path: root/doc/manpages/certtool.1
.TH certtool 1 "December 1st 2003"
.SH NAME
certtool \- Manipulate certificates and keys.
.SH SYNOPSIS
certtool [\fIoptions\fR]
.SH DESCRIPTION
Generate X.509 certificates, certificate requests, and private keys.
.SH OPTIONS
.SS Program control options
.IP "\-\-copyright"
Shows the program's license.
.IP "\-d, \-\-debug LEVEL"
Specify the debug level. Default is 1.
.IP "\-h, \-\-help"
Shows this help text.
.IP "\-v, \-\-version"
Shows the program's version.

.SS Getting information
.IP "\-i, \-\-certificate\-info"
Print information on a certificate.
.IP "\-k, \-\-key\-info"
Print information on a private key.
.IP "\-l, \-\-crl\-info"
Print information on a CRL.
.IP "\-\-p12\-info"
Print information on a PKCS #12 structure.

.SS Generating/verifying certificates/keys
.IP "\-c, \-\-generate\-certificate"
Generate a signed certificate.
.IP "\-e, \-\-verify\-chain"
Verify a PEM-encoded certificate chain.  The last certificate in the chain must be a self-signed one.
.IP "\-\-generate\-dh\-params"
Generate PKCS #3 encoded Diffie-Hellman parameters.
.IP "\-\-load\-ca\-certificate FILE"
Certificate authority's certificate file to use.
.IP "\-\-load\-ca\-privkey FILE"
Certificate authority's private key file to use.
.IP "\-\-load\-certificate FILE"
Certificate file to use.
.IP "\-\-load\-privkey FILE"
Private key file to use.
.IP "\-\-load\-request FILE"
Certificate request file to use.
.IP "\-p, \-\-generate\-privkey"
Generate a private key.
.IP "\-q, \-\-generate\-request"
Generate a PKCS #10 certificate request.
.IP "\-s, \-\-generate\-self\-signed"
Generate a self-signed certificate.
.IP "\-u, \-\-update\-certificate"
Update a signed certificate.

.SS Controlling output
.IP "\-8, \-\-pkcs8"
Use PKCS #8 format for private keys.
.IP "\-\-dsa"
Generate a DSA key.
.IP "\-\-bits BITS"
Specify the number of bits for key generation.
.IP "\-\-export\-ciphers"
Use weak, export-grade encryption algorithms.
.IP "\-\-inder"
Use DER format for input certificates and private keys.
.IP "\-\-infile FILE"
Input file.
.IP "\-\-outder"
Use DER format for output certificates and private keys.
.IP "\-\-outfile FILE"
Output file.
.IP "\-\-password PASSWORD"
Password to use.
.IP "\-\-to\-p12"
Generate a PKCS #12 structure.


.SH EXAMPLES
To create a private key, run:

.RS
.nf
$ certtool \-\-generate\-privkey \-\-outfile key.pem
.fi
.RE

To create a certificate request, run:

.RS
.nf
$ certtool \-\-generate\-request \-\-load\-privkey key.pem \\
   \-\-outfile request.pem
.fi
.RE

To generate a certificate using the previous request, use the command:

.RS
.nf
$ certtool \-\-generate\-certificate \-\-load\-request request.pem \\
   \-\-outfile cert.pem \-\-load\-ca\-certificate ca\-cert.pem \\
   \-\-load\-ca\-privkey ca\-key.pem
.fi
.RE

To view the certificate information, use:

.RS
.nf
$ certtool \-\-certificate\-info \-\-infile cert.pem
.fi
.RE

To generate a PKCS #12 structure using the previous key and certificate, use the command:

.RS
.nf
$ certtool \-\-load\-certificate cert.pem \-\-load\-privkey key.pem \\
   \-\-to\-p12 \-\-outder \-\-outfile key.p12
.fi
.RE

.SH AUTHOR
.PP
Nikos Mavroyanopoulos <nmav@gnutls.org> and others; see
/usr/share/doc/gnutls\-bin/AUTHORS for a complete list.
.PP
This manual page was written by Ivo Timmermans <ivo@debian.org>, for
the Debian GNU/Linux system (but may be used by others).