summaryrefslogtreecommitdiffstats
path: root/doc/certtool-examples.texi
blob: c24df9b706be54b776250b27bfb2484971c4eba9 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
@subheading Generating private keys
To create an RSA private key, run:
@example
$ certtool --generate-privkey --outfile key.pem --rsa
@end example

To create a DSA or elliptic curves (ECDSA) private key use the
above command combined with 'dsa' or 'ecc' options.

@subheading Generating certificate requests
To create a certificate request (needed when the certificate is  issued  by
another party), run:
@example
certtool --generate-request --load-privkey key.pem \
   --outfile request.pem
@end example

If the private key is stored in a smart card you can generate
a request by specifying the private key object URL.
@example
$ ./certtool --generate-request --load-privkey "pkcs11:..." \
  --load-pubkey "pkcs11:..." --outfile request.pem
@end example


@subheading Generating a self-signed certificate
To create a self signed certificate, use the command:
@example
$ certtool --generate-privkey --outfile ca-key.pem
$ certtool --generate-self-signed --load-privkey ca-key.pem \
   --outfile ca-cert.pem
@end example

Note that a self-signed certificate usually belongs to a certificate
authority, that signs other certificates.

@subheading Generating a certificate
To generate a certificate using the previous request, use the command:
@example
$ certtool --generate-certificate --load-request request.pem \
   --outfile cert.pem --load-ca-certificate ca-cert.pem \
   --load-ca-privkey ca-key.pem
@end example

To generate a certificate using the private key only, use the command:
@example
$ certtool --generate-certificate --load-privkey key.pem \
   --outfile cert.pem --load-ca-certificate ca-cert.pem \
   --load-ca-privkey ca-key.pem
@end example

@subheading Certificate information
To view the certificate information, use:
@example
$ certtool --certificate-info --infile cert.pem
@end example

@subheading Changing the certificate format
To convert the certificate from PEM to DER format, use:
@example
$ certtool --certificate-info --infile cert.pem --outder --outfile cert.der
@end example

@subheading PKCS #12 structure generation
To generate a PKCS #12 structure using the previous key and certificate,
use the command:
@example
$ certtool --load-certificate cert.pem --load-privkey key.pem \
   --to-p12 --outder --outfile key.p12
@end example

Some tools (reportedly web browsers) have problems with that file
because it does not contain the CA certificate for the certificate.
To work around that problem in the tool, you can use the
--load-ca-certificate parameter as follows:

@example
$ certtool --load-ca-certificate ca.pem \
  --load-certificate cert.pem --load-privkey key.pem \
  --to-p12 --outder --outfile key.p12
@end example

@subheading Obtaining Diffie-Hellman parameters
To obtain the RFC7919 parameters for Diffie-Hellman key exchange, use the command:
@example
$ certtool --get-dh-params --outfile dh.pem --sec-param medium
@end example

@subheading Verifying a certificate
To verify a certificate in a file against the system's CA trust store
use the following command:
@example
$ certtool --verify --infile cert.pem
@end example

It is also possible to simulate hostname verification with the following
options:
@example
$ certtool --verify --verify-hostname www.example.com --infile cert.pem
@end example


@subheading Proxy certificate generation
Proxy certificate can be used to delegate your credential to a
temporary, typically short-lived, certificate.  To create one from the
previously created certificate, first create a temporary key and then
generate a proxy certificate for it, using the commands:

@example
$ certtool --generate-privkey > proxy-key.pem
$ certtool --generate-proxy --load-ca-privkey key.pem \
  --load-privkey proxy-key.pem --load-certificate cert.pem \
  --outfile proxy-cert.pem
@end example

@subheading Certificate revocation list generation
To create an empty Certificate Revocation List (CRL) do:

@example
$ certtool --generate-crl --load-ca-privkey x509-ca-key.pem \
           --load-ca-certificate x509-ca.pem
@end example

To create a CRL that contains some revoked certificates, place the
certificates in a file and use @code{--load-certificate} as follows:

@example
$ certtool --generate-crl --load-ca-privkey x509-ca-key.pem \
  --load-ca-certificate x509-ca.pem --load-certificate revoked-certs.pem
@end example

To verify a Certificate Revocation List (CRL) do:

@example
$ certtool --verify-crl --load-ca-certificate x509-ca.pem < crl.pem
@end example