tor-gencert
Create Tor Hidden Service client authentication certificates
SYNOPSIS
tor-gencert [OPTIONS]
This command generates a new Tor identity key and a self-signed certificate for that key.
PARAMETERS
-h
Displays help information and exits.
-V
Shows version information and exits.
-i identity_key_file
Specifies the path for the Tor identity key file to be generated or loaded.
-s signing_key_file
Specifies the path for the certificate signing key.
-r revocation_key_file
Specifies the path for the certificate revocation key.
-c certificate_file
Specifies the path where the generated certificate will be saved.
-t type
Sets the type of certificate to generate (e.g., "authority", "router"). Defaults to "authority".
-e expiration
Sets the expiration date/time for the certificate. Formats include "YYYY-MM-DD", "YYYY-MM-DD HH:MM:SS", or "N days".
-m min_lifetime
Specifies the minimum lifetime of the certificate in days if it would otherwise expire too soon.
-f
Forces overwriting of existing files without prompting.
DESCRIPTION
tor-gencert is a utility included with the Tor project used to generate cryptographic keys and self-signed certificates.
Its primary purpose is to create the long-term identity key and the corresponding certificate for a Tor relay, especially for directory authorities or bridge authorities. The generated files, typically an identity key (e.g., authority_identity_key) and a certificate (e.g., authority_certificate), are what allow a Tor server to establish its unique identity and participate securely in the Tor network.
The command is usually run once when setting up a new Tor authority or a similar component that requires a persistent, verifiable identity. It ensures that the Tor instance can be identified and trusted by other nodes in the network.
CAVEATS
Generating new identity keys and certificates is a sensitive operation. The generated files, especially the identity key, should be handled with extreme care and kept secure, as they represent the unforgeable identity of your Tor authority or relay. This command is typically run only once for a given Tor authority setup.
DEFAULT OUTPUT
If no file paths are specified for the identity key or certificate, tor-gencert typically creates them in the current working directory or a predefined Tor data directory, using default filenames such as authority_identity_key and authority_certificate.
KEY MANAGEMENT
The security of the generated identity key is paramount. Loss or compromise of this key could allow an attacker to impersonate your Tor authority, potentially disrupting network operations or trust. Ensure proper file permissions and storage security for all generated key files.
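The following shell script is an added example; it is not part of this man page or of the Tor project's own tooling. It ties the PARAMETERS section to the KEY MANAGEMENT advice above: it invokes tor-gencert with the -i, -s, -c, -t and -e options as documented here, under a restrictive umask so the key files are created owner-only, and then audits that each private key is a regular file with mode 0600. The key directory path and the "90 days" expiration value are placeholders, and the option semantics are assumed to be exactly as this page describes them.

```shell
#!/bin/sh
# Added example, not from the tor-gencert man page or the Tor project.
# Generates an authority identity key, signing key and certificate with the
# options documented above, then audits the key files' permissions.
# KEYDIR and EXPIRY are placeholders; option behaviour is assumed to match
# the PARAMETERS section of this page.
set -eu

KEYDIR="${KEYDIR:-/var/lib/tor/keys}"   # placeholder; use your DataDirectory/keys
EXPIRY="${EXPIRY:-90 days}"             # "N days" form from the -e description

# Run tor-gencert under a restrictive umask in a subshell so new files are
# created 0600 and the umask change does not leak into the caller.
generate_authority_cert() {
    keydir="$1"; expiry="$2"
    mkdir -p "$keydir"
    chmod 700 "$keydir"
    (
        umask 077
        tor-gencert -i "$keydir/authority_identity_key" \
                    -s "$keydir/authority_signing_key" \
                    -c "$keydir/authority_certificate" \
                    -t authority \
                    -e "$expiry"
    )
}

# Return 0 only if the path is a regular file readable and writable by its
# owner alone (mode 0600); anything broader, or a missing file, is a finding.
key_mode_ok() {
    f="$1"
    [ -f "$f" ] || return 1
    case "$(ls -l "$f" | cut -c1-10)" in
        -rw-------) return 0 ;;
        *)          return 1 ;;
    esac
}

# Check every private key the generation step writes. Returns 1 and prints a
# warning per file if any key is missing or too permissive.
audit_key_dir() {
    dir="$1"; bad=0
    for f in "$dir/authority_identity_key" "$dir/authority_signing_key"; do
        if ! key_mode_ok "$f"; then
            echo "WARNING: $f is missing or not mode 0600" >&2
            bad=1
        fi
    done
    return "$bad"
}

# Entry point: only runs when invoked as "sh gencert-setup.sh run".
if [ "${1:-}" = "run" ]; then
    if command -v tor-gencert >/dev/null 2>&1; then
        generate_authority_cert "$KEYDIR" "$EXPIRY"
    else
        echo "tor-gencert not found in PATH; skipping generation" >&2
    fi
    audit_key_dir "$KEYDIR"
fi
```

Run it as the user that will own the Tor authority's keys, never as a shared account; the audit step can also be re-run on its own from a cron job or a configuration check to catch permission drift after the one-time generation.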
HISTORY
The tor-gencert utility has been an integral part of the Tor project since its early days, specifically designed to facilitate the setup and operation of directory authorities and bridge authorities within the Tor network. Its core functionality of generating long-term identity keys and self-signed certificates has remained consistent, underscoring its foundational role in establishing trusted identities for critical Tor infrastructure components.
SEE ALSO
tor(1), torrc(5)