descriptionCreate various types of certificates
last changeMon, 9 Jan 2017 12:38:27 +0000 (9 04:38 -0800)
content tags

The CACreateCert certificate utility was developed in order to facilitate using X509 client certificates for authentication with a web server over the https protocol when all the user has uploaded to the server for identification is an OpenSSH RSA public key (e.g.

(In other words, the user pastes an OpenSSH RSA public key into a form on the web server and the web server responds with a client certificate that the user can then download and use together with the corresponding private key to authenticate to that web server.)

However, the CACreateCert utility has grown a number of additional options making it useful for creation of several other kinds of X509 certificates.

It may be helpful to first view the Example.html page to see how a full set of certificates and keys for a complete certificate chain may be generated (including individual user client authentication certificates). If more detail is needed on the veritable plethora of options available when running the CACreateCert utility, look at the output of the CACreateCert -h command.

A ConvertPubKey utility is also provided that can convert between OpenSSH and X.509 public key formats without using OpenSSH or OpenSSL.

This software is licensed under the GNU Affero General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. See the included file LICENSE.txt or the web site

2017-01-09 Kyle J. McKayCACreateCert: mention openssl -x509toreq in TIPSmaster
2017-01-06 Kyle J. McKayCACreateCert: improve features for use with --email
2016-10-27 Kyle J. McKayConvertPubKey: tolerate any $PATH location for perl
2016-04-28 Kyle J. McKayCACreateCert: support LibreSSL's openssl command
2015-02-10 Kyle J. McKayREADME: add some headings and .md alias
2015-02-10 Kyle J. McKayCACreateCert: let --dni serial=# relocate the random...
2015-02-10 Kyle J. McKayCACreateCert: Acme Certificate Co.
2015-02-10 Kyle J. McKayCACreateCert: add support for including arbitrary disti...
2015-02-05 Kyle J. McKayCACreateCert: various minor cleanups and elucidations
2014-11-30 Kyle J. McKayCACreateCert: add some additional explanatory comments
2014-11-09 Kyle J. McKayCACreateCert: add some warning text about --dns usage
2014-11-08 Kyle J. McKayCACreateCert: never default to less than sha-256 if...
2014-11-06 Kyle J. McKayCACreateCert: tweak the documentation a bit
2014-11-02 Kyle J. McKayCACreateCert: make --root + --other-type do the right...
2014-11-02 Kyle J. McKayCACreateCert: add support for --dns option
2014-11-02 Kyle J. McKayCACreateCert: choose a stronger default hash for longer...
3 months ago master