NAME

certtool — Manipulate certificates and keys.

DESCRIPTION

Generate X.509 certificates, certificate requests, and private keys.

OPTIONS

Program control options

--copyright

Shows the program's license.

-d, --debug LEVEL

Specify the debug level. Default is 1.

-h, --help

Shows this help text.

-v, --version

Shows the program's version.

Getting information

-i, --certificate-info

Print information on a certificate.

-k, --key-info

Print information on a private key.

-l, --crl-info

Print information on a CRL.

--p12-info

Print information on a PKCS #12 structure.

Generating/verifying certificates/keys

-c, --generate-certificate

Generate a signed certificate.

-e, --verify-chain

Verify a PEM encoded certificate chain. The last certificate in the chain must be a self-signed one.

--generate-dh-params

Generate PKCS #3 encoded Diffie-Hellman parameters.

--load-ca-certificate FILE

Certificate authority's certificate file to use.

--load-ca-privkey FILE

Certificate authority's private key file to use.

--load-certificate FILE

Certificate file to use.

--load-privkey FILE

Private key file to use.

--load-request FILE

Certificate request file to use.

-p, --generate-privkey

Generate a private key.

-q, --generate-request

Generate a PKCS #10 certificate request.

-s, --generate-self-signed

Generate a self-signed certificate.

-u, --update-certificate

Update a signed certificate.

Controlling output

-8, --pkcs8

Use PKCS #8 format for private keys.

--dsa

Generate a DSA key.

--bits BITS

Specify the number of bits for key generation.

--export-ciphers

Use weak encryption algorithms.

--inder

Use DER format for input certificates and private keys.

--infile FILE

Input file.

--outder

Use DER format for output certificates and private keys.

--outfile FILE

Output file.

--password PASSWORD

Password to use.

--to-p12

Generate a PKCS #12 structure.

--template

Use a template file to read input. See doc/certtool.cfg in the distribution for an example.

--fix-key

Some previous versions of certtool generated the optional parameters in a private key incorrectly. This may affect programs that used them. To fix an old private key, use --key-info in combination with this parameter.

--v1

When generating a certificate use the X.509 version 1 format. This does not add any extensions (such as indication for a CA) but some programs do need these.

EXAMPLES

To create a private key, run:

$ certtool --generate-privkey --outfile key.pem

To create a certificate request (needed when the certificate is issued by another party), run:

$ certtool --generate-request --load-privkey key.pem \
   --outfile request.pem

To generate a certificate using the previous request, use the command:

$ certtool --generate-certificate --load-request request.pem \
   --outfile cert.pem --load-ca-certificate ca-cert.pem \
   --load-ca-privkey ca-key.pem

To generate a certificate using the private key only, use the command:

$ certtool --generate-certificate --load-privkey key.pem \
   --outfile cert.pem --load-ca-certificate ca-cert.pem \
   --load-ca-privkey ca-key.pem

To view the certificate information, use:

$ certtool --certificate-info --infile cert.pem

To generate a PKCS #12 structure using the previous key and certificate, use the command:

$ certtool --load-certificate cert.pem --load-privkey key.pem \
   --to-p12 --outder --outfile key.p12

AUTHOR

Nikos Mavroyanopoulos <nmav@gnutls.org> and others; see /usr/share/doc/gnutls-bin/AUTHORS for a complete list.

This manual page was written by Ivo Timmermans <ivo@debian.org>, for the Debian GNU/Linux system (but may be used by others).