1certtool(1) User Commands certtool(1)
2
6 certtool - GnuTLS certificate tool
7
9 certtool [-flags] [-flag [value]] [--option-name[[=| ]value]]
10 All arguments must be options.
12
15 Tool to parse and generate X.509 certificates, requests and private
16 keys. It can be used interactively or non interactively by specifying
17 the template command line option.
18 The tool accepts files or supported URIs via the --infile option. In
20 case PIN is required for URI access you can provide it using the envi‐
21 ronment variables GNUTLS_PIN and GNUTLS_SO_PIN.
22
25 -d number, --debug=number
26 Enable debugging. This option takes an integer number as its
27 argument. The value of number is constrained to being:
28 in the range 0 through 9999
29 Specifies the debug level.
31 -V, --verbose
33 More verbose output. This option may appear an unlimited number
34 of times.
35 --infile=file
38 Input file.
39 --outfile=string
42 Output file.
43 Certificate related options
46 -i, --certificate-info
47 Print information on the given certificate.
48 --pubkey-info
51 Print information on a public key.
52 The option combined with --load-request, --load-pubkey, --load-
54 privkey and --load-certificate will extract the public key of
55 the object in question.
56 -s, --generate-self-signed
58 Generate a self-signed certificate.
59 -c, --generate-certificate
62 Generate a signed certificate.
63 --generate-proxy
66 Generates a proxy certificate.
67 -u, --update-certificate
70 Update a signed certificate.
71 --fingerprint
74 Print the fingerprint of the given certificate.
75 This is a simple hash of the DER encoding of the certificate. It
77 can be combined with the --hash parameter. However, it is recom‐
78 mended for identification to use the key-id which depends only
79 on the certificate's key.
80 --key-id
82 Print the key ID of the given certificate.
83 This is a hash of the public key of the given certificate. It
85 identifies the key uniquely, remains the same on a certificate
86 renewal and depends only on signed fields of the certificate.
87 --certificate-pubkey
89 Print certificate's public key.
90 This option is deprecated as a duplicate of --pubkey-info
92 NOTE: THIS OPTION IS DEPRECATED
94 --v1 Generate an X.509 version 1 certificate (with no extensions).
96 --sign-params=string
99 Sign a certificate with a specific signature algorithm.
100 This option can be combined with --generate-certificate, to sign
102 the certificate with a specific signature algorithm variant. The
103 only option supported is 'RSA-PSS', and should be specified when
104 the signer does not have a certificate which is marked for RSA-
105 PSS use only.
106 Certificate request related options
108 --crq-info
109 Print information on the given certificate request.
110 -q, --generate-request
113 Generate a PKCS #10 certificate request. This option must not
114 appear in combination with any of the following options: infile.
115 Will generate a PKCS #10 certificate request. To specify a pri‐
117 vate key use --load-privkey.
118 --no-crq-extensions
120 Do not use extensions in certificate requests.
121 PKCS#12 file related options
124 --p12-info
125 Print information on a PKCS #12 structure.
126 This option will dump the contents and print the metadata of the
128 provided PKCS #12 structure.
129 --p12-name=string
131 The PKCS #12 friendly name to use.
132 The name to be used for the primary certificate and private key
134 in a PKCS #12 file.
135 --to-p12
137 Generate a PKCS #12 structure.
138 It requires a certificate, a private key and possibly a CA cer‐
140 tificate to be specified.
141 Private key related options
143 -k, --key-info
144 Print information on a private key.
145 --p8-info
148 Print information on a PKCS #8 structure.
149 This option will print information about encrypted PKCS #8
151 structures. That option does not require the decryption of the
152 structure.
153 --to-rsa
155 Convert an RSA-PSS key to raw RSA format.
156 It requires an RSA-PSS key as input and will output a raw RSA
158 key. This command is necessary for compatibility with applica‐
159 tions that cannot read RSA-PSS keys.
160 -p, --generate-privkey
162 Generate a private key.
163 When generating RSA-PSS private keys, the --hash option will
165 restrict the allowed hash for the key; in the same keys the
166 --salt-size option is also acceptable.
167 --key-type=string
169 Specify the key type to use on key generation.
170 This option can be combined with --generate-privkey, to specify
172 the key type to be generated. Valid options are, 'rsa', 'rsa-
173 pss', 'dsa', 'ecdsa', and 'ed25519'. When combined with cer‐
174 tificate generation it can be used to specify an RSA-PSS cer‐
175 tificate when an RSA key is given.
176 --bits=number
178 Specify the number of bits for key generation. This option
179 takes an integer number as its argument.
180 --curve=string
183 Specify the curve used for EC key generation.
184 Supported values are secp192r1, secp224r1, secp256r1, secp384r1
186 and secp521r1.
187 --sec-param=security parameter
189 Specify the security level [low, legacy, medium, high, ultra].
190 This is alternative to the bits option.
192 --to-p8
194 Convert a given key to a PKCS #8 structure.
195 This needs to be combined with --load-privkey.
197 -8, --pkcs8
199 Use PKCS #8 format for private keys.
200 --provable
203 Generate a private key or parameters from a seed using a prov‐
204 able method.
205 This will use the FIPS PUB186-4 algorithms (i.e., Shawe-Taylor)
207 for provable key generation. When specified the private keys or
208 parameters will be generated from a seed, and can be later vali‐
209 dated with --verify-provable-privkey to be correctly generated
210 from the seed. You may specify --seed or allow GnuTLS to gener‐
211 ate one (recommended). This option can be combined with --gener‐
212 ate-privkey or --generate-dh-params.
213 That option applies to RSA and DSA keys. On the DSA keys the PQG
215 parameters are generated using the seed, and on RSA the two
216 primes.
217 --verify-provable-privkey
219 Verify a private key generated from a seed using a provable
220 method.
221 This will use the FIPS-186-4 algorithms for provable key genera‐
223 tion. You may specify --seed or use the seed stored in the pri‐
224 vate key structure.
225 --seed=string
227 When generating a private key use the given hex-encoded seed.
228 The seed acts as a security parameter for the private key, and
230 thus a seed size which corresponds to the security level of the
231 private key should be provided (e.g., 256-bits seed).
232 CRL related options
234 -l, --crl-info
235 Print information on the given CRL structure.
236 --generate-crl
239 Generate a CRL.
240 This option generates a Certificate Revocation List. When com‐
242 bined with --load-crl it would use the loaded CRL as base for
243 the generated (i.e., all revoked certificates in the base will
244 be copied to the new CRL). To add new certificates to the CRL
245 use --load-certificate.
246 --verify-crl
248 Verify a Certificate Revocation List using a trusted list. This
249 option must appear in combination with the following options:
250 load-ca-certificate.
251 The trusted certificate list must be loaded with --load-ca-cer‐
253 tificate.
254 Certificate verification related options
256 -e, --verify-chain
257 Verify a PEM encoded certificate chain.
258 Verifies the validity of a certificate chain. That is, an
260 ordered set of certificates where each one is the issuer of the
261 previous, and the first is the end-certificate to be validated.
262 In a proper chain the last certificate is a self signed one. It
263 can be combined with --verify-purpose or --verify-hostname.
264 --verify
266 Verify a PEM encoded certificate (chain) against a trusted set.
267 The trusted certificate list can be loaded with --load-ca-cer‐
269 tificate. If no certificate list is provided, then the system's
270 trusted certificate list is used. Note that during verification
271 multiple paths may be explored. On a successful verification the
272 successful path will be the last one. It can be combined with
273 --verify-purpose or --verify-hostname.
274 --verify-hostname=string
276 Specify a hostname to be used for certificate chain verifica‐
277 tion.
278 This is to be combined with one of the verify certificate
280 options.
281 --verify-email=string
283 Specify a email to be used for certificate chain verification.
284 This option must not appear in combination with any of the fol‐
285 lowing options: verify-hostname.
286 This is to be combined with one of the verify certificate
288 options.
289 --verify-purpose=string
291 Specify a purpose OID to be used for certificate chain verifica‐
292 tion.
293 This object identifier restricts the purpose of the certificates
295 to be verified. Example purposes are 1.3.6.1.5.5.7.3.1 (TLS
296 WWW), 1.3.6.1.5.5.7.3.4 (EMAIL) etc. Note that a CA certificate
297 without a purpose set (extended key usage) is valid for any pur‐
298 pose.
299 --verify-allow-broken
301 Allow broken algorithms, such as MD5 for verification.
302 This can be combined with --p7-verify, --verify or --verify-
304 chain.
305 PKCS#7 structure options
307 --p7-generate
308 Generate a PKCS #7 structure.
309 This option generates a PKCS #7 certificate container structure.
311 To add certificates in the structure use --load-certificate and
312 --load-crl.
313 --p7-sign
315 Signs using a PKCS #7 structure.
316 This option generates a PKCS #7 structure containing a signature
318 for the provided data from infile. The data are stored within
319 the structure. The signer certificate has to be specified using
320 --load-certificate and --load-privkey. The input to --load-cer‐
321 tificate can be a list of certificates. In case of a list, the
322 first certificate is used for signing and the other certificates
323 are included in the structure.
324 --p7-detached-sign
326 Signs using a detached PKCS #7 structure.
327 This option generates a PKCS #7 structure containing a signature
329 for the provided data from infile. The signer certificate has to
330 be specified using --load-certificate and --load-privkey. The
331 input to --load-certificate can be a list of certificates. In
332 case of a list, the first certificate is used for signing and
333 the other certificates are included in the structure.
334 --p7-include-cert, --no-p7-include-cert
336 The signer's certificate will be included in the cert list..
337 The no-p7-include-cert form will disable the option. This
338 option is enabled by default.
339 This options works with --p7-sign or --p7-detached-sign and will
341 include or exclude the signer's certificate into the generated
342 signature.
343 --p7-time, --no-p7-time
345 Will include a timestamp in the PKCS #7 structure. The
346 no-p7-time form will disable the option.
347 This option will include a timestamp in the generated signature
349 --p7-show-data, --no-p7-show-data
351 Will show the embedded data in the PKCS #7 structure. The
352 no-p7-show-data form will disable the option.
353 This option can be combined with --p7-verify or --p7-info and
355 will display the embedded signed data in the PKCS #7 structure.
356 --p7-info
358 Print information on a PKCS #7 structure.
359 --p7-verify
362 Verify the provided PKCS #7 structure.
363 This option verifies the signed PKCS #7 structure. The certifi‐
365 cate list to use for verification can be specified with --load-
366 ca-certificate. When no certificate list is provided, then the
367 system's certificate list is used. Alternatively a direct signer
368 can be provided using --load-certificate. A key purpose can be
369 enforced with the --verify-purpose option, and the --load-data
370 option will utilize detached data.
371 --smime-to-p7
373 Convert S/MIME to PKCS #7 structure.
374 Other options
377 --generate-dh-params
378 Generate PKCS #3 encoded Diffie-Hellman parameters.
379 The will generate random parameters to be used with Diffie-Hell‐
381 man key exchange. The output parameters will be in PKCS #3 for‐
382 mat. Note that it is recommended to use the --get-dh-params
383 option instead.
384 NOTE: THIS OPTION IS DEPRECATED
386 --get-dh-params
388 List the included PKCS #3 encoded Diffie-Hellman parameters.
389 Returns stored DH parameters in GnuTLS. Those parameters
391 returned are defined in RFC7919, and can be considered standard
392 parameters for a TLS key exchange. This option is provided for
393 old applications which require DH parameters to be specified;
394 modern GnuTLS applications should not require them.
395 --dh-info
397 Print information PKCS #3 encoded Diffie-Hellman parameters.
398 --load-privkey=string
401 Loads a private key file.
402 This can be either a file or a PKCS #11 URL
404 --load-pubkey=string
406 Loads a public key file.
407 This can be either a file or a PKCS #11 URL
409 --load-request=string
411 Loads a certificate request file.
412 This option can be used with a file
414 --load-certificate=string
416 Loads a certificate file.
417 This option can be used with a file
419 --load-ca-privkey=string
421 Loads the certificate authority's private key file.
422 This can be either a file or a PKCS #11 URL
424 --load-ca-certificate=string
426 Loads the certificate authority's certificate file.
427 This can be either a file or a PKCS #11 URL
429 --load-crl=string
431 Loads the provided CRL.
432 This option can be used with a file
434 --load-data=string
436 Loads auxiliary data.
437 This option can be used with a file
439 --password=string
441 Password to use.
442 You can use this option to specify the password in the command
444 line instead of reading it from the tty. Note, that the command
445 line arguments are available for view in others in the system.
446 Specifying password as '' is the same as specifying no password.
447 --null-password
449 Enforce a NULL password.
450 This option enforces a NULL password. This is different than the
452 empty or no password in schemas like PKCS #8.
453 --empty-password
455 Enforce an empty password.
456 This option enforces an empty password. This is different than
458 the NULL or no password in schemas like PKCS #8.
459 --hex-numbers
461 Print big number in an easier format to parse.
462 --cprint
465 In certain operations it prints the information in C-friendly
466 format.
467 In certain operations it prints the information in C-friendly
469 format, suitable for including into C programs.
470 --rsa Generate RSA key.
472 When combined with --generate-privkey generates an RSA private
474 key.
475 NOTE: THIS OPTION IS DEPRECATED
477 --dsa Generate DSA key.
479 When combined with --generate-privkey generates a DSA private
481 key.
482 NOTE: THIS OPTION IS DEPRECATED
484 --ecc Generate ECC (ECDSA) key.
486 When combined with --generate-privkey generates an elliptic
488 curve private key to be used with ECDSA.
489 NOTE: THIS OPTION IS DEPRECATED
491 --ecdsa
493 This is an alias for the --ecc option.
494 NOTE: THIS OPTION IS DEPRECATED
496 --hash=string
498 Hash algorithm to use for signing.
499 Available hash functions are SHA1, RMD160, SHA256, SHA384,
501 SHA512, SHA3-224, SHA3-256, SHA3-384, SHA3-512.
502 --salt-size=number
504 Specify the RSA-PSS key default salt size. This option takes an
505 integer number as its argument.
506 Typical keys shouldn't set or restrict this option.
508 --inder, --no-inder
510 Use DER format for input certificates, private keys, and DH
511 parameters . The no-inder form will disable the option.
512 The input files will be assumed to be in DER or RAW format.
514 Unlike options that in PEM input would allow multiple input data
515 (e.g. multiple certificates), when reading in DER format a sin‐
516 gle data structure is read.
517 --inraw
519 This is an alias for the --inder option.
520 --outder, --no-outder
522 Use DER format for output certificates, private keys, and DH
523 parameters. The no-outder form will disable the option.
524 The output will be in DER or RAW format.
526 --outraw
528 This is an alias for the --outder option.
529 --disable-quick-random
531 No effect.
532 NOTE: THIS OPTION IS DEPRECATED
535 --template=string
537 Template file to use for non-interactive operation.
538 --stdout-info
541 Print information to stdout instead of stderr.
542 --ask-pass
545 Enable interaction for entering password when in batch mode..
546 This option will enable interaction to enter password when in
548 batch mode. That is useful when the template option has been
549 specified.
550 --pkcs-cipher=cipher
552 Cipher to use for PKCS #8 and #12 operations.
553 Cipher may be one of 3des, 3des-pkcs12, aes-128, aes-192,
555 aes-256, rc2-40, arcfour.
556 --provider=string
558 Specify the PKCS #11 provider library.
559 This will override the default options in
561 /etc/gnutls/pkcs11.conf
562 --text, --no-text
564 Output textual information before PEM-encoded certificates, pri‐
565 vate keys, etc. The no-text form will disable the option. This
566 option is enabled by default.
567 Output textual information before PEM-encoded data
569 -h, --help
571 Display usage information and exit.
572 -!, --more-help
574 Pass the extended usage information through a pager.
575 -v [{v|c|n --version [{v|c|n}]}]
577 Output version of program and exit. The default mode is `v', a
578 simple version. The `c' mode will print copyright information
579 and `n' will print the full copyright notice.
580
582 Certtool's template file format
583 A template file can be used to avoid the interactive questions of cert‐
584 tool. Initially create a file named 'cert.cfg' that contains the infor‐
585 mation about the certificate. The template can be used as below:
586 $ certtool --generate-certificate --load-privkey key.pem --template cert.cfg --outfile cert.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem
588 An example certtool template file that can be used to generate a cer‐
590 tificate request or a self signed certificate follows.
591 # X.509 Certificate options
593 #
594 # DN options
595 # The organization of the subject.
597 organization = "Koko inc."
598 # The organizational unit of the subject.
600 unit = "sleeping dept."
601 # The locality of the subject.
603 # locality =
604 # The state of the certificate owner.
606 state = "Attiki"
607 # The country of the subject. Two letter code.
609 country = GR
610 # The common name of the certificate owner.
612 cn = "Cindy Lauper"
613 # A user id of the certificate owner.
615 #uid = "clauper"
616 # Set domain components
618 #dc = "name"
619 #dc = "domain"
620 # If the supported DN OIDs are not adequate you can set
622 # any OID here.
623 # For example set the X.520 Title and the X.520 Pseudonym
624 # by using OID and string pairs.
625 #dn_oid = "2.5.4.12 Dr."
626 #dn_oid = "2.5.4.65 jackal"
627 # This is deprecated and should not be used in new
629 # certificates.
630 # pkcs9_email = "none@none.org"
631 # An alternative way to set the certificate's distinguished name directly
633 # is with the "dn" option. The attribute names allowed are:
634 # C (country), street, O (organization), OU (unit), title, CN (common name),
635 # L (locality), ST (state), placeOfBirth, gender, countryOfCitizenship,
636 # countryOfResidence, serialNumber, telephoneNumber, surName, initials,
637 # generationQualifier, givenName, pseudonym, dnQualifier, postalCode, name,
638 # businessCategory, DC, UID, jurisdictionOfIncorporationLocalityName,
639 # jurisdictionOfIncorporationStateOrProvinceName,
640 # jurisdictionOfIncorporationCountryName, XmppAddr, and numeric OIDs.
641 #dn = "cn = Nikos,st = New Something,C=GR,surName=Mavrogiannopoulos,2.5.4.9=Arkadias"
643 # The serial number of the certificate
645 # The value is in decimal (i.e. 1963) or hex (i.e. 0x07ab).
646 # Comment the field for a random serial number.
647 serial = 007
648 # In how many days, counting from today, this certificate will expire.
650 # Use -1 if there is no expiration date.
651 expiration_days = 700
652 # Alternatively you may set concrete dates and time. The GNU date string
654 # formats are accepted. See:
655 # https://www.gnu.org/software/tar/manual/html_node/Date-input-formats.html
656 #activation_date = "2004-02-29 16:21:42"
658 #expiration_date = "2025-02-29 16:24:41"
659 # X.509 v3 extensions
661 # A dnsname in case of a WWW server.
663 #dns_name = "www.none.org"
664 #dns_name = "www.morethanone.org"
665 # An othername defined by an OID and a hex encoded string
667 #other_name = "1.3.6.1.5.2.2 302ca00d1b0b56414e5245494e2e4f5247a11b3019a006020400000002a10f300d1b047269636b1b0561646d696e"
668 #other_name_utf8 = "1.2.4.5.6 A UTF8 string"
669 #other_name_octet = "1.2.4.5.6 A string that will be encoded as ASN.1 octet string"
670 # Allows writing an XmppAddr Identifier
672 #xmpp_name = juliet@im.example.com
673 # Names used in PKINIT
675 #krb5_principal = user@REALM.COM
676 #krb5_principal = HTTP/user@REALM.COM
677 # A subject alternative name URI
679 #uri = "https://www.example.com"
680 # An IP address in case of a server.
682 #ip_address = "192.168.1.1"
683 # An email in case of a person
685 email = "none@none.org"
686 # TLS feature (rfc7633) extension. That can is used to indicate mandatory TLS
688 # extension features to be provided by the server. In practice this is used
689 # to require the Status Request (extid: 5) extension from the server. That is,
690 # to require the server holding this certificate to provide a stapled OCSP response.
691 # You can have multiple lines for multiple TLS features.
692 # To ask for OCSP status request use:
694 #tls_feature = 5
695 # Challenge password used in certificate requests
697 challenge_password = 123456
698 # Password when encrypting a private key
700 #password = secret
701 # An URL that has CRLs (certificate revocation lists)
703 # available. Needed in CA certificates.
704 #crl_dist_points = "https://www.getcrl.crl/getcrl/"
705 # Whether this is a CA certificate or not
707 #ca
708 # Subject Unique ID (in hex)
710 #subject_unique_id = 00153224
711 # Issuer Unique ID (in hex)
713 #issuer_unique_id = 00153225
714 #### Key usage
716 # The following key usage flags are used by CAs and end certificates
718 # Whether this certificate will be used to sign data (needed
720 # in TLS DHE ciphersuites). This is the digitalSignature flag
721 # in RFC5280 terminology.
722 signing_key
723 # Whether this certificate will be used to encrypt data (needed
725 # in TLS RSA ciphersuites). Note that it is preferred to use different
726 # keys for encryption and signing. This is the keyEncipherment flag
727 # in RFC5280 terminology.
728 encryption_key
729 # Whether this key will be used to sign other certificates. The
731 # keyCertSign flag in RFC5280 terminology.
732 #cert_signing_key
733 # Whether this key will be used to sign CRLs. The
735 # cRLSign flag in RFC5280 terminology.
736 #crl_signing_key
737 # The keyAgreement flag of RFC5280. It's purpose is loosely
739 # defined. Not use it unless required by a protocol.
740 #key_agreement
741 # The dataEncipherment flag of RFC5280. It's purpose is loosely
743 # defined. Not use it unless required by a protocol.
744 #data_encipherment
745 # The nonRepudiation flag of RFC5280. It's purpose is loosely
747 # defined. Not use it unless required by a protocol.
748 #non_repudiation
749 #### Extended key usage (key purposes)
751 # The following extensions are used in an end certificate
753 # to clarify its purpose. Some CAs also use it to indicate
754 # the types of certificates they are purposed to sign.
755 # Whether this certificate will be used for a TLS client;
758 # this sets the id-kp-clientAuth (1.3.6.1.5.5.7.3.2) of
759 # extended key usage.
760 #tls_www_client
761 # Whether this certificate will be used for a TLS server;
763 # this sets the id-kp-serverAuth (1.3.6.1.5.5.7.3.1) of
764 # extended key usage.
765 #tls_www_server
766 # Whether this key will be used to sign code. This sets the
768 # id-kp-codeSigning (1.3.6.1.5.5.7.3.3) of extended key usage
769 # extension.
770 #code_signing_key
771 # Whether this key will be used to sign OCSP data. This sets the
773 # id-kp-OCSPSigning (1.3.6.1.5.5.7.3.9) of extended key usage extension.
774 #ocsp_signing_key
775 # Whether this key will be used for time stamping. This sets the
777 # id-kp-timeStamping (1.3.6.1.5.5.7.3.8) of extended key usage extension.
778 #time_stamping_key
779 # Whether this key will be used for email protection. This sets the
781 # id-kp-emailProtection (1.3.6.1.5.5.7.3.4) of extended key usage extension.
782 #email_protection_key
783 # Whether this key will be used for IPsec IKE operations (1.3.6.1.5.5.7.3.17).
785 #ipsec_ike_key
786 ## adding custom key purpose OIDs
788 # for microsoft smart card logon
790 # key_purpose_oid = 1.3.6.1.4.1.311.20.2.2
791 # for email protection
793 # key_purpose_oid = 1.3.6.1.5.5.7.3.4
794 # for any purpose (must not be used in intermediate CA certificates)
796 # key_purpose_oid = 2.5.29.37.0
797 ### end of key purpose OIDs
799 ### Adding arbitrary extensions
801 # This requires to provide the extension OIDs, as well as the extension data in
802 # hex format. The following two options are available since GnuTLS 3.5.3.
803 #add_extension = "1.2.3.4 0x0AAB01ACFE"
804 # As above but encode the data as an octet string
806 #add_extension = "1.2.3.4 octet_string(0x0AAB01ACFE)"
807 # For portability critical extensions shouldn't be set to certificates.
809 #add_critical_extension = "5.6.7.8 0x1AAB01ACFE"
810 # When generating a certificate from a certificate
812 # request, then honor the extensions stored in the request
813 # and store them in the real certificate.
814 #honor_crq_extensions
815 # Alternatively only specific extensions can be copied.
817 #honor_crq_ext = 2.5.29.17
818 #honor_crq_ext = 2.5.29.15
819 # Path length contraint. Sets the maximum number of
821 # certificates that can be used to certify this certificate.
822 # (i.e. the certificate chain length)
823 #path_len = -1
824 #path_len = 2
825 # OCSP URI
827 # ocsp_uri = https://my.ocsp.server/ocsp
828 # CA issuers URI
830 # ca_issuers_uri = https://my.ca.issuer
831 # Certificate policies
833 #policy1 = 1.3.6.1.4.1.5484.1.10.99.1.0
834 #policy1_txt = "This is a long policy to summarize"
835 #policy1_url = https://www.example.com/a-policy-to-read
836 #policy2 = 1.3.6.1.4.1.5484.1.10.99.1.1
838 #policy2_txt = "This is a short policy"
839 #policy2_url = https://www.example.com/another-policy-to-read
840 # The number of additional certificates that may appear in a
842 # path before the anyPolicy is no longer acceptable.
843 #inhibit_anypolicy_skip_certs 1
844 # Name constraints
846 # DNS
848 #nc_permit_dns = example.com
849 #nc_exclude_dns = test.example.com
850 # EMAIL
852 #nc_permit_email = "nmav@ex.net"
853 # Exclude subdomains of example.com
855 #nc_exclude_email = .example.com
856 # Exclude all e-mail addresses of example.com
858 #nc_exclude_email = example.com
859 # IP
861 #nc_permit_ip = 192.168.0.0/16
862 #nc_exclude_ip = 192.168.5.0/24
863 #nc_permit_ip = fc0a:eef2:e7e7:a56e::/64
864 # Options for proxy certificates
867 #proxy_policy_language = 1.3.6.1.5.5.7.21.1
868 # Options for generating a CRL
871 # The number of days the next CRL update will be due.
873 # next CRL update will be in 43 days
874 #crl_next_update = 43
875 # this is the 5th CRL by this CA
877 # The value is in decimal (i.e. 1963) or hex (i.e. 0x07ab).
878 # Comment the field for a time-based number.
879 # Time-based CRL numbers generated in GnuTLS 3.6.3 and later
880 # are significantly larger than those generated in previous
881 # versions. Since CRL numbers need to be monotonic, you need
882 # to specify the CRL number here manually if you intend to
883 # downgrade to an earlier version than 3.6.3 after publishing
884 # the CRL as it is not possible to specify CRL numbers greater
885 # than 263-2 using hex notation in those versions.
886 #crl_number = 5
887 # Specify the update dates more precisely.
889 #crl_this_update_date = "2004-02-29 16:21:42"
890 #crl_next_update_date = "2025-02-29 16:24:41"
891 # The date that the certificates will be made seen as
893 # being revoked.
894 #crl_revocation_date = "2025-02-29 16:24:41"
895
899 Generating private keys
900 To create an RSA private key, run:
901 $ certtool --generate-privkey --outfile key.pem --rsa
902 To create a DSA or elliptic curves (ECDSA) private key use the above
904 command combined with 'dsa' or 'ecc' options.
905 Generating certificate requests
907 To create a certificate request (needed when the certificate is issued
908 by another party), run:
909 certtool --generate-request --load-privkey key.pem --outfile request.pem
910 If the private key is stored in a smart card you can generate a request
912 by specifying the private key object URL.
913 $ ./certtool --generate-request --load-privkey "pkcs11:..." --load-pubkey "pkcs11:..." --outfile request.pem
914 Generating a self-signed certificate
917 To create a self signed certificate, use the command:
918 $ certtool --generate-privkey --outfile ca-key.pem
919 $ certtool --generate-self-signed --load-privkey ca-key.pem --outfile ca-cert.pem
920 Note that a self-signed certificate usually belongs to a certificate
922 authority, that signs other certificates.
923 Generating a certificate
925 To generate a certificate using the previous request, use the command:
926 $ certtool --generate-certificate --load-request request.pem --outfile cert.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem
927 To generate a certificate using the private key only, use the command:
929 $ certtool --generate-certificate --load-privkey key.pem --outfile cert.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem
930 Certificate information
932 To view the certificate information, use:
933 $ certtool --certificate-info --infile cert.pem
934 Changing the certificate format
936 To convert the certificate from PEM to DER format, use:
937 $ certtool --certificate-info --infile cert.pem --outder --outfile cert.der
938 PKCS #12 structure generation
940 To generate a PKCS #12 structure using the previous key and certifi‐
941 cate, use the command:
942 $ certtool --load-certificate cert.pem --load-privkey key.pem --to-p12 --outder --outfile key.p12
943 Some tools (reportedly web browsers) have problems with that file
945 because it does not contain the CA certificate for the certificate. To
946 work around that problem in the tool, you can use the --load-ca-cer‐
947 tificate parameter as follows:
948 $ certtool --load-ca-certificate ca.pem --load-certificate cert.pem --load-privkey key.pem --to-p12 --outder --outfile key.p12
950 Obtaining Diffie-Hellman parameters
952 To obtain the RFC7919 parameters for Diffie-Hellman key exchange, use
953 the command:
954 $ certtool --get-dh-params --outfile dh.pem --sec-param medium
955 Verifying a certificate
957 To verify a certificate in a file against the system's CA trust store
958 use the following command:
959 $ certtool --verify --infile cert.pem
960 It is also possible to simulate hostname verification with the follow‐
962 ing options:
963 $ certtool --verify --verify-hostname www.example.com --infile cert.pem
964 Proxy certificate generation
967 Proxy certificate can be used to delegate your credential to a tempo‐
968 rary, typically short-lived, certificate. To create one from the pre‐
969 viously created certificate, first create a temporary key and then gen‐
970 erate a proxy certificate for it, using the commands:
971 $ certtool --generate-privkey > proxy-key.pem
973 $ certtool --generate-proxy --load-ca-privkey key.pem --load-privkey proxy-key.pem --load-certificate cert.pem --outfile proxy-cert.pem
974 Certificate revocation list generation
976 To create an empty Certificate Revocation List (CRL) do:
977 $ certtool --generate-crl --load-ca-privkey x509-ca-key.pem --load-ca-certificate x509-ca.pem
979 To create a CRL that contains some revoked certificates, place the cer‐
981 tificates in a file and use --load-certificate as follows:
982 $ certtool --generate-crl --load-ca-privkey x509-ca-key.pem --load-ca-certificate x509-ca.pem --load-certificate revoked-certs.pem
984 To verify a Certificate Revocation List (CRL) do:
986 $ certtool --verify-crl --load-ca-certificate x509-ca.pem < crl.pem
988
990 One of the following exit values will be returned:
991 0 (EXIT_SUCCESS)
993 Successful program execution.
994 1 (EXIT_FAILURE)
996 The operation failed or the command syntax was not valid.
997 70 (EX_SOFTWARE)
999 libopts had an internal operational error. Please report it to
1000 autogen-users@lists.sourceforge.net. Thank you.
1001
1003 p11tool (1), psktool (1), srptool (1)
1004
1006 Nikos Mavrogiannopoulos, Simon Josefsson and others; see
1007 /usr/share/doc/gnutls/AUTHORS for a complete list.
1008
1010 Copyright (C) 2000-2019 Free Software Foundation, and others all rights
1011 reserved. This program is released under the terms of the GNU General
1012 Public License, version 3 or later.
1013
1015 Please send bug reports to: bugs@gnutls.org
1016
1018 This manual page was AutoGen-erated from the certtool option defini‐
1019 tions.
10203.6.8 25 May 2019 certtool(1)