path: root/manual/html_node/certtool-Invocation.html

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<!-- This manual is last updated 4 March 2015 for version
3.4.9 of GnuTLS.

Copyright (C) 2001-2015 Free Software Foundation, Inc.\\
Copyright (C) 2001-2015 Nikos Mavrogiannopoulos

Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License, Version 1.3 or
any later version published by the Free Software Foundation; with no
Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.  A
copy of the license is included in the section entitled "GNU Free
Documentation License". -->
<!-- Created by GNU Texinfo 6.0, http://www.gnu.org/software/texinfo/ -->
<head>
<title>GnuTLS 3.4.9: certtool Invocation</title>

<meta name="description" content="GnuTLS 3.4.9: certtool Invocation">
<meta name="keywords" content="GnuTLS 3.4.9: certtool Invocation">
<meta name="resource-type" content="document">
<meta name="distribution" content="global">
<meta name="Generator" content="makeinfo">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<link href="index.html#Top" rel="start" title="Top">
<link href="Function-and-Data-Index.html#Function-and-Data-Index" rel="index" title="Function and Data Index">
<link href="index.html#SEC_Contents" rel="contents" title="Table of Contents">
<link href="More-on-certificate-authentication.html#More-on-certificate-authentication" rel="up" title="More on certificate authentication">
<link href="ocsptool-Invocation.html#ocsptool-Invocation" rel="next" title="ocsptool Invocation">
<link href="Managing-encrypted-keys.html#Managing-encrypted-keys" rel="prev" title="Managing encrypted keys">
<style type="text/css">
<!--
a.summary-letter {text-decoration: none}
blockquote.indentedblock {margin-right: 0em}
blockquote.smallindentedblock {margin-right: 0em; font-size: smaller}
blockquote.smallquotation {font-size: smaller}
div.display {margin-left: 3.2em}
div.example {margin-left: 3.2em}
div.lisp {margin-left: 3.2em}
div.smalldisplay {margin-left: 3.2em}
div.smallexample {margin-left: 3.2em}
div.smalllisp {margin-left: 3.2em}
kbd {font-style: oblique}
pre.display {font-family: inherit}
pre.format {font-family: inherit}
pre.menu-comment {font-family: serif}
pre.menu-preformatted {font-family: serif}
pre.smalldisplay {font-family: inherit; font-size: smaller}
pre.smallexample {font-size: smaller}
pre.smallformat {font-family: inherit; font-size: smaller}
pre.smalllisp {font-size: smaller}
span.nocodebreak {white-space: nowrap}
span.nolinebreak {white-space: nowrap}
span.roman {font-family: serif; font-weight: normal}
span.sansserif {font-family: sans-serif; font-weight: normal}
ul.no-bullet {list-style: none}
body { 
	margin: 2%;
	padding: 0 5%;
	background: #ffffff;
}
h1,h2,h3,h4,h5 {
    font-weight: bold;
    padding: 5px 5px 5px 5px;
    background-color: #c2e0ff;
    color: #336699;
}
h1 {
    padding: 2em 2em 2em 5%;
    color: white;
    background: #336699;
    text-align: center;
    letter-spacing: 3px;
}
h2 { text-decoration: underline; }
pre {
  margin: 0 5%;
  padding: 0.5em;
}
pre.example,pre.verbatim {
  padding-bottom: 1em;

  border: solid #c2e0ff;
  background: #f0faff;
  border-width: 1px 1px 1px 5px;
  margin: 1em auto;
  width: 90%;
}

div.node {
  margin: 0 -5% 0 -2%;
  padding: 0.5em 0.5em;
  margin-top: 0.5em;
  margin-bottom: 0.5em;
  font-weight: bold;
}
dd, li {
  padding-top: 0.1em;
  padding-bottom: 0.1em;
}
div.float {

  margin-bottom: 0.5em;
  text-align: center;
}

table {
  text-align: left;
  margin-left:auto;
  margin-right:auto;
  border-spacing: 7px;
  width: 50%;
}

th {
  padding: 0;
  color: #336699;
  background-color: #c2e0ff;
  border: solid #000000;
  border-width: 0px;
  margin: 1em auto;
  text-align: center;
  margin-left:auto;
  margin-right:auto;
}

td {
  padding: 0;
  border: solid #000000;
  background-color: #f0faff;
  border-width: 0px;
  margin: 1em auto;
  text-align: left;
  margin-left:auto;
  margin-right:auto;
  padding-left: 1em;
}

dl {
  text-align: left;
  margin-left:auto;
  margin-right:auto;
  width: 50%;

  padding-left: 1em;
  border: solid #c2e0ff;
  background: #f0faff;
  border-width: 5px 1px 1px 1px;
  margin: 1em auto;
}

-->
</style>


</head>

<body lang="en">
<a name="certtool-Invocation"></a>
<div class="header">
<p>
Next: <a href="ocsptool-Invocation.html#ocsptool-Invocation" accesskey="n" rel="next">ocsptool Invocation</a>, Previous: <a href="Managing-encrypted-keys.html#Managing-encrypted-keys" accesskey="p" rel="prev">Managing encrypted keys</a>, Up: <a href="More-on-certificate-authentication.html#More-on-certificate-authentication" accesskey="u" rel="up">More on certificate authentication</a> &nbsp; [<a href="index.html#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="Function-and-Data-Index.html#Function-and-Data-Index" title="Index" rel="index">Index</a>]</p>
</div>
<hr>
<a name="Invoking-certtool"></a>
<h4 class="subsection">4.2.5 Invoking certtool</h4>
<a name="index-certtool"></a>


<p>Tool to parse and generate X.509 certificates, requests and private keys.
It can be used interactively or non interactively by
specifying the template command line option.
</p>
<p>The tool accepts files or URLs supported by GnuTLS. In case PIN is required for the URL
access you can provide it using the environment variables GNUTLS_PIN and GNUTLS_SO_PIN.
</p>

<p>This section was generated by <strong>AutoGen</strong>,
using the <code>agtexi-cmd</code> template and the option descriptions for the <code>certtool</code> program.
This software is released under the GNU General Public License, version 3 or later.
</p>

<a name="certtool-usage"></a><a name="certtool-help_002fusage-_0028_002d_002dhelp_0029"></a>
<h4 class="subsubheading">certtool help/usage (<samp>--help</samp>)</h4>
<a name="index-certtool-help"></a>

<p>This is the automatically generated usage text for certtool.
</p>
<p>The text printed is the same whether selected with the <code>help</code> option
(<samp>--help</samp>) or the <code>more-help</code> option (<samp>--more-help</samp>).  <code>more-help</code> will print
the usage text by passing it through a pager program.
<code>more-help</code> is disabled on platforms without a working
<code>fork(2)</code> function.  The <code>PAGER</code> environment variable is
used to select the program, defaulting to <samp>more</samp>.  Both will exit
with a status code of 0.
</p>
<div class="example">
<pre class="example">certtool - GnuTLS certificate tool
Usage:  certtool [ -&lt;flag&gt; [&lt;val&gt;] | --&lt;name&gt;[{=| }&lt;val&gt;] ]...

   -d, --debug=num            Enable debugging
                                - it must be in the range:
                                  0 to 9999
   -V, --verbose              More verbose output
                                - may appear multiple times
       --infile=file          Input file
                                - file must pre-exist
       --outfile=str          Output file
   -s, --generate-self-signed  Generate a self-signed certificate
   -c, --generate-certificate  Generate a signed certificate
       --generate-proxy       Generates a proxy certificate
       --generate-crl         Generate a CRL
   -u, --update-certificate   Update a signed certificate
   -p, --generate-privkey     Generate a private key
   -q, --generate-request     Generate a PKCS #10 certificate request
                                - prohibits the option 'infile'
   -e, --verify-chain         Verify a PEM encoded certificate chain
       --verify               Verify a PEM encoded certificate chain using a trusted list
       --verify-crl           Verify a CRL using a trusted list
                                - requires the option 'load-ca-certificate'
       --generate-dh-params   Generate PKCS #3 encoded Diffie-Hellman parameters
       --get-dh-params        Get the included PKCS #3 encoded Diffie-Hellman parameters
       --dh-info              Print information PKCS #3 encoded Diffie-Hellman parameters
       --load-privkey=str     Loads a private key file
       --load-pubkey=str      Loads a public key file
       --load-request=str     Loads a certificate request file
       --load-certificate=str Loads a certificate file
       --load-ca-privkey=str  Loads the certificate authority's private key file
       --load-ca-certificate=str Loads the certificate authority's certificate file
       --password=str         Password to use
       --null-password        Enforce a NULL password
       --empty-password       Enforce an empty password
       --hex-numbers          Print big number in an easier format to parse
       --cprint               In certain operations it prints the information in C-friendly format
   -i, --certificate-info     Print information on the given certificate
       --certificate-pubkey   Print certificate's public key
       --pgp-certificate-info  Print information on the given OpenPGP certificate
       --pgp-ring-info        Print information on the given OpenPGP keyring structure
   -l, --crl-info             Print information on the given CRL structure
       --crq-info             Print information on the given certificate request
       --no-crq-extensions    Do not use extensions in certificate requests
       --p12-info             Print information on a PKCS #12 structure
       --p12-name=str         The PKCS #12 friendly name to use
       --p7-info              Print information on a PKCS #7 structure
       --smime-to-p7          Convert S/MIME to PKCS #7 structure
   -k, --key-info             Print information on a private key
       --pgp-key-info         Print information on an OpenPGP private key
       --pubkey-info          Print information on a public key
       --v1                   Generate an X.509 version 1 certificate (with no extensions)
   -!, --to-p12               Generate a PKCS #12 structure
                                - requires the option 'load-certificate'
   -&quot;, --to-p8                Generate a PKCS #8 structure
   -8, --pkcs8                Use PKCS #8 format for private keys
   -#, --rsa                  Generate RSA key
   -$, --dsa                  Generate DSA key
   -%, --ecc                  Generate ECC (ECDSA) key
   -&amp;, --ecdsa                an alias for the 'ecc' option
   -', --hash=str             Hash algorithm to use for signing
   -(, --inder                Use DER format for input certificates, private keys, and DH parameters
                                - disabled as '--no-inder'
   -), --inraw                an alias for the 'inder' option
   -*, --outder               Use DER format for output certificates, private keys, and DH parameters
                                - disabled as '--no-outder'
   -+, --outraw               an alias for the 'outder' option
   -,, --bits=num             Specify the number of bits for key generate
   --, --curve=str            Specify the curve used for EC key generation
   -., --sec-param=str        Specify the security level [low, legacy, medium, high, ultra]
   -/, --disable-quick-random  No effect
   -0, --template=str         Template file to use for non-interactive operation
   -1, --stdout-info          Print information to stdout instead of stderr
   -2, --ask-pass             Enable interaction for entering password when in batch mode.
   -3, --pkcs-cipher=str      Cipher to use for PKCS #8 and #12 operations
   -4, --provider=str         Specify the PKCS #11 provider library
   -v, --version[=arg]        output version information and exit
   -h, --help                 display extended usage information and exit
   -!, --more-help            extended usage information passed thru pager

Options are specified by doubled hyphens and their name or by a single
hyphen and the flag character.

Tool to parse and generate X.509 certificates, requests and private keys.
It can be used interactively or non interactively by specifying the
template command line option.

The tool accepts files or URLs supported by GnuTLS.  In case PIN is
required for the URL access you can provide it using the environment
variables GNUTLS_PIN and GNUTLS_SO_PIN.

</pre></div>

<a name="certtool-debug"></a><a name="debug-option-_0028_002dd_0029-1"></a>
<h4 class="subsubheading">debug option (-d)</h4>

<p>This is the &ldquo;enable debugging&rdquo; option.
This option takes a number argument.
Specifies the debug level.
<a name="certtool-generate_002dcrl"></a></p><a name="generate_002dcrl-option"></a>
<h4 class="subsubheading">generate-crl option</h4>

<p>This is the &ldquo;generate a crl&rdquo; option.
This option generates a CRL. When combined with &ndash;load-crl it would use the loaded CRL as base for the generated (i.e., all revoked certificates in the base will be copied to the new CRL).
<a name="certtool-generate_002drequest"></a></p><a name="generate_002drequest-option-_0028_002dq_0029"></a>
<h4 class="subsubheading">generate-request option (-q)</h4>

<p>This is the &ldquo;generate a pkcs #10 certificate request&rdquo; option.
</p>
<p>This option has some usage constraints.  It:
</p><ul>
<li> must not appear in combination with any of the following options:
infile.
</li></ul>

<p>Will generate a PKCS #10 certificate request. To specify a private key use &ndash;load-privkey.
<a name="certtool-verify_002dchain"></a></p><a name="verify_002dchain-option-_0028_002de_0029"></a>
<h4 class="subsubheading">verify-chain option (-e)</h4>

<p>This is the &ldquo;verify a pem encoded certificate chain&rdquo; option.
The last certificate in the chain must be a self signed one. It can be combined with &ndash;verify-purpose or &ndash;verify-hostname.
<a name="certtool-verify"></a></p><a name="verify-option"></a>
<h4 class="subsubheading">verify option</h4>

<p>This is the &ldquo;verify a pem encoded certificate chain using a trusted list&rdquo; option.
The trusted certificate list can be loaded with &ndash;load-ca-certificate. If no
certificate list is provided, then the system&rsquo;s certificate list is used. Note that
during verification multiple paths may be explored. On a successful verification
the successful path will be the last one. It can be combined with &ndash;verify-purpose or &ndash;verify-hostname.
<a name="certtool-verify_002dcrl"></a></p><a name="verify_002dcrl-option"></a>
<h4 class="subsubheading">verify-crl option</h4>

<p>This is the &ldquo;verify a crl using a trusted list&rdquo; option.
</p>
<p>This option has some usage constraints.  It:
</p><ul>
<li> must appear in combination with the following options:
load-ca-certificate.
</li></ul>

<p>The trusted certificate list must be loaded with &ndash;load-ca-certificate.
<a name="certtool-verify_002dhostname"></a></p><a name="verify_002dhostname-option"></a>
<h4 class="subsubheading">verify-hostname option</h4>

<p>This is the &ldquo;specify a hostname to be used for certificate chain verification&rdquo; option.
This option takes a string argument.
This is to be combined with one of the verify certificate options.
<a name="certtool-verify_002demail"></a></p><a name="verify_002demail-option"></a>
<h4 class="subsubheading">verify-email option</h4>

<p>This is the &ldquo;specify a email to be used for certificate chain verification&rdquo; option.
This option takes a string argument.
</p>
<p>This option has some usage constraints.  It:
</p><ul>
<li> must not appear in combination with any of the following options:
verify-hostname.
</li></ul>

<p>This is to be combined with one of the verify certificate options.
<a name="certtool-verify_002dpurpose"></a></p><a name="verify_002dpurpose-option"></a>
<h4 class="subsubheading">verify-purpose option</h4>

<p>This is the &ldquo;specify a purpose oid to be used for certificate chain verification&rdquo; option.
This option takes a string argument.
This object identifier restricts the purpose of the certificates to be verified. Example purposes are 1.3.6.1.5.5.7.3.1 (TLS WWW), 1.3.6.1.5.5.7.3.4 (EMAIL) etc. Note that a CA certificate without a purpose set (extended key usage) is valid for any purpose.
<a name="certtool-get_002ddh_002dparams"></a></p><a name="get_002ddh_002dparams-option"></a>
<h4 class="subsubheading">get-dh-params option</h4>

<p>This is the &ldquo;get the included pkcs #3 encoded diffie-hellman parameters&rdquo; option.
Returns stored DH parameters in GnuTLS. Those parameters are used in the SRP protocol. The parameters returned by fresh generation
are more efficient since GnuTLS 3.0.9.
<a name="certtool-load_002dprivkey"></a></p><a name="load_002dprivkey-option"></a>
<h4 class="subsubheading">load-privkey option</h4>

<p>This is the &ldquo;loads a private key file&rdquo; option.
This option takes a string argument.
This can be either a file or a PKCS #11 URL
<a name="certtool-load_002dpubkey"></a></p><a name="load_002dpubkey-option"></a>
<h4 class="subsubheading">load-pubkey option</h4>

<p>This is the &ldquo;loads a public key file&rdquo; option.
This option takes a string argument.
This can be either a file or a PKCS #11 URL
<a name="certtool-load_002dcertificate"></a></p><a name="load_002dcertificate-option"></a>
<h4 class="subsubheading">load-certificate option</h4>

<p>This is the &ldquo;loads a certificate file&rdquo; option.
This option takes a string argument.
This can be either a file or a PKCS #11 URL
<a name="certtool-load_002dca_002dprivkey"></a></p><a name="load_002dca_002dprivkey-option"></a>
<h4 class="subsubheading">load-ca-privkey option</h4>

<p>This is the &ldquo;loads the certificate authority&rsquo;s private key file&rdquo; option.
This option takes a string argument.
This can be either a file or a PKCS #11 URL
<a name="certtool-load_002dca_002dcertificate"></a></p><a name="load_002dca_002dcertificate-option"></a>
<h4 class="subsubheading">load-ca-certificate option</h4>

<p>This is the &ldquo;loads the certificate authority&rsquo;s certificate file&rdquo; option.
This option takes a string argument.
This can be either a file or a PKCS #11 URL
<a name="certtool-password"></a></p><a name="password-option"></a>
<h4 class="subsubheading">password option</h4>

<p>This is the &ldquo;password to use&rdquo; option.
This option takes a string argument.
You can use this option to specify the password in the command line instead of reading it from the tty. Note, that the command line arguments are available for view in others in the system. Specifying password as &rdquo; is the same as specifying no password.
<a name="certtool-null_002dpassword"></a></p><a name="null_002dpassword-option"></a>
<h4 class="subsubheading">null-password option</h4>

<p>This is the &ldquo;enforce a null password&rdquo; option.
This option enforces a NULL password. This is different than the empty or no password in schemas like PKCS #8.
<a name="certtool-empty_002dpassword"></a></p><a name="empty_002dpassword-option"></a>
<h4 class="subsubheading">empty-password option</h4>

<p>This is the &ldquo;enforce an empty password&rdquo; option.
This option enforces an empty password. This is different than the NULL or no password in schemas like PKCS #8.
<a name="certtool-cprint"></a></p><a name="cprint-option"></a>
<h4 class="subsubheading">cprint option</h4>

<p>This is the &ldquo;in certain operations it prints the information in c-friendly format&rdquo; option.
In certain operations it prints the information in C-friendly format, suitable for including into C programs.
<a name="certtool-fingerprint"></a></p><a name="fingerprint-option"></a>
<h4 class="subsubheading">fingerprint option</h4>

<p>This is the &ldquo;print the fingerprint of the given certificate&rdquo; option.
This is a simple hash of the DER encoding of the certificate. It can be combined with the &ndash;hash parameter. However, it is recommended for identification to use the key-id which depends only on the certificate&rsquo;s key.
<a name="certtool-key_002did"></a></p><a name="key_002did-option"></a>
<h4 class="subsubheading">key-id option</h4>

<p>This is the &ldquo;print the key id of the given certificate&rdquo; option.
This is a hash of the public key of the given certificate. It identifies the key uniquely, remains the same on a certificate renewal and depends only on signed fields of the certificate.
<a name="certtool-p12_002dinfo"></a></p><a name="p12_002dinfo-option"></a>
<h4 class="subsubheading">p12-info option</h4>

<p>This is the &ldquo;print information on a pkcs #12 structure&rdquo; option.
This option will dump the contents and print the metadata of the provided PKCS #12 structure.
<a name="certtool-p12_002dname"></a></p><a name="p12_002dname-option"></a>
<h4 class="subsubheading">p12-name option</h4>

<p>This is the &ldquo;the pkcs #12 friendly name to use&rdquo; option.
This option takes a string argument.
The name to be used for the primary certificate and private key in a PKCS #12 file.
<a name="certtool-p7_002dgenerate"></a></p><a name="p7_002dgenerate-option"></a>
<h4 class="subsubheading">p7-generate option</h4>

<p>This is the &ldquo;generate a pkcs #7 structure&rdquo; option.
This option generates a PKCS #7 certificate container structure. To add certificates in the structure use &ndash;load-certificate and &ndash;load-crl.
<a name="certtool-p7_002dsign"></a></p><a name="p7_002dsign-option"></a>
<h4 class="subsubheading">p7-sign option</h4>

<p>This is the &ldquo;signs using a pkcs #7 structure&rdquo; option.
This option generates a PKCS #7 structure containing a signature for the provided data. The data are stored within the structure. The signer certificate has to be specified using &ndash;load-certificate and &ndash;load-privkey.
<a name="certtool-p7_002ddetached_002dsign"></a></p><a name="p7_002ddetached_002dsign-option"></a>
<h4 class="subsubheading">p7-detached-sign option</h4>

<p>This is the &ldquo;signs using a detached pkcs #7 structure&rdquo; option.
This option generates a PKCS #7 structure containing a signature for the provided data. The signer certificate has to be specified using &ndash;load-certificate and &ndash;load-privkey.
<a name="certtool-p7_002dinclude_002dcert"></a></p><a name="p7_002dinclude_002dcert-option"></a>
<h4 class="subsubheading">p7-include-cert option</h4>

<p>This is the &ldquo;the signer&rsquo;s certificate will be included in the cert list.&rdquo; option.
</p>
<p>This option has some usage constraints.  It:
</p><ul>
<li> can be disabled with &ndash;no-p7-include-cert.
</li><li> It is enabled by default.
</li></ul>

<p>This options works with &ndash;p7-sign or &ndash;p7-detached-sign and will include or exclude the signer&rsquo;s certificate into the generated signature.
<a name="certtool-p7_002dtime"></a></p><a name="p7_002dtime-option"></a>
<h4 class="subsubheading">p7-time option</h4>

<p>This is the &ldquo;will include a timestamp in the pkcs #7 structure&rdquo; option.
This option will include a timestamp in the generated signature
<a name="certtool-p7_002dshow_002ddata"></a></p><a name="p7_002dshow_002ddata-option"></a>
<h4 class="subsubheading">p7-show-data option</h4>

<p>This is the &ldquo;will show the embedded data in the pkcs #7 structure&rdquo; option.
</p>
<p>This option has some usage constraints.  It:
</p><ul>
<li> can be disabled with &ndash;no-p7-show-data.
</li></ul>

<p>This option can be combined with &ndash;p7-verify and will display the embedded signed data in the PKCS #7 structure.
<a name="certtool-p7_002dverify"></a></p><a name="p7_002dverify-option"></a>
<h4 class="subsubheading">p7-verify option</h4>

<p>This is the &ldquo;verify the provided pkcs #7 structure&rdquo; option.
This option verifies the signed PKCS #7 structure. The certificate list to use for verification can be specified with &ndash;load-ca-certificate. When no certificate list is provided, then the system&rsquo;s certificate list is used. Alternatively a direct signer can be provided using &ndash;load-certificate. A key purpose can be enforced with the &ndash;verify-purpose option, and the &ndash;load-data option will utilize detached data.
<a name="certtool-p8_002dinfo"></a></p><a name="p8_002dinfo-option"></a>
<h4 class="subsubheading">p8-info option</h4>

<p>This is the &ldquo;print information on a pkcs #8 structure&rdquo; option.
This option will print information about encrypted PKCS #8 structures. That option does not require the decryption of the structure.
<a name="certtool-pubkey_002dinfo"></a></p><a name="pubkey_002dinfo-option"></a>
<h4 class="subsubheading">pubkey-info option</h4>

<p>This is the &ldquo;print information on a public key&rdquo; option.
The option combined with &ndash;load-request, &ndash;load-pubkey, &ndash;load-privkey and &ndash;load-certificate will extract the public key of the object in question.
<a name="certtool-to_002dp12"></a></p><a name="to_002dp12-option"></a>
<h4 class="subsubheading">to-p12 option</h4>

<p>This is the &ldquo;generate a pkcs #12 structure&rdquo; option.
</p>
<p>This option has some usage constraints.  It:
</p><ul>
<li> must appear in combination with the following options:
load-certificate.
</li></ul>

<p>It requires a certificate, a private key and possibly a CA certificate to be specified.
<a name="certtool-rsa"></a></p><a name="rsa-option"></a>
<h4 class="subsubheading">rsa option</h4>

<p>This is the &ldquo;generate rsa key&rdquo; option.
When combined with &ndash;generate-privkey generates an RSA private key.
<a name="certtool-dsa"></a></p><a name="dsa-option"></a>
<h4 class="subsubheading">dsa option</h4>

<p>This is the &ldquo;generate dsa key&rdquo; option.
When combined with &ndash;generate-privkey generates a DSA private key.
<a name="certtool-ecc"></a></p><a name="ecc-option"></a>
<h4 class="subsubheading">ecc option</h4>

<p>This is the &ldquo;generate ecc (ecdsa) key&rdquo; option.
When combined with &ndash;generate-privkey generates an elliptic curve private key to be used with ECDSA.
<a name="certtool-ecdsa"></a></p><a name="ecdsa-option"></a>
<h4 class="subsubheading">ecdsa option</h4>

<p>This is an alias for the <code>ecc</code> option,
see <a href="#certtool-ecc">the ecc option documentation</a>.
</p>
<a name="certtool-hash"></a><a name="hash-option"></a>
<h4 class="subsubheading">hash option</h4>

<p>This is the &ldquo;hash algorithm to use for signing&rdquo; option.
This option takes a string argument.
Available hash functions are SHA1, RMD160, SHA256, SHA384, SHA512.
<a name="certtool-inder"></a></p><a name="inder-option-1"></a>
<h4 class="subsubheading">inder option</h4>

<p>This is the &ldquo;use der format for input certificates, private keys, and dh parameters &rdquo; option.
</p>
<p>This option has some usage constraints.  It:
</p><ul>
<li> can be disabled with &ndash;no-inder.
</li></ul>

<p>The input files will be assumed to be in DER or RAW format. 
Unlike options that in PEM input would allow multiple input data (e.g. multiple 
certificates), when reading in DER format a single data structure is read.
<a name="certtool-inraw"></a></p><a name="inraw-option"></a>
<h4 class="subsubheading">inraw option</h4>

<p>This is an alias for the <code>inder</code> option,
see <a href="#certtool-inder">the inder option documentation</a>.
</p>
<a name="certtool-outder"></a><a name="outder-option-1"></a>
<h4 class="subsubheading">outder option</h4>

<p>This is the &ldquo;use der format for output certificates, private keys, and dh parameters&rdquo; option.
</p>
<p>This option has some usage constraints.  It:
</p><ul>
<li> can be disabled with &ndash;no-outder.
</li></ul>

<p>The output will be in DER or RAW format.
<a name="certtool-outraw"></a></p><a name="outraw-option"></a>
<h4 class="subsubheading">outraw option</h4>

<p>This is an alias for the <code>outder</code> option,
see <a href="#certtool-outder">the outder option documentation</a>.
</p>
<a name="certtool-curve"></a><a name="curve-option"></a>
<h4 class="subsubheading">curve option</h4>

<p>This is the &ldquo;specify the curve used for ec key generation&rdquo; option.
This option takes a string argument.
Supported values are secp192r1, secp224r1, secp256r1, secp384r1 and secp521r1.
<a name="certtool-sec_002dparam"></a></p><a name="sec_002dparam-option-1"></a>
<h4 class="subsubheading">sec-param option</h4>

<p>This is the &ldquo;specify the security level [low, legacy, medium, high, ultra]&rdquo; option.
This option takes a string argument <samp>Security parameter</samp>.
This is alternative to the bits option.
<a name="certtool-ask_002dpass"></a></p><a name="ask_002dpass-option"></a>
<h4 class="subsubheading">ask-pass option</h4>

<p>This is the &ldquo;enable interaction for entering password when in batch mode.&rdquo; option.
This option will enable interaction to enter password when in batch mode. That is useful when the template option has been specified.
<a name="certtool-pkcs_002dcipher"></a></p><a name="pkcs_002dcipher-option"></a>
<h4 class="subsubheading">pkcs-cipher option</h4>

<p>This is the &ldquo;cipher to use for pkcs #8 and #12 operations&rdquo; option.
This option takes a string argument <samp>Cipher</samp>.
Cipher may be one of 3des, 3des-pkcs12, aes-128, aes-192, aes-256, rc2-40, arcfour.
<a name="certtool-provider"></a></p><a name="provider-option"></a>
<h4 class="subsubheading">provider option</h4>

<p>This is the &ldquo;specify the pkcs #11 provider library&rdquo; option.
This option takes a string argument.
This will override the default options in /etc/gnutls/pkcs11.conf
<a name="certtool-exit-status"></a></p><a name="certtool-exit-status-1"></a>
<h4 class="subsubheading">certtool exit status</h4>

<p>One of the following exit values will be returned:
</p><dl compact="compact">
<dt>&lsquo;<samp>0 (EXIT_SUCCESS)</samp>&rsquo;</dt>
<dd><p>Successful program execution.
</p></dd>
<dt>&lsquo;<samp>1 (EXIT_FAILURE)</samp>&rsquo;</dt>
<dd><p>The operation failed or the command syntax was not valid.
</p></dd>
</dl>
<a name="certtool-See-Also"></a><a name="certtool-See-Also-1"></a>
<h4 class="subsubheading">certtool See Also</h4>
<p>p11tool (1)
<a name="certtool-Examples"></a></p><a name="certtool-Examples-1"></a>
<h4 class="subsubheading">certtool Examples</h4>
<a name="Generating-private-keys"></a>
<h4 class="subsubheading">Generating private keys</h4>
<p>To create an RSA private key, run:
</p><div class="example">
<pre class="example">$ certtool --generate-privkey --outfile key.pem --rsa
</pre></div>

<p>To create a DSA or elliptic curves (ECDSA) private key use the
above command combined with &rsquo;dsa&rsquo; or &rsquo;ecc&rsquo; options.
</p>
<a name="Generating-certificate-requests"></a>
<h4 class="subsubheading">Generating certificate requests</h4>
<p>To create a certificate request (needed when the certificate is  issued  by
another party), run:
</p><div class="example">
<pre class="example">certtool --generate-request --load-privkey key.pem \
   --outfile request.pem
</pre></div>

<p>If the private key is stored in a smart card you can generate
a request by specifying the private key object URL.
</p><div class="example">
<pre class="example">$ ./certtool --generate-request --load-privkey &quot;pkcs11:...&quot; \
  --load-pubkey &quot;pkcs11:...&quot; --outfile request.pem
</pre></div>


<a name="Generating-a-self_002dsigned-certificate"></a>
<h4 class="subsubheading">Generating a self-signed certificate</h4>
<p>To create a self signed certificate, use the command:
</p><div class="example">
<pre class="example">$ certtool --generate-privkey --outfile ca-key.pem
$ certtool --generate-self-signed --load-privkey ca-key.pem \
   --outfile ca-cert.pem
</pre></div>

<p>Note that a self-signed certificate usually belongs to a certificate
authority, that signs other certificates.
</p>
<a name="Generating-a-certificate"></a>
<h4 class="subsubheading">Generating a certificate</h4>
<p>To generate a certificate using the previous request, use the command:
</p><div class="example">
<pre class="example">$ certtool --generate-certificate --load-request request.pem \
   --outfile cert.pem --load-ca-certificate ca-cert.pem \
   --load-ca-privkey ca-key.pem
</pre></div>

<p>To generate a certificate using the private key only, use the command:
</p><div class="example">
<pre class="example">$ certtool --generate-certificate --load-privkey key.pem \
   --outfile cert.pem --load-ca-certificate ca-cert.pem \
   --load-ca-privkey ca-key.pem
</pre></div>

<a name="Certificate-information"></a>
<h4 class="subsubheading">Certificate information</h4>
<p>To view the certificate information, use:
</p><div class="example">
<pre class="example">$ certtool --certificate-info --infile cert.pem
</pre></div>

<a name="PKCS-_002312-structure-generation"></a>
<h4 class="subsubheading">PKCS #12 structure generation</h4>
<p>To generate a PKCS #12 structure using the previous key and certificate,
use the command:
</p><div class="example">
<pre class="example">$ certtool --load-certificate cert.pem --load-privkey key.pem \
   --to-p12 --outder --outfile key.p12
</pre></div>

<p>Some tools (reportedly web browsers) have problems with that file
because it does not contain the CA certificate for the certificate.
To work around that problem in the tool, you can use the
&ndash;load-ca-certificate parameter as follows:
</p>
<div class="example">
<pre class="example">$ certtool --load-ca-certificate ca.pem \
  --load-certificate cert.pem --load-privkey key.pem \
  --to-p12 --outder --outfile key.p12
</pre></div>

<a name="Diffie_002dHellman-parameter-generation"></a>
<h4 class="subsubheading">Diffie-Hellman parameter generation</h4>
<p>To generate parameters for Diffie-Hellman key exchange, use the command:
</p><div class="example">
<pre class="example">$ certtool --generate-dh-params --outfile dh.pem --sec-param medium
</pre></div>

<a name="Proxy-certificate-generation"></a>
<h4 class="subsubheading">Proxy certificate generation</h4>
<p>Proxy certificate can be used to delegate your credential to a
temporary, typically short-lived, certificate.  To create one from the
previously created certificate, first create a temporary key and then
generate a proxy certificate for it, using the commands:
</p>
<div class="example">
<pre class="example">$ certtool --generate-privkey &gt; proxy-key.pem
$ certtool --generate-proxy --load-ca-privkey key.pem \
  --load-privkey proxy-key.pem --load-certificate cert.pem \
  --outfile proxy-cert.pem
</pre></div>

<a name="Certificate-revocation-list-generation"></a>
<h4 class="subsubheading">Certificate revocation list generation</h4>
<p>To create an empty Certificate Revocation List (CRL) do:
</p>
<div class="example">
<pre class="example">$ certtool --generate-crl --load-ca-privkey x509-ca-key.pem \
           --load-ca-certificate x509-ca.pem
</pre></div>

<p>To create a CRL that contains some revoked certificates, place the
certificates in a file and use <code>--load-certificate</code> as follows:
</p>
<div class="example">
<pre class="example">$ certtool --generate-crl --load-ca-privkey x509-ca-key.pem \
  --load-ca-certificate x509-ca.pem --load-certificate revoked-certs.pem
</pre></div>

<p>To verify a Certificate Revocation List (CRL) do:
</p>
<div class="example">
<pre class="example">$ certtool --verify-crl --load-ca-certificate x509-ca.pem &lt; crl.pem
</pre></div>
<a name="certtool-Files"></a><a name="certtool-Files-1"></a>
<h4 class="subsubheading">certtool Files</h4>
<a name="Certtool_0027s-template-file-format"></a>
<h4 class="subsubheading">Certtool&rsquo;s template file format</h4>
<p>A template file can be used to avoid the interactive questions of
certtool. Initially create a file named &rsquo;cert.cfg&rsquo; that contains the information
about the certificate. The template can be used as below:
</p>
<div class="example">
<pre class="example">$ certtool --generate-certificate --load-privkey key.pem  \
   --template cert.cfg --outfile cert.pem \
   --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem
</pre></div>

<p>An example certtool template file that can be used to generate a certificate
request or a self signed certificate follows.
</p>
<div class="example">
<pre class="example"># X.509 Certificate options
#
# DN options

# The organization of the subject.
organization = &quot;Koko inc.&quot;

# The organizational unit of the subject.
unit = &quot;sleeping dept.&quot;

# The locality of the subject.
# locality =

# The state of the certificate owner.
state = &quot;Attiki&quot;

# The country of the subject. Two letter code.
country = GR

# The common name of the certificate owner.
cn = &quot;Cindy Lauper&quot;

# A user id of the certificate owner.
#uid = &quot;clauper&quot;

# Set domain components
#dc = &quot;name&quot;
#dc = &quot;domain&quot;

# If the supported DN OIDs are not adequate you can set
# any OID here.
# For example set the X.520 Title and the X.520 Pseudonym
# by using OID and string pairs.
#dn_oid = 2.5.4.12 Dr. 
#dn_oid = 2.5.4.65 jackal

# This is deprecated and should not be used in new
# certificates.
# pkcs9_email = &quot;none@none.org&quot;

# An alternative way to set the certificate's distinguished name directly
# is with the &quot;dn&quot; option. The attribute names allowed are:
# C (country), street, O (organization), OU (unit), title, CN (common name),
# L (locality), ST (state), placeOfBirth, gender, countryOfCitizenship, 
# countryOfResidence, serialNumber, telephoneNumber, surName, initials, 
# generationQualifier, givenName, pseudonym, dnQualifier, postalCode, name, 
# businessCategory, DC, UID, jurisdictionOfIncorporationLocalityName, 
# jurisdictionOfIncorporationStateOrProvinceName,
# jurisdictionOfIncorporationCountryName, XmppAddr, and numeric OIDs.

#dn = &quot;cn = Nikos,st = New\, Something,C=GR,surName=Mavrogiannopoulos,2.5.4.9=Arkadias&quot;

# The serial number of the certificate
# Comment the field for a time-based serial number.
serial = 007

# In how many days, counting from today, this certificate will expire.
# Use -1 if there is no expiration date.
expiration_days = 700

# Alternatively you may set concrete dates and time. The GNU date string 
# formats are accepted. See:
# http://www.gnu.org/software/tar/manual/html_node/Date-input-formats.html

#activation_date = &quot;2004-02-29 16:21:42&quot;
#expiration_date = &quot;2025-02-29 16:24:41&quot;

# X.509 v3 extensions

# A dnsname in case of a WWW server.
#dns_name = &quot;www.none.org&quot;
#dns_name = &quot;www.morethanone.org&quot;

# A subject alternative name URI
#uri = &quot;http://www.example.com&quot;

# An IP address in case of a server.
#ip_address = &quot;192.168.1.1&quot;

# An email in case of a person
email = &quot;none@none.org&quot;

# Challenge password used in certificate requests
challenge_password = 123456

# Password when encrypting a private key
#password = secret

# An URL that has CRLs (certificate revocation lists)
# available. Needed in CA certificates.
#crl_dist_points = &quot;http://www.getcrl.crl/getcrl/&quot;

# Whether this is a CA certificate or not
#ca

# Subject Unique ID (in hex)
#subject_unique_id = 00153224

# Issuer Unique ID (in hex)
#issuer_unique_id = 00153225

#### Key usage

# The following key usage flags are used by CAs and end certificates

# Whether this certificate will be used to sign data (needed
# in TLS DHE ciphersuites). This is the digitalSignature flag
# in RFC5280 terminology.
signing_key

# Whether this certificate will be used to encrypt data (needed
# in TLS RSA ciphersuites). Note that it is preferred to use different
# keys for encryption and signing. This is the keyEncipherment flag
# in RFC5280 terminology.
encryption_key

# Whether this key will be used to sign other certificates. The
# keyCertSign flag in RFC5280 terminology.
#cert_signing_key

# Whether this key will be used to sign CRLs. The
# cRLSign flag in RFC5280 terminology.
#crl_signing_key

# The keyAgreement flag of RFC5280. It's purpose is loosely
# defined. Not use it unless required by a protocol.
#key_agreement

# The dataEncipherment flag of RFC5280. It's purpose is loosely
# defined. Not use it unless required by a protocol.
#data_encipherment

# The nonRepudiation flag of RFC5280. It's purpose is loosely
# defined. Not use it unless required by a protocol.
#non_repudiation

#### Extended key usage (key purposes)

# The following extensions are used in an end certificate
# to clarify its purpose. Some CAs also use it to indicate
# the types of certificates they are purposed to sign.


# Whether this certificate will be used for a TLS client;
# this sets the id-kp-serverAuth (1.3.6.1.5.5.7.3.1) of 
# extended key usage.
#tls_www_client

# Whether this certificate will be used for a TLS server;
# This sets the id-kp-clientAuth (1.3.6.1.5.5.7.3.2) of 
# extended key usage.
#tls_www_server

# Whether this key will be used to sign code. This sets the
# id-kp-codeSigning (1.3.6.1.5.5.7.3.3) of extended key usage
# extension.
#code_signing_key

# Whether this key will be used to sign OCSP data. This sets the
# id-kp-OCSPSigning (1.3.6.1.5.5.7.3.9) of extended key usage extension.
#ocsp_signing_key

# Whether this key will be used for time stamping. This sets the
# id-kp-timeStamping (1.3.6.1.5.5.7.3.8) of extended key usage extension.
#time_stamping_key

# Whether this key will be used for email protection. This sets the
# id-kp-emailProtection (1.3.6.1.5.5.7.3.4) of extended key usage extension.
#email_protection_key

# Whether this key will be used for IPsec IKE operations (1.3.6.1.5.5.7.3.17).
#ipsec_ike_key

## adding custom key purpose OIDs

# for microsoft smart card logon
# key_purpose_oid = 1.3.6.1.4.1.311.20.2.2

# for email protection
# key_purpose_oid = 1.3.6.1.5.5.7.3.4

# for any purpose (must not be used in intermediate CA certificates)
# key_purpose_oid = 2.5.29.37.0

### end of key purpose OIDs

# When generating a certificate from a certificate
# request, then honor the extensions stored in the request
# and store them in the real certificate.
#honor_crq_extensions

# Path length contraint. Sets the maximum number of
# certificates that can be used to certify this certificate.
# (i.e. the certificate chain length)
#path_len = -1
#path_len = 2

# OCSP URI
# ocsp_uri = http://my.ocsp.server/ocsp

# CA issuers URI
# ca_issuers_uri = http://my.ca.issuer

# Certificate policies
#policy1 = 1.3.6.1.4.1.5484.1.10.99.1.0
#policy1_txt = &quot;This is a long policy to summarize&quot;
#policy1_url = http://www.example.com/a-policy-to-read

#policy2 = 1.3.6.1.4.1.5484.1.10.99.1.1
#policy2_txt = &quot;This is a short policy&quot;
#policy2_url = http://www.example.com/another-policy-to-read

# Name constraints

# DNS
#nc_permit_dns = example.com
#nc_exclude_dns = test.example.com

# EMAIL
#nc_permit_email = &quot;nmav@ex.net&quot;

# Exclude subdomains of example.com
#nc_exclude_email = .example.com

# Exclude all e-mail addresses of example.com
#nc_exclude_email = example.com


# Options for proxy certificates
#proxy_policy_language = 1.3.6.1.5.5.7.21.1


# Options for generating a CRL

# The number of days the next CRL update will be due.
# next CRL update will be in 43 days
#crl_next_update = 43

# this is the 5th CRL by this CA
# Comment the field for a time-based number.
#crl_number = 5

# Specify the update dates more precisely.
#crl_this_update_date = &quot;2004-02-29 16:21:42&quot;
#crl_next_update_date = &quot;2025-02-29 16:24:41&quot;

# The date that the certificates will be made seen as
# being revoked.
#crl_revocation_date = &quot;2025-02-29 16:24:41&quot;

</pre></div>

<hr>
<div class="header">
<p>
Next: <a href="ocsptool-Invocation.html#ocsptool-Invocation" accesskey="n" rel="next">ocsptool Invocation</a>, Previous: <a href="Managing-encrypted-keys.html#Managing-encrypted-keys" accesskey="p" rel="prev">Managing encrypted keys</a>, Up: <a href="More-on-certificate-authentication.html#More-on-certificate-authentication" accesskey="u" rel="up">More on certificate authentication</a> &nbsp; [<a href="index.html#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="Function-and-Data-Index.html#Function-and-Data-Index" title="Index" rel="index">Index</a>]</p>
</div>



</body>
</html>