tor-gencert

tor-gencert [OPTIONS]

This command generates a new Tor identity key and a self-signed certificate for that key.

-h
    Displays help information and exits.

-V
    Shows version information and exits.

-i identity_key_file
    Specifies the path for the Tor identity key file to be generated or loaded.

-s signing_key_file
    Specifies the path for the certificate signing key.

-r revocation_key_file
    Specifies the path for the certificate revocation key.

-c certificate_file
    Specifies the path where the generated certificate will be saved.

-t type
    Sets the type of certificate to generate (e.g., "authority", "router"). Defaults to "authority".

-e expiration
    Sets the expiration date/time for the certificate. Formats include "YYYY-MM-DD", "YYYY-MM-DD HH:MM:SS", or "N days".

-m min_lifetime
    Specifies the minimum lifetime of the certificate in days if it would otherwise expire too soon.

-f
    Forces overwriting of existing files without prompting.

tor-gencert is a utility included with the Tor project used to generate cryptographic keys and self-signed certificates.

Its primary purpose is to create the long-term identity key and the corresponding certificate for a Tor relay, especially for directory authorities or bridge authorities. These generated files—typically an identity key (e.g., authority_identity_key) and a certificate (e.g., authority_certificate)—are fundamental for a Tor server to establish its unique identity and participate securely in the Tor network.

The command is usually run once when setting up a new Tor authority or a similar component that requires a persistent, verifiable identity. It ensures that the Tor instance can be identified and trusted by other nodes in the network.

Generating new identity keys and certificates is a sensitive operation. The generated files (especially the identity key) should be treated with extreme care and kept secure, as they represent the unforgeable identity of your Tor authority or relay. This command is typically run only once for a given Tor authority setup.

If no file paths are specified for the identity key or certificate, tor-gencert typically creates them in the current working directory or a predefined Tor data directory, using default filenames such as authority_identity_key and authority_certificate.

The security of the generated identity key is paramount. Loss or compromise of this key could allow an attacker to impersonate your Tor authority, potentially disrupting network operations or trust. Ensure proper file permissions and storage security for all generated key files.

The tor-gencert utility has been an integral part of the Tor project since its early days, specifically designed to facilitate the setup and operation of directory authorities and bridge authorities within the Tor network. Its core functionality of generating long-term identity keys and self-signed certificates has remained consistent, underscoring its foundational role in establishing trusted identities for critical Tor infrastructure components.

tor(1), torrc(5)