pem --load-privkey proxy-key.pem --load-certificate cert.pem --outfile proxy-cert.pem
972 Certificate revocation list generation
974 To create an empty Certificate Revocation List (CRL) do:
975 $ certtool --generate-crl --load-ca-privkey x509-ca-key.pem --load-ca-certificate x509-ca.pem
977 To create a CRL that contains some revoked certificates, place the cer‐
979 tificates in a file and use --load-certificate as follows:
980 $ certtool --generate-crl --load-ca-privkey x509-ca-key.pem --load-ca-certificate x509-ca.pem --load-certificate revoked-certs.pem
982 To verify a Certificate Revocation List (CRL) do:
984 $ certtool --verify-crl --load-ca-certificate x509-ca.pem < crl.pem
986
988 One of the following exit values will be returned:
989 0 (EXIT_SUCCESS)
991 Successful program execution.
992 1 (EXIT_FAILURE)
994 The operation failed or the command syntax was not valid.
995 70 (EX_SOFTWARE)
997 libopts had an internal operational error. Please report it to
998 autogen-users@lists.sourceforge.net. Thank you.
999
1001 p11tool (1), psktool (1), srptool (1)
1002
1004 Nikos Mavrogiannopoulos, Simon Josefsson and others; see
1005 /usr/share/doc/gnutls/AUTHORS for a complete list.
1006
1008 Copyright (C) 2000-2019 Free Software Foundation, and others all rights
1009 reserved. This program is released under the terms of the GNU General
1010 Public License, version 3 or later.
1011
1013 Please send bug reports to: bugs@gnutls.org
1014
1016 This manual page was AutoGen-erated from the certtool option defini‐
1017 tions.
10183.6.7 27 Mar 2019 certtool(1)