certtool — Manipulate certificates and keys.
−−copyright
Shows the program's license
−d,
−−debug LEVEL
Specify the debug level. Default is 1.
−h,
−−help
Shows this help text
−v,
−−version
Shows the program's version
−i,
−−certificate−info
Print information on a certificate.
−k,
−−key−info
Print information on a private key.
−l,
−−crl−info
Print information on a CRL.
−−p12−info
Print information on a PKCS #12 structure.
−c,
−−generate−certificate
Generate a signed certificate.
−e,
−−verify−chain
Verify a PEM encoded certificate chain. The last certificate in the chain must be a self signed one.
−−generate−dh−params
Generate PKCS #3 encoded Diffie Hellman parameters.
−−load−ca−certificate
FILE
Certificate authority's certificate file to use.
−−load−ca−privkey
FILE
Certificate authority's private key file to use.
−−load−certificate
FILE
Certificate file to use.
−−load−privkey
FILE
Private key file to use.
−−load−request
FILE
Certificate request file to use.
−p,
−−generate−privkey
Generate a private key.
−q,
−−generate−request
Generate a PKCS #10 certificate request.
−s,
−−generate−self−signed
Generate a self-signed certificate.
−u,
−−update−certificate
Update a signed certificate.
Use PKCS #8 format for private keys.
−−dsa
Generate a DSA key.
−−bits BITS
Specify the number of bits for key generation.
−−export−ciphers
Use weak encryption algorithms.
−−inder
Use DER format for input certificates and private keys.
−−infile FILE
Input file.
−−outder
Use DER format for output certificates and private keys.
−−outfile FILE
Output file.
−−password
PASSWORD
Password to use.
−−to−p12
Generate a PKCS #12 structure.
−−template
Use a template file to read input. See the doc/certtool.cfg in the distribution, for an example.
−−fix−key
Some previous versions of certtool generated wrongly the optional parameters in a private key. This may affect programs that used them. To fix an old private key use −−key−info in combination with this parameter.
−−v1
When generating a certificate use the X.509 version 1 format. This does not add any extensions (such as indication for a CA) but some programs do need these.
To create a private key, run:
$ certtool −−generate−privkey −−outfile key.pem
To create a certificate request (needed when the certificate is issued by another party), run:
$ certtool −−generate−request −−load−privkey key.pem \ −−outfile request.pem
To generate a certificate using the previous request, use the command:
$ certtool −−generate−certificate −−load−request request.pem \ −−outfile cert.pem −−load−ca−certificate ca−cert.pem \ −−load−ca−privkey ca−key.pem
To generate a certificate using the private key only, use the command:
$ certtool −−generate−certificate −−load−privkey key.pem \ −−outfile cert.pem −−load−ca−certificate ca−cert.pem \ −−load−ca−privkey ca−key.pem
To view the certificate information, use:
$ certtool −−certificate−info −−infile cert.pem
To generate a PKCS #12 structure using the previous key and certificate, use the command:
$ certtool −−load−certificate cert.pem −−load−privkey key.pem \ −−to−p12 −−outder −−outfile key.p12