certtool

Create, sign, and verify X.509 certificates

TLDR

Generate a private key and save it to a file
$ certtool [[-p|--generate-privkey]] --outfile [path/to/private.key]

Generate a self-signed certificate using a private key and a template file
$ certtool [[-s|--generate-self-signed]] --load-privkey [path/to/private.key] --template [path/to/info.template] --outfile [path/to/certificate.crt]

Generate a certificate signing request (CSR)
$ certtool [[-q|--generate-request]] --load-privkey [path/to/private.key] --template [path/to/info.template] --outfile [path/to/request.csr]

Generate a certificate authority (CA) certificate
$ certtool [[-s|--generate-self-signed]] --load-privkey [path/to/ca.key] --template [path/to/ca.template] --outfile [path/to/ca.crt]

Verify a certificate against a CA certificate
$ certtool --verify --infile [path/to/certificate.crt] --load-ca-certificate [path/to/ca.crt]

SYNOPSIS

certtool operation-option [generic-options]...

PARAMETERS

--generate-privkey
    Generates a new private key.

--generate-self-signed
    Generates a self-signed X.509 certificate.

--generate-request
    Generates a certificate signing request (CSR).

--sign-request
    Signs a certificate request with a CA key and certificate.

--verify-chain
    Verifies a certificate chain against a trusted CA.

--generate-crl
    Generates a Certificate Revocation List (CRL).

--crl-info
    Displays information about a CRL.

--pkcs12-encrypt
    Encrypts a private key and certificate into a PKCS#12 file.

--pkcs12-decrypt
    Decrypts a PKCS#12 file, extracting keys and certificates.

--info
    Displays information about a certificate, key, or CSR.

--bits BITS
    Sets the key size in bits for generated keys (e.g., 2048).

--sec-param LEVEL
    Sets the security level for cryptographic operations.

--hash ALGORITHM
    Specifies the hash algorithm to be used (e.g., SHA256).

--load-privkey FILE
    Loads a private key from the specified file.

--load-request FILE
    Loads a certificate request from the specified file.

--load-certificate FILE
    Loads a certificate from the specified file.

--load-ca-privkey FILE
    Loads the CA private key for signing.

--load-ca-certificate FILE
    Loads the CA certificate for signing or verification.

--outfile FILE
    Specifies the output file for generated content.

--infile FILE
    Specifies the input file for processing.

--days DAYS
    Sets the validity period for certificates in days.

--key-usage USAGE
    Defines the purpose(s) for which the public key may be used.

--ext-usage USAGE
    Defines extended purposes for which the public key may be used.

--template FILE
    Uses a template file for certificate or request generation.

--password STRING
    Provides a password for encrypted files.

--passphrase STRING
    Alias for --password.

--p12-name STRING
    Sets the friendly name for PKCS#12 entries.

--debug LEVEL
    Sets the debug level for verbose output.

--verbose
    Enables verbose output during execution.

--batch
    Operates in non-interactive mode, suppressing prompts.

--force-overwrite
    Overwrites existing output files without prompting.

--version
    Displays the certtool version and exits.

--help
    Displays the help message and exits.

DESCRIPTION

certtool is a command-line utility provided by the GnuTLS (GNU Transport Layer Security) library. It serves as a comprehensive tool for managing various cryptographic elements essential for secure communication. Its primary functions include generating X.509 certificates, creating private keys (RSA, DSA, ECC), signing certificate requests (CSRs), verifying certificate chains, and managing Certificate Revocation Lists (CRLs).

certtool supports a wide range of cryptographic algorithms and parameters, making it versatile for establishing Public Key Infrastructure (PKI) components. It is commonly used by administrators and developers to set up SSL/TLS servers, secure client applications, and manage digital identities. The tool allows for detailed specification of certificate fields, extensions, and key usages, providing granular control over the cryptographic properties of generated assets.

CAVEATS

Users should exercise caution when handling private keys and certificates: a private key that is leaked or misused compromises every certificate issued for it, and a mis-issued certificate is trusted by everything that trusts its CA. certtool is part of the GnuTLS ecosystem, so its internal mechanisms and default behaviors (key types, hash choices, template handling) may differ from other cryptographic toolkits like OpenSSL. Always inspect the generated output (for example with --info) and ensure that key files have restrictive permissions.

CERTIFICATE TEMPLATES

certtool supports the use of template files (specified with --template) to define certificate fields, extensions, and key usages. This feature allows for automated and consistent generation of certificates and certificate signing requests (CSRs), reducing manual input and potential errors.
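The following script is an added example, not code from the page or from the GnuTLS project. It ties together the TLDR procedure above with template files: it writes a CA template and a server template, then generates the CA key and certificate, the server key and CSR, signs the CSR with the CA, and verifies the result. The organization, common name, DNS name and validity periods are constructed values; it assumes the GnuTLS certtool binary is on PATH.

```shell
#!/bin/sh
# Added example, not from the page or the GnuTLS project: a minimal two-level
# PKI (root CA -> server certificate) driven by certtool template files.
# Assumes GnuTLS certtool on PATH; names, DNS name and lifetimes are constructed.
set -eu
# Write a CA template and a server template into DIR. "ca" plus
# cert_signing_key make the root usable as an issuer; the server template
# omits them and pins a SAN and a TLS-server EKU instead.
write_templates() {
  dir=$1
  cat > "$dir/ca.template" <<'EOF'
organization = "Example Lab"
cn = "Example Lab Root CA"
expiration_days = 365
ca
cert_signing_key
crl_signing_key
EOF
  cat > "$dir/server.template" <<'EOF'
organization = "Example Lab"
cn = "www.example.test"
dns_name = "www.example.test"
expiration_days = 90
tls_www_server
signing_key
encryption_key
EOF
}
# CA key and self-signed cert, server key and CSR, CA-signed server cert,
# then verification of the issued cert against the CA only.
build_pki() {
  dir=$1
  certtool --generate-privkey --key-type ecdsa --curve secp256r1 --outfile "$dir/ca.key"
  certtool --generate-self-signed --load-privkey "$dir/ca.key" \
    --template "$dir/ca.template" --outfile "$dir/ca.crt"
  certtool --generate-privkey --key-type ecdsa --curve secp256r1 --outfile "$dir/server.key"
  certtool --generate-request --load-privkey "$dir/server.key" \
    --template "$dir/server.template" --outfile "$dir/server.csr"
  # Extensions of the issued cert come from the signer's template; extensions
  # requested in the CSR are ignored unless the template says honor_crq_extensions.
  certtool --generate-certificate --load-request "$dir/server.csr" \
    --load-ca-certificate "$dir/ca.crt" --load-ca-privkey "$dir/ca.key" \
    --template "$dir/server.template" --outfile "$dir/server.crt"
  # --verify trusts only the loaded CA, not the system store; exits non-zero on failure.
  certtool --verify --load-ca-certificate "$dir/ca.crt" --infile "$dir/server.crt"
}
# Run the whole procedure in a scratch directory when certtool is available.
if command -v certtool >/dev/null 2>&1; then
  WORK=$(mktemp -d) && write_templates "$WORK" && build_pki "$WORK" && echo "PKI in $WORK"
fi
```

Because the signing step takes its extensions from the CA-side template, the CA operator, not the requester, decides whether the issued certificate gets a CA flag, which SAN it carries and which key usages it allows.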

PKCS#12 SUPPORT

The command provides comprehensive functionality for handling PKCS#12 (PFX) files. This includes encrypting private keys and certificates into a single, password-protected file (--pkcs12-encrypt) and decrypting such files to extract their contents (--pkcs12-decrypt), which is crucial for secure key and certificate distribution.

SECURITY PARAMETER CONTROL

Users can specify a security level using the --sec-param option. This influences the selection of cryptographic parameters like key sizes and hash algorithms, ensuring that generated keys and certificates meet desired security standards or policy requirements.

HISTORY

certtool is an integral part of the GnuTLS project, which was initiated to provide a free software implementation of the SSL/TLS protocols. Development began in the early 2000s, aiming to offer an alternative to OpenSSL, especially for projects preferring LGPL-licensed libraries. certtool evolved alongside the GnuTLS library, incorporating new cryptographic algorithms, protocol versions (TLS 1.2, 1.3), and key types (ECC) as they became standardized. Its design prioritizes consistency with the GnuTLS API, making it a natural choice for developers working within that ecosystem.

SEE ALSO

openssl(1), gnutls-cli(1), gnutls-serv(1), p11tool(1), gnutls(7)
