certtool
NAME
certtool– Command line tool to setup a simple CA and issue, show, revoke and verify certificates.
SYNOPSIS
certtool command (help | [command-options])
certtool help
Displays all the commands available with certtool.
certtool command help
Displays all the command-options available with the command.
certtool setupca [setupca-options]
Sets up a file-based simple CA..
certtool issue [issue-options]
Issues a certificate and updates the CA files.
certtool show [show-options]
Displays the contents of a certificate, certification path or CRL.
certtool revoke [revoke-options]
Revokes a previously issued certificate.
certtool crl [crl-options]
Generates a CRL file of all the revoked certificates.
certtool validate [validate-options]
Validates a certificate.
DESCRIPTION
The tool certtool is a command line utility to set up a minimal CA. During setup, it can either generate a self-signed certificate or use a certificate signed by another CA. After setup, certtool can be used to issue signed certificates taking a CSR as input, revoke a previously issued certificate, generate a CRL (Certificate Revocation List) and so on. All information related to the certtool-based CA is stored in flat files within a directory tree rooted at the directory specified during the setup.
OPTIONS for certtool setupca
| -cadir dir | Directory to store internal data. Default: cadir. |
| -dn dn | Distinguished Name of the CA. Default:[CN=JSTK Test Root CA, OU=JSTK Operations, O=JSTK Inc, C=US]. |
| -capath pathlen | Maximum permissible depth of the CA hierarchy rooted at this CA. Default: 2. |
| -serial serialno | Serial no. of the CA certificate. Default: 100 |
| -keyalg alg | Algorithm for key-pair generation. Default: RSA. Other possible value is DSA. |
| -keysize keysz | Key size in bits. Default: 2048. |
| -sigalg sigalg | Signature algorithm. Should match the key algorithm. Default: SHA1WithRSA. |
| -password passwd | Password for CA keystore. This is mandatory and there is no default for it. |
| -cadir dir | certtool CA directory. Default: cadir. |
| -ca | Flag to indicate that the issued certificate is a CA certificate |
| -capath pathlen | Maximum permissible depth of the CA hierarchy rooted at this CA. Default: 0. |
| -csrfile csrfile | Input file with the Certificate Signing Request. |
| -cerfile cerfile | Output file to store the certificate. |
| -cpfmt cpfmt | Certification path format for the output file. Default: PKCS7. Other possible values are PKIPATH and X509. |
| -keyalg alg | Algorithm for key-pair generation. Default: RSA. Other possible value is DSA. |
| -keysize keysz | Key size in bits. Default: 2048. |
| -sigalg sigalg | Signature algorithm. Should match the key algorithm. Default: SHA1WithRSA. |
| -password passwd | Password specified at the time of CA setup. This is mandatory and there is no default for it. |
OPTIONS for certtool revoke
| -cadir dir | certtool CA directory. Default: cadir. |
| -cerfile cerfile | input file having the certificate to be revoked. |
| -password passwd | Password specified at the time of CA setup. This is mandatory and there is no default for it. |
OPTIONS for certtool crl
| -cadir dir | certtool CA directory. Default: cadir. |
| -crlfile crlfile | Output file to store the CRL of all the revoked certificates. |
| -password passwd | Password specified at the time of CA setup. This is mandatory and there is no default for it. |
| -infile infile | Input file. |
EXAMPLES
certtool setupca –password changeit
Sets up the files for a simple file-based CA. Directory cadir is created to hold all the files and subdirectories for maintaining information about the CA. The self-signed certificate for the CA and its private key are stored in keystore cadirca.ks, protected by password changeit and within cakey entry.
keytool -genkey -keystore test.ks -storepass changeit keytool -certreq -file test.csr -keystore test.ks -storepass changeit certtool issue -csrfile test.csr -password hello
The first keytool command creates keystore test.ks with a self-signed certificate for the identity information supplied. The second keytool command generates a CSR from this self-signed certificate. This CSR is used to issue a CA-signed certificate by the utility certtool. The issued certificate is stored in file my.cer.
certtool show –infile my.cer
Displays the contents of the issued certificate.
certtool setupca -cadir cadir1 -password hello keytool -certreq -file ca1.csr -keystore cadir1ca.ks -storepass hello -alias cakey -storetype JCEKS certtool issue -csrfile ca1.csr -cerfile ca1.cer -password hello keytool -import -file ca1.cer -keystore cadir1ca.ks -storepass hello -alias cakey -storetype JCEKS
Creates a sub-CA in subdirectory cadir1. The basic mechanism to setup a CA with CA directory cadir1: generates a CSR from its keystore, issues a certificate as per this CSR using the super-CA and then imports the issued certificate to the original keystore.