AutoGen Definitions options;
prog-name = certtool;
prog-title = "GnuTLS certificate tool";
prog-desc = "Manipulate certificates and private keys.";
detail = "Tool to parse and generate X.509 certificates, requests and private keys.
It can be used interactively or non-interactively by
specifying the template command line option.
The tool accepts files or supported URIs via the --infile option. If a PIN
is required for URI access, you can provide it using the environment variables GNUTLS_PIN
and GNUTLS_SO_PIN.
";
short-usage = "certtool [options]\ncerttool --help for usage instructions.\n";
explain = "";
#define INFILE_OPT 1
#define OUTFILE_OPT 1
#define VERBOSE_OPT 1
#include args-std.def
//----------------------------------------
flag = {
name = cert_options;
documentation;
descrip = "Certificate related options";
};
//----------------------------------------
flag = {
name = certificate-info;
value = i;
descrip = "Print information on the given certificate";
doc = "";
};
flag = {
name = pubkey-info;
descrip = "Print information on a public key";
doc = "The option combined with --load-request, --load-pubkey, --load-privkey and --load-certificate will extract the public key of the object in question.";
};
flag = {
name = generate-self-signed;
value = s;
descrip = "Generate a self-signed certificate";
doc = "";
};
flag = {
name = generate-certificate;
value = c;
descrip = "Generate a signed certificate";
doc = "";
};
flag = {
name = generate-proxy;
descrip = "Generates a proxy certificate";
doc = "";
};
flag = {
name = update-certificate;
value = u;
descrip = "Update a signed certificate";
doc = "";
};
flag = {
name = fingerprint;
descrip = "Print the fingerprint of the given certificate";
doc = "This is a simple hash of the DER encoding of the certificate. It can be combined with the --hash parameter. However, it is recommended for identification to use the key-id which depends only on the certificate's key.";
};
flag = {
name = key-id;
descrip = "Print the key ID of the given certificate";
doc = "This is a hash of the public key of the given certificate. It identifies the key uniquely, remains the same on a certificate renewal and depends only on signed fields of the certificate.";
};
flag = {
name = certificate-pubkey;
descrip = "Print certificate's public key";
doc = "This option is deprecated as a duplicate of --pubkey-info";
deprecated;
};
flag = {
name = v1;
descrip = "Generate an X.509 version 1 certificate (with no extensions)";
doc = "";
};
flag = {
name = sign-params;
arg-type = string;
descrip = "Sign a certificate with a specific signature algorithm";
doc = "This option can be combined with --generate-certificate, to sign the certificate with
a specific signature algorithm variant. The only option supported is 'RSA-PSS', and should be
specified when the signer does not have a certificate which is marked for RSA-PSS use only.";
};
//----------------------------------------
flag = {
name = crq_options;
documentation;
descrip = "Certificate request related options";
};
//----------------------------------------
flag = {
name = crq-info;
descrip = "Print information on the given certificate request";
doc = "";
};
flag = {
name = generate-request;
value = q;
descrip = "Generate a PKCS #10 certificate request";
flags_cant = infile;
doc = "Will generate a PKCS #10 certificate request. To specify a private key use --load-privkey.";
};
flag = {
name = no-crq-extensions;
descrip = "Do not use extensions in certificate requests";
doc = "";
};
//----------------------------------------
flag = {
name = pkcs12_options;
documentation;
descrip = "PKCS#12 file related options";
};
//----------------------------------------
flag = {
name = p12-info;
descrip = "Print information on a PKCS #12 structure";
doc = "This option will dump the contents and print the metadata of the provided PKCS #12 structure.";
};
flag = {
name = p12-name;
arg-type = string;
descrip = "The PKCS #12 friendly name to use";
doc = "The name to be used for the primary certificate and private key in a PKCS #12 file.";
};
flag = {
name = to-p12;
descrip = "Generate a PKCS #12 structure";
doc = "It requires a certificate, a private key and possibly a CA certificate to be specified.";
};
//----------------------------------------
flag = {
name = key_options;
documentation;
descrip = "Private key related options";
};
//----------------------------------------
flag = {
name = key-info;
value = k;
descrip = "Print information on a private key";
doc = "";
};
flag = {
name = p8-info;
descrip = "Print information on a PKCS #8 structure";
doc = "This option will print information about encrypted PKCS #8 structures. That option does not require the decryption of the structure.";
};
flag = {
name = to-rsa;
descrip = "Convert an RSA-PSS key to raw RSA format";
doc = "It requires an RSA-PSS key as input and will output a raw RSA
key. This command is necessary for compatibility with applications that
cannot read RSA-PSS keys.";
};
flag = {
name = generate-privkey;
value = p;
descrip = "Generate a private key";
doc = "When generating RSA-PSS private keys, the --hash option will
restrict the allowed hash for the key; in the same keys the --salt-size
option is also acceptable.";
};
flag = {
name = key-type;
arg-type = string;
descrip = "Specify the key type to use on key generation";
doc = "This option can be combined with --generate-privkey, to specify
the key type to be generated. Valid options are 'rsa', 'rsa-pss', 'dsa', 'ecdsa', 'ed25519', and 'ed448'.
When combined with certificate generation it can be used to specify an
RSA-PSS certificate when an RSA key is given.";
};
flag = {
name = bits;
arg-type = number;
descrip = "Specify the number of bits for key generation";
doc = "";
};
flag = {
name = curve;
arg-type = string;
descrip = "Specify the curve used for EC key generation";
doc = "Supported values are secp192r1, secp224r1, secp256r1, secp384r1 and secp521r1.";
};
flag = {
name = sec-param;
arg-type = string;
arg-name = "Security parameter";
descrip = "Specify the security level [low, legacy, medium, high, ultra]";
doc = "This is an alternative to the --bits option.";
};
flag = {
name = to-p8;
descrip = "Convert a given key to a PKCS #8 structure";
doc = "This needs to be combined with --load-privkey.";
};
flag = {
name = pkcs8;
value = 8;
descrip = "Use PKCS #8 format for private keys";
doc = "";
};
flag = {
name = provable;
descrip = "Generate a private key or parameters from a seed using a provable method";
doc = "This will use the FIPS PUB186-4 algorithms (i.e., Shawe-Taylor) for provable key generation.
When specified the private keys or parameters will be generated from a seed, and can be
later validated with --verify-provable-privkey to be correctly generated from the seed. You may
specify --seed or allow GnuTLS to generate one (recommended). This option can be combined with
--generate-privkey or --generate-dh-params.
That option applies to RSA and DSA keys. On the DSA keys the PQG parameters
are generated using the seed, and on RSA the two primes.";
};
flag = {
name = verify-provable-privkey;
descrip = "Verify a private key generated from a seed using a provable method";
doc = "This will use the FIPS-186-4 algorithms for provable key generation. You may specify --seed or use the seed stored in the private key structure.";
};
flag = {
name = seed;
descrip = "When generating a private key use the given hex-encoded seed";
arg-type = string;
doc = "The seed acts as a security parameter for the private key, and
thus a seed size which corresponds to the security level of the private key
should be provided (e.g., a 256-bit seed).";
};
//----------------------------------------
flag = {
name = crl_options;
documentation;
descrip = "CRL related options";
};
//----------------------------------------
flag = {
name = crl-info;
value = l;
descrip = "Print information on the given CRL structure";
doc = "";
};
flag = {
name = generate-crl;
descrip = "Generate a CRL";
doc = "This option generates a Certificate Revocation List. When combined with --load-crl, the loaded CRL is used as the base for the generated one (i.e., all revoked certificates in the base will be copied to the new CRL).
To add new certificates to the CRL use --load-certificate.";
};
flag = {
name = verify-crl;
descrip = "Verify a Certificate Revocation List using a trusted list";
doc = "The trusted certificate list must be loaded with --load-ca-certificate.";
flags-must = load-ca-certificate;
};
//----------------------------------------
flag = {
name = cert_verify_options;
documentation;
descrip = "Certificate verification related options";
};
//----------------------------------------
flag = {
name = verify-chain;
value = e;
descrip = "Verify a PEM encoded certificate chain";
doc = "Verifies the validity of a certificate chain. That is, an ordered set of
certificates where each one is the issuer of the previous, and the first is
the end-certificate to be validated. In a proper chain the last certificate
is a self-signed one. It can be combined with --verify-purpose or --verify-hostname.";
};
flag = {
name = verify;
descrip = "Verify a PEM encoded certificate (chain) against a trusted set";
doc = "The trusted certificate list can be loaded with --load-ca-certificate. If no
certificate list is provided, then the system's trusted certificate list is used. Note that
during verification multiple paths may be explored. On a successful verification
the successful path will be the last one. It can be combined with --verify-purpose or --verify-hostname.";
};
flag = {
name = verify-hostname;
descrip = "Specify a hostname to be used for certificate chain verification";
arg-type = string;
doc = "This is to be combined with one of the verify certificate options.";
};
flag = {
name = verify-email;
descrip = "Specify an email address to be used for certificate chain verification";
arg-type = string;
doc = "This is to be combined with one of the verify certificate options.";
flags-cant = verify-hostname;
};
flag = {
name = verify-purpose;
descrip = "Specify a purpose OID to be used for certificate chain verification";
arg-type = string;
doc = "This object identifier restricts the purpose of the certificates to be verified. Example purposes are 1.3.6.1.5.5.7.3.1 (TLS WWW), 1.3.6.1.5.5.7.3.4 (EMAIL) etc. Note that a CA certificate without a purpose set (extended key usage) is valid for any purpose.";
};
flag = {
name = verify-allow-broken;
descrip = "Allow broken algorithms, such as MD5, for verification";
doc = "This can be combined with --p7-verify, --verify or --verify-chain.";
};
flag = {
name = verify-profile;
descrip = "Specify a security level profile to be used for verification";
arg-type = string;
doc = "This option can be used to specify a certificate verification profile. Certificate
verification profiles correspond to the security level. This should be one of
'none', 'very weak', 'low', 'legacy', 'medium', 'high', 'ultra',
'future'. Note that by default no profile is applied, unless one is set
as minimum in the gnutls configuration file.";
};
//----------------------------------------
flag = {
name = pkcs7_options;
documentation;
descrip = "PKCS#7 structure options";
};
//----------------------------------------
flag = {
name = p7-generate;
descrip = "Generate a PKCS #7 structure";
doc = "This option generates a PKCS #7 certificate container structure. To add certificates in the structure use --load-certificate and --load-crl.";
};
flag = {
name = p7-sign;
descrip = "Signs using a PKCS #7 structure";
doc = "This option generates a PKCS #7 structure containing a signature for the provided data from infile. The data are stored within the structure. The signer certificate has to be specified using --load-certificate and --load-privkey. The input to --load-certificate can be a list of certificates. In case of a list, the first certificate is used for signing and the other certificates are included in the structure.";
};
flag = {
name = p7-detached-sign;
descrip = "Signs using a detached PKCS #7 structure";
doc = "This option generates a PKCS #7 structure containing a signature for the provided data from infile. The signer certificate has to be specified using --load-certificate and --load-privkey. The input to --load-certificate can be a list of certificates. In case of a list, the first certificate is used for signing and the other certificates are included in the structure.";
};
flag = {
name = p7-include-cert;
disable = "no";
enabled;
descrip = "The signer's certificate will be included in the cert list.";
doc = "This option works with --p7-sign or --p7-detached-sign and will include or exclude the signer's certificate in the generated signature.";
};
flag = {
name = p7-time;
disable = "no";
disabled;
descrip = "Will include a timestamp in the PKCS #7 structure";
doc = "This option will include a timestamp in the generated signature.";
};
flag = {
name = p7-show-data;
disable = "no";
disabled;
descrip = "Will show the embedded data in the PKCS #7 structure";
doc = "This option can be combined with --p7-verify or --p7-info and will display the embedded signed data in the PKCS #7 structure.";
};
flag = {
name = p7-info;
descrip = "Print information on a PKCS #7 structure";
doc = "";
};
flag = {
name = p7-verify;
descrip = "Verify the provided PKCS #7 structure";
doc = "This option verifies the signed PKCS #7 structure. The certificate list to use for verification can be specified with --load-ca-certificate. When no certificate list is provided, then the system's certificate list is used. Alternatively a direct signer can be provided using --load-certificate. A key purpose can be enforced with the --verify-purpose option, and the --load-data option will utilize detached data.";
};
flag = {
name = smime-to-p7;
descrip = "Convert S/MIME to PKCS #7 structure";
doc = "";
};
//----------------------------------------
flag = {
name = other_options;
documentation;
descrip = "Other options";
};
//----------------------------------------
flag = {
name = generate-dh-params;
descrip = "Generate PKCS #3 encoded Diffie-Hellman parameters";
doc = "This will generate random parameters to be used with
Diffie-Hellman key exchange. The output parameters will be in PKCS #3
format. Note that it is recommended to use the --get-dh-params option
instead.";
deprecated;
};
flag = {
name = get-dh-params;
descrip = "List the included PKCS #3 encoded Diffie-Hellman parameters";
doc = "Returns stored DH parameters in GnuTLS. Those parameters returned
are defined in RFC7919, and can be considered standard parameters for a TLS
key exchange. This option is provided for old applications which require
DH parameters to be specified; modern GnuTLS applications should not require
them.";
};
flag = {
name = dh-info;
descrip = "Print information on PKCS #3 encoded Diffie-Hellman parameters";
doc = "";
};
flag = {
name = load-privkey;
descrip = "Loads a private key file";
arg-type = string;
doc = "This can be either a file or a PKCS #11 URL";
};
flag = {
name = load-pubkey;
descrip = "Loads a public key file";
arg-type = string;
doc = "This can be either a file or a PKCS #11 URL";
};
flag = {
name = load-request;
descrip = "Loads a certificate request file";
arg-type = string;
doc = "This option can be used with a file";
};
flag = {
name = load-certificate;
descrip = "Loads a certificate file";
arg-type = string;
doc = "This option can be used with a file";
};
flag = {
name = load-ca-privkey;
descrip = "Loads the certificate authority's private key file";
arg-type = string;
doc = "This can be either a file or a PKCS #11 URL";
};
flag = {
name = load-ca-certificate;
descrip = "Loads the certificate authority's certificate file";
arg-type = string;
doc = "This can be either a file or a PKCS #11 URL";
};
flag = {
name = load-crl;
descrip = "Loads the provided CRL";
arg-type = string;
doc = "This option can be used with a file";
};
flag = {
name = load-data;
descrip = "Loads auxiliary data";
arg-type = string;
doc = "This option can be used with a file";
};
flag = {
name = password;
arg-type = string;
descrip = "Password to use";
doc = "You can use this option to specify the password on the command line instead of reading it from the tty. Note that command line arguments are visible to other users on the system. Specifying the password as '' is the same as specifying no password.";
};
flag = {
name = null-password;
descrip = "Enforce a NULL password";
doc = "This option enforces a NULL password. This is different from the empty or no password in schemas like PKCS #8.";
};
flag = {
name = empty-password;
descrip = "Enforce an empty password";
doc = "This option enforces an empty password. This is different from the NULL or no password in schemas like PKCS #8.";
};
flag = {
name = hex-numbers;
descrip = "Print big numbers in a format that is easier to parse";
doc = "";
};
flag = {
name = cprint;
descrip = "In certain operations it prints the information in C-friendly format";
doc = "In certain operations it prints the information in C-friendly format, suitable for including into C programs.";
};
flag = {
name = rsa;
descrip = "Generate RSA key";
doc = "When combined with --generate-privkey generates an RSA private key.";
description = "This option is equivalent to '--key-type rsa'.";
deprecated;
};
flag = {
name = dsa;
descrip = "Generate DSA key";
doc = "When combined with --generate-privkey generates a DSA private key.";
description = "This option is equivalent to '--key-type dsa'.";
deprecated;
};
flag = {
name = ecc;
descrip = "Generate ECC (ECDSA) key";
doc = "When combined with --generate-privkey generates an elliptic curve private key to be used with ECDSA.";
description = "This option is equivalent to '--key-type ecdsa'.";
deprecated;
};
flag = {
name = ecdsa;
aliases = ecc;
deprecated;
};
flag = {
name = hash;
arg-type = string;
descrip = "Hash algorithm to use for signing";
doc = "Available hash functions are SHA1, RMD160, SHA256, SHA384, SHA512, SHA3-224, SHA3-256, SHA3-384, SHA3-512.";
};
flag = {
name = salt-size;
arg-type = number;
descrip = "Specify the RSA-PSS key default salt size";
doc = "Typical keys shouldn't set or restrict this option.";
};
flag = {
name = inder;
descrip = "Use DER format for input certificates, private keys, and DH parameters";
disabled;
disable = "no";
doc = "The input files will be assumed to be in DER or RAW format.
Unlike options that in PEM input would allow multiple input data (e.g. multiple
certificates), when reading in DER format a single data structure is read.";
};
flag = {
name = inraw;
aliases = inder;
};
flag = {
name = outder;
descrip = "Use DER format for output certificates, private keys, and DH parameters";
disabled;
disable = "no";
doc = "The output will be in DER or RAW format.";
};
flag = {
name = outraw;
aliases = outder;
};
flag = {
name = disable-quick-random;
descrip = "No effect";
doc = "";
deprecated;
};
flag = {
name = template;
arg-type = string;
descrip = "Template file to use for non-interactive operation";
doc = "";
};
flag = {
name = stdout-info;
descrip = "Print information to stdout instead of stderr";
doc = "";
};
flag = {
name = ask-pass;
disabled;
descrip = "Enable interaction for entering password when in batch mode.";
doc = "This option will enable interaction to enter the password when in batch mode. That is useful when the template option has been specified.";
};
flag = {
name = pkcs-cipher;
arg-type = string;
arg-name = "Cipher";
descrip = "Cipher to use for PKCS #8 and #12 operations";
doc = "Cipher may be one of 3des, 3des-pkcs12, aes-128, aes-192, aes-256, rc2-40, arcfour.";
};
flag = {
name = provider;
arg-type = string;
descrip = "Specify the PKCS #11 provider library";
doc = "This will override the default options in /etc/gnutls/pkcs11.conf";
};
flag = {
name = text;
descrip = "Output textual information before PEM-encoded certificates, private keys, etc";
enabled;
disable = "no";
doc = "Output textual information before PEM-encoded data";
};
doc-section = {
ds-type = 'SEE ALSO';
ds-format = 'texi';
ds-text = <<-_EOT_
p11tool (1), psktool (1), srptool (1)
_EOT_;
};
doc-section = {
ds-type = 'EXAMPLES';
ds-format = 'texi';
ds-text = <<-_EOT_
@subheading Generating private keys
To create an RSA private key, run:
@example
$ certtool --generate-privkey --outfile key.pem --rsa
@end example
To create a DSA or elliptic-curve (ECDSA) private key, use the
above command combined with the 'dsa' or 'ecc' option.
@subheading Generating certificate requests
To create a certificate request (needed when the certificate is issued by
another party), run:
@example
certtool --generate-request --load-privkey key.pem \
--outfile request.pem
@end example
If the private key is stored in a smart card you can generate
a request by specifying the private key object URL.
@example
$ ./certtool --generate-request --load-privkey "pkcs11:..." \
--load-pubkey "pkcs11:..." --outfile request.pem
@end example
@subheading Generating a self-signed certificate
To create a self-signed certificate, use the command:
@example
$ certtool --generate-privkey --outfile ca-key.pem
$ certtool --generate-self-signed --load-privkey ca-key.pem \
--outfile ca-cert.pem
@end example
Note that a self-signed certificate usually belongs to a certificate
authority that signs other certificates.
@subheading Generating a certificate
To generate a certificate using the previous request, use the command:
@example
$ certtool --generate-certificate --load-request request.pem \
--outfile cert.pem --load-ca-certificate ca-cert.pem \
--load-ca-privkey ca-key.pem
@end example
To generate a certificate using the private key only, use the command:
@example
$ certtool --generate-certificate --load-privkey key.pem \
--outfile cert.pem --load-ca-certificate ca-cert.pem \
--load-ca-privkey ca-key.pem
@end example
@subheading Certificate information
To view the certificate information, use:
@example
$ certtool --certificate-info --infile cert.pem
@end example
@subheading Changing the certificate format
To convert the certificate from PEM to DER format, use:
@example
$ certtool --certificate-info --infile cert.pem --outder --outfile cert.der
@end example
@subheading PKCS #12 structure generation
To generate a PKCS #12 structure using the previous key and certificate,
use the command:
@example
$ certtool --load-certificate cert.pem --load-privkey key.pem \
--to-p12 --outder --outfile key.p12
@end example
Some tools (reportedly web browsers) have problems with that file
because it does not contain the CA certificate for the certificate.
To work around that problem, you can include the CA certificate with the
--load-ca-certificate parameter as follows:
@example
$ certtool --load-ca-certificate ca.pem \
--load-certificate cert.pem --load-privkey key.pem \
--to-p12 --outder --outfile key.p12
@end example
@subheading Obtaining Diffie-Hellman parameters
To obtain the RFC7919 parameters for Diffie-Hellman key exchange, use the command:
@example
$ certtool --get-dh-params --outfile dh.pem --sec-param medium
@end example
@subheading Verifying a certificate
To verify a certificate in a file against the system's CA trust store
use the following command:
@example
$ certtool --verify --infile cert.pem
@end example
It is also possible to simulate hostname verification with the following
options:
@example
$ certtool --verify --verify-hostname www.example.com --infile cert.pem
@end example
@subheading Proxy certificate generation
A proxy certificate can be used to delegate your credentials to a
temporary, typically short-lived, certificate. To create one from the
previously created certificate, first create a temporary key and then
generate a proxy certificate for it, using the commands:
@example
$ certtool --generate-privkey > proxy-key.pem
$ certtool --generate-proxy --load-ca-privkey key.pem \
--load-privkey proxy-key.pem --load-certificate cert.pem \
--outfile proxy-cert.pem
@end example
@subheading Certificate revocation list generation
To create an empty Certificate Revocation List (CRL) do:
@example
$ certtool --generate-crl --load-ca-privkey x509-ca-key.pem \
--load-ca-certificate x509-ca.pem
@end example
To create a CRL that contains some revoked certificates, place the
certificates in a file and use @code{--load-certificate} as follows:
@example
$ certtool --generate-crl --load-ca-privkey x509-ca-key.pem \
--load-ca-certificate x509-ca.pem --load-certificate revoked-certs.pem
@end example
To verify a Certificate Revocation List (CRL) do:
@example
$ certtool --verify-crl --load-ca-certificate x509-ca.pem < crl.pem
@end example
_EOT_;
};
doc-section = {
ds-type = 'FILES';
ds-format = 'texi';
ds-text = <<-_EOT_
@subheading Certtool's template file format
A template file can be used to avoid the interactive questions of
certtool. Initially create a file named 'cert.cfg' that contains the information
about the certificate. The template can be used as below:
@example
$ certtool --generate-certificate --load-privkey key.pem \
--template cert.cfg --outfile cert.pem \
--load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem
@end example
An example certtool template file that can be used to generate a certificate
request or a self-signed certificate follows.
@example
# X.509 Certificate options
#
# DN options
# The organization of the subject.
organization = "Koko inc."
# The organizational unit of the subject.
unit = "sleeping dept."
# The locality of the subject.
# locality =
# The state of the certificate owner.
state = "Attiki"
# The country of the subject. Two letter code.
country = GR
# The common name of the certificate owner.
cn = "Cindy Lauper"
# A user id of the certificate owner.
#uid = "clauper"
# Set domain components
#dc = "name"
#dc = "domain"
# If the supported DN OIDs are not adequate you can set
# any OID here.
# For example set the X.520 Title and the X.520 Pseudonym
# by using OID and string pairs.
#dn_oid = "2.5.4.12 Dr."
#dn_oid = "2.5.4.65 jackal"
# This is deprecated and should not be used in new
# certificates.
# pkcs9_email = "none@@none.org"
# An alternative way to set the certificate's distinguished name directly
# is with the "dn" option. The attribute names allowed are:
# C (country), street, O (organization), OU (unit), title, CN (common name),
# L (locality), ST (state), placeOfBirth, gender, countryOfCitizenship,
# countryOfResidence, serialNumber, telephoneNumber, surName, initials,
# generationQualifier, givenName, pseudonym, dnQualifier, postalCode, name,
# businessCategory, DC, UID, jurisdictionOfIncorporationLocalityName,
# jurisdictionOfIncorporationStateOrProvinceName,
# jurisdictionOfIncorporationCountryName, XmppAddr, and numeric OIDs.
#dn = "cn = Nikos,st = New\, Something,C=GR,surName=Mavrogiannopoulos,2.5.4.9=Arkadias"
# The serial number of the certificate
# The value is in decimal (e.g. 1963) or hex (e.g. 0x07ab).
# Comment the field for a random serial number.
serial = 007
# In how many days, counting from today, this certificate will expire.
# Use -1 if there is no expiration date.
expiration_days = 700
# Alternatively you may set concrete dates and time. The GNU date string
# formats are accepted. See:
# https://www.gnu.org/software/tar/manual/html_node/Date-input-formats.html
#activation_date = "2004-02-29 16:21:42"
#expiration_date = "2025-02-29 16:24:41"
# X.509 v3 extensions
# A dnsname in case of a WWW server.
#dns_name = "www.none.org"
#dns_name = "www.morethanone.org"
# An othername defined by an OID and a hex encoded string
#other_name = "1.3.6.1.5.2.2 302ca00d1b0b56414e5245494e2e4f5247a11b3019a006020400000002a10f300d1b047269636b1b0561646d696e"
#other_name_utf8 = "1.2.4.5.6 A UTF8 string"
#other_name_octet = "1.2.4.5.6 A string that will be encoded as ASN.1 octet string"
# Allows writing an XmppAddr Identifier
#xmpp_name = juliet@@im.example.com
# Names used in PKINIT
#krb5_principal = user@@REALM.COM
#krb5_principal = HTTP/user@@REALM.COM
# A subject alternative name URI
#uri = "https://www.example.com"
# An IP address in case of a server.
#ip_address = "192.168.1.1"
# An email in case of a person
email = "none@@none.org"
# TLS feature (rfc7633) extension. This can be used to indicate mandatory TLS
# extension features to be provided by the server. In practice this is used
# to require the Status Request (extid: 5) extension from the server. That is,
# to require the server holding this certificate to provide a stapled OCSP response.
# You can have multiple lines for multiple TLS features.
# To ask for OCSP status request use:
#tls_feature = 5
# Challenge password used in certificate requests
challenge_password = 123456
# Password when encrypting a private key
#password = secret
# A URL that has CRLs (certificate revocation lists)
# available. Needed in CA certificates.
#crl_dist_points = "https://www.getcrl.crl/getcrl/"
# Whether this is a CA certificate or not
#ca
# Subject Unique ID (in hex)
#subject_unique_id = 00153224
# Issuer Unique ID (in hex)
#issuer_unique_id = 00153225
#### Key usage
# The following key usage flags are used by CAs and end certificates
# Whether this certificate will be used to sign data (needed
# in TLS DHE ciphersuites). This is the digitalSignature flag
# in RFC5280 terminology.
signing_key
# Whether this certificate will be used to encrypt data (needed
# in TLS RSA ciphersuites). Note that it is preferred to use different
# keys for encryption and signing. This is the keyEncipherment flag
# in RFC5280 terminology.
encryption_key
# Whether this key will be used to sign other certificates. The
# keyCertSign flag in RFC5280 terminology.
#cert_signing_key
# Whether this key will be used to sign CRLs. The
# cRLSign flag in RFC5280 terminology.
#crl_signing_key
# The keyAgreement flag of RFC5280. Its purpose is loosely
# defined. Do not use it unless required by a protocol.
#key_agreement
# The dataEncipherment flag of RFC5280. Its purpose is loosely
# defined. Do not use it unless required by a protocol.
#data_encipherment
# The nonRepudiation flag of RFC5280. Its purpose is loosely
# defined. Do not use it unless required by a protocol.
#non_repudiation
#### Extended key usage (key purposes)
# The following extensions are used in an end certificate
# to clarify its purpose. Some CAs also use it to indicate
# the types of certificates they are intended to sign.
# Whether this certificate will be used for a TLS client;
# this sets the id-kp-clientAuth (1.3.6.1.5.5.7.3.2) of
# extended key usage.
#tls_www_client
# Whether this certificate will be used for a TLS server;
# this sets the id-kp-serverAuth (1.3.6.1.5.5.7.3.1) of
# extended key usage.
#tls_www_server
# Whether this key will be used to sign code. This sets the
# id-kp-codeSigning (1.3.6.1.5.5.7.3.3) of extended key usage
# extension.
#code_signing_key
# Whether this key will be used to sign OCSP data. This sets the
# id-kp-OCSPSigning (1.3.6.1.5.5.7.3.9) of extended key usage extension.
#ocsp_signing_key
# Whether this key will be used for time stamping. This sets the
# id-kp-timeStamping (1.3.6.1.5.5.7.3.8) of extended key usage extension.
#time_stamping_key
# Whether this key will be used for email protection. This sets the
# id-kp-emailProtection (1.3.6.1.5.5.7.3.4) of extended key usage extension.
#email_protection_key
# Whether this key will be used for IPsec IKE operations (1.3.6.1.5.5.7.3.17).
#ipsec_ike_key
## adding custom key purpose OIDs
# for microsoft smart card logon
# key_purpose_oid = 1.3.6.1.4.1.311.20.2.2
# for email protection
# key_purpose_oid = 1.3.6.1.5.5.7.3.4
# for any purpose (must not be used in intermediate CA certificates)
# key_purpose_oid = 2.5.29.37.0
### end of key purpose OIDs
### Adding arbitrary extensions
# This requires providing the extension OIDs, as well as the extension data in
# hex format. The following two options are available since GnuTLS 3.5.3.
#add_extension = "1.2.3.4 0x0AAB01ACFE"
# As above but encode the data as an octet string
#add_extension = "1.2.3.4 octet_string(0x0AAB01ACFE)"
# For portability, critical extensions shouldn't be set on certificates.
#add_critical_extension = "5.6.7.8 0x1AAB01ACFE"
# When generating a certificate from a certificate
# request, honor the extensions stored in the request
# and store them in the real certificate.
#honor_crq_extensions
# Alternatively only specific extensions can be copied.
#honor_crq_ext = 2.5.29.17
#honor_crq_ext = 2.5.29.15
# Path length constraint. Sets the maximum number of
# certificates that can be used to certify this certificate.
# (i.e. the certificate chain length)
#path_len = -1
#path_len = 2
# OCSP URI
# ocsp_uri = https://my.ocsp.server/ocsp
# CA issuers URI
# ca_issuers_uri = https://my.ca.issuer
# Certificate policies
#policy1 = 1.3.6.1.4.1.5484.1.10.99.1.0
#policy1_txt = "This is a long policy to summarize"
#policy1_url = https://www.example.com/a-policy-to-read
#policy2 = 1.3.6.1.4.1.5484.1.10.99.1.1
#policy2_txt = "This is a short policy"
#policy2_url = https://www.example.com/another-policy-to-read
# The number of additional certificates that may appear in a
# path before the anyPolicy is no longer acceptable.
#inhibit_anypolicy_skip_certs = 1
# Name constraints
# DNS
#nc_permit_dns = example.com
#nc_exclude_dns = test.example.com
# EMAIL
#nc_permit_email = "nmav@@ex.net"
# Exclude subdomains of example.com
#nc_exclude_email = .example.com
# Exclude all e-mail addresses of example.com
#nc_exclude_email = example.com
# IP
#nc_permit_ip = 192.168.0.0/16
#nc_exclude_ip = 192.168.5.0/24
#nc_permit_ip = fc0a:eef2:e7e7:a56e::/64
# Options for proxy certificates
#proxy_policy_language = 1.3.6.1.5.5.7.21.1
# Options for generating a CRL
# The number of days until the next CRL update is due.
# next CRL update will be in 43 days
#crl_next_update = 43
# this is the 5th CRL by this CA
# The value is in decimal (i.e. 1963) or hex (i.e. 0x07ab).
# Comment out the field for a time-based number.
# Time-based CRL numbers generated in GnuTLS 3.6.3 and later
# are significantly larger than those generated in previous
# versions. Since CRL numbers need to be monotonic, you need
# to specify the CRL number here manually if you intend to
# downgrade to an earlier version than 3.6.3 after publishing
# the CRL as it is not possible to specify CRL numbers greater
# than 2**63-2 using hex notation in those versions.
#crl_number = 5
# Specify the update dates more precisely.
#crl_this_update_date = "2004-02-29 16:21:42"
#crl_next_update_date = "2025-02-29 16:24:41"
# The date from which the certificates will be treated as
# being revoked.
#crl_revocation_date = "2025-02-29 16:24:41"
@end example
_EOT_;
};