path: root/doc/invoke-certtool.texi
@node certtool Invocation
@subsection Invoking certtool
@pindex certtool
@ignore
#  -*- buffer-read-only: t -*- vi: set ro:
# 
# DO NOT EDIT THIS FILE   (invoke-certtool.texi)
# 
# It has been AutoGen-ed  December 29, 2012 at 01:05:07 PM by AutoGen 5.12
# From the definitions    ../src/certtool-args.def
# and the template file   agtexi-cmd.tpl
@end ignore

Tool to parse and generate X.509 certificates, requests and private keys.
It can be used interactively or non-interactively by
specifying the template command line option.

This section was generated by @strong{AutoGen},
using the @code{agtexi-cmd} template and the option descriptions for the @code{certtool} program.

This software is released under the GNU General Public License.


@anchor{certtool usage}
@subsubheading certtool usage help (-?)

This is the automatically generated usage text for certtool:

@exampleindent 0
@example
certtool - GnuTLS certificate tool - Ver. @@VERSION@@
USAGE:  certtool [ -<flag> [<val>] | --<name>[@{=| @}<val>] ]...

   -d, --debug=num            Enable debugging.
                                - It must be in the range:
                                  0 to 9999
   -V, --verbose              More verbose output
                                - may appear multiple times
       --infile=file          Input file
                                - file must pre-exist
       --outfile=str          Output file
   -s, --generate-self-signed  Generate a self-signed certificate
   -c, --generate-certificate  Generate a signed certificate
       --generate-proxy       Generates a proxy certificate
       --generate-crl         Generate a CRL
   -u, --update-certificate   Update a signed certificate
   -p, --generate-privkey     Generate a private key
   -q, --generate-request     Generate a PKCS #10 certificate request
                                - prohibits these options:
                                infile
   -e, --verify-chain         Verify a PEM encoded certificate chain.
       --verify               Verify a PEM encoded certificate chain using a trusted list.
                                - requires these options:
                                load-ca-certificate
       --verify-crl           Verify a CRL using a trusted list.
                                - requires these options:
                                load-ca-certificate
       --generate-dh-params   Generate PKCS #3 encoded Diffie-Hellman parameters.
       --get-dh-params        Get the included PKCS #3 encoded Diffie-Hellman parameters.
       --dh-info              Print information PKCS #3 encoded Diffie-Hellman parameters
       --load-privkey=str     Loads a private key file
       --load-pubkey=str      Loads a public key file
       --load-request=file    Loads a certificate request file
                                - file must pre-exist
       --load-certificate=str Loads a certificate file
       --load-ca-privkey=str  Loads the certificate authority's private key file
       --load-ca-certificate=str Loads the certificate authority's certificate file
       --password=str         Password to use
       --hex-numbers          Print big number in an easier format to parse
       --null-password        Enforce a NULL password
   -i, --certificate-info     Print information on the given certificate
       --certificate-pubkey   Print certificate's public key
       --pgp-certificate-info  Print information on the given OpenPGP certificate
       --pgp-ring-info        Print information on the given OpenPGP keyring structure
   -l, --crl-info             Print information on the given CRL structure
       --crq-info             Print information on the given certificate request
       --no-crq-extensions    Do not use extensions in certificate requests
       --p12-info             Print information on a PKCS #12 structure
       --p7-info              Print information on a PKCS #7 structure
       --smime-to-p7          Convert S/MIME to PKCS #7 structure
   -k, --key-info             Print information on a private key
       --pgp-key-info         Print information on an OpenPGP private key
       --pubkey-info          Print information on a public key
       --v1                   Generate an X.509 version 1 certificate (with no extensions)
       --to-p12               Generate a PKCS #12 structure
                                - requires these options:
                                load-certificate
       --to-p8                Generate a PKCS #8 structure
   -8, --pkcs8                Use PKCS #8 format for private keys
       --rsa                  Generate RSA key
       --dsa                  Generate DSA key
       --ecc                  Generate ECC (ECDSA) key
       --ecdsa                This is an alias for 'ecc'
       --hash=str             Hash algorithm to use for signing.
       --inder                Use DER format for input certificates and private keys.
                                - disabled as --no-inder
       --inraw                This is an alias for 'inder'
       --outder               Use DER format for output certificates and private keys
                                - disabled as --no-outder
       --outraw               This is an alias for 'outder'
       --bits=num             Specify the number of bits for key generate
       --sec-param=str        Specify the security level [low, legacy, normal, high, ultra].
       --disable-quick-random  No effect
       --template=file        Template file to use for non-interactive operation
                                - file must pre-exist
       --pkcs-cipher=str      Cipher to use for PKCS #8 and #12 operations
   -v, --version[=arg]        Output version information and exit
   -h, --help                 Display extended usage information and exit
   -!, --more-help            Extended usage information passed thru pager

Options are specified by doubled hyphens and their name or by a single
hyphen and the flag character.



Tool to parse and generate X.509 certificates, requests and private keys.
It can be used interactively or non interactively by specifying the
template command line option.

please send bug reports to:  bug-gnutls@@gnu.org
@end example
@exampleindent 4

@anchor{certtool bits}
@subsubheading bits option

This is the ``specify the number of bits for key generate'' option.


@anchor{certtool certificate-info}
@subsubheading certificate-info option (-i)

This is the ``print information on the given certificate'' option.


@anchor{certtool certificate-pubkey}
@subsubheading certificate-pubkey option

This is the ``print certificate's public key'' option.


@anchor{certtool crl-info}
@subsubheading crl-info option (-l)

This is the ``print information on the given crl structure'' option.


@anchor{certtool crq-info}
@subsubheading crq-info option

This is the ``print information on the given certificate request'' option.


@anchor{certtool debug}
@subsubheading debug option (-d)

This is the ``enable debugging.'' option.
Specifies the debug level.

@anchor{certtool dh-info}
@subsubheading dh-info option

This is the ``print information pkcs #3 encoded diffie-hellman parameters'' option.


@anchor{certtool disable-quick-random}
@subsubheading disable-quick-random option

This is the ``no effect'' option.


@anchor{certtool dsa}
@subsubheading dsa option

This is the ``generate dsa key'' option.
When combined with --generate-privkey generates a DSA private key.

@anchor{certtool ecc}
@subsubheading ecc option

This is the ``generate ecc (ecdsa) key'' option.
When combined with --generate-privkey generates an elliptic curve private key to be used with ECDSA.

@anchor{certtool ecdsa}
@subsubheading ecdsa option

This is an alias for the @samp{ecc} option.
This option has no @samp{doc} documentation of its own.

@anchor{certtool generate-certificate}
@subsubheading generate-certificate option (-c)

This is the ``generate a signed certificate'' option.


@anchor{certtool generate-crl}
@subsubheading generate-crl option

This is the ``generate a crl'' option.


@anchor{certtool generate-dh-params}
@subsubheading generate-dh-params option

This is the ``generate pkcs #3 encoded diffie-hellman parameters.'' option.


@anchor{certtool generate-privkey}
@subsubheading generate-privkey option (-p)

This is the ``generate a private key'' option.


@anchor{certtool generate-proxy}
@subsubheading generate-proxy option

This is the ``generates a proxy certificate'' option.


@anchor{certtool generate-request}
@subsubheading generate-request option (-q)

This is the ``generate a pkcs #10 certificate request'' option.

This option has some usage constraints.  It:
@itemize @bullet
@item
must not appear in combination with any of the following options:
infile.
@end itemize

Will generate a PKCS #10 certificate request. To specify a private key use --load-privkey.

@anchor{certtool generate-self-signed}
@subsubheading generate-self-signed option (-s)

This is the ``generate a self-signed certificate'' option.


@anchor{certtool get-dh-params}
@subsubheading get-dh-params option

This is the ``get the included pkcs #3 encoded diffie-hellman parameters.'' option.
Returns the DH parameters stored in GnuTLS. Those parameters are used in the SRP protocol.
Since GnuTLS 3.0.9, parameters returned by fresh generation are more efficient.

@anchor{certtool hash}
@subsubheading hash option

This is the ``hash algorithm to use for signing.'' option.
Available hash functions are SHA1, RMD160, SHA256, SHA384, SHA512.

@anchor{certtool hex-numbers}
@subsubheading hex-numbers option

This is the ``print big number in an easier format to parse'' option.


@anchor{certtool inder}
@subsubheading inder option

This is the ``use der format for input certificates and private keys.'' option.
The input files will be assumed to be in DER or RAW format.
Unlike PEM input, where a single file may carry multiple data items (e.g. multiple
certificates), DER input yields exactly one data structure.

@anchor{certtool infile}
@subsubheading infile option

This is the ``input file'' option.


@anchor{certtool inraw}
@subsubheading inraw option

This is an alias for the @samp{inder} option.
This option has no @samp{doc} documentation of its own.

@anchor{certtool key-info}
@subsubheading key-info option (-k)

This is the ``print information on a private key'' option.


@anchor{certtool load-ca-certificate}
@subsubheading load-ca-certificate option

This is the ``loads the certificate authority's certificate file'' option.
This can be either a file or a PKCS #11 URL.

@anchor{certtool load-ca-privkey}
@subsubheading load-ca-privkey option

This is the ``loads the certificate authority's private key file'' option.
This can be either a file or a PKCS #11 URL.

@anchor{certtool load-certificate}
@subsubheading load-certificate option

This is the ``loads a certificate file'' option.
This can be either a file or a PKCS #11 URL.

@anchor{certtool load-privkey}
@subsubheading load-privkey option

This is the ``loads a private key file'' option.
This can be either a file or a PKCS #11 URL.

@anchor{certtool load-pubkey}
@subsubheading load-pubkey option

This is the ``loads a public key file'' option.
This can be either a file or a PKCS #11 URL.

@anchor{certtool load-request}
@subsubheading load-request option

This is the ``loads a certificate request file'' option.


@anchor{certtool no-crq-extensions}
@subsubheading no-crq-extensions option

This is the ``do not use extensions in certificate requests'' option.


@anchor{certtool null-password}
@subsubheading null-password option

This is the ``enforce a null password'' option.
This option enforces a NULL password. This may be different from the empty password in some schemas.

@anchor{certtool outder}
@subsubheading outder option

This is the ``use der format for output certificates and private keys'' option.
The output will be in DER or RAW format.

@anchor{certtool outfile}
@subsubheading outfile option

This is the ``output file'' option.


@anchor{certtool outraw}
@subsubheading outraw option

This is an alias for the @samp{outder} option.
This option has no @samp{doc} documentation of its own.

@anchor{certtool p12-info}
@subsubheading p12-info option

This is the ``print information on a pkcs #12 structure'' option.


@anchor{certtool p7-info}
@subsubheading p7-info option

This is the ``print information on a pkcs #7 structure'' option.


@anchor{certtool password}
@subsubheading password option

This is the ``password to use'' option.


@anchor{certtool pgp-certificate-info}
@subsubheading pgp-certificate-info option

This is the ``print information on the given openpgp certificate'' option.


@anchor{certtool pgp-key-info}
@subsubheading pgp-key-info option

This is the ``print information on an openpgp private key'' option.


@anchor{certtool pgp-ring-info}
@subsubheading pgp-ring-info option

This is the ``print information on the given openpgp keyring structure'' option.


@anchor{certtool pkcs8}
@subsubheading pkcs8 option (-8)

This is the ``use pkcs #8 format for private keys'' option.


@anchor{certtool pkcs-cipher}
@subsubheading pkcs-cipher option

This is the ``cipher to use for pkcs #8 and #12 operations'' option.
Cipher may be one of 3des, 3des-pkcs12, aes-128, aes-192, aes-256, rc2-40, arcfour.

@anchor{certtool pubkey-info}
@subsubheading pubkey-info option

This is the ``print information on a public key'' option.
The option combined with --load-request, --load-pubkey, --load-privkey and --load-certificate will extract the public key of the object in question.

@anchor{certtool rsa}
@subsubheading rsa option

This is the ``generate rsa key'' option.
When combined with --generate-privkey generates an RSA private key.

@anchor{certtool sec-param}
@subsubheading sec-param option

This is the ``specify the security level [low, legacy, normal, high, ultra].'' option.
This is an alternative to the bits option.

@anchor{certtool smime-to-p7}
@subsubheading smime-to-p7 option

This is the ``convert s/mime to pkcs #7 structure'' option.


@anchor{certtool template}
@subsubheading template option

This is the ``template file to use for non-interactive operation'' option.


@anchor{certtool to-p12}
@subsubheading to-p12 option

This is the ``generate a pkcs #12 structure'' option.

This option has some usage constraints.  It:
@itemize @bullet
@item
must appear in combination with the following options:
load-certificate.
@end itemize

It requires a certificate, a private key and possibly a CA certificate to be specified.

@anchor{certtool to-p8}
@subsubheading to-p8 option

This is the ``generate a pkcs #8 structure'' option.


@anchor{certtool update-certificate}
@subsubheading update-certificate option (-u)

This is the ``update a signed certificate'' option.


@anchor{certtool v1}
@subsubheading v1 option

This is the ``generate an x.509 version 1 certificate (with no extensions)'' option.


@anchor{certtool verbose}
@subsubheading verbose option (-V)

This is the ``more verbose output'' option.

This option has some usage constraints.  It:
@itemize @bullet
@item
may appear an unlimited number of times.
@end itemize



@anchor{certtool verify}
@subsubheading verify option

This is the ``verify a pem encoded certificate chain using a trusted list.'' option.

This option has some usage constraints.  It:
@itemize @bullet
@item
must appear in combination with the following options:
load-ca-certificate.
@end itemize

The trusted certificate list must be loaded with --load-ca-certificate.

@anchor{certtool verify-chain}
@subsubheading verify-chain option (-e)

This is the ``verify a pem encoded certificate chain.'' option.
The last certificate in the chain must be a self-signed one.

@anchor{certtool verify-crl}
@subsubheading verify-crl option

This is the ``verify a crl using a trusted list.'' option.

This option has some usage constraints.  It:
@itemize @bullet
@item
must appear in combination with the following options:
load-ca-certificate.
@end itemize

The trusted certificate list must be loaded with --load-ca-certificate.
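The non-interactive workflow these option entries describe (generate-privkey, generate-self-signed, generate-request, generate-certificate, then verify and verify-chain), as an added shell example that is not part of the GnuTLS manual. It assumes certtool is installed and relies on certtool's template-file keys (cn, ca, cert_signing_key, expiration_days, ...), which this page does not document; every name and value below is constructed.

```shell
#!/bin/sh
# Added example, not from the GnuTLS manual: a non-interactive PKI round trip
# with certtool. Assumes certtool is on PATH; template keys are certtool's
# own syntax (not documented on this page); all names/values are constructed.
set -eu

# Build a CA and a CA-signed server certificate inside $1, then check the
# result with --verify (trusted list) and --verify-chain (chain must end in
# a self-signed certificate). Returns non-zero if any step fails.
build_and_verify() {
    dir="$1"
    mkdir -p "$dir"

    # CA template: marks the certificate as a CA allowed to sign certificates.
    cat > "$dir/ca.tmpl" <<'EOF'
cn = "Example Internal CA"
ca
cert_signing_key
expiration_days = 365
EOF
    # End-entity template for a TLS server; short lifetime on purpose.
    cat > "$dir/server.tmpl" <<'EOF'
cn = "www.example.test"
dns_name = "www.example.test"
tls_www_server
signing_key
encryption_key
expiration_days = 90
EOF

    # Private keys: --sec-param is the documented alternative to --bits.
    certtool --generate-privkey --rsa --sec-param high --outfile "$dir/ca-key.pem"
    certtool --generate-privkey --rsa --bits 2048 --outfile "$dir/server-key.pem"

    # Self-signed CA certificate (-s); --template keeps it non-interactive.
    certtool --generate-self-signed --load-privkey "$dir/ca-key.pem" \
        --template "$dir/ca.tmpl" --hash SHA256 --outfile "$dir/ca-cert.pem"

    # PKCS #10 request (-q) for the server key, then have the CA sign it (-c).
    certtool --generate-request --load-privkey "$dir/server-key.pem" \
        --template "$dir/server.tmpl" --outfile "$dir/server.csr"
    certtool --generate-certificate --load-request "$dir/server.csr" \
        --load-ca-certificate "$dir/ca-cert.pem" --load-ca-privkey "$dir/ca-key.pem" \
        --template "$dir/server.tmpl" --hash SHA256 --outfile "$dir/server-cert.pem"

    # --verify requires --load-ca-certificate: the explicit trusted list.
    certtool --verify --load-ca-certificate "$dir/ca-cert.pem" --infile "$dir/server-cert.pem"

    # --verify-chain takes the full chain; the last certificate is self-signed.
    cat "$dir/server-cert.pem" "$dir/ca-cert.pem" > "$dir/chain.pem"
    certtool --verify-chain --infile "$dir/chain.pem"
}

# Usage: sh certtool-pki.sh <output-dir>  (nothing runs when no dir is given)
[ $# -eq 0 ] || build_and_verify "$1"
```

Inspect the results with --certificate-info --infile on either PEM file; a verification failure makes certtool exit with status 1, as documented in the exit status section.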

@anchor{certtool exit status}
@subsubheading certtool exit status

One of the following exit values will be returned:
@table @samp
@item 0
Successful program execution.
@item 1
The operation failed or the command syntax was not valid.
@end table


@anchor{certtool See Also}
@subsubheading certtool See Also


@anchor{certtool Examples}
@subsubheading certtool Examples


@anchor{certtool Files}
@subsubheading certtool Files