8.1 Invoking certtool

This is a program to generate X.509 certificates, certificate requests, CRLs and private keys.

Certtool help
Usage: certtool [options]
     -s, --generate-self-signed
                              Generate a self-signed certificate.
     -c, --generate-certificate
                              Generate a signed certificate.
     --generate-proxy         Generate a proxy certificate.
     --generate-crl           Generate a CRL.
     -u, --update-certificate
                              Update a signed certificate.
     -p, --generate-privkey   Generate a private key.
     -q, --generate-request   Generate a PKCS #10 certificate
                              request.
     -e, --verify-chain       Verify a PEM encoded certificate chain.
                              The last certificate in the chain must
                              be a self signed one.
     --verify-crl             Verify a CRL.
     --generate-dh-params     Generate PKCS #3 encoded Diffie Hellman
                              parameters.
     --get-dh-params          Get the included PKCS #3 encoded Diffie
                              Hellman parameters.
     --load-privkey FILE      Private key file to use.
     --load-request FILE      Certificate request file to use.
     --load-certificate FILE
                              Certificate file to use.
     --load-ca-privkey FILE   Certificate authority's private key
                              file to use.
     --load-ca-certificate FILE
                              Certificate authority's certificate
                              file to use.
     --password PASSWORD      Password to use.
     -i, --certificate-info   Print information on a certificate.
     -l, --crl-info           Print information on a CRL.
     --p12-info               Print information on a PKCS #12
                              structure.
     --p7-info                Print information on a PKCS #7
                              structure.
     --smime-to-p7            Convert S/MIME to PKCS #7 structure.
     -k, --key-info           Print information on a private key.
     --fix-key                Regenerate the parameters in a private
                              key.
     --to-p12                 Generate a PKCS #12 structure.
     -8, --pkcs8              Use PKCS #8 format for private keys.
     --dsa                    Use DSA keys.
     --hash STR               Hash algorithm to use for signing
                              (MD5,SHA1,RMD160).
     --export-ciphers         Use weak encryption algorithms.
     --inder                  Use DER format for input certificates
                              and private keys.
     --outder                 Use DER format for output certificates
                              and private keys.
     --bits BITS              specify the number of bits for key
                              generation.
     --outfile FILE           Output file.
     --infile FILE            Input file.
     --template FILE          Template file to use for non
                              interactive operation.
     -d, --debug LEVEL        specify the debug level. Default is 1.
     -h, --help               shows this help text
     -v, --version            shows the program's version
     --copyright              shows the program's license

The program can be used interactively or non interactively by specifying the --template command line option. See below for an example of a template file.

How to use certtool interactively:

• To generate parameters for Diffie Hellman key exchange, use the command:

            $ certtool --generate-dh-params --outfile dh.pem
  

• To generate parameters for the RSA-EXPORT key exchange, use the command:

            $ certtool --generate-privkey --bits 512 --outfile rsa.pem
  

• To create a self signed certificate, use the command:

            $ certtool --generate-privkey --outfile ca-key.pem
            $ certtool --generate-self-signed --load-privkey ca-key.pem \
               --outfile ca-cert.pem
  

  Note that a self-signed certificate usually belongs to a certificate authority, that signs other certificates.

• To create a private key, run:

            $ certtool --generate-privkey --outfile key.pem
  

• To generate a certificate using the private key, use the command:

            $ certtool --generate-certificate --load-privkey key.pem \
               --outfile cert.pem --load-ca-certificate ca-cert.pem \
               --load-ca-privkey ca-key.pem
  

• To create a certificate request (needed when the certificate is issued by another party), run:

            $ certtool --generate-request --load-privkey key.pem \
              --outfile request.pem
  

• To generate a certificate using the previous request, use the command:

            $ certtool --generate-certificate --load-request request.pem \
               --outfile cert.pem \
               --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem
  

• To view the certificate information, use:

            $ certtool --certificate-info --infile cert.pem
  

• To generate a PKCS #12 structure using the previous key and certificate, use the command:

            $ certtool --load-certificate cert.pem --load-privkey key.pem \
              --to-p12 --outder --outfile key.p12
  

• Proxy certificate can be used to delegate your credential to a temporary, typically short-lived, certificate. To create one from the previously created certificate, first create a temporary key and then generate a proxy certificate for it, using the commands:

            $ certtool --generate-privkey > proxy-key.pem
            $ certtool --generate-proxy --load-ca-privkey key.pem \
              --load-privkey proxy-key.pem --load-certificate cert.pem \
              --outfile proxy-cert.pem
  

• To create an empty Certificate Revocation List (CRL) do:

            $ certtool --generate-crl --load-ca-privkey x509-ca-key.pem --load-ca-certificate x509-ca.pem
  

  To create a CRL that contains some revoked certificates, place the certificates in a file and use --load-certificate as follows:

            $ certtool --generate-crl --load-ca-privkey x509-ca-key.pem --load-ca-certificate x509-ca.pem --load-certificate revoked-certs.pem
  

• To verify a Certificate Revocation List (CRL) do:

            $ certtool --verify-crl --load-ca-certificate x509-ca.pem < crl.pem
  

Certtool's template file format:

• Firstly create a file named 'cert.cfg' that contains the information about the certificate. An example file is listed below.
• Then execute:

            $ certtool --generate-certificate cert.pem --load-privkey key.pem  \
               --template cert.cfg \
               --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem
  

An example certtool template file:

     # X.509 Certificate options
     #
     # DN options
     
     # The organization of the subject.
     organization = "Koko inc."
     
     # The organizational unit of the subject.
     unit = "sleeping dept."
     
     # The locality of the subject.
     # locality =
     
     # The state of the certificate owner.
     state = "Attiki"
     
     # The country of the subject. Two letter code.
     country = GR
     
     # The common name of the certificate owner.
     cn = "Cindy Lauper"
     
     # A user id of the certificate owner.
     #uid = "clauper"
     
     # If the supported DN OIDs are not adequate you can set
     # any OID here.
     # For example set the X.520 Title and the X.520 Pseudonym
     # by using OID and string pairs.
     #dn_oid = "2.5.4.12" "Dr." "2.5.4.65" "jackal"
     
     # This is deprecated and should not be used in new
     # certificates.
     # pkcs9_email = "none@none.org"
     
     # The serial number of the certificate
     serial = 007
     
     # In how many days, counting from today, this certificate will expire.
     expiration_days = 700
     
     # X.509 v3 extensions
     
     # A dnsname in case of a WWW server.
     #dns_name = "www.none.org"
     
     # An IP address in case of a server.
     #ip_address = "192.168.1.1"
     
     # An email in case of a person
     email = "none@none.org"
     
     # An URL that has CRLs (certificate revocation lists)
     # available. Needed in CA certificates.
     #crl_dist_points = "http://www.getcrl.crl/getcrl/"
     
     # Whether this is a CA certificate or not
     #ca
     
     # Whether this certificate will be used for a TLS client
     #tls_www_client
     
     # Whether this certificate will be used for a TLS server
     #tls_www_server
     
     # Whether this certificate will be used to sign data (needed
     # in TLS DHE ciphersuites).
     signing_key
     
     # Whether this certificate will be used to encrypt data (needed
     # in TLS RSA ciphersuites). Note that it is prefered to use different
     # keys for encryption and signing.
     #encryption_key
     
     # Whether this key will be used to sign other certificates.
     #cert_signing_key
     
     # Whether this key will be used to sign CRLs.
     #crl_signing_key
     
     # Whether this key will be used to sign code.
     #code_signing_key
     
     # Whether this key will be used to sign OCSP data.
     #ocsp_signing_key
     
     # Whether this key will be used for time stamping.
     #time_stamping_key