LinuxCommandLibrary

certtool

Create, sign, and verify X.509 certificates

TLDR

Generate a private key and save it to a file

$ certtool [[-p|--generate-privkey]] --outfile [path/to/private.key]

Generate a self-signed certificate using a private key and a template file
$ certtool [[-s|--generate-self-signed]] --load-privkey [path/to/private.key] --template [path/to/info.template] --outfile [path/to/certificate.crt]

Generate a certificate signing request (CSR)
$ certtool [[-q|--generate-request]] --load-privkey [path/to/private.key] --template [path/to/info.template] --outfile [path/to/request.csr]

Generate a certificate authority (CA) certificate
$ certtool [[-s|--generate-self-signed]] --load-privkey [path/to/ca.key] --template [path/to/ca.template] --outfile [path/to/ca.crt]

Verify a certificate against a CA certificate
$ certtool --verify --infile [path/to/certificate.crt] --load-ca-certificate [path/to/ca.crt]

SYNOPSIS

certtool [OPTION...] [parameter]

PARAMETERS

--ask-pass
    Always prompt for password

--askp
    Always prompt for password from console

--bits N
    Specify the number of bits

--ca
    Mark as CA

--cert-sign
    Include cert signing permission

--certificate-info
    Print certificate information

--cipher NAME
    Specify cipher

--code-sign
    Include code signing permission

--crl-info
    Print CRL information

--crl-sign
    Include CRL signing permission

--disable-crls
    Disable CRL verification

--dns NAME
    Set DNS name in certificate

--ec CURVE
    Generate EC key using named curve

--email EMAIL
    Set email in certificate

--generate-certificate
    Generate certificate (sign request)

--generate-privkey
    Generate private key

--generate-proxy
    Generate proxy certificate request

--generate-request
    Generate certificate request

--generate-self-signed
    Generate self-signed certificate

--hash ALGO
    Specify hash algorithm

-i, --info
    Start in interactive mode

--inder
    Use DER format for output

--infile FILE
    Input file

--ip ADDRESS
    Set IP address in certificate

--key-info
    Print key information

--load-ca-certificate FILE
    CA certificate to use

--load-ca-privkey FILE
    CA private key to use

--load-certificate FILE
    Load certificate

--load-privkey FILE
    Load private key

--load-pubkey FILE
    Load public key

--no-ca
    Mark as not CA

--no-text
    Do not print human-readable text

--null-passwd
    Set empty password

--ocsp-signing
    Include OCSP signing permission

--outfile FILE
    Output file

--outfile-format pem|der
    Output format

--pass PASS
    Password

--pem
    Use PEM format

--pkcs-crypto-providers FILE
    PKCS#11 providers file

--p12-file FILE
    PKCS#12 file

--pubkey-info
    Print public key information

--rsa
    Generate RSA key

--sec-param level
    Specify security level

--seal
    Mark for sealing

--time-stamp
    Include timestamping permission

--to-rsa
    Convert to RSA key

--verify
    Verify certificate

--verify-chain
    Verify certificate chain

--verify-hostname NAME
    Verify hostname

--verify-host
    Verify host certificate

DESCRIPTION

Certtool is a command-line utility from the GnuTLS library designed for managing X.509 certificates, private keys, and related PKI elements. It enables generation of private keys (RSA, DSA, ECC), certificate signing requests (CSRs), self-signed certificates, proxy certificates, and CRLs. Users can sign certificates using a CA private key, verify certificate chains, hostnames, emails, or CRLs, and perform OCSP status checks.

The tool supports detailed inspection of certificates, keys, CRLs, PKCS#12 files, and PKCS#7 structures, with options for human-readable output or DER/PEM formats. Conversion between formats (e.g., PKCS#12 to PEM keys) and PDF export for PKCS#12 are available. Certtool operates in interactive mode (-i) for guided input or non-interactively for automation.

Security-focused features include configurable security levels, cipher choices, hash algorithms, and warnings for weak parameters. It is well suited to securing servers, creating test CAs, or scripting TLS setups without an OpenSSL dependency. It also supports timestamping requests and PKCS#7 signing and encryption.

CAVEATS

Many options are mutually exclusive; interactive mode (-i) overrides most of them. Requires the GnuTLS libraries. Deprecated algorithms may be used unless a stronger one is specified explicitly. Interactive passphrase prompts are not suitable for unattended use.

INTERACTIVE MODE

Run with -i or --info for menu-driven certificate and key operations. It prompts for details such as the common name, validity period, and key type.

EXAMPLE USAGE

certtool --generate-privkey --outfile ca-key.pem --bits 2048
certtool --generate-self-signed --load-privkey ca-key.pem --outfile ca-cert.pem
certtool --verify --load-ca-certificate ca-cert.pem --infile client-cert.pem
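The TLDR steps and the example above, carried through end to end as an added example (not from this page or the GnuTLS project): build a throwaway test CA, issue a server certificate from a CSR, and confirm that verification is rejected when the issuer or the hostname does not match. It assumes GnuTLS certtool is installed and that WORK (a hypothetical scratch directory, created with mktemp) is writable.

```shell
# Added example, not from the page: a throwaway test CA built with certtool that issues
# one server certificate, then verification that must fail on wrong issuer or hostname.
set -eu
command -v certtool >/dev/null 2>&1 || { echo "certtool not installed"; exit 0; }
WORK="${WORK:-$(mktemp -d)}"   # assumption: scratch directory for keys and certs
# certtool template files: 'ca' + 'cert_signing_key' make the root an issuer,
# 'dns_name' becomes the subjectAltName that hostname verification checks.
write_templates() {
  cat > "$WORK/ca.template" <<'EOF'
cn = "Example Test CA"
serial = 1
ca
cert_signing_key
expiration_days = 365
EOF
  cat > "$WORK/server.template" <<'EOF'
cn = "www.example.test"
serial = 2
dns_name = "www.example.test"
tls_www_server
signing_key
encryption_key
expiration_days = 90
EOF
}

make_ca() {   # make_ca NAME -> $WORK/NAME.key, $WORK/NAME.crt (self-signed root)
  certtool --generate-privkey --bits 2048 --outfile "$WORK/$1.key" 2>/dev/null
  certtool --generate-self-signed --load-privkey "$WORK/$1.key" \
    --template "$WORK/ca.template" --outfile "$WORK/$1.crt" 2>/dev/null
}

issue_server_cert() {   # CSR from a fresh server key, signed by the "ca" root
  certtool --generate-privkey --bits 2048 --outfile "$WORK/server.key" 2>/dev/null
  certtool --generate-request --load-privkey "$WORK/server.key" \
    --template "$WORK/server.template" --outfile "$WORK/server.csr" 2>/dev/null
  certtool --generate-certificate --load-request "$WORK/server.csr" \
    --load-ca-certificate "$WORK/ca.crt" --load-ca-privkey "$WORK/ca.key" \
    --template "$WORK/server.template" --outfile "$WORK/server.crt" 2>/dev/null
}

# verify_cert CA CERT HOSTNAME -> exit 0 only if CERT chains to CA and matches HOSTNAME
verify_cert() {
  certtool --verify --load-ca-certificate "$1" --infile "$2" \
    --verify-hostname "$3" >/dev/null 2>&1
}
write_templates; make_ca ca; make_ca other-ca; issue_server_cert
verify_cert "$WORK/ca.crt" "$WORK/server.crt" www.example.test && echo "chain and hostname OK"
verify_cert "$WORK/ca.crt" "$WORK/server.crt" other.example.test || echo "hostname mismatch rejected"
verify_cert "$WORK/other-ca.crt" "$WORK/server.crt" www.example.test || echo "wrong issuer rejected"
```

The two negative checks are the ones worth keeping in a deployment script: a certificate that verifies only because the wrong trust anchor or no hostname was supplied is a misconfiguration, not a pass.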

HISTORY

Developed as part of the GnuTLS project, starting with version 1.0.0 in 2003, by Nikos Mavrogiannopoulos. It evolved with GnuTLS releases, adding ECC support in 2.12 (2010), OCSP in 3.0 (2011), and modern curves. It is widely used in Linux distributions for TLS certificate management.

SEE ALSO

gnutls-cli(1), gnutls-serv(1), openssl(1), x509(1)
