certtool(1) — Linux manual pages

Linux manual pages	Section 1

Name

certtool — Manipulate certificates and keys.

DESCRIPTION

Generate X.509 certificates, certificate requests, and private keys.

OPTIONS

Program control options

−d, −−debug LEVEL: Specify the debug level. Default is 1.
−h, −−help: Shows this help text
−v, −−version: Shows the program's version

Getting information on X.509 certificates

−i, −−certificate−info: Print information on a certificate.
−k, −−key−info: Print information on a private key.
−l, −−crl−info: Print information on a CRL.
−−p12−info: Print information on a PKCS #12 structure.

Getting information on Openpgp certificates

−−pgp−−certificate−info: Print information on an OpenPGP certificate.
−−pgp−−key−info: Print information on an OpenPGP private key.
−−pgp−−ring−info: Print information on a keyring.

Generating/verifying X.509 certificates/keys

−c, −−generate−certificate: Generate a signed certificate.
−e, −−verify−chain: Verify a PEM encoded certificate chain. The last certificate in the chain must be a self signed one.
−−generate−dh−params: Generate PKCS #3 encoded Diffie-Hellman parameters.
−−load−ca−certificate FILE: Certificate authority's certificate file to use.
−−load−ca−privkey FILE: Certificate authority's private key file to use.
−−load−certificate FILE: Certificate file to use.
−−load−privkey FILE: Private key file to use.
−−load−request FILE: Certificate request file to use.
−p, −−generate−privkey: Generate a private key.
−q, −−generate−request: Generate a PKCS #10 certificate request.
−s, −−generate−self−signed: Generate a self-signed certificate.
−u, −−update−certificate: Update a signed certificate.

Controlling output

−8, −−pkcs8: Use PKCS #8 format for private keys.
−−pkcs−cipher: The cipher to use when doing pkcs encryption. Valid options are 3des,aes-128,aes-192,aes-256,rc2-40
−−dsa: Generate a DSA key.
−−bits BITS: Specify the number of bits for key generation.
−−export−ciphers: Use weak encryption algorithms.
−−inraw: Use RAW/DER format for input certificates and private keys.
−−infile FILE: Input file.
−−outraw: Use RAW/DER format for output certificates and private keys.
−−outfile FILE: Output file.
−−password PASSWORD: Password to use.
−−to−p12: Generate a PKCS #12 structure.
−−template: Use a template file to read input. See the doc/certtool.cfg in the distribution, for an example.
−−fix−key: Some previous versions of certtool generated wrongly the optional parameters in a private key. This may affect programs that used them. To fix an old private key use −−key−info in combination with this parameter.
−−v1: When generating a certificate use the X.509 version 1 format. This does not add any extensions (such as indication for a CA) but some programs do need these.

EXAMPLES

To create a private key, run:

$ certtool −−generate−privkey −−outfile key.pem

To create a certificate request (needed when the certificate is issued by another party), run:

$ certtool −−generate−request −−load−privkey key.pem \
   −−outfile request.pem

To generate a certificate using the previous request, use the command:

$ certtool −−generate−certificate −−load−request request.pem \
   −−outfile cert.pem −−load−ca−certificate ca−cert.pem \
   −−load−ca−privkey ca−key.pem

To generate a certificate using the private key only, use the command:

$ certtool −−generate−certificate −−load−privkey key.pem \
   −−outfile cert.pem −−load−ca−certificate ca−cert.pem \
   −−load−ca−privkey ca−key.pem

To view the certificate information, use:

$ certtool −−certificate−info −−infile cert.pem

To generate a PKCS #12 structure using the previous key and certificate, use the command:

$ certtool −−load−certificate cert.pem −−load−privkey key.pem \
   −−to−p12 −−outder −−outfile key.p12

AUTHOR

Nikos Mavroyanopoulos <[email protected]> and others; see /usr/share/doc/gnutls−bin/AUTHORS for a complete list.

This manual page was written by Ivo Timmermans <[email protected]>, for the Debian GNU/Linux system (but may be used by others).