LinuxCommandLibrary

tor-gencert

Create Tor Hidden Service client authentication certificates

SYNOPSIS

tor-gencert {--create-missing} {--passphrase-fd FD} {--valid-until YYYY-MM-DD} {--help} {--quiet} {--version} [output_directory]

PARAMETERS

--create-missing
    Creates the key and certificate files if they don't already exist.

--passphrase-fd FD
    Reads a passphrase from file descriptor FD to encrypt the private key with.

--valid-until YYYY-MM-DD
    Sets the validity period of the generated certificate to end on the specified date (YYYY-MM-DD).

--help
    Displays help information and exits.

--quiet
    Suppresses verbose output.

--version
    Displays the version number and exits.

output_directory
    The directory where the generated key and certificate files will be stored. If not specified, the current directory is used.

DESCRIPTION

The tor-gencert command is a utility from the Tor project that generates self-signed certificates for Tor hidden services (also known as onion services). These certificates are used to encrypt traffic between clients and the hidden service. The command generates a private key and a corresponding X.509 certificate, both of which are required to configure a hidden service.

The tool gives a simple, direct way to create these certificates so that the hidden service can operate securely.

While Tor itself handles much of the underlying cryptography, tor-gencert simplifies the process of creating the required certificates, removing the need for manual OpenSSL configuration or other complex procedures.

CAVEATS

The certificates generated by tor-gencert are self-signed. While they provide encryption, they do not provide identity verification in the same way as certificates signed by a trusted Certificate Authority (CA). Clients accessing the hidden service will not be able to verify the service's identity based on the certificate alone. Therefore, other means of verification (e.g., public key fingerprint comparison) may be necessary.

OUTPUT FILES

The command produces two files:

hostname.key
    The private key used by the hidden service.

hostname.crt
    The X.509 certificate corresponding to the private key.

SECURITY CONSIDERATIONS

It is critical to protect the hostname.key file: if it is compromised, an attacker can impersonate the hidden service. Store it securely with restrictive file permissions.

HISTORY

tor-gencert was developed as part of the Tor project to simplify setting up hidden services, reflecting the project's commitment to making onion services more accessible. Early versions of Tor required more manual steps to create certificates; tor-gencert was created to automate key generation and the related certificate tasks, lowering the barrier to entry for users who want to host a Tor hidden service, all in a single command-line tool.

SEE ALSO

tor(1), openssl(1)
