
certtool(1) General Commands Manual certtool(1)

NAME

certtool - Manipulate certificates and keys.

SYNOPSIS

certtool [options]

DESCRIPTION

Generate X.509 certificates, certificate requests, and private keys.

OPTIONS

Program control options

Specify the debug level. Default is 1.
Shows this help text
Shows the program's version

Getting information on X.509 certificates

Print information on a certificate.
Print information on a private key.
Print information on a CRL.
Print information on a PKCS #12 structure.

Getting information on Openpgp certificates

Print information on an OpenPGP certificate.
Print information on an OpenPGP private key.
Print information on a keyring.

Generating/verifying X.509 certificates/keys

Generate a signed certificate.
Verify a PEM encoded certificate chain. The last certificate in the chain must be a self-signed one.
Generate PKCS #3 encoded Diffie-Hellman parameters.
Certificate authority's certificate file to use.
Certificate authority's private key file or PKCS #11 URL to use.
Certificate file to use.
Private key file or PKCS #11 URL to use.
Public key file or PKCS #11 URL to use.
Certificate request file to use.
Generate a private key.
Generate a PKCS #10 certificate request.
Generate a self-signed certificate.
Update a signed certificate.

Controlling output

-8, --pkcs8
Use PKCS #8 format for private keys.
The cipher to use when doing PKCS encryption. Valid options are 3des, aes-128, aes-192, aes-256 and rc2-40.
Generate a DSA key.
Specify the number of bits for key generation.
Use weak encryption algorithms.
Use RAW/DER format for input certificates and private keys.
Input file.
Use RAW/DER format for output certificates and private keys.
Output file.
Password to use.
Generate a PKCS #12 structure.
Use a template file to read input. See doc/certtool.cfg in the distribution for an example.
Some previous versions of certtool generated the optional parameters in a private key incorrectly. This may affect programs that used them. To fix an old private key, use --key-info in combination with this parameter.
When generating a certificate, use the X.509 version 1 format. This does not add any extensions (such as an indication for a CA), but some programs do require this format.

EXAMPLES

To create a private key, run:

$ certtool --generate-privkey --outfile key.pem

To create a certificate request (needed when the certificate is issued by another party), run:

$ certtool --generate-request --load-privkey key.pem \
      --outfile request.pem

To create a certificate request using a key stored in a PKCS #11 token, run:

$ ./certtool --generate-request --load-privkey "pkcs11:..." \
      --load-pubkey "pkcs11:..." --outfile request.pem

To generate a certificate using the previous request, use the command:

$ certtool --generate-certificate --load-request request.pem \
      --outfile cert.pem --load-ca-certificate ca-cert.pem \
      --load-ca-privkey ca-key.pem

To generate a certificate using the private key only, use the command:

$ certtool --generate-certificate --load-privkey key.pem \
      --outfile cert.pem --load-ca-certificate ca-cert.pem \
      --load-ca-privkey ca-key.pem

To view the certificate information, use:

$ certtool --certificate-info --infile cert.pem

To generate a PKCS #12 structure using the previous key and certificate, use the command:

$ certtool --load-certificate cert.pem --load-privkey key.pem \
      --to-p12 --outder --outfile key.p12
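The commands above as one script, added here as an example; it is not part of this manual page or of GnuTLS. It builds a small CA, issues a certificate from a PKCS #10 request, inspects and verifies the resulting chain, and packs key and certificate into a PKCS #12 file. It assumes certtool is on PATH. Where the option list above gives only a description, the option names used here (--generate-self-signed, --template, --verify-chain, --p12-info) are certtool's own; --p12-name is a certtool option not listed on this page. The template keys (organization, cn, expiration_days, ca, cert_signing_key, tls_www_server, signing_key, encryption_key, dns_name) are those of certtool's template format; every file name, subject name and password is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the certtool manual page or from GnuTLS.
# Assumes certtool (gnutls-bin) is installed; all names and values below
# are constructed for this demo.

# Write a template file of the kind --template reads.
# $1 = output path, $2 = common name, $3 = "ca" or "server".
# Keys are certtool template keys; the values are constructed.
write_template() {
    {
        echo "organization = Example Test Lab"
        echo "cn = $2"
        echo "expiration_days = 30"
        if [ "$3" = ca ]; then
            echo "ca"                 # basicConstraints CA:TRUE
            echo "cert_signing_key"   # keyUsage keyCertSign
        else
            echo "tls_www_server"     # extKeyUsage serverAuth
            echo "signing_key"
            echo "encryption_key"
            echo "dns_name = $2"      # subjectAltName dNSName
        fi
    } > "$1"
}

# 0 if certtool is on PATH, 1 otherwise, so the demo can skip cleanly.
certtool_available() {
    command -v certtool >/dev/null 2>&1
}

# Run the whole sequence in a scratch directory.
# Returns 0 on success, 2 when certtool is not installed, 1 on any failure.
run_demo() {
    certtool_available || return 2
    work=$(mktemp -d) || return 1
    (
        cd "$work" &&
        write_template ca.cfg "Demo Root CA" ca &&
        write_template server.cfg "server.example.test" server &&
        # 1. CA: private key plus a self-signed certificate.
        certtool --generate-privkey --outfile ca-key.pem &&
        certtool --generate-self-signed --load-privkey ca-key.pem \
            --template ca.cfg --outfile ca-cert.pem &&
        # 2. End entity: private key and a PKCS #10 request.
        certtool --generate-privkey --outfile key.pem &&
        certtool --generate-request --load-privkey key.pem \
            --template server.cfg --outfile request.pem &&
        # 3. The CA signs the request.
        certtool --generate-certificate --load-request request.pem \
            --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem \
            --template server.cfg --outfile cert.pem &&
        # 4. Inspect, then verify the chain: leaf first, ending in the
        #    self-signed CA, as --verify-chain requires.
        certtool --certificate-info --infile cert.pem &&
        cat cert.pem ca-cert.pem > chain.pem &&
        certtool --verify-chain --infile chain.pem &&
        # 5. Bundle key and certificate into a DER PKCS #12 file and read
        #    it back (constructed password and friendly name).
        certtool --load-certificate cert.pem --load-privkey key.pem \
            --to-p12 --outder --p12-name "demo-server" \
            --password "demo-pass" --outfile key.p12 &&
        certtool --p12-info --inder --infile key.p12 \
            --password "demo-pass" >/dev/null &&
        echo "workflow completed in $work"
    )
}

# Entry point: run the demo, reporting a skip when certtool is absent.
main() {
    run_demo
    rc=$?
    [ "$rc" -eq 2 ] && echo "certtool not found on PATH; nothing run" >&2
    return "$rc"
}

main "$@"
```

Each step is chained with && so a failing certtool invocation stops the subshell and run_demo reports it, regardless of the caller's set -e setting. The template files are what make every certtool call non-interactive; without --template, certtool prompts for the subject fields on the terminal.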

AUTHOR

Nikos Mavrogiannopoulos <nmav@gnutls.org> and others; see /usr/share/doc/gnutls-bin/AUTHORS for a complete list.

This manual page was written by Ivo Timmermans <ivo@debian.org>, for the Debian GNU/Linux system (but may be used by others).

May 23rd 2005