path: root/third_party/heimdal/lib/hx509/hxtool.1
blob: 040573f4cde99da1cbb0cace7e6fc1d86f62d11f (plain)
.\" Copyright (c) 2022 Kungliga Tekniska Högskolan
.\" (Royal Institute of Technology, Stockholm, Sweden).
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\"
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" 3. Neither the name of the Institute nor the names of its contributors
.\"    may be used to endorse or promote products derived from this software
.\"    without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $Id$
.\"
.Dd February 22, 2022
.Dt HXTOOL 1
.Os HEIMDAL
.Sh NAME
.Nm hxtool
.Nd PKIX command-line utility
.Sh SYNOPSIS
.Nm
.Bk -words
.Oo Fl Fl version Oc
.Oo Fl Fl help Oc
.Op Ar sub-command
.Ek
.Sh DESCRIPTION
.Nm
is a utility for making certificate signing requests (CSRs),
displaying CSRs, signing certificates, etc.
.Pp
All sub-commands have their own help message, shown when invoked
with the
.Fl Fl help
or
.Fl h
option.
.Pp
Supported commands:
.Bl -tag -width Ds -offset indent
.It help
.It list-oids
.It verify
Verify a certificate and its certification path up to a trust
anchor, possibly checking CRLs.
.It print
Prints a human-readable rendering of certificates in a store.
See
.Sx CERTIFICATE STORES.
.It validate
Validate a certificate (but not a full chain).
.It certificate-copy, cc
Copy certificates and possibly private keys from one store to
another.
See
.Sx CERTIFICATE STORES.
.It ocsp-fetch
Fetch an OCSP response.
.It ocsp-verify
Verifies an OCSP response.
.It ocsp-print
Prints a human-readable rendering of an OCSP response chain.
.It revoke-print
Prints a human-readable rendering of a CRL or OCSP response
chain.
.It generate-key
Generates a private key.
.It request-create
Generates a Certificate Signing Request (CSR).
.It request-print
Prints a human-readable rendering of a CSR.
.It query
Queries a certificate store.
.It info
Prints information about supported algorithms.
.It random-data
Outputs entropy using a random number generator.
.It crypto-available
Tests if a cryptographic algorithm is available.
.It crypto-select
Selects a supported cryptographic algorithm given a peer's
capabilities.
.It hex
Hex-encode/decode utility.
.It certificate-sign, cert-sign, issue-certificate, ca
Issue a certificate.
.It crl-sign
Sign a CRL.
.It cms-create-sd, cms-sign
Creates a CMS SignedData.
.It cms-verify-sd
Verifies a CMS SignedData.
.It cms-unenvelope
Decrypts a CMS EnvelopedData and extracts its content.
.It cms-envelope
Creates a CMS EnvelopedData (content encrypted to the recipients'
certificates).
.El
.Pp
Other sub-commands reported by the
.Nm help
sub-command are not stable or fully supported at this time.
.Sh CERTIFICATE STORES
Stores of certificates and/or keys have string names that can be
used with
.Nm Ns 's
commands as well as in various configuration parameters and
command-line arguments of Heimdal's Kerberos implementation (for
PKINIT).
.Pp
For example,
.Ql FILE:/path/to/file ,
.Ql PEM-FILE:/path/to/file ,
.Ql DER-FILE:/path/to/file ,
etc.
See below for a full list of store types.
.Pp
A certificate store name starts with a store TYPE followed by a
colon followed by a name of form specific to that store type.
.Pp
Private keys can be stored in the same stores as the certificates
that certify their public keys.
.Pp
Private keys can also be stored in separate files, but still be
referenced in one certificate store name by joining two with a
comma:
.Ql FILE:/path/to/certificate,/path/to/private/key
.
.Pp
Heimdal supports a variety of certificate and private key store
types:
.Bl -tag -width Ds -offset indent
.It PEM-FILE:/path
If writing, PEM will be written (private keys may be written in
algorithm-specific formats or in PKCS#8).
If reading, PEM will be expected (private keys may be in
algorithm-specific formats or in PKCS#8).
.It DER-FILE:/path
If writing, DER will be written.
If reading, DER will be expected.
Private keys will be in algorithm-specific formats.
.It FILE:/path
If writing, PEM will be written as if
.Ql PEM-FILE
had been used.
If reading, PEM or DER will be detected and read as if
.Ql PEM-FILE
or
.Ql DER-FILE
had been used.
.It PKCS12:/path
If writing, PKCS#12 will be written.
If reading, PKCS#12 will be expected.
Note that PKCS#12 support is currently very limited.
.It DIR:/path
OpenSSL-style hashed directory of trust anchors.
.It KEYCHAIN:system-anchors
On OS X this refers to the system's trust anchors.
.It KEYCHAIN:FILE:/path
On OS X this refers to an OS X keychain at the given path.
.It PKCS11:/path/to/shared/object[,slot=NUMBER]
Loads the given PKCS#11 provider object and uses the token at the
given slot number, or else the first token found.
.It NULL:
An empty store.
.It MEMORY:name
An in-memory only, ephemeral store, usually never used in
.Nm Ns 's
commands.
The MEMORY store name exists primarily for internal
.Sq hx509
APIs.
.El
.Pp
Use the
.Nm certificate-copy
command to copy certificates from one store to another.
This is useful for, e.g., converting DER files to PEM or
vice-versa, removing private keys, adding certificate chains,
and removing root certificates from chains.
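The store-name syntax above (a TYPE, a colon, a type-specific name, and
optionally a comma followed by a separate private-key path, or
.Ql slot=NUMBER
for PKCS11) can be checked before a name is handed to hxtool.
The POSIX shell function below is an added example and is not part of
hxtool or Heimdal; the accepted TYPE list is the one documented in this
section, and the treatment of the comma suffix (key path for file
stores, slot selector for PKCS11, nothing for NULL:) follows the
descriptions above.

```shell
# Added example, not from the hxtool man page or the Heimdal source:
# split a Heimdal certificate store name (TYPE:name[,extra]) into its
# parts and reject unknown store types before the name reaches hxtool.
# The accepted TYPE list is the one documented on this page.
#
# parse_store NAME
#   prints "TYPE<TAB>NAME<TAB>EXTRA" and returns 0, where EXTRA is the
#   part after the first comma: a separate private-key path for file
#   stores, or "slot=N" for PKCS11.  Returns 1 on a malformed name.
parse_store() {
    store=$1
    case $store in
        ?*:*) ;;   # a non-empty TYPE followed by a colon is mandatory
        *) echo "parse_store: no TYPE: prefix in '$store'" >&2; return 1 ;;
    esac
    type=${store%%:*}
    rest=${store#*:}     # later colons stay, e.g. KEYCHAIN:FILE:/path
    extra=
    case $rest in
        *,*) extra=${rest#*,}; rest=${rest%%,*} ;;
    esac
    case $type in
        FILE|PEM-FILE|DER-FILE|PKCS12|DIR|KEYCHAIN|PKCS11|NULL|MEMORY) ;;
        *) echo "parse_store: unknown store type '$type'" >&2; return 1 ;;
    esac
    case $type in
        PKCS11)
            # after the comma only ",slot=NUMBER" is meaningful, not a key path
            case $extra in
                ''|slot=[0-9]*) ;;
                *) echo "parse_store: bad PKCS11 option '$extra'" >&2; return 1 ;;
            esac ;;
        NULL)
            # NULL: is the empty store and takes no name at all
            if [ -n "$rest$extra" ]; then
                echo "parse_store: NULL: takes no name" >&2
                return 1
            fi ;;
    esac
    printf '%s\t%s\t%s\n' "$type" "$rest" "$extra"
}

# Usage from a wrapper script, e.g. before calling "hxtool print":
#   parse_store 'FILE:/etc/ssl/cert.pem,/etc/ssl/private/key.pem' || exit 1
```

The function deliberately does not touch the file system: whether the
named file or token exists is hxtool's job, and a wrapper that only
wants to refuse obviously wrong arguments should not need read access to
key material.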
.Sh CERTIFICATES
You can validate a certificate with the
.Nm validate
sub-command, or verify a certificate and its certification path
with the
.Nm verify
sub-command.
.Pp
You can display a certificate using the
.Nm print
sub-command:
.Pp
.Nm print
.Oo options Oc
.Ar STORE
.Pp
Options:
.Bl -tag -width Ds -offset indent
.It Fl Fl content
.It Fl Fl info
.It Fl Fl never-fail
.It Fl Fl pass=password
.It Fl Fl raw-json
.El
.Pp
The
.Fl Fl pass=password
option is for PKCS#8 (PEM), PKCS#12 and PKCS#11 stores, and if
needed and not given, will be prompted for.
Note that it's not secure to pass passwords as command-line
arguments on multi-tenant systems.
.Pp
The
.Fl Fl raw-json
option prints the certificate(s) in the given
.Ar STORE
as a JSON dump of their DER using an experimental (i.e.,
unstable) schema.
.Sh KEYS
The
.Nm generate-key
sub-command will generate a key.
.Sh CERTIFICATE SIGNING REQUESTS
The
.Nm request-create
sub-command will create a CSR, and has support for requesting
subject alternative names and extended key usage extensions.
See its
.Fl Fl help
option, and see
.Sx EXAMPLES
below.
.Pp
The
.Nm request-print
sub-command will display a CSR.
.Sh CERTIFICATE ISSUANCE / CERTIFICATION AUTHORITY
The
.Nm certificate-sign
sub-command will issue a certificate.
See its usage message.
.Sh ONLINE CERTIFICATE STATUS PROTOCOL
The
.Nm ocsp-fetch
sub-command will fetch OCSP Responses for the given
certificates.
.Pp
The
.Nm ocsp-verify
sub-command will verify OCSP Responses.
.Pp
The
.Nm ocsp-print
sub-command will display OCSP Responses.
.Sh CERTIFICATE REVOCATION LIST
The
.Nm crl-sign
sub-command will sign a certificate revocation list (CRL) that
lists the given certificates as revoked.
.Sh EXAMPLES
Generate an RSA key:
.Bd -literal -offset indent
hxtool generate-key --type=rsa --key-bits=4096 PEM-FILE:key.pem
.Ed
.Pp
Create a CSR (with an empty name) for some key:
.Bd -literal -offset indent
hxtool request-create --subject= --key=FILE:key.pem csr.der
.Ed
.Pp
Generate a key and create a CSR (with an empty name) for it:
.Bd -literal -offset indent
hxtool request-create       \\
	--subject=          \\
	--generate-key=rsa  \\
	--key-bits=4096     \\
	--key=FILE:key.pem  \\
	csr.der
.Ed
.Pp
Generate a key and create a CSR with an empty name but also
requesting a specific dNSName subject alternative name (SAN) for
it:
.Bd -literal -offset indent
hxtool request-create               \\
	--subject=                  \\
	--generate-key=rsa          \\
	--dnsname=foo.test.h5l.se   \\
	--key=FILE:key.pem          \\
	csr.der
.Ed
.Pp
Print a CSR:
.Bd -literal -offset indent
hxtool request-print csr.der
.Ed
which outputs:
.Bd -literal -offset indent
request print
PKCS#10 CertificationRequest:
  name:
    san: dNSName: foo.test.h5l.se
.Ed
.Pp
Issue an end-entity certificate for an HTTPS server given a CSR:
.Bd -literal -offset indent
hxtool issue-certificate                            \\
	--type=https-server                         \\
	--subject=                                  \\
	--hostname=foo.test.h5l.se                  \\
	--ca-certificate=FILE:cacert.pem            \\
	--ca-private-key=FILE:cakey.pem             \\
	--req=PKCS10:csr.der                        \\
	--certificate=PEM-FILE:ee.pem
.Ed
.Pp
Add a chain to a PEM file (the last store named is the destination):
.Bd -literal -offset indent
hxtool certificate-copy     \\
	--no-private-keys   \\
	--no-root-certs     \\
	FILE:ca.pem FILE:ee.pem
.Ed
.Pp
Create a self-signed end-entity certificate for an HTTPS server:
.Bd -literal -offset indent
hxtool issue-certificate                        \\
	--self-signed                           \\
	--type=https-server                     \\
	--subject=                              \\
	--hostname=foo.test.h5l.se              \\
	--ca-private-key=FILE:key.pem           \\
	--certificate-private-key=FILE:key.pem  \\
	--certificate=PEM-FILE:cert.pem
.Ed
.Pp
Create a root certification authority certificate:
.Bd -literal -offset indent
hxtool issue-certificate                            \\
	--issue-ca                                  \\
	--self-signed                               \\
	--subject=CN=SomeRootCA                     \\
	--ca-private-key=FILE:rootkey.pem           \\
	--certificate=PEM-FILE:rootcert.pem
.Ed
.Pp
Create an intermediate certification authority certificate from a
CSR:
.Bd -literal -offset indent
hxtool issue-certificate                            \\
	--issue-ca                                  \\
	--subject=CN=SomeIntermediateCA             \\
	--ca-certificate=FILE:parent-cert.pem       \\
	--ca-private-key=FILE:parent-key.pem        \\
	--req=PKCS10:csr.der                        \\
	--certificate=PEM-FILE:intermediate.pem
.Ed
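The examples above fit together into a complete two-tier test PKI whose
result can be checked with the
.Nm verify
sub-command.
The script below is an added example and is not from this man page or
the Heimdal project: it assumes hxtool is on PATH, uses 2048-bit RSA
keys only to keep the run short, and relies on the anchor:, chain: and
cert: argument prefixes of hxtool verify (see hxtool verify --help);
the directory, host name and CA names are placeholders.
Note that the intermediate is issued with --issue-ca: a certificate
without the CA basic constraint cannot act as an issuer during path
validation, so issuing the intermediate as an https-server certificate
would make the leaf fail to verify.

```shell
#!/bin/sh
# Added example, not part of the hxtool man page or the Heimdal project.
# Builds a two-tier test PKI with the hxtool sub-commands documented on
# this page (root CA -> intermediate CA -> HTTPS end-entity, the latter
# two via CSRs) and verifies the leaf with `hxtool verify`.
# Assumptions: hxtool is on PATH; 2048-bit RSA keys are used only to keep
# the run short; "anchor:", "chain:" and "cert:" are hxtool verify's own
# argument prefixes (check `hxtool verify --help`).

# build_pki DIR HOSTNAME: writes root.pem, int.pem, ee.pem, other-root.pem
# and the matching *-key.pem files into DIR.  Returns non-zero on failure.
build_pki() {
    dir=$1
    host=$2
    mkdir -p "$dir" || return 1
    for k in root int ee other-root; do
        hxtool generate-key --type=rsa --key-bits=2048 \
            "PEM-FILE:$dir/$k-key.pem" || return 1
    done

    # Root CA: self-signed, CA basic constraints via --issue-ca.
    hxtool issue-certificate --issue-ca --self-signed \
        --subject=CN=TestRootCA \
        --ca-private-key="FILE:$dir/root-key.pem" \
        --certificate="PEM-FILE:$dir/root.pem" || return 1

    # Intermediate CA from a CSR.  --issue-ca, not --type=https-server:
    # an issuer without the CA basic constraint fails path validation.
    hxtool request-create --subject=CN=TestIntermediateCA \
        --key="FILE:$dir/int-key.pem" "$dir/int.csr" || return 1
    hxtool issue-certificate --issue-ca \
        --subject=CN=TestIntermediateCA \
        --ca-certificate="FILE:$dir/root.pem" \
        --ca-private-key="FILE:$dir/root-key.pem" \
        --req="PKCS10:$dir/int.csr" \
        --certificate="PEM-FILE:$dir/int.pem" || return 1

    # HTTPS end-entity: empty subject, identity carried by the dNSName SAN.
    hxtool request-create --subject= --dnsname="$host" \
        --key="FILE:$dir/ee-key.pem" "$dir/ee.csr" || return 1
    hxtool issue-certificate --type=https-server \
        --subject= --hostname="$host" \
        --ca-certificate="FILE:$dir/int.pem" \
        --ca-private-key="FILE:$dir/int-key.pem" \
        --req="PKCS10:$dir/ee.csr" \
        --certificate="PEM-FILE:$dir/ee.pem" || return 1

    # An unrelated self-signed root, used to show a failing verification.
    hxtool issue-certificate --issue-ca --self-signed \
        --subject=CN=UnrelatedRootCA \
        --ca-private-key="FILE:$dir/other-root-key.pem" \
        --certificate="PEM-FILE:$dir/other-root.pem" || return 1
}

# verify_leaf ANCHOR CHAIN LEAF: returns 0 only if LEAF chains to ANCHOR
# through the certificates in CHAIN (hxtool verify's exit status).
verify_leaf() {
    hxtool verify "anchor:FILE:$1" "chain:FILE:$2" "cert:FILE:$3"
}
```

Typical use is build_pki /tmp/testpki foo.test.h5l.se followed by
verify_leaf /tmp/testpki/root.pem /tmp/testpki/int.pem /tmp/testpki/ee.pem,
which succeeds, while the same call with other-root.pem as the anchor
must fail; a verification harness that does not include that negative
case cannot tell a working trust anchor from one that is simply ignored.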
.Sh SEE ALSO
.Xr openssl 1