@node certtool Invocation
@subsection Invoking certtool
@pindex certtool
@ignore
# -*- buffer-read-only: t -*- vi: set ro:
#
# DO NOT EDIT THIS FILE (invoke-certtool.texi)
#
# It has been AutoGen-ed
# From the definitions ../src/certtool-args.def
# and the template file agtexi-cmd.tpl
@end ignore
Tool to parse and generate X.509 certificates, requests and private keys.
It can be used interactively or non-interactively by
specifying the template command line option.
The tool accepts files or supported URIs via the --infile option. In case PIN
is required for URI access you can provide it using the environment variables GNUTLS_PIN
and GNUTLS_SO_PIN.
This section was generated by @strong{AutoGen},
using the @code{agtexi-cmd} template and the option descriptions for the @code{certtool} program.
This software is released under the GNU General Public License, version 3 or later.
@anchor{certtool usage}
@subsubheading certtool help/usage (@option{--help})
@cindex certtool help
This is the automatically generated usage text for certtool.
The text printed is the same whether selected with the @code{help} option
(@option{--help}) or the @code{more-help} option (@option{--more-help}). @code{more-help} will print
the usage text by passing it through a pager program.
@code{more-help} is disabled on platforms without a working
@code{fork(2)} function. The @code{PAGER} environment variable is
used to select the program, defaulting to @file{more}. Both will exit
with a status code of 0.
@exampleindent 0
@example
certtool - GnuTLS certificate tool
Usage: certtool [ -<flag> [<val>] | --<name>[@{=| @}<val>] ]...
-d, --debug=num Enable debugging
- it must be in the range:
0 to 9999
-V, --verbose More verbose output
- may appear multiple times
--infile=file Input file
- file must pre-exist
--outfile=str Output file
Certificate related options:
-i, --certificate-info Print information on the given certificate
--pubkey-info Print information on a public key
-s, --generate-self-signed Generate a self-signed certificate
-c, --generate-certificate Generate a signed certificate
--generate-proxy Generates a proxy certificate
-u, --update-certificate Update a signed certificate
--fingerprint Print the fingerprint of the given certificate
--key-id Print the key ID of the given certificate
--v1 Generate an X.509 version 1 certificate (with no extensions)
--sign-params=str Sign a certificate with a specific signature algorithm
Certificate request related options:
--crq-info Print information on the given certificate request
-q, --generate-request Generate a PKCS #10 certificate request
- prohibits the option 'infile'
--no-crq-extensions Do not use extensions in certificate requests
PKCS#12 file related options:
--p12-info Print information on a PKCS #12 structure
--p12-name=str The PKCS #12 friendly name to use
--to-p12 Generate a PKCS #12 structure
Private key related options:
-k, --key-info Print information on a private key
--p8-info Print information on a PKCS #8 structure
--to-rsa Convert an RSA-PSS key to raw RSA format
-p, --generate-privkey Generate a private key
--key-type=str Specify the key type to use on key generation
--bits=num Specify the number of bits for key generation
--curve=str Specify the curve used for EC key generation
--sec-param=str Specify the security level [low, legacy, medium, high, ultra]
--to-p8 Convert a given key to a PKCS #8 structure
-8, --pkcs8 Use PKCS #8 format for private keys
--provable Generate a private key or parameters from a seed using a provable method
--verify-provable-privkey Verify a private key generated from a seed using a provable method
--seed=str When generating a private key use the given hex-encoded seed
CRL related options:
-l, --crl-info Print information on the given CRL structure
--generate-crl Generate a CRL
--verify-crl Verify a Certificate Revocation List using a trusted list
- requires the option 'load-ca-certificate'
Certificate verification related options:
-e, --verify-chain Verify a PEM encoded certificate chain
--verify Verify a PEM encoded certificate (chain) against a trusted set
--verify-hostname=str Specify a hostname to be used for certificate chain verification
--verify-email=str Specify a email to be used for certificate chain verification
- prohibits the option 'verify-hostname'
--verify-purpose=str Specify a purpose OID to be used for certificate chain verification
--verify-allow-broken Allow broken algorithms, such as MD5 for verification
--verify-profile=str Specify a security level profile to be used for verification
PKCS#7 structure options:
--p7-generate Generate a PKCS #7 structure
--p7-sign Signs using a PKCS #7 structure
--p7-detached-sign Signs using a detached PKCS #7 structure
--p7-include-cert The signer's certificate will be included in the cert list.
- disabled as '--no-p7-include-cert'
- enabled by default
--p7-time Will include a timestamp in the PKCS #7 structure
- disabled as '--no-p7-time'
--p7-show-data Will show the embedded data in the PKCS #7 structure
- disabled as '--no-p7-show-data'
--p7-info Print information on a PKCS #7 structure
--p7-verify Verify the provided PKCS #7 structure
--smime-to-p7 Convert S/MIME to PKCS #7 structure
Other options:
--get-dh-params List the included PKCS #3 encoded Diffie-Hellman parameters
--dh-info Print information PKCS #3 encoded Diffie-Hellman parameters
--load-privkey=str Loads a private key file
--load-pubkey=str Loads a public key file
--load-request=str Loads a certificate request file
--load-certificate=str Loads a certificate file
--load-ca-privkey=str Loads the certificate authority's private key file
--load-ca-certificate=str Loads the certificate authority's certificate file
--load-crl=str Loads the provided CRL
--load-data=str Loads auxiliary data
--password=str Password to use
--null-password Enforce a NULL password
--empty-password Enforce an empty password
--hex-numbers Print big number in an easier format to parse
--cprint In certain operations it prints the information in C-friendly format
--hash=str Hash algorithm to use for signing
--salt-size=num Specify the RSA-PSS key default salt size
--inder Use DER format for input certificates, private keys, and DH parameters
- disabled as '--no-inder'
--inraw an alias for the 'inder' option
--outder Use DER format for output certificates, private keys, and DH parameters
- disabled as '--no-outder'
--outraw an alias for the 'outder' option
--template=str Template file to use for non-interactive operation
--stdout-info Print information to stdout instead of stderr
--ask-pass Enable interaction for entering password when in batch mode.
--pkcs-cipher=str Cipher to use for PKCS #8 and #12 operations
--provider=str Specify the PKCS #11 provider library
--text Output textual information before PEM-encoded certificates, private
keys, etc
- disabled as '--no-text'
- enabled by default
Version, usage and configuration options:
-v, --version[=arg] output version information and exit
-h, --help display extended usage information and exit
-!, --more-help extended usage information passed thru pager
Options are specified by doubled hyphens and their name or by a single
hyphen and the flag character.
Tool to parse and generate X.509 certificates, requests and private keys.
It can be used interactively or non interactively by specifying the
template command line option.
The tool accepts files or supported URIs via the --infile option. In case
PIN is required for URI access you can provide it using the environment
variables GNUTLS_PIN and GNUTLS_SO_PIN.
@end example
@exampleindent 4
@anchor{certtool }
@subsubheading Base options
@subsubheading debug option (-d).
@anchor{certtool debug}
This is the ``enable debugging'' option.
This option takes a number argument.
Specifies the debug level.
@anchor{certtool cert-options}
@subsubheading cert-options options
Certificate related options.
@subsubheading pubkey-info option.
@anchor{certtool pubkey-info}
This is the ``print information on a public key'' option.
The option combined with --load-request, --load-pubkey, --load-privkey and --load-certificate will extract the public key of the object in question.
@subsubheading fingerprint option.
@anchor{certtool fingerprint}
This is the ``print the fingerprint of the given certificate'' option.
This is a simple hash of the DER encoding of the certificate. It can be combined with the --hash parameter. However, it is recommended for identification to use the key-id which depends only on the certificate's key.
@subsubheading key-id option.
@anchor{certtool key-id}
This is the ``print the key id of the given certificate'' option.
This is a hash of the public key of the given certificate. It identifies the key uniquely, remains the same on a certificate renewal and depends only on signed fields of the certificate.
@subsubheading certificate-pubkey option.
@anchor{certtool certificate-pubkey}
This is the ``print certificate's public key'' option.
This option is deprecated as a duplicate of --pubkey-info
@strong{NOTE}@strong{: THIS OPTION IS DEPRECATED}
@subsubheading sign-params option.
@anchor{certtool sign-params}
This is the ``sign a certificate with a specific signature algorithm'' option.
This option takes a string argument.
This option can be combined with --generate-certificate, to sign the certificate with
a specific signature algorithm variant. The only option supported is 'RSA-PSS', and should be
specified when the signer does not have a certificate which is marked for RSA-PSS use only.
@anchor{certtool crq-options}
@subsubheading crq-options options
Certificate request related options.
@subsubheading generate-request option (-q).
@anchor{certtool generate-request}
This is the ``generate a pkcs #10 certificate request'' option.
@noindent
This option has some usage constraints. It:
@itemize @bullet
@item
must not appear in combination with any of the following options:
infile.
@end itemize
Will generate a PKCS #10 certificate request. To specify a private key use --load-privkey.
@anchor{certtool pkcs12-options}
@subsubheading pkcs12-options options
PKCS#12 file related options.
@subsubheading p12-info option.
@anchor{certtool p12-info}
This is the ``print information on a pkcs #12 structure'' option.
This option will dump the contents and print the metadata of the provided PKCS #12 structure.
@subsubheading p12-name option.
@anchor{certtool p12-name}
This is the ``the pkcs #12 friendly name to use'' option.
This option takes a string argument.
The name to be used for the primary certificate and private key in a PKCS #12 file.
@subsubheading to-p12 option.
@anchor{certtool to-p12}
This is the ``generate a pkcs #12 structure'' option.
It requires a certificate, a private key and possibly a CA certificate to be specified.
@anchor{certtool key-options}
@subsubheading key-options options
Private key related options.
@subsubheading p8-info option.
@anchor{certtool p8-info}
This is the ``print information on a pkcs #8 structure'' option.
This option will print information about encrypted PKCS #8 structures. That option does not require the decryption of the structure.
@subsubheading to-rsa option.
@anchor{certtool to-rsa}
This is the ``convert an rsa-pss key to raw rsa format'' option.
It requires an RSA-PSS key as input and will output a raw RSA
key. This command is necessary for compatibility with applications that
cannot read RSA-PSS keys.
@subsubheading generate-privkey option (-p).
@anchor{certtool generate-privkey}
This is the ``generate a private key'' option.
When generating RSA-PSS private keys, the --hash option will
restrict the allowed hash for the key; in the same keys the --salt-size
option is also acceptable.
@subsubheading key-type option.
@anchor{certtool key-type}
This is the ``specify the key type to use on key generation'' option.
This option takes a string argument.
This option can be combined with --generate-privkey, to specify
the key type to be generated. Valid options are 'rsa', 'rsa-pss', 'dsa', 'ecdsa', 'ed25519', and 'ed448'.
When combined with certificate generation it can be used to specify an
RSA-PSS certificate when an RSA key is given.
@subsubheading curve option.
@anchor{certtool curve}
This is the ``specify the curve used for ec key generation'' option.
This option takes a string argument.
Supported values are secp192r1, secp224r1, secp256r1, secp384r1 and secp521r1.
@subsubheading sec-param option.
@anchor{certtool sec-param}
This is the ``specify the security level [low, legacy, medium, high, ultra]'' option.
This option takes a string argument @file{Security parameter}.
This is an alternative to the bits option.
@subsubheading to-p8 option.
@anchor{certtool to-p8}
This is the ``convert a given key to a pkcs #8 structure'' option.
This needs to be combined with --load-privkey.
@subsubheading provable option.
@anchor{certtool provable}
This is the ``generate a private key or parameters from a seed using a provable method'' option.
This will use the FIPS PUB186-4 algorithms (i.e., Shawe-Taylor) for provable key generation.
When specified the private keys or parameters will be generated from a seed, and can be
later validated with --verify-provable-privkey to be correctly generated from the seed. You may
specify --seed or allow GnuTLS to generate one (recommended). This option can be combined with
--generate-privkey or --generate-dh-params.
That option applies to RSA and DSA keys. On the DSA keys the PQG parameters
are generated using the seed, and on RSA the two primes.
@subsubheading verify-provable-privkey option.
@anchor{certtool verify-provable-privkey}
This is the ``verify a private key generated from a seed using a provable method'' option.
This will use the FIPS-186-4 algorithms for provable key generation. You may specify --seed or use the seed stored in the private key structure.
@subsubheading seed option.
@anchor{certtool seed}
This is the ``when generating a private key use the given hex-encoded seed'' option.
This option takes a string argument.
The seed acts as a security parameter for the private key, and
thus a seed size which corresponds to the security level of the private key
should be provided (e.g., 256-bits seed).
@anchor{certtool crl-options}
@subsubheading crl-options options
CRL related options.
@subsubheading generate-crl option.
@anchor{certtool generate-crl}
This is the ``generate a crl'' option.
This option generates a Certificate Revocation List. When combined with --load-crl it uses the loaded CRL as the base for the generated one (i.e., all revoked certificates in the base will be copied to the new CRL).
To add new certificates to the CRL use --load-certificate.
@subsubheading verify-crl option.
@anchor{certtool verify-crl}
This is the ``verify a certificate revocation list using a trusted list'' option.
@noindent
This option has some usage constraints. It:
@itemize @bullet
@item
must appear in combination with the following options:
load-ca-certificate.
@end itemize
The trusted certificate list must be loaded with --load-ca-certificate.
@anchor{certtool cert-verify-options}
@subsubheading cert-verify-options options
Certificate verification related options.
@subsubheading verify-chain option (-e).
@anchor{certtool verify-chain}
This is the ``verify a pem encoded certificate chain'' option.
Verifies the validity of a certificate chain. That is, an ordered set of
certificates where each one is the issuer of the previous, and the first is
the end-certificate to be validated. In a proper chain the last certificate
is a self-signed one. It can be combined with --verify-purpose or --verify-hostname.
@subsubheading verify option.
@anchor{certtool verify}
This is the ``verify a pem encoded certificate (chain) against a trusted set'' option.
The trusted certificate list can be loaded with --load-ca-certificate. If no
certificate list is provided, then the system's trusted certificate list is used. Note that
during verification multiple paths may be explored. On a successful verification
the successful path will be the last one. It can be combined with --verify-purpose or --verify-hostname.
@subsubheading verify-hostname option.
@anchor{certtool verify-hostname}
This is the ``specify a hostname to be used for certificate chain verification'' option.
This option takes a string argument.
This is to be combined with one of the verify certificate options.
@subsubheading verify-email option.
@anchor{certtool verify-email}
This is the ``specify a email to be used for certificate chain verification'' option.
This option takes a string argument.
@noindent
This option has some usage constraints. It:
@itemize @bullet
@item
must not appear in combination with any of the following options:
verify-hostname.
@end itemize
This is to be combined with one of the verify certificate options.
@subsubheading verify-purpose option.
@anchor{certtool verify-purpose}
This is the ``specify a purpose oid to be used for certificate chain verification'' option.
This option takes a string argument.
This object identifier restricts the purpose of the certificates to be verified. Example purposes are 1.3.6.1.5.5.7.3.1 (TLS WWW), 1.3.6.1.5.5.7.3.4 (EMAIL) etc. Note that a CA certificate without a purpose set (extended key usage) is valid for any purpose.
@subsubheading verify-allow-broken option.
@anchor{certtool verify-allow-broken}
This is the ``allow broken algorithms, such as md5 for verification'' option.
This can be combined with --p7-verify, --verify or --verify-chain.
@subsubheading verify-profile option.
@anchor{certtool verify-profile}
This is the ``specify a security level profile to be used for verification'' option.
This option takes a string argument.
This option can be used to specify a certificate verification profile. Certificate
verification profiles correspond to the security level. This should be one of
'none', 'very weak', 'low', 'legacy', 'medium', 'high', 'ultra',
'future'. Note that by default no profile is applied, unless one is set
as minimum in the gnutls configuration file.
@anchor{certtool pkcs7-options}
@subsubheading pkcs7-options options
PKCS#7 structure options.
@subsubheading p7-generate option.
@anchor{certtool p7-generate}
This is the ``generate a pkcs #7 structure'' option.
This option generates a PKCS #7 certificate container structure. To add certificates in the structure use --load-certificate and --load-crl.
@subsubheading p7-sign option.
@anchor{certtool p7-sign}
This is the ``signs using a pkcs #7 structure'' option.
This option generates a PKCS #7 structure containing a signature for the provided data from infile. The data are stored within the structure. The signer certificate has to be specified using --load-certificate and --load-privkey. The input to --load-certificate can be a list of certificates. In case of a list, the first certificate is used for signing and the other certificates are included in the structure.
@subsubheading p7-detached-sign option.
@anchor{certtool p7-detached-sign}
This is the ``signs using a detached pkcs #7 structure'' option.
This option generates a PKCS #7 structure containing a signature for the provided data from infile. The signer certificate has to be specified using --load-certificate and --load-privkey. The input to --load-certificate can be a list of certificates. In case of a list, the first certificate is used for signing and the other certificates are included in the structure.
@subsubheading p7-include-cert option.
@anchor{certtool p7-include-cert}
This is the ``the signer's certificate will be included in the cert list.'' option.
@noindent
This option has some usage constraints. It:
@itemize @bullet
@item
can be disabled with --no-p7-include-cert.
@item
It is enabled by default.
@end itemize
This option works with --p7-sign or --p7-detached-sign and will include or exclude the signer's certificate in the generated signature.
@subsubheading p7-time option.
@anchor{certtool p7-time}
This is the ``will include a timestamp in the pkcs #7 structure'' option.
@noindent
This option has some usage constraints. It:
@itemize @bullet
@item
can be disabled with --no-p7-time.
@end itemize
This option will include a timestamp in the generated signature.
@subsubheading p7-show-data option.
@anchor{certtool p7-show-data}
This is the ``will show the embedded data in the pkcs #7 structure'' option.
@noindent
This option has some usage constraints. It:
@itemize @bullet
@item
can be disabled with --no-p7-show-data.
@end itemize
This option can be combined with --p7-verify or --p7-info and will display the embedded signed data in the PKCS #7 structure.
@subsubheading p7-verify option.
@anchor{certtool p7-verify}
This is the ``verify the provided pkcs #7 structure'' option.
This option verifies the signed PKCS #7 structure. The certificate list to use for verification can be specified with --load-ca-certificate. When no certificate list is provided, the system's certificate list is used. Alternatively a direct signer can be provided using --load-certificate. A key purpose can be enforced with the --verify-purpose option, and the --load-data option will utilize detached data.
@anchor{certtool other-options}
@subsubheading other-options options
Other options.
@subsubheading generate-dh-params option.
@anchor{certtool generate-dh-params}
This is the ``generate pkcs #3 encoded diffie-hellman parameters'' option.
This will generate random parameters to be used with
Diffie-Hellman key exchange. The output parameters will be in PKCS #3
format. Note that it is recommended to use the --get-dh-params option
instead.
@strong{NOTE}@strong{: THIS OPTION IS DEPRECATED}
@subsubheading get-dh-params option.
@anchor{certtool get-dh-params}
This is the ``list the included pkcs #3 encoded diffie-hellman parameters'' option.
Returns stored DH parameters in GnuTLS. Those parameters returned
are defined in RFC7919, and can be considered standard parameters for a TLS
key exchange. This option is provided for old applications which require
DH parameters to be specified; modern GnuTLS applications should not require
them.
@subsubheading load-privkey option.
@anchor{certtool load-privkey}
This is the ``loads a private key file'' option.
This option takes a string argument.
This can be either a file or a PKCS #11 URL
@subsubheading load-pubkey option.
@anchor{certtool load-pubkey}
This is the ``loads a public key file'' option.
This option takes a string argument.
This can be either a file or a PKCS #11 URL
@subsubheading load-request option.
@anchor{certtool load-request}
This is the ``loads a certificate request file'' option.
This option takes a string argument.
This option can be used with a file
@subsubheading load-certificate option.
@anchor{certtool load-certificate}
This is the ``loads a certificate file'' option.
This option takes a string argument.
This option can be used with a file
@subsubheading load-ca-privkey option.
@anchor{certtool load-ca-privkey}
This is the ``loads the certificate authority's private key file'' option.
This option takes a string argument.
This can be either a file or a PKCS #11 URL
@subsubheading load-ca-certificate option.
@anchor{certtool load-ca-certificate}
This is the ``loads the certificate authority's certificate file'' option.
This option takes a string argument.
This can be either a file or a PKCS #11 URL
@subsubheading load-crl option.
@anchor{certtool load-crl}
This is the ``loads the provided crl'' option.
This option takes a string argument.
This option can be used with a file
@subsubheading load-data option.
@anchor{certtool load-data}
This is the ``loads auxiliary data'' option.
This option takes a string argument.
This option can be used with a file
@subsubheading password option.
@anchor{certtool password}
This is the ``password to use'' option.
This option takes a string argument.
You can use this option to specify the password on the command line instead of reading it from the tty. Note that command line arguments are visible to other users on the system. Specifying the password as '' is the same as specifying no password.
@subsubheading null-password option.
@anchor{certtool null-password}
This is the ``enforce a null password'' option.
This option enforces a NULL password. This is different from an empty password or no password in schemas like PKCS #8.
@subsubheading empty-password option.
@anchor{certtool empty-password}
This is the ``enforce an empty password'' option.
This option enforces an empty password. This is different from a NULL password or no password in schemas like PKCS #8.
@subsubheading cprint option.
@anchor{certtool cprint}
This is the ``in certain operations it prints the information in c-friendly format'' option.
In certain operations it prints the information in C-friendly format, suitable for including into C programs.
@subsubheading rsa option.
@anchor{certtool rsa}
This is the ``generate rsa key'' option.
When combined with --generate-privkey generates an RSA private key.
@strong{NOTE}@strong{: THIS OPTION IS DEPRECATED}
@subsubheading dsa option.
@anchor{certtool dsa}
This is the ``generate dsa key'' option.
When combined with --generate-privkey generates a DSA private key.
@strong{NOTE}@strong{: THIS OPTION IS DEPRECATED}
@subsubheading ecc option.
@anchor{certtool ecc}
This is the ``generate ecc (ecdsa) key'' option.
When combined with --generate-privkey generates an elliptic curve private key to be used with ECDSA.
@strong{NOTE}@strong{: THIS OPTION IS DEPRECATED}
@subsubheading ecdsa option.
@anchor{certtool ecdsa}
This is an alias for the @code{ecc} option,
@pxref{certtool ecc, the ecc option documentation}.
@subsubheading hash option.
@anchor{certtool hash}
This is the ``hash algorithm to use for signing'' option.
This option takes a string argument.
Available hash functions are SHA1, RMD160, SHA256, SHA384, SHA512, SHA3-224, SHA3-256, SHA3-384, SHA3-512.
@subsubheading salt-size option.
@anchor{certtool salt-size}
This is the ``specify the rsa-pss key default salt size'' option.
This option takes a number argument.
Typical keys shouldn't set or restrict this option.
@subsubheading inder option.
@anchor{certtool inder}
This is the ``use der format for input certificates, private keys, and dh parameters'' option.
@noindent
This option has some usage constraints. It:
@itemize @bullet
@item
can be disabled with --no-inder.
@end itemize
The input files will be assumed to be in DER or RAW format.
Unlike PEM input, which allows multiple input data items (e.g. multiple
certificates), when reading in DER format a single data structure is read.
@subsubheading inraw option.
@anchor{certtool inraw}
This is an alias for the @code{inder} option,
@pxref{certtool inder, the inder option documentation}.
@subsubheading outder option.
@anchor{certtool outder}
This is the ``use der format for output certificates, private keys, and dh parameters'' option.
@noindent
This option has some usage constraints. It:
@itemize @bullet
@item
can be disabled with --no-outder.
@end itemize
The output will be in DER or RAW format.
@subsubheading outraw option.
@anchor{certtool outraw}
This is an alias for the @code{outder} option,
@pxref{certtool outder, the outder option documentation}.
@subsubheading ask-pass option.
@anchor{certtool ask-pass}
This is the ``enable interaction for entering password when in batch mode.'' option.
This option will enable interaction to enter a password when in batch mode. This is useful when the template option has been specified.
@subsubheading pkcs-cipher option.
@anchor{certtool pkcs-cipher}
This is the ``cipher to use for pkcs #8 and #12 operations'' option.
This option takes a string argument @file{Cipher}.
Cipher may be one of 3des, 3des-pkcs12, aes-128, aes-192, aes-256, rc2-40, arcfour.
@subsubheading provider option.
@anchor{certtool provider}
This is the ``specify the pkcs #11 provider library'' option.
This option takes a string argument.
This will override the default options in /etc/gnutls/pkcs11.conf
@subsubheading text option.
@anchor{certtool text}
This is the ``output textual information before pem-encoded certificates, private keys, etc'' option.
@noindent
This option has some usage constraints. It:
@itemize @bullet
@item
can be disabled with --no-text.
@item
It is enabled by default.
@end itemize
Output textual information before PEM-encoded data
@anchor{certtool exit status}
@subsubheading certtool exit status
One of the following exit values will be returned:
@table @samp
@item 0 (EXIT_SUCCESS)
Successful program execution.
@item 1 (EXIT_FAILURE)
The operation failed or the command syntax was not valid.
@end table
@anchor{certtool See Also}
@subsubheading certtool See Also
p11tool (1), psktool (1), srptool (1)
@anchor{certtool Examples}
@subsubheading certtool Examples
@subsubheading Generating private keys
To create an RSA private key, run:
@example
$ certtool --generate-privkey --outfile key.pem --rsa
@end example
To create a DSA or elliptic curve (ECDSA) private key use the
above command combined with the 'dsa' or 'ecc' options (which, like 'rsa', are marked deprecated above).
@subsubheading Generating certificate requests
To create a certificate request (needed when the certificate is issued by
another party), run:
@example
certtool --generate-request --load-privkey key.pem \
--outfile request.pem
@end example
If the private key is stored in a smart card you can generate
a request by specifying the private key object URL.
@example
$ ./certtool --generate-request --load-privkey "pkcs11:..." \
--load-pubkey "pkcs11:..." --outfile request.pem
@end example
@subsubheading Generating a self-signed certificate
To create a self-signed certificate, use the command:
@example
$ certtool --generate-privkey --outfile ca-key.pem
$ certtool --generate-self-signed --load-privkey ca-key.pem \
--outfile ca-cert.pem
@end example
Note that a self-signed certificate usually belongs to a certificate
authority, that signs other certificates.
@subsubheading Generating a certificate
To generate a certificate using the previous request, use the command:
@example
$ certtool --generate-certificate --load-request request.pem \
--outfile cert.pem --load-ca-certificate ca-cert.pem \
--load-ca-privkey ca-key.pem
@end example
To generate a certificate using the private key only, use the command:
@example
$ certtool --generate-certificate --load-privkey key.pem \
--outfile cert.pem --load-ca-certificate ca-cert.pem \
--load-ca-privkey ca-key.pem
@end example
@subsubheading Certificate information
To view the certificate information, use:
@example
$ certtool --certificate-info --infile cert.pem
@end example
@subsubheading Changing the certificate format
To convert the certificate from PEM to DER format, use:
@example
$ certtool --certificate-info --infile cert.pem --outder --outfile cert.der
@end example
@subsubheading PKCS #12 structure generation
To generate a PKCS #12 structure using the previous key and certificate,
use the command:
@example
$ certtool --load-certificate cert.pem --load-privkey key.pem \
--to-p12 --outder --outfile key.p12
@end example
Some tools (reportedly web browsers) have problems with that file
because it does not contain the CA certificate for the certificate.
To work around that problem in the tool, you can use the
--load-ca-certificate parameter as follows:
@example
$ certtool --load-ca-certificate ca.pem \
--load-certificate cert.pem --load-privkey key.pem \
--to-p12 --outder --outfile key.p12
@end example
@subsubheading Obtaining Diffie-Hellman parameters
To obtain the RFC7919 parameters for Diffie-Hellman key exchange, use the command:
@example
$ certtool --get-dh-params --outfile dh.pem --sec-param medium
@end example
@subsubheading Verifying a certificate
To verify a certificate in a file against the system's CA trust store
use the following command:
@example
$ certtool --verify --infile cert.pem
@end example
It is also possible to simulate hostname verification with the following
options:
@example
$ certtool --verify --verify-hostname www.example.com --infile cert.pem
@end example
@subsubheading Proxy certificate generation
A proxy certificate can be used to delegate your credentials to a
temporary, typically short-lived, certificate. To create one from the
previously created certificate, first create a temporary key and then
generate a proxy certificate for it, using the commands:
@example
$ certtool --generate-privkey > proxy-key.pem
$ certtool --generate-proxy --load-ca-privkey key.pem \
--load-privkey proxy-key.pem --load-certificate cert.pem \
--outfile proxy-cert.pem
@end example
@subsubheading Certificate revocation list generation
To create an empty Certificate Revocation List (CRL) do:
@example
$ certtool --generate-crl --load-ca-privkey x509-ca-key.pem \
--load-ca-certificate x509-ca.pem
@end example
To create a CRL that contains some revoked certificates, place the
certificates in a file and use @code{--load-certificate} as follows:
@example
$ certtool --generate-crl --load-ca-privkey x509-ca-key.pem \
--load-ca-certificate x509-ca.pem --load-certificate revoked-certs.pem
@end example
To verify a Certificate Revocation List (CRL) do:
@example
$ certtool --verify-crl --load-ca-certificate x509-ca.pem < crl.pem
@end example
@anchor{certtool Files}
@subsubheading certtool Files
@subsubheading Certtool's template file format
A template file can be used to avoid the interactive questions of
certtool. Initially create a file named 'cert.cfg' that contains the information
about the certificate. The template can be used as below:
@example
$ certtool --generate-certificate --load-privkey key.pem \
--template cert.cfg --outfile cert.pem \
--load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem
@end example
An example certtool template file that can be used to generate a certificate
request or a self-signed certificate follows.
@example
# X.509 Certificate options
#
# DN options
# The organization of the subject.
organization = "Koko inc."
# The organizational unit of the subject.
unit = "sleeping dept."
# The locality of the subject.
# locality =
# The state of the certificate owner.
state = "Attiki"
# The country of the subject. Two letter code.
country = GR
# The common name of the certificate owner.
cn = "Cindy Lauper"
# A user id of the certificate owner.
#uid = "clauper"
# Set domain components
#dc = "name"
#dc = "domain"
# If the supported DN OIDs are not adequate you can set
# any OID here.
# For example set the X.520 Title and the X.520 Pseudonym
# by using OID and string pairs.
#dn_oid = "2.5.4.12 Dr."
#dn_oid = "2.5.4.65 jackal"
# This is deprecated and should not be used in new
# certificates.
# pkcs9_email = "none@@none.org"
# An alternative way to set the certificate's distinguished name directly
# is with the "dn" option. The attribute names allowed are:
# C (country), street, O (organization), OU (unit), title, CN (common name),
# L (locality), ST (state), placeOfBirth, gender, countryOfCitizenship,
# countryOfResidence, serialNumber, telephoneNumber, surName, initials,
# generationQualifier, givenName, pseudonym, dnQualifier, postalCode, name,
# businessCategory, DC, UID, jurisdictionOfIncorporationLocalityName,
# jurisdictionOfIncorporationStateOrProvinceName,
# jurisdictionOfIncorporationCountryName, XmppAddr, and numeric OIDs.
#dn = "cn = Nikos,st = New\, Something,C=GR,surName=Mavrogiannopoulos,2.5.4.9=Arkadias"
# The serial number of the certificate
# The value is in decimal (e.g. 1963) or hex (e.g. 0x07ab).
# Comment out the field to get a random serial number.
serial = 007
# In how many days, counting from today, this certificate will expire.
# Use -1 if there is no expiration date.
expiration_days = 700
# Alternatively you may set concrete dates and time. The GNU date string
# formats are accepted. See:
# https://www.gnu.org/software/tar/manual/html_node/Date-input-formats.html
#activation_date = "2004-02-29 16:21:42"
#expiration_date = "2025-02-29 16:24:41"
# X.509 v3 extensions
# A dnsname in case of a WWW server.
#dns_name = "www.none.org"
#dns_name = "www.morethanone.org"
# An othername defined by an OID and a hex encoded string
#other_name = "1.3.6.1.5.2.2 302ca00d1b0b56414e5245494e2e4f5247a11b3019a006020400000002a10f300d1b047269636b1b0561646d696e"
#other_name_utf8 = "1.2.4.5.6 A UTF8 string"
#other_name_octet = "1.2.4.5.6 A string that will be encoded as ASN.1 octet string"
# Allows writing an XmppAddr Identifier
#xmpp_name = juliet@@im.example.com
# Names used in PKINIT
#krb5_principal = user@@REALM.COM
#krb5_principal = HTTP/user@@REALM.COM
# A subject alternative name URI
#uri = "https://www.example.com"
# An IP address in case of a server.
#ip_address = "192.168.1.1"
# An email in case of a person
email = "none@@none.org"
# TLS feature (rfc7633) extension. This can be used to indicate mandatory TLS
# extension features to be provided by the server. In practice this is used
# to require the Status Request (extid: 5) extension from the server. That is,
# to require the server holding this certificate to provide a stapled OCSP response.
# You can have multiple lines for multiple TLS features.
# To ask for OCSP status request use:
#tls_feature = 5
# Challenge password used in certificate requests
challenge_password = 123456
# Password when encrypting a private key
#password = secret
# A URL that has CRLs (certificate revocation lists)
# available. Needed in CA certificates.
#crl_dist_points = "https://www.getcrl.crl/getcrl/"
# Whether this is a CA certificate or not
#ca
# Subject Unique ID (in hex)
#subject_unique_id = 00153224
# Issuer Unique ID (in hex)
#issuer_unique_id = 00153225
#### Key usage
# The following key usage flags are used by CAs and end certificates
# Whether this certificate will be used to sign data (needed
# in TLS DHE ciphersuites). This is the digitalSignature flag
# in RFC5280 terminology.
signing_key
# Whether this certificate will be used to encrypt data (needed
# in TLS RSA ciphersuites). Note that it is preferred to use different
# keys for encryption and signing. This is the keyEncipherment flag
# in RFC5280 terminology.
encryption_key
# Whether this key will be used to sign other certificates. The
# keyCertSign flag in RFC5280 terminology.
#cert_signing_key
# Whether this key will be used to sign CRLs. The
# cRLSign flag in RFC5280 terminology.
#crl_signing_key
# The keyAgreement flag of RFC5280. Its purpose is loosely
# defined. Do not use it unless required by a protocol.
#key_agreement
# The dataEncipherment flag of RFC5280. Its purpose is loosely
# defined. Do not use it unless required by a protocol.
#data_encipherment
# The nonRepudiation flag of RFC5280. Its purpose is loosely
# defined. Do not use it unless required by a protocol.
#non_repudiation
#### Extended key usage (key purposes)
# The following extensions are used in an end certificate
# to clarify its purpose. Some CAs also use it to indicate
# the types of certificates they are purposed to sign.
# Whether this certificate will be used for a TLS client;
# this sets the id-kp-clientAuth (1.3.6.1.5.5.7.3.2) of
# extended key usage.
#tls_www_client
# Whether this certificate will be used for a TLS server;
# this sets the id-kp-serverAuth (1.3.6.1.5.5.7.3.1) of
# extended key usage.
#tls_www_server
# Whether this key will be used to sign code. This sets the
# id-kp-codeSigning (1.3.6.1.5.5.7.3.3) of extended key usage
# extension.
#code_signing_key
# Whether this key will be used to sign OCSP data. This sets the
# id-kp-OCSPSigning (1.3.6.1.5.5.7.3.9) of extended key usage extension.
#ocsp_signing_key
# Whether this key will be used for time stamping. This sets the
# id-kp-timeStamping (1.3.6.1.5.5.7.3.8) of extended key usage extension.
#time_stamping_key
# Whether this key will be used for email protection. This sets the
# id-kp-emailProtection (1.3.6.1.5.5.7.3.4) of extended key usage extension.
#email_protection_key
# Whether this key will be used for IPsec IKE operations (1.3.6.1.5.5.7.3.17).
#ipsec_ike_key
## adding custom key purpose OIDs
# for microsoft smart card logon
# key_purpose_oid = 1.3.6.1.4.1.311.20.2.2
# for email protection
# key_purpose_oid = 1.3.6.1.5.5.7.3.4
# for any purpose (must not be used in intermediate CA certificates)
# key_purpose_oid = 2.5.29.37.0
### end of key purpose OIDs
### Adding arbitrary extensions
# This requires providing the extension OIDs, as well as the extension data in
# hex format. The following two options are available since GnuTLS 3.5.3.
#add_extension = "1.2.3.4 0x0AAB01ACFE"
# As above but encode the data as an octet string
#add_extension = "1.2.3.4 octet_string(0x0AAB01ACFE)"
# For portability, critical extensions shouldn't be added to certificates.
#add_critical_extension = "5.6.7.8 0x1AAB01ACFE"
# When generating a certificate from a certificate
# request, honor the extensions stored in the request
# and store them in the real certificate.
#honor_crq_extensions
# Alternatively only specific extensions can be copied.
#honor_crq_ext = 2.5.29.17
#honor_crq_ext = 2.5.29.15
# Path length constraint. Sets the maximum number of
# certificates that can be used to certify this certificate.
# (i.e. the certificate chain length)
#path_len = -1
#path_len = 2
# OCSP URI
# ocsp_uri = https://my.ocsp.server/ocsp
# CA issuers URI
# ca_issuers_uri = https://my.ca.issuer
# Certificate policies
#policy1 = 1.3.6.1.4.1.5484.1.10.99.1.0
#policy1_txt = "This is a long policy to summarize"
#policy1_url = https://www.example.com/a-policy-to-read
#policy2 = 1.3.6.1.4.1.5484.1.10.99.1.1
#policy2_txt = "This is a short policy"
#policy2_url = https://www.example.com/another-policy-to-read
# The number of additional certificates that may appear in a
# path before the anyPolicy is no longer acceptable.
#inhibit_anypolicy_skip_certs 1
# Name constraints
# DNS
#nc_permit_dns = example.com
#nc_exclude_dns = test.example.com
# EMAIL
#nc_permit_email = "nmav@@ex.net"
# Exclude subdomains of example.com
#nc_exclude_email = .example.com
# Exclude all e-mail addresses of example.com
#nc_exclude_email = example.com
# IP
#nc_permit_ip = 192.168.0.0/16
#nc_exclude_ip = 192.168.5.0/24
#nc_permit_ip = fc0a:eef2:e7e7:a56e::/64
# Options for proxy certificates
#proxy_policy_language = 1.3.6.1.5.5.7.21.1
# Options for generating a CRL
# The number of days until the next CRL update is due.
# next CRL update will be in 43 days
#crl_next_update = 43
# this is the 5th CRL by this CA
# The value is in decimal (e.g. 1963) or hex (e.g. 0x07ab).
# Comment the field for a time-based number.
# Time-based CRL numbers generated in GnuTLS 3.6.3 and later
# are significantly larger than those generated in previous
# versions. Since CRL numbers need to be monotonic, you need
# to specify the CRL number here manually if you intend to
# downgrade to an earlier version than 3.6.3 after publishing
# the CRL as it is not possible to specify CRL numbers greater
# than 2**63-2 using hex notation in those versions.
#crl_number = 5
# Specify the update dates more precisely.
#crl_this_update_date = "2004-02-29 16:21:42"
#crl_next_update_date = "2025-02-29 16:24:41"
# The date from which the certificates will be seen as
# being revoked.
#crl_revocation_date = "2025-02-29 16:24:41"
@end example