certtool

Generate a private key

$ certtool -p --outfile [path/to/private.key]

$ certtool -s --load-privkey [path/to/private.key] --template [path/to/info.template] --outfile [path/to/certificate.crt]

$ certtool -q --load-privkey [path/to/private.key] --template [path/to/info.template] --outfile [path/to/request.csr]

$ certtool -s --load-privkey [path/to/ca.key] --template [path/to/ca.template] --outfile [path/to/ca.crt]

$ certtool --verify --infile [path/to/certificate.crt] --load-ca-certificate [path/to/ca.crt]

certtool [options]

certtool generates and manages X.509 certificates, private keys, certificate signing requests, and other PKI structures using the GnuTLS library. It serves as an alternative to OpenSSL's certificate tools with a distinct command-line interface and template-based workflow.
Certificate attributes such as organization name, common name, validity period, key usage, and extensions are defined in template files rather than passed as command-line arguments. This makes complex certificate configurations reproducible and scriptable. The template syntax uses simple key-value pairs.
The tool supports the full PKI workflow: generating private keys, creating self-signed CA certificates, issuing certificate signing requests, signing certificates with a CA, and verifying certificate chains.

-p, --generate-privkey

Generate a private key

Generate a self-signed certificate

Generate a certificate signing request

Generate a certificate from CSR

Load private key from file

Use template file for certificate info

Output file path

Verify certificate chain

Display certificate information

Template file format differs from OpenSSL configuration. Some features may require specific GnuTLS version. Certificate templates must specify all required fields.

openssl(1), gnutls-cli(1)