certtool
GnuTLS certificate and key generation tool
TLDR
SYNOPSIS
certtool [options]
DESCRIPTION
certtool generates and manages X.509 certificates, private keys, certificate signing requests, and other PKI structures using the GnuTLS library. It serves as an alternative to OpenSSL's certificate tools with a distinct command-line interface and template-based workflow.
Certificate attributes such as organization name, common name, validity period, key usage, and extensions are defined in template files rather than passed as command-line arguments. This makes complex certificate configurations reproducible and scriptable. The template syntax uses simple key-value pairs.
The tool supports the full PKI workflow: generating private keys, creating self-signed CA certificates, issuing certificate signing requests, signing certificates with a CA, and verifying certificate chains.
PARAMETERS
-p, --generate-privkey
Generate a private key-s, --generate-self-signed
Generate a self-signed certificate-q, --generate-request
Generate a certificate signing request--generate-certificate
Generate a certificate from CSR--load-privkey file
Load private key from file--template file
Use template file for certificate info--outfile file
Output file path--verify
Verify certificate chain-i, --certificate-info
Display certificate information
CAVEATS
Template file format differs from OpenSSL configuration. Some features may require specific GnuTLS version. Certificate templates must specify all required fields.
SEE ALSO
openssl(1), gnutls-cli(1)
