certtool command examples

certtool command examples

certtool – GnuTLS certificate tool

Generating private keys

To create an RSA private key, run:

$ certtool --generate-privkey --outfile key.pem --rsa

To create a DSA or elliptic curves (ECDSA) private key use the above command combined with ‘dsa’ or ‘ecc’ options.

Generating certificate requests

To create a certificate request (needed when the certificate is issued by another party), run:

#certtool --generate-request --load-privkey key.pem --outfile request.pem

If the private key is stored in a smart card you can generate a request by specifying the private key object URL.

$ ./certtool --generate-request --load-privkey "pkcs11:..." --load-pubkey "pkcs11:..." --outfile request.pem

Generating a self-signed certificate

To create a self signed certificate, use the command:

$ certtool --generate-privkey --outfile ca-key.pem
$ certtool --generate-self-signed --load-privkey ca-key.pem --outfile ca-cert.pem

Note that a self-signed certificate usually belongs to a certificate authority, that signs other certificates.

Generating a certificate

To generate a certificate using the previous request, use the command:

$ certtool --generate-certificate --load-request request.pem --outfile cert.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem

To generate a certificate using the private key only, use the command:

$ certtool --generate-certificate --load-privkey key.pem --outfile cert.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem

Certificate information

To view the certificate information, use:

$ certtool --certificate-info --infile cert.pem

PKCS #12 structure generation

To generate a PKCS #12 structure using the previous key and certificate, use the command:

$ certtool --load-certificate cert.pem --load-privkey key.pem --to-p12 --outder --outfile key.p12

Some tools (reportedly web browsers) have problems with that file because it does not contain the CA certificate for the certificate. To work around that problem in the tool, you can use the –load-ca-certificate parameter as follows:

$ certtool --load-ca-certificate ca.pem --load-certificate cert.pem --load-privkey \ 
key.pem --to-p12 --outder --outfile key.p12

Diffie-Hellman parameter generation

To generate parameters for Diffie-Hellman key exchange, use the command:

$ certtool --generate-dh-params --outfile dh.pem --sec-param medium

Proxy certificate generation

Proxy certificate can be used to delegate your credential to a temporary, typically short-lived, certificate. To create one from the previously created certificate, first create a temporary key and then generate a proxy certificate for it, using the commands:

$ certtool --generate-privkey > proxy-key.pem
$ certtool --generate-proxy --load-ca-privkey key.pem --load-privkey proxy-key.pem --load-certificate cert.pem --outfile proxy-cert.pem

Certificate revocation list generation

To create an empty Certificate Revocation List (CRL) do:

$ certtool --generate-crl --load-ca-privkey x509-ca-key.pem --load-ca-certificate x509-ca.pem

To create a CRL that contains some revoked certificates, place the certificates in a file and use –load-certificate as follows:

$ certtool --generate-crl --load-ca-privkey x509-ca-key.pem --load-ca-certificate x509-ca.pem --load-certificate revoked-certs.pem

To verify a Certificate Revocation List (CRL) do:

$ certtool --verify-crl --load-ca-certificate x509-ca.pem < crl.pem


Leave a Reply

Your email address will not be published. Required fields are marked *