path: root/doc/manpages/certtool.1
.TH certtool 1 "May 23rd 2005"
.SH NAME
certtool \- Manipulate certificates and keys.
.SH SYNOPSIS
certtool [\fIoptions\fR]
.SH DESCRIPTION
Generate X.509 certificates, certificate requests, and private keys.
.SH OPTIONS
.SS Program control options
.IP "\-d, \-\-debug LEVEL"
Specify the debug level. Default is 1.
.IP "\-h, \-\-help"
Show this help text.
.IP "\-v, \-\-version"
Show the program's version.

.SS Getting information on X.509 certificates
.IP "\-i, \-\-certificate\-info"
Print information on a certificate.
.IP "\-k, \-\-key\-info"
Print information on a private key.
.IP "\-l, \-\-crl\-info"
Print information on a CRL.
.IP "\-\-p12\-info"
Print information on a PKCS #12 structure.

.SS Getting information on OpenPGP certificates
.IP "\-\-pgp\-certificate\-info"
Print information on an OpenPGP certificate.
.IP "\-\-pgp\-key\-info"
Print information on an OpenPGP private key.
.IP "\-\-pgp\-ring\-info"
Print information on an OpenPGP keyring.

.SS Generating/verifying X.509 certificates/keys
.IP "\-c, \-\-generate\-certificate"
Generate a signed certificate.
.IP "\-e, \-\-verify\-chain"
Verify a PEM encoded certificate chain. The last certificate in the chain must be a self-signed one.
.IP "\-\-generate\-dh\-params"
Generate PKCS #3 encoded Diffie-Hellman parameters.
.IP "\-\-load\-ca\-certificate FILE"
Certificate authority's certificate file to use.
.IP "\-\-load\-ca\-privkey FILE"
Certificate authority's private key file or PKCS #11 URL to use.
.IP "\-\-load\-certificate FILE"
Certificate file to use.
.IP "\-\-load\-privkey FILE"
Private key file or PKCS #11 URL to use.
.IP "\-\-load\-pubkey FILE"
Public key file or PKCS #11 URL to use.
.IP "\-\-load\-request FILE"
Certificate request file to use.
.IP "\-p, \-\-generate\-privkey"
Generate a private key.
.IP "\-q, \-\-generate\-request"
Generate a PKCS #10 certificate request.
.IP "\-s, \-\-generate\-self\-signed"
Generate a self-signed certificate.
.IP "\-u, \-\-update\-certificate"
Update a signed certificate.

.SS Controlling output
.IP "\-8, \-\-pkcs8"
Use PKCS #8 format for private keys.
.IP "\-\-pkcs\-cipher CIPHER"
The cipher to use for PKCS encryption (PKCS #8 and PKCS #12 structures). Valid options are
3des, aes-128, aes-192, aes-256, rc2-40.
.IP "\-\-dsa"
Generate a DSA key.
.IP "\-\-bits BITS"
Specify the number of bits for key generation.
.IP "\-\-export\-ciphers"
Use weak encryption algorithms.
.IP "\-\-inraw"
Use RAW/DER format for input certificates and private keys.
.IP "\-\-infile FILE"
Input file.
.IP "\-\-outraw"
Use RAW/DER format for output certificates and private keys.
.IP "\-\-outfile FILE"
Output file.
.IP "\-\-password PASSWORD"
Password to use.
.IP "\-\-to\-p12"
Generate a PKCS #12 structure.
.IP "\-\-template FILE"
Read the certificate fields from a template file instead of prompting for them.
See doc/certtool.cfg in the distribution for an example.
.IP "\-\-fix\-key"
Some previous versions of certtool generated the optional parameters
of a private key incorrectly. This may affect programs that use
those parameters. To fix such an old private key, use
\-\-key\-info in combination with this option.
.IP "\-\-v1"
When generating a certificate, use the X.509 version 1 format.
This does not add any extensions (such as the CA indication),
but some programs require the version 1 format.

.SH EXAMPLES
To create a private key, run:

.RS
.nf
$ certtool \-\-generate\-privkey \-\-outfile key.pem
.fi
.RE

To create a certificate request (needed when the certificate is issued by
another party), run:

.RS
.nf
$ certtool \-\-generate\-request \-\-load\-privkey key.pem \\
   \-\-outfile request.pem
.fi
.RE

To create a certificate request using a key stored in a PKCS #11
token, run:

.RS
.nf
$ certtool \-\-generate\-request \-\-load\-privkey "pkcs11:..." \\
   \-\-load\-pubkey "pkcs11:..." \-\-outfile request.pem
.fi
.RE

To generate a certificate using the previous request, use the command:

.RS
.nf
$ certtool \-\-generate\-certificate \-\-load\-request request.pem \\
   \-\-outfile cert.pem \-\-load\-ca\-certificate ca\-cert.pem \\
   \-\-load\-ca\-privkey ca\-key.pem
.fi
.RE

To generate a certificate using the private key only, use the command:

.RS
.nf
$ certtool \-\-generate\-certificate \-\-load\-privkey key.pem \\
   \-\-outfile cert.pem \-\-load\-ca\-certificate ca\-cert.pem \\
   \-\-load\-ca\-privkey ca\-key.pem
.fi
.RE

To view the certificate information, use:

.RS
.nf
$ certtool \-\-certificate\-info \-\-infile cert.pem
.fi
.RE

To generate a PKCS #12 structure using the previous key and certificate, use the command:

.RS
.nf
$ certtool \-\-load\-certificate cert.pem \-\-load\-privkey key.pem \\
   \-\-to\-p12 \-\-outder \-\-outfile key.p12
.fi
.RE
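.PP
The steps above, run end to end as one non-interactive script. This is an added example, not part of the certtool manual or the GnuTLS distribution; it assumes a certtool that accepts \-\-template, and the template keys it uses (organization, cn, ca, cert_signing_key, expiration_days, tls_www_server, dns_name) are the standard certtool.cfg keys. It builds a throwaway CA, issues a server certificate from a PKCS #10 request, and checks the result with \-\-verify\-chain.

```shell
# Added example (not from the certtool man page or GnuTLS).
# Returns 0 when the issued chain verifies, 2 when certtool is not
# installed, 1 on any failure. Everything is written to a temp dir
# that is removed afterwards; the template values are constructed.
pki_demo() {
    command -v certtool >/dev/null 2>&1 || return 2
    work=$(mktemp -d) || return 1
    (
        cd "$work" || exit 1
        # Templates keep certtool from prompting (see --template).
        cat > ca.cfg <<'EOF'
organization = "Example Lab (constructed)"
cn = "Example Lab Root CA"
ca
cert_signing_key
expiration_days = 30
EOF
        cat > server.cfg <<'EOF'
organization = "Example Lab (constructed)"
cn = "www.example.test"
dns_name = "www.example.test"
tls_www_server
expiration_days = 30
EOF
        # 1. CA key and self-signed CA certificate (the chain's last cert).
        certtool --generate-privkey --bits 2048 --outfile ca-key.pem \
            >/dev/null 2>&1 || exit 1
        certtool --generate-self-signed --load-privkey ca-key.pem \
            --template ca.cfg --outfile ca-cert.pem >/dev/null 2>&1 || exit 1
        # 2. Server key, PKCS #10 request, certificate issued by the CA.
        certtool --generate-privkey --bits 2048 --outfile key.pem \
            >/dev/null 2>&1 || exit 1
        certtool --generate-request --load-privkey key.pem \
            --template server.cfg --outfile request.pem >/dev/null 2>&1 || exit 1
        certtool --generate-certificate --load-request request.pem \
            --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem \
            --template server.cfg --outfile cert.pem >/dev/null 2>&1 || exit 1
        # 3. Verify: leaf certificate first, self-signed CA last.
        cat cert.pem ca-cert.pem > chain.pem
        certtool --verify-chain --infile chain.pem >/dev/null 2>&1 || exit 1
    )
    rc=$?
    rm -rf "$work"
    return "$rc"
}
```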

.SH AUTHOR
.PP
Nikos Mavrogiannopoulos <nmav@gnutls.org> and others; see
/usr/share/doc/gnutls\-bin/AUTHORS for a complete list.
.PP
This manual page was written by Ivo Timmermans <ivo@debian.org>, for
the Debian GNU/Linux system (but may be used by others).