SSCG(8)                System Administration Utilities                SSCG(8)



       sscg - Tool for generating x.509 certificates

       sscg [OPTION...]

       -q, --quiet
              Display no output unless there is an error.

       -v, --verbose
              Display progress messages.

       -d, --debug
              Enable logging of debug messages. Implies verbose. Warning!
              This will print private key information to the screen!

       -V, --version
              Display the version number and exit.

       -f, --force
              Overwrite any pre-existing files in the requested locations.

       --lifetime=1-3650
              Certificate lifetime (days). (default: 398)

       --country=US, CZ, etc.
              Certificate DN: Country (C). (default: "US")

       --state=Massachusetts, British Columbia, etc.
              Certificate DN: State or Province (ST).

       --locality=Westford, Paris, etc.
              Certificate DN: Locality (L).

       --organization=My Company
              Certificate DN: Organization (O). (default: "Unspecified")

       --organizational-unit=Engineering, etc.
              Certificate DN: Organizational Unit (OU).

       --email=myname@example.com
              Certificate DN: Email Address (Email).

       --hostname=server.example.com
              The valid hostname of the certificate. Must be an FQDN.
              (default: current system FQDN)

       --subject-alt-name alt.example.com
              Optional additional valid hostnames for the certificate. In
              addition to hostnames, this option also accepts explicit values
              supported by RFC 5280 such as IP:xxx.xxx.xxx.xxx/yyy.yyy.yyy.yyy.
              May be specified multiple times.

       --package=STRING
              Unused. Retained for compatibility with earlier versions of
              sscg.

       --key-strength=2048 or larger
              Strength of the certificate private keys in bits. (default:
              2048)

       --hash-alg={sha256,sha384,sha512}
              Hashing algorithm to use for signing. (default: "sha256")

       --cipher-alg={des-ede3-cbc,aes-256-cbc}
              Cipher to use for encrypting key files. (default:
              "aes-256-cbc")

       --ca-file=STRING
              Path where the public CA certificate will be stored. (default:
              "./ca.crt")

       --ca-mode=0644
              File mode of the created CA certificate.

       --ca-key-file=STRING
              Path where the CA's private key will be stored. If unspecified,
              the key will be destroyed rather than written to the disk.

       --ca-key-mode=0600
              File mode of the created CA key.

       --ca-key-password=STRING
              Provide a password for the CA key file. Note that this will be
              visible in the process table for all users, so it should be used
              for testing purposes only. Use --ca-key-passfile or
              --ca-key-password-prompt for secure password entry.

       --ca-key-passfile=STRING
              A file containing the password to encrypt the CA key file.

       -C, --ca-key-password-prompt
              Prompt to enter a password for the CA key file.

       --crl-file=STRING
              Path where an (empty) Certificate Revocation List file will be
              created, for applications that expect such a file to exist. If
              unspecified, no such file will be created.

       --crl-mode=0644
              File mode of the created Certificate Revocation List.

       --cert-file=STRING
              Path where the public service certificate will be stored.
              (default: "./service.pem")

       --cert-mode=0644
              File mode of the created certificate.

       --cert-key-file=STRING
              Path where the service's private key will be stored. (default:
              "service-key.pem")

       --cert-key-mode=0600
              File mode of the created certificate key.

       -p, --cert-key-password=STRING
              Provide a password for the service key file. Note that this
              will be visible in the process table for all users, so this flag
              should be used for testing purposes only. Use --cert-key-passfile
              or --cert-key-password-prompt for secure password entry.

       --cert-key-passfile=STRING
              A file containing the password to encrypt the service key file.

       -P, --cert-key-password-prompt
              Prompt to enter a password for the service key file.

       --client-file=STRING
              Path where a client authentication certificate will be stored.

       --client-mode=0644
              File mode of the created certificate.

       --client-key-file=STRING
              Path where the client's private key will be stored. (default is
              the client-file)

       --client-key-mode=0600
              File mode of the created certificate key.

       --client-key-password=STRING
              Provide a password for the client key file. Note that this will
              be visible in the process table for all users, so this flag
              should be used for testing purposes only. Use
              --client-key-passfile or --client-key-password-prompt for secure
              password entry.

       --client-key-passfile=STRING
              A file containing the password to encrypt the client key file.

       --client-key-password-prompt
              Prompt to enter a password for the client key file.

       --dhparams-file=STRING
              A file to contain a set of Diffie-Hellman parameters. (Default:
              "./dhparams.pem")

       --no-dhparams-file
              Do not create the dhparams file.

       --dhparams-named-group=STRING
              Output well-known DH parameters. The available named groups are:
              ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192,
              modp_2048, modp_3072, modp_4096, modp_6144, modp_8192,
              modp_1536, dh_1024_160, dh_2048_224, dh_2048_256. (Default:
              "ffdhe4096")

       --dhparams-prime-len=INT
              The length of the prime number to generate for dhparams, in
              bits. If set to non-zero, the parameters will be generated
              rather than using a well-known group. (default: 0)

       --dhparams-generator={2,3,5}
              The generator value for dhparams. (default: 2)

       Help options:
       -?, --help
              Show this help message

       --usage
              Display brief usage message
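
The warnings attached to -d/--debug and to the three --*-key-password options can be checked before a wrapper script or unit file ever runs sscg. The following is an added example, not part of sscg or its documentation: a POSIX shell function, under the hypothetical name audit_sscg_args, that flags those options in an argument list. The sample invocation at the end is constructed.

```sh
#!/bin/sh
# Added example, not part of sscg: lint an sscg argument list for the options
# the man page warns about. Findings name the option only, never its value.

audit_sscg_args() {
    findings=0
    skip=0
    for arg in "$@"; do
        # The previous password option had no "=", so this argument is its value.
        if [ "$skip" -eq 1 ]; then skip=0; continue; fi
        case $arg in
            --ca-key-password|--cert-key-password|--client-key-password)
                echo "password-in-argv: $arg"
                findings=$((findings + 1)); skip=1 ;;
            --ca-key-password=*|--cert-key-password=*|--client-key-password=*)
                echo "password-in-argv: ${arg%%=*}"
                findings=$((findings + 1)) ;;
            --debug)
                echo "debug-prints-private-key: $arg"
                findings=$((findings + 1)) ;;
            -[!-]*)
                # Short-option cluster such as -vd or -pVALUE; only -p takes a value.
                cluster=${arg#-}
                while [ -n "$cluster" ]; do
                    c=${cluster%"${cluster#?}"}   # first character of the cluster
                    cluster=${cluster#?}
                    case $c in
                        d) echo "debug-prints-private-key: -d"
                           findings=$((findings + 1)) ;;
                        p) echo "password-in-argv: -p"
                           findings=$((findings + 1))
                           if [ -z "$cluster" ]; then skip=1; fi
                           break ;;
                    esac
                done ;;
        esac
    done
    [ "$findings" -eq 0 ]   # exit status 0 only when nothing was flagged
}

# Constructed sample invocation; hostname, password and passfile path are placeholders.
audit_sscg_args --hostname=server.example.com -vd \
    --ca-key-password=EXAMPLE --cert-key-passfile=/path/to/cert.pass || true
```

The function exits non-zero when anything is flagged, so it can gate a deployment step; the -prompt and -passfile variants pass through without a finding.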



sscg 3.0.3                       January 2023                         SSCG(8)