certtool(1) — Linux manual pages

DESCRIPTION

Generate X.509 certificates, certificate requests, and private keys.

OPTIONS

Program control options

−−copyright: Shows the program's license
−d, −−debug LEVEL: Specify the debug level. Default is 1.
−h, −−help: Shows this help text
−v, −−version: Shows the program's version

Getting information

−i, −−certificate−info: Print information on a certificate.
−k, −−key−info: Print information on a private key.
−l, −−crl−info: Print information on a CRL.
−−p12−info: Print information on a PKCS #12 structure.

Generating/verifying certificates/keys

−c, −−generate−certificate: Generate a signed certificate.
−e, −−verify−chain: Verify a PEM encoded certificate chain. The last certificate in the chain must be a self signed one.
−−generate−dh−params: Generate PKCS #3 encoded Diffie Hellman parameters.
−−load−ca−certificate FILE: Certificate authority's certificate file to use.
−−load−ca−privkey FILE: Certificate authority's private key file to use.
−−load−certificate FILE: Certificate file to use.
−−load−privkey FILE: Private key file to use.
−−load−request FILE: Certificate request file to use.
−p, −−generate−privkey: Generate a private key.
−q, −−generate−request: Generate a PKCS #10 certificate request.
−s, −−generate−self−signed: Generate a self-signed certificate.
−u, −−update−certificate: Update a signed certificate.

Controlling output

−8, −−pkcs8: Use PKCS #8 format for private keys.
−−dsa: Generate a DSA key.
−−bits BITS: Specify the number of bits for key generation.
−−export−ciphers: Use weak encryption algorithms.
−−inder: Use DER format for input certificates and private keys.
−−infile FILE: Input file.
−−outder: Use DER format for output certificates and private keys.
−−outfile FILE: Output file.
−−password PASSWORD: Password to use.
−−to−p12: Generate a PKCS #12 structure.
−−template: Use a template file to read input. See the doc/certtool.cfg in the distribution, for an example.
−−fix−key: Some previous versions of certtool generated wrongly the optional parameters in a private key. This may affect programs that used them. To fix an old private key use −−key−info in combination with this parameter.

EXAMPLES

To create a private key, run:

$ certtool −−generate−privkey −−outfile key.pem

To create a certificate request, run:

$ certtool −−generate−request −−load−privkey key.pem \
   −−outfile request.pem

To generate a certificate using the previous request, use the command:

$ certtool −−generate−certificate −−load−request request.pem \
   −−outfile cert.pem −−load−ca−certificate ca−cert.pem \
   −−load−ca−privkey ca−key.pem

To view the certificate information, use:

$ certtool −−certificate−info −−infile cert.pem

To generate a PKCS #12 structure using the previous key and certificate, use the command:

$ certtool −−load−certificate cert.pem −−load−privkey key.pem \
   −−to−p12 −−outder −−outfile key.p12

AUTHOR

Nikos Mavroyanopoulos <nmav@gnutls.org> and others; see /usr/share/doc/gnutls−bin/AUTHORS for a complete list.

This manual page was written by Ivo Timmermans <ivo@debian.org>, for the Debian GNU/Linux system (but may be used by others).

Name