1TOR-GENCERT(1) Tor Manual TOR-GENCERT(1)
2
3
4
6 tor-gencert - Generate certs and keys for Tor directory authorities
7
9 tor-gencert [-h|--help] [-v] [-r|--reuse] [--create-identity-key] [-i
10 id_file] [-c cert_file] [-m num] [-a address:port]
11
13 tor-gencert generates certificates and private keys for use by Tor
14 directory authorities running the v3 Tor directory protocol, as used by
15 Tor 0.2.0 and later. If you are not running a directory authority, you
16 don’t need to use tor-gencert.
17
18 Every directory authority has a long term authority identity key (which
19 is distinct from the identity key it uses as a Tor server); this key
20 should be kept offline in a secure location. It is used to certify
21 shorter-lived signing keys, which are kept online and used by the
22 directory authority to sign votes and consensus documents.
23
24 After you use this program to generate a signing key and a certificate,
25 copy those files to the keys subdirectory of your Tor process, and send
26 Tor a SIGHUP signal. DO NOT COPY THE IDENTITY KEY.
27
29 -v
30 Display verbose output.
31
32 -h or --help
33 Display help text and exit.
34
35 -r or --reuse
36 Generate a new certificate, but not a new signing key. This can be
37 used to change the address or lifetime associated with a given key.
38
39 --create-identity-key
40 Generate a new identity key. You should only use this option the
41 first time you run tor-gencert; in the future, you should use the
42 identity key that’s already there.
43
44 -i FILENAME
45 Read the identity key from the specified file. If the file is not
46 present and --create-identity-key is provided, create the identity
47 key in the specified file. Default: "./authority_identity_key"
48
49 -s FILENAME
50 Write the signing key to the specified file. Default:
51 "./authority_signing_key"
52
53 -c FILENAME
54 Write the certificate to the specified file. Default:
55 "./authority_certificate"
56
57 -m NUM
58 Number of months that the certificate should be valid. Default: 12.
59
60 --passphrase-fd FILEDES
61 Filedescriptor to read the passphrase from. Ends at the first NUL
62 or newline. Default: read from the terminal.
63
64 -a address:port
65 If provided, advertise the address:port combination as this
66 authority’s preferred directory port in its certificate. If the
67 address is a hostname, the hostname is resolved to an IP before
68 it’s published.
69
71 This probably doesn’t run on Windows. That’s not a big issue, since we
72 don’t really want authorities to be running on Windows anyway.
73
75 tor(1)
76
77 See also the "dir-spec.txt" file, distributed with Tor.
78
80 Roger Dingledine <arma@mit.edu>, Nick Mathewson <nickm@alum.mit.edu>.
81
83 Nick Mathewson
84 Author.
85
86
87
88Tor 11/07/2018 TOR-GENCERT(1)