1 AutoGen Definitions options
;
3 prog-title = "GnuTLS PKCS #11 tool";
4 prog-desc = "Manipulate certificates and private keys.";
5 detail = "Tool to parse and generate X.509 certificates, requests and private keys.
6 It can be used interactively or non-interactively by
7 specifying the template command line option.";
8 short-usage = "certtool [options] [url]\ncerttool --help for usage instructions.\n";
16 name = generate-self-signed;
18 descrip
= "Generate a self-signed certificate";
23 name = generate-certificate;
25 descrip
= "Generate a signed certificate";
30 name = generate-proxy;
31 descrip
= "Generates a proxy certificate";
37 descrip
= "Generate a CRL";
42 name = update-certificate;
44 descrip
= "Update a signed certificate";
49 name = generate-privkey;
51 descrip
= "Generate a private key";
56 name = generate-request;
58 descrip
= "Generate a PKCS #10 certificate request";
65 descrip
= "Verify a PEM encoded certificate chain.";
66 doc
= "The last certificate in the chain must be a self-signed one.";
71 descrip
= "Verify a PEM encoded certificate chain using a trusted list.";
72 doc
= "The trusted certificate list must be loaded with --load-ca-certificate.";
73 flags-must = load-ca-certificate;
78 descrip
= "Verify a CRL using a trusted list.";
79 doc
= "The trusted certificate list must be loaded with --load-ca-certificate.";
80 flags-must = load-ca-certificate;
84 name = generate-dh-params;
85 descrip
= "Generate PKCS #3 encoded Diffie-Hellman parameters.";
91 descrip
= "Get the included PKCS #3 encoded Diffie-Hellman parameters.";
92 doc
= "Returns stored DH parameters in GnuTLS. Those parameters are used in the SRP protocol. The parameters returned by fresh generation
93 are more efficient since GnuTLS 3.0.9.";
98 descrip
= "Print information on PKCS #3 encoded Diffie-Hellman parameters";
104 descrip
= "Loads a private key file";
106 doc
= "This can be either a file or a PKCS #11 URL";
111 descrip
= "Loads a public key file";
113 doc
= "This can be either a file or a PKCS #11 URL";
118 descrip
= "Loads a certificate request file";
125 name = load-certificate;
126 descrip
= "Loads a certificate file";
128 doc
= "This can be either a file or a PKCS #11 URL";
132 name = load-ca-privkey;
133 descrip
= "Loads the certificate authority's private key file";
135 doc
= "This can be either a file or a PKCS #11 URL";
139 name = load-ca-certificate;
140 descrip
= "Loads the certificate authority's certificate file";
142 doc
= "This can be either a file or a PKCS #11 URL";
148 descrip
= "Password to use";
153 name = certificate-info;
155 descrip
= "Print information on the given certificate";
160 name = certificate-pubkey;
161 descrip
= "Print certificate's public key";
166 name = pgp-certificate-info;
167 descrip
= "Print information on the given OpenPGP certificate";
172 name = pgp-ring-info;
173 descrip
= "Print information on the given OpenPGP keyring structure";
180 descrip
= "Print information on the given CRL structure";
186 descrip
= "Print information on the given certificate request";
192 name = no-crq-extensions;
193 descrip
= "Do not use extensions in certificate requests";
199 descrip
= "Print information on a PKCS #12 structure";
205 descrip
= "Print information on a PKCS #7 structure";
211 descrip
= "Convert S/MIME to PKCS #7 structure";
218 descrip
= "Print information on a private key";
224 descrip
= "Print information on an OpenPGP private key";
230 descrip
= "Print information on a public key";
236 descrip
= "Generate an X.509 version 1 certificate (with no extensions)";
242 descrip
= "Generate a PKCS #12 structure";
243 doc
= "It requires a certificate, a private key and possibly a CA certificate to be specified.";
244 flags-must = load-certificate;
245 flags-must = load-privkey;
250 descrip
= "Generate a PKCS #8 structure";
257 descrip
= "Use PKCS #8 format for private keys";
263 descrip
= "Generate RSA key";
269 descrip
= "Generate DSA key";
275 descrip
= "Generate ECC (ECDSA) key";
282 descrip
= "Hash algorithm to use for signing.";
283 doc
= "Available hash functions are SHA1, RMD160, SHA256, SHA384, SHA512.";
288 descrip
= "Use DER format for input certificates and private keys.";
301 descrip
= "Use DER format for output certificates and private keys";
315 descrip
= "Specify the number of bits for key generation";
322 arg-name = "Security parameter";
323 descrip
= "Specify the security level [low|legacy|normal|high|ultra].";
324 doc
= "This is an alternative to the bits option.";
328 name = disable-quick-random;
329 descrip
= "No effect";
337 descrip
= "Template file to use for non-interactive operation";
345 descrip
= "Cipher to use for PKCS #8 and #12 operations";
346 doc
= "Cipher may be one of 3des, 3des-pkcs12, aes-128, aes-192, aes-256, rc2-40, arcfour.";
350 ds-type = 'SEE ALSO';
358 ds-type = 'EXAMPLES';
361 @subheading Generating private keys
362 To create an RSA private key, run:
364 $ certtool --generate-privkey --outfile key.pem --rsa
367 To create a DSA or elliptic-curve (ECDSA) private key, use the
368 above command combined with the 'dsa' or 'ecc' option.
370 @subheading Generating certificate requests
371 To create a certificate request (needed when the certificate is issued by
374 certtool --generate-request --load-privkey key.pem \
375 --outfile request.pem
378 If the private key is stored on a smart card, you can generate
379 a request by specifying the private key object URL.
381 $ ./certtool --generate-request --load-privkey "pkcs11:..." \
382 --load-pubkey "pkcs11:..." --outfile request.pem
386 @subheading Generating a self-signed certificate
387 To create a self-signed certificate, use the command:
389 $ certtool --generate-privkey --outfile ca-key.pem
390 $ certtool --generate-self-signed --load-privkey ca-key.pem \
391 --outfile ca-cert.pem
394 Note that a self-signed certificate usually belongs to a certificate
395 authority that signs other certificates.
397 @subheading Generating a certificate
398 To generate a certificate using the previous request, use the command:
400 $ certtool --generate-certificate --load-request request.pem \
401 --outfile cert.pem --load-ca-certificate ca-cert.pem \
402 --load-ca-privkey ca-key.pem
405 To generate a certificate using the private key only, use the command:
407 $ certtool --generate-certificate --load-privkey key.pem \
408 --outfile cert.pem --load-ca-certificate ca-cert.pem \
409 --load-ca-privkey ca-key.pem
412 @subheading Certificate information
413 To view the certificate information, use:
415 $ certtool --certificate-info --infile cert.pem
418 @subheading PKCS #12 structure generation
419 To generate a PKCS #12 structure using the previous key and certificate,
422 $ certtool --load-certificate cert.pem --load-privkey key.pem \
423 --to-p12 --outder --outfile key.p12
426 Some tools (reportedly web browsers) have problems with that file
427 because it does not contain the CA certificate for the certificate.
428 To work around that problem in the tool, you can use the
429 --load-ca-certificate parameter as follows:
432 $ certtool --load-ca-certificate ca.pem \
433 --load-certificate cert.pem --load-privkey key.pem \
434 --to-p12 --outder --outfile key.p12
437 @subheading Diffie-Hellman parameter generation
438 To generate parameters for Diffie-Hellman key exchange, use the command:
440 $ certtool --generate-dh-params --outfile dh.pem --sec-param normal
443 @subheading Proxy certificate generation
444 A proxy certificate can be used to delegate your credentials to a
445 temporary, typically short-lived, certificate. To create one from the
446 previously created certificate, first create a temporary key and then
447 generate a proxy certificate for it, using the commands:
450 $ certtool --generate-privkey > proxy-key.pem
451 $ certtool --generate-proxy --load-ca-privkey key.pem \
452 --load-privkey proxy-key.pem --load-certificate cert.pem \
453 --outfile proxy-cert.pem
456 @subheading Certificate revocation list generation
457 To create an empty Certificate Revocation List (CRL), do:
460 $ certtool --generate-crl --load-ca-privkey x509-ca-key.pem \
461 --load-ca-certificate x509-ca.pem
464 To create a CRL that contains some revoked certificates, place the
465 certificates in a file and use @code{--load-certificate} as follows:
468 $ certtool --generate-crl --load-ca-privkey x509-ca-key.pem \
469 --load-ca-certificate x509-ca.pem --load-certificate revoked-certs.pem
472 To verify a Certificate Revocation List (CRL), do:
475 $ certtool --verify-crl --load-ca-certificate x509-ca.pem < crl.pem
485 @subheading Certtool's template file format
486 A template file can be used to avoid the interactive questions of
487 certtool. Initially create a file named 'cert.cfg' that contains the information
488 about the certificate. The template can be used as below:
491 $ certtool --generate-certificate cert.pem --load-privkey key.pem \
492 --template cert.cfg \
493 --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem
496 An example certtool template file that can be used to generate a certificate
497 request or a self-signed certificate follows.
500 # X.509 Certificate options
504 # The organization of the subject.
505 organization = "Koko inc."
507 # The organizational unit of the subject.
508 unit = "sleeping dept."
510 # The locality of the subject.
513 # The state of the certificate owner.
516 # The country of the subject. Two letter code.
519 # The common name of the certificate owner.
522 # A user id of the certificate owner.
525 # Set domain components
529 # If the supported DN OIDs are not adequate you can set
531 # For example set the X.520 Title and the X.520 Pseudonym
532 # by using OID and string pairs.
533 #dn_oid = 2.5.4.12 Dr.
534 #dn_oid = 2.5.4.65 jackal
536 # This is deprecated and should not be used in new
538 # pkcs9_email = "none@@none.org"
540 # The serial number of the certificate
543 # In how many days, counting from today, this certificate will expire.
544 expiration_days = 700
546 # X.509 v3 extensions
548 # A dnsname in case of a WWW server.
549 #dns_name = "www.none.org"
550 #dns_name = "www.morethanone.org"
552 # An IP address in case of a server.
553 #ip_address = "192.168.1.1"
555 # An email in case of a person
556 email = "none@@none.org"
558 # Challenge password used in certificate requests
559 challenge_passwd = 123456
561 # An URL that has CRLs (certificate revocation lists)
562 # available. Needed in CA certificates.
563 #crl_dist_points = "http://www.getcrl.crl/getcrl/"
565 # Whether this is a CA certificate or not
568 # for microsoft smart card logon
569 # key_purpose_oid = 1.3.6.1.4.1.311.20.2.2
571 ### Other predefined key purpose OIDs
573 # Whether this certificate will be used for a TLS client
576 # Whether this certificate will be used for a TLS server
579 # Whether this certificate will be used to sign data (needed
580 # in TLS DHE ciphersuites).
583 # Whether this certificate will be used to encrypt data (needed
584 # in TLS RSA ciphersuites). Note that it is preferred to use different
585 # keys for encryption and signing.
588 # Whether this key will be used to sign other certificates.
591 # Whether this key will be used to sign CRLs.
594 # Whether this key will be used to sign code.
597 # Whether this key will be used to sign OCSP data.
600 # Whether this key will be used for time stamping.
603 # Whether this key will be used for IPsec IKE operations.
606 ### end of key purpose OIDs
608 # When generating a certificate from a certificate
609 # request, then honor the extensions stored in the request
610 # and store them in the real certificate.
611 #honor_crq_extensions
613 # Path length constraint. Sets the maximum number of
614 # certificates that can be used to certify this certificate.
615 # (i.e. the certificate chain length)
619 # Options for proxy certificates
620 # proxy_policy_language = 1.3.6.1.5.5.7.21.1
622 # Options for generating a CRL
624 # next CRL update will be in 43 days (wow)
625 #crl_next_update = 43
627 # this is the 5th CRL by this CA