@node certtool Invocation
@subsection Invoking certtool

@ignore
# DO NOT EDIT THIS FILE   (invoke-certtool.texi)
# It has been AutoGen-ed
# From the definitions ../src/certtool-args.def
# and the template file agtexi-cmd.tpl
@end ignore

Tool to parse and generate X.509 certificates, requests and private keys.
It can be used interactively or non-interactively by
specifying the template command line option.

The tool accepts files or URLs supported by GnuTLS. If a PIN is required for
URL access, you can provide it using the environment variables GNUTLS_PIN and GNUTLS_SO_PIN.

This section was generated by @strong{AutoGen},
using the @code{agtexi-cmd} template and the option descriptions for the @code{certtool} program.
This software is released under the GNU General Public License, version 3 or later.
@anchor{certtool usage}
@subsubheading certtool help/usage (@option{--help})

This is the automatically generated usage text for certtool.

The text printed is the same whether selected with the @code{help} option
(@option{--help}) or the @code{more-help} option (@option{--more-help}). @code{more-help} will print
the usage text by passing it through a pager program.
@code{more-help} is disabled on platforms without a working
@code{fork(2)} function. The @code{PAGER} environment variable is
used to select the program, defaulting to @file{more}. Both will exit
with a status code of 0.
@example
certtool - GnuTLS certificate tool
Usage:  certtool [ -<flag> [<val>] | --<name>[@{=| @}<val>] ]...

   -d, --debug=num              Enable debugging
                                - it must be in the range:
   -V, --verbose                More verbose output
                                - may appear multiple times
       --infile=file            Input file
       --outfile=str            Output file
   -s, --generate-self-signed   Generate a self-signed certificate
   -c, --generate-certificate   Generate a signed certificate
       --generate-proxy         Generates a proxy certificate
       --generate-crl           Generate a CRL
   -u, --update-certificate     Update a signed certificate
   -p, --generate-privkey       Generate a private key
       --provable               Generate a private key or parameters from a seed using a provable method
       --verify-provable-privkey Verify a private key generated from a seed using a provable method
       --seed=str               When generating a private key use the given hex-encoded seed
   -q, --generate-request       Generate a PKCS #10 certificate request
                                - prohibits the option 'infile'
   -e, --verify-chain           Verify a PEM encoded certificate chain
       --verify                 Verify a PEM encoded certificate chain using a trusted list
       --verify-crl             Verify a CRL using a trusted list
                                - requires the option 'load-ca-certificate'
       --verify-hostname=str    Specify a hostname to be used for certificate chain verification
       --verify-email=str       Specify a email to be used for certificate chain verification
                                - prohibits the option 'verify-hostname'
       --verify-purpose=str     Specify a purpose OID to be used for certificate chain verification
       --verify-allow-broken    Allow broken algorithms, such as MD5 for verification
       --generate-dh-params     Generate PKCS #3 encoded Diffie-Hellman parameters
       --get-dh-params          Get the included PKCS #3 encoded Diffie-Hellman parameters
       --dh-info                Print information PKCS #3 encoded Diffie-Hellman parameters
       --load-privkey=str       Loads a private key file
       --load-pubkey=str        Loads a public key file
       --load-request=str       Loads a certificate request file
       --load-certificate=str   Loads a certificate file
       --load-ca-privkey=str    Loads the certificate authority's private key file
       --load-ca-certificate=str Loads the certificate authority's certificate file
       --load-crl=str           Loads the provided CRL
       --load-data=str          Loads auxiliary data
       --password=str           Password to use
       --null-password          Enforce a NULL password
       --empty-password         Enforce an empty password
       --hex-numbers            Print big number in an easier format to parse
       --cprint                 In certain operations it prints the information in C-friendly format
   -i, --certificate-info       Print information on the given certificate
       --fingerprint            Print the fingerprint of the given certificate
       --key-id                 Print the key ID of the given certificate
       --certificate-pubkey     Print certificate's public key
       --pgp-certificate-info   Print information on the given OpenPGP certificate
       --pgp-ring-info          Print information on the given OpenPGP keyring structure
   -l, --crl-info               Print information on the given CRL structure
       --crq-info               Print information on the given certificate request
       --no-crq-extensions      Do not use extensions in certificate requests
       --p12-info               Print information on a PKCS #12 structure
       --p12-name=str           The PKCS #12 friendly name to use
       --p7-generate            Generate a PKCS #7 structure
       --p7-sign                Signs using a PKCS #7 structure
       --p7-detached-sign       Signs using a detached PKCS #7 structure
       --p7-include-cert        The signer's certificate will be included in the cert list.
                                - disabled as '--no-p7-include-cert'
       --p7-time                Will include a timestamp in the PKCS #7 structure
                                - disabled as '--no-p7-time'
       --p7-show-data           Will show the embedded data in the PKCS #7 structure
                                - disabled as '--no-p7-show-data'
       --p7-info                Print information on a PKCS #7 structure
       --p7-verify              Verify the provided PKCS #7 structure
       --p8-info                Print information on a PKCS #8 structure
       --smime-to-p7            Convert S/MIME to PKCS #7 structure
   -k, --key-info               Print information on a private key
       --pgp-key-info           Print information on an OpenPGP private key
       --pubkey-info            Print information on a public key
       --v1                     Generate an X.509 version 1 certificate (with no extensions)
       --to-p12                 Generate a PKCS #12 structure
       --to-p8                  Generate a PKCS #8 structure
   -8, --pkcs8                  Use PKCS #8 format for private keys
       --rsa                    Generate RSA key
       --dsa                    Generate DSA key
       --ecc                    Generate ECC (ECDSA) key
       --ecdsa                  an alias for the 'ecc' option
       --hash=str               Hash algorithm to use for signing
       --inder                  Use DER format for input certificates, private keys, and DH parameters
                                - disabled as '--no-inder'
       --inraw                  an alias for the 'inder' option
       --outder                 Use DER format for output certificates, private keys, and DH parameters
                                - disabled as '--no-outder'
       --outraw                 an alias for the 'outder' option
       --bits=num               Specify the number of bits for key generate
       --curve=str              Specify the curve used for EC key generation
       --sec-param=str          Specify the security level [low, legacy, medium, high, ultra]
       --disable-quick-random   No effect
       --template=str           Template file to use for non-interactive operation
       --stdout-info            Print information to stdout instead of stderr
       --ask-pass               Enable interaction for entering password when in batch mode.
       --pkcs-cipher=str        Cipher to use for PKCS #8 and #12 operations
       --provider=str           Specify the PKCS #11 provider library
   -v, --version[=arg]          output version information and exit
   -h, --help                   display extended usage information and exit
   -!, --more-help              extended usage information passed thru pager

Options are specified by doubled hyphens and their name or by a single
hyphen and the flag character.

Tool to parse and generate X.509 certificates, requests and private keys.
It can be used interactively or non interactively by specifying the
template command line option.

The tool accepts files or URLs supported by GnuTLS. In case PIN is
required for the URL access you can provide it using the environment
variables GNUTLS_PIN and GNUTLS_SO_PIN.
@end example
@anchor{certtool debug}
@subsubheading debug option (-d)

This is the ``enable debugging'' option.
This option takes a number argument.
Specifies the debug level.
@anchor{certtool generate-request}
@subsubheading generate-request option (-q)

This is the ``generate a pkcs #10 certificate request'' option.

This option has some usage constraints.  It:
@itemize @bullet
@item
must not appear in combination with any of the following options:
infile.
@end itemize

Will generate a PKCS #10 certificate request. To specify a private key use --load-privkey.
@anchor{certtool verify-chain}
@subsubheading verify-chain option (-e)

This is the ``verify a pem encoded certificate chain'' option.
The last certificate in the chain must be a self-signed one.
@anchor{certtool verify}
@subsubheading verify option

This is the ``verify a pem encoded certificate chain using a trusted list'' option.
The trusted certificate list can be loaded with --load-ca-certificate. If no
certificate list is provided, then the system's certificate list is used.
@anchor{certtool verify-crl}
@subsubheading verify-crl option

This is the ``verify a crl using a trusted list'' option.

This option has some usage constraints.  It:
@itemize @bullet
@item
must appear in combination with the following options:
load-ca-certificate.
@end itemize

The trusted certificate list must be loaded with --load-ca-certificate.
@anchor{certtool get-dh-params}
@subsubheading get-dh-params option

This is the ``get the included pkcs #3 encoded diffie-hellman parameters'' option.
Returns the DH parameters stored in GnuTLS. Those parameters are used in the SRP protocol.
Since GnuTLS 3.0.9, parameters produced by fresh generation (--generate-dh-params) are more efficient.
@anchor{certtool load-privkey}
@subsubheading load-privkey option

This is the ``loads a private key file'' option.
This option takes a string argument.
This can be either a file or a PKCS #11 URL.
@anchor{certtool load-pubkey}
@subsubheading load-pubkey option

This is the ``loads a public key file'' option.
This option takes a string argument.
This can be either a file or a PKCS #11 URL.
@anchor{certtool load-request}
@subsubheading load-request option

This is the ``loads a certificate request file'' option.
This option takes a string argument.
This option can be used with a file.
@anchor{certtool load-certificate}
@subsubheading load-certificate option

This is the ``loads a certificate file'' option.
This option takes a string argument.
This option can be used with a file.
@anchor{certtool load-ca-privkey}
@subsubheading load-ca-privkey option

This is the ``loads the certificate authority's private key file'' option.
This option takes a string argument.
This can be either a file or a PKCS #11 URL.
@anchor{certtool load-ca-certificate}
@subsubheading load-ca-certificate option

This is the ``loads the certificate authority's certificate file'' option.
This option takes a string argument.
This option can be used with a file.
@anchor{certtool password}
@subsubheading password option

This is the ``password to use'' option.
This option takes a string argument.
You can use this option to specify the password on the command line instead of reading it from the tty. Note that command line arguments are visible to other users on the system. Specifying the password as '' is the same as specifying no password.
@anchor{certtool null-password}
@subsubheading null-password option

This is the ``enforce a null password'' option.
This option enforces a NULL password. This differs from the empty password and from no password in schemas like PKCS #8.
@anchor{certtool empty-password}
@subsubheading empty-password option

This is the ``enforce an empty password'' option.
This option enforces an empty password. This differs from the NULL password and from no password in schemas like PKCS #8.
@anchor{certtool cprint}
@subsubheading cprint option

This is the ``in certain operations it prints the information in c-friendly format'' option.
In certain operations it prints the information in C-friendly format, suitable for including in C programs.
@anchor{certtool p12-name}
@subsubheading p12-name option

This is the ``the pkcs #12 friendly name to use'' option.
This option takes a string argument.
The name to be used for the primary certificate and private key in a PKCS #12 file.
@anchor{certtool pubkey-info}
@subsubheading pubkey-info option

This is the ``print information on a public key'' option.
This option combined with --load-request, --load-pubkey, --load-privkey or --load-certificate will extract the public key of the object in question.
@anchor{certtool to-p12}
@subsubheading to-p12 option

This is the ``generate a pkcs #12 structure'' option.

This option has some usage constraints.  It:
@itemize @bullet
@item
must appear in combination with the following options:
@end itemize

It requires a certificate, a private key and possibly a CA certificate to be specified.
@anchor{certtool rsa}
@subsubheading rsa option

This is the ``generate rsa key'' option.
When combined with --generate-privkey generates an RSA private key.
@anchor{certtool dsa}
@subsubheading dsa option

This is the ``generate dsa key'' option.
When combined with --generate-privkey generates a DSA private key.
@anchor{certtool ecc}
@subsubheading ecc option

This is the ``generate ecc (ecdsa) key'' option.
When combined with --generate-privkey generates an elliptic curve private key to be used with ECDSA.
@anchor{certtool ecdsa}
@subsubheading ecdsa option

This is an alias for the @code{ecc} option,
@pxref{certtool ecc, the ecc option documentation}.

@anchor{certtool hash}
@subsubheading hash option

This is the ``hash algorithm to use for signing'' option.
This option takes a string argument.
Available hash functions are SHA1, RMD160, SHA256, SHA384, SHA512.
@anchor{certtool inder}
@subsubheading inder option

This is the ``use der format for input certificates, private keys, and dh parameters'' option.

This option has some usage constraints.  It:
@itemize @bullet
@item
can be disabled with --no-inder.
@end itemize

The input files will be assumed to be in DER or RAW format.
Unlike PEM input, which allows multiple data items in one file (e.g. multiple
certificates), DER input yields a single data structure per read.
@anchor{certtool inraw}
@subsubheading inraw option

This is an alias for the @code{inder} option,
@pxref{certtool inder, the inder option documentation}.

@anchor{certtool outder}
@subsubheading outder option

This is the ``use der format for output certificates, private keys, and dh parameters'' option.

This option has some usage constraints.  It:
@itemize @bullet
@item
can be disabled with --no-outder.
@end itemize

The output will be in DER or RAW format.
@anchor{certtool outraw}
@subsubheading outraw option

This is an alias for the @code{outder} option,
@pxref{certtool outder, the outder option documentation}.
@anchor{certtool curve}
@subsubheading curve option

This is the ``specify the curve used for ec key generation'' option.
This option takes a string argument.
Supported values are secp192r1, secp224r1, secp256r1, secp384r1 and secp521r1.
@anchor{certtool sec-param}
@subsubheading sec-param option

This is the ``specify the security level [low, legacy, medium, high, ultra]'' option.
This option takes a string argument @file{Security parameter}.
This is an alternative to the @code{bits} option.
@anchor{certtool ask-pass}
@subsubheading ask-pass option

This is the ``enable interaction for entering password when in batch mode.'' option.
This option will enable interaction to enter the password when in batch mode. That is useful when the template option has been specified.
@anchor{certtool pkcs-cipher}
@subsubheading pkcs-cipher option

This is the ``cipher to use for pkcs #8 and #12 operations'' option.
This option takes a string argument @file{Cipher}.
Cipher may be one of 3des, 3des-pkcs12, aes-128, aes-192, aes-256, rc2-40, arcfour.
@anchor{certtool provider}
@subsubheading provider option

This is the ``specify the pkcs #11 provider library'' option.
This option takes a string argument.
This will override the default options in @file{/etc/gnutls/pkcs11.conf}.
@anchor{certtool exit status}
@subsubheading certtool exit status

One of the following exit values will be returned:
@table @asis
@item 0 (EXIT_SUCCESS)
Successful program execution.
@item 1 (EXIT_FAILURE)
The operation failed or the command syntax was not valid.
@end table

@anchor{certtool See Also}
@subsubheading certtool See Also

@anchor{certtool Examples}
@subsubheading certtool Examples
@subsubheading Generating private keys

To create an RSA private key, run:
@example
$ certtool --generate-privkey --outfile key.pem --rsa
@end example

To create a DSA or elliptic curve (ECDSA) private key, use the
above command combined with the 'dsa' or 'ecc' options.

@subsubheading Generating certificate requests

To create a certificate request (needed when the certificate is issued by
@example
$ certtool --generate-request --load-privkey key.pem \
   --outfile request.pem
@end example

If the private key is stored in a smart card you can generate
a request by specifying the private key object URL.
@example
$ ./certtool --generate-request --load-privkey "pkcs11:..." \
   --load-pubkey "pkcs11:..." --outfile request.pem
@end example

@subsubheading Generating a self-signed certificate

To create a self-signed certificate, use the command:
@example
$ certtool --generate-privkey --outfile ca-key.pem
$ certtool --generate-self-signed --load-privkey ca-key.pem \
   --outfile ca-cert.pem
@end example

Note that a self-signed certificate usually belongs to a certificate
authority that signs other certificates.

@subsubheading Generating a certificate

To generate a certificate using the previous request, use the command:
@example
$ certtool --generate-certificate --load-request request.pem \
   --outfile cert.pem --load-ca-certificate ca-cert.pem \
   --load-ca-privkey ca-key.pem
@end example

To generate a certificate using the private key only, use the command:
@example
$ certtool --generate-certificate --load-privkey key.pem \
   --outfile cert.pem --load-ca-certificate ca-cert.pem \
   --load-ca-privkey ca-key.pem
@end example

@subsubheading Certificate information

To view the certificate information, use:
@example
$ certtool --certificate-info --infile cert.pem
@end example

@subsubheading PKCS #12 structure generation

To generate a PKCS #12 structure using the previous key and certificate,
@example
$ certtool --load-certificate cert.pem --load-privkey key.pem \
   --to-p12 --outder --outfile key.p12
@end example

Some tools (reportedly web browsers) have problems with that file
because it does not contain the CA certificate that issued the
end-entity certificate. To work around that problem in the tool, you can
include the CA certificate with the --load-ca-certificate parameter as follows:
@example
$ certtool --load-ca-certificate ca.pem \
   --load-certificate cert.pem --load-privkey key.pem \
   --to-p12 --outder --outfile key.p12
@end example

@subsubheading Diffie-Hellman parameter generation

To generate parameters for Diffie-Hellman key exchange, use the command:
@example
$ certtool --generate-dh-params --outfile dh.pem --sec-param medium
@end example

@subsubheading Proxy certificate generation

A proxy certificate can be used to delegate your credentials to a
temporary, typically short-lived, certificate. To create one from the
previously created certificate, first create a temporary key and then
generate a proxy certificate for it, using the commands:
@example
$ certtool --generate-privkey > proxy-key.pem
$ certtool --generate-proxy --load-ca-privkey key.pem \
   --load-privkey proxy-key.pem --load-certificate cert.pem \
   --outfile proxy-cert.pem
@end example

@subsubheading Certificate revocation list generation

To create an empty Certificate Revocation List (CRL) do:
@example
$ certtool --generate-crl --load-ca-privkey x509-ca-key.pem \
   --load-ca-certificate x509-ca.pem
@end example

To create a CRL that contains some revoked certificates, place the
certificates in a file and use @code{--load-certificate} as follows:
@example
$ certtool --generate-crl --load-ca-privkey x509-ca-key.pem \
   --load-ca-certificate x509-ca.pem --load-certificate revoked-certs.pem
@end example

To verify a Certificate Revocation List (CRL) do:
@example
$ certtool --verify-crl --load-ca-certificate x509-ca.pem < crl.pem
@end example
@anchor{certtool Files}
@subsubheading certtool Files
@subsubheading Certtool's template file format

A template file can be used to avoid the interactive questions of
certtool. Initially create a file named 'cert.cfg' that contains the information
about the certificate. The template can be used as below:
@example
$ certtool --generate-certificate --load-privkey key.pem \
   --template cert.cfg --outfile cert.pem \
   --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem
@end example

An example certtool template file that can be used to generate a certificate
request or a self-signed certificate follows.
@example
# X.509 Certificate options

# The organization of the subject.
organization = "Koko inc."

# The organizational unit of the subject.
unit = "sleeping dept."

# The locality of the subject.

# The state of the certificate owner.

# The country of the subject. Two letter code.

# The common name of the certificate owner.

# A user id of the certificate owner.

# Set domain components

# If the supported DN OIDs are not adequate you can set
# For example set the X.520 Title and the X.520 Pseudonym
# by using OID and string pairs.
#dn_oid = 2.5.4.12 Dr.
#dn_oid = 2.5.4.65 jackal

# This is deprecated and should not be used in new
# pkcs9_email = "none@@none.org"

# An alternative way to set the certificate's distinguished name directly
# is with the "dn" option. The attribute names allowed are:
# C (country), street, O (organization), OU (unit), title, CN (common name),
# L (locality), ST (state), placeOfBirth, gender, countryOfCitizenship,
# countryOfResidence, serialNumber, telephoneNumber, surName, initials,
# generationQualifier, givenName, pseudonym, dnQualifier, postalCode, name,
# businessCategory, DC, UID, jurisdictionOfIncorporationLocalityName,
# jurisdictionOfIncorporationStateOrProvinceName,
# jurisdictionOfIncorporationCountryName, XmppAddr, and numeric OIDs.

#dn = "cn=Nik,st=Attiki,C=GR,surName=Mavrogiannopoulos,2.5.4.9=Arkadias"

# The serial number of the certificate
# Comment the field for a time-based serial number.

# In how many days, counting from today, this certificate will expire.
# Use -1 if there is no expiration date.
expiration_days = 700

# Alternatively you may set concrete dates and times. The GNU date string
# formats are accepted. See:
# http://www.gnu.org/software/tar/manual/html_node/Date-input-formats.html

#activation_date = "2004-02-29 16:21:42"
#expiration_date = "2025-02-29 16:24:41"

# X.509 v3 extensions

# A dnsname in case of a WWW server.
#dns_name = "www.none.org"
#dns_name = "www.morethanone.org"

# A subject alternative name URI
#uri = "http://www.example.com"

# An IP address in case of a server.
#ip_address = "192.168.1.1"

# An email in case of a person
email = "none@@none.org"

# Challenge password used in certificate requests
challenge_password = 123456

# Password when encrypting a private key

# A URL that has CRLs (certificate revocation lists)
# available. Needed in CA certificates.
#crl_dist_points = "http://www.getcrl.crl/getcrl/"

# Whether this is a CA certificate or not

# Subject Unique ID (in hex)
#subject_unique_id = 00153224

# Issuer Unique ID (in hex)
#issuer_unique_id = 00153225

# for microsoft smart card logon
# key_purpose_oid = 1.3.6.1.4.1.311.20.2.2

### Other predefined key purpose OIDs

# Whether this certificate will be used for a TLS client

# Whether this certificate will be used for a TLS server

# Whether this certificate will be used to sign data (needed
# in TLS DHE ciphersuites).

# Whether this certificate will be used to encrypt data (needed
# in TLS RSA ciphersuites). Note that it is preferred to use different
# keys for encryption and signing.

# Whether this key will be used to sign other certificates.

# Whether this key will be used to sign CRLs.

# Whether this key will be used to sign code.

# Whether this key will be used to sign OCSP data.

# Whether this key will be used for time stamping.

# Whether this key will be used for IPsec IKE operations.

### end of key purpose OIDs

# When generating a certificate from a certificate
# request, then honor the extensions stored in the request
# and store them in the real certificate.
#honor_crq_extensions

# Path length constraint. Sets the maximum number of
# certificates that can be used to certify this certificate.
# (i.e. the certificate chain length)

# ocsp_uri = http://my.ocsp.server/ocsp

# ca_issuers_uri = http://my.ca.issuer

# Certificate policies
#policy1 = 1.3.6.1.4.1.5484.1.10.99.1.0
#policy1_txt = "This is a long policy to summarize"
#policy1_url = http://www.example.com/a-policy-to-read

#policy2 = 1.3.6.1.4.1.5484.1.10.99.1.1
#policy2_txt = "This is a short policy"
#policy2_url = http://www.example.com/another-policy-to-read

#nc_permit_dns = example.com
#nc_exclude_dns = test.example.com

#nc_permit_email = "nmav@@ex.net"

# Exclude subdomains of example.com
#nc_exclude_email = .example.com

# Exclude all e-mail addresses of example.com
#nc_exclude_email = example.com

# Options for proxy certificates
#proxy_policy_language = 1.3.6.1.5.5.7.21.1

# Options for generating a CRL

# The number of days the next CRL update will be due.
# next CRL update will be in 43 days
#crl_next_update = 43

# this is the 5th CRL by this CA
# Comment the field for a time-based number.
@end example
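As an added example that is not part of the GnuTLS manual, the following POSIX shell script ties the template format above to the certificate-generation and verification commands from the Examples section: it builds a CA and a server certificate from two small templates, then checks that --verify accepts the certificate for the hostname carried in its dns_name and rejects any other. It assumes certtool is on PATH and that the template keys it uses (cn, serial, ca, cert_signing_key, crl_signing_key, tls_www_server, signing_key, encryption_key, which the comment lines above describe but whose names did not survive on this page) are accepted by the reader's certtool; all file names, subjects and the host www.example.test are constructed.

```shell
#!/bin/sh
# Added example (not from the GnuTLS manual): a two-level PKI built with certtool
# templates, followed by hostname-aware verification of the leaf against the CA.
# Assumes certtool is on PATH. File names, subjects and www.example.test are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

write_templates() {
    # CA template: the "ca" flag and cert_signing_key purpose are what make the
    # resulting self-signed certificate acceptable as an issuer during --verify.
    cat > "$WORK/ca.cfg" <<'EOF'
cn = "Example Test CA"
organization = "Example Corp"
serial = 1
expiration_days = 30
ca
cert_signing_key
crl_signing_key
EOF
    # Leaf template: the hostname lives in the SAN (dns_name) and the key
    # purposes are limited to TLS server use.
    cat > "$WORK/server.cfg" <<'EOF'
cn = "www.example.test"
organization = "Example Corp"
dns_name = "www.example.test"
serial = 2
expiration_days = 7
tls_www_server
signing_key
encryption_key
EOF
}

build_pki() {
    # CA key and self-signed CA certificate (batch mode because --template is given)
    certtool --generate-privkey --outfile "$WORK/ca-key.pem" >/dev/null 2>&1
    certtool --generate-self-signed --load-privkey "$WORK/ca-key.pem" \
        --template "$WORK/ca.cfg" --outfile "$WORK/ca-cert.pem" >/dev/null 2>&1
    # Server key, PKCS #10 request, and the CA-signed certificate
    certtool --generate-privkey --outfile "$WORK/server-key.pem" >/dev/null 2>&1
    certtool --generate-request --load-privkey "$WORK/server-key.pem" \
        --template "$WORK/server.cfg" --outfile "$WORK/server.csr" >/dev/null 2>&1
    certtool --generate-certificate --load-request "$WORK/server.csr" \
        --load-ca-certificate "$WORK/ca-cert.pem" --load-ca-privkey "$WORK/ca-key.pem" \
        --template "$WORK/server.cfg" --outfile "$WORK/server-cert.pem" >/dev/null 2>&1
}

# leaf_has_san: succeeds if --certificate-info shows the expected DNS SAN.
leaf_has_san() {
    certtool --certificate-info --infile "$WORK/server-cert.pem" 2>/dev/null \
        | grep -q "DNSname: www.example.test"
}

# verify_as HOST: exit 0 if the leaf chains to the CA and matches HOST, non-zero otherwise.
verify_as() {
    certtool --verify --load-ca-certificate "$WORK/ca-cert.pem" \
        --verify-hostname "$1" --infile "$WORK/server-cert.pem" >/dev/null 2>&1
}

# run_demo: returns 0 only when the right hostname verifies and a wrong one is rejected.
# If certtool is not installed there is nothing to run, so it says so and returns 0.
run_demo() {
    if ! command -v certtool >/dev/null 2>&1; then
        echo "certtool not found in PATH; skipping" >&2
        return 0
    fi
    write_templates
    build_pki
    leaf_has_san || return 1
    verify_as www.example.test || return 1
    if verify_as other.example.test; then return 1; fi
    return 0
}

run_demo
```

The same --verify call, pointed at a production trust store instead of ca-cert.pem, is the check to script before deploying a certificate, since a chain that builds but carries the wrong SAN will be rejected by every client.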