certtool

NAME

certtool - command line tool to set up a simple CA and issue, show, revoke and verify certificates.

SYNOPSIS

    certtool command (help | [command-options])

Executes certtool with the specified command.

    certtool help

Displays all the commands available with certtool.

    certtool command help

Displays all the command-options available with the command.

    certtool setupca [setupca-options]

Sets up a file-based simple CA.

    certtool issue [issue-options]

Issues a certificate and updates the CA files.

    certtool show [show-options]

Displays the contents of a certificate, certification path or CRL.

    certtool revoke [revoke-options]

Revokes a previously issued certificate.

    certtool crl [crl-options]

Generates a CRL file of all the revoked certificates.

    certtool validate [validate-options]

Validates a certificate.

DESCRIPTION

The tool certtool is a command line utility to set up a minimal CA. During setup, it can either generate a self-signed certificate or use a certificate signed by another CA. After setup, certtool can be used to issue signed certificates taking a CSR as input, revoke a previously issued certificate, generate a CRL (Certificate Revocation List) and so on. All information related to the certtool-based CA is stored in flat files within a directory tree rooted at the directory specified during the setup.

OPTIONS for certtool setupca

-cadir dir
    Directory to store internal data. Default: cadir.
-dn dn
    Distinguished Name of the CA. Default: [CN=JSTK Test Root CA, OU=JSTK Operations, O=JSTK Inc, C=US].
-capath pathlen
    Maximum permissible depth of the CA hierarchy rooted at this CA. Default: 2.
-serial serialno
    Serial number of the CA certificate. Default: 100.
-keyalg alg
    Algorithm for key-pair generation. Default: RSA. The other possible value is DSA.
-keysize keysz
    Key size in bits. Default: 2048.
-sigalg sigalg
    Signature algorithm; it should match the key algorithm. Default: SHA1WithRSA.
-password passwd
    Password for the CA keystore. This is mandatory and there is no default.

OPTIONS for certtool issue

-cadir dir
    certtool CA directory. Default: cadir.
-ca
    Flag to indicate that the issued certificate is a CA certificate.
-capath pathlen
    Maximum permissible depth of the CA hierarchy rooted at this CA. Default: 0.
-csrfile csrfile
    Input file with the Certificate Signing Request.
-cerfile cerfile
    Output file to store the certificate.
-cpfmt cpfmt
    Certification path format for the output file. Default: PKCS7. Other possible values are PKIPATH and X509.
-keyalg alg
    Algorithm for key-pair generation. Default: RSA. The other possible value is DSA.
-keysize keysz
    Key size in bits. Default: 2048.
-sigalg sigalg
    Signature algorithm; it should match the key algorithm. Default: SHA1WithRSA.
-password passwd
    Password specified at the time of CA setup. This is mandatory and there is no default.

OPTIONS for certtool revoke

-cadir dir
    certtool CA directory. Default: cadir.
-cerfile cerfile
    Input file containing the certificate to be revoked.
-password passwd
    Password specified at the time of CA setup. This is mandatory and there is no default.

OPTIONS for certtool crl

-cadir dir
    certtool CA directory. Default: cadir.
-crlfile crlfile
    Output file to store the CRL of all the revoked certificates.
-password passwd
    Password specified at the time of CA setup. This is mandatory and there is no default.

OPTIONS for certtool show

-infile infile
    Input file.

EXAMPLES

    certtool setupca -password changeit

Sets up the files for a simple file-based CA. Directory cadir is created to hold all the files and subdirectories for maintaining information about the CA. The self-signed certificate for the CA and its private key are stored in keystore cadir\ca.ks, protected by password changeit, under the cakey entry.

    keytool -genkey -keystore test.ks -storepass changeit
    keytool -certreq -file test.csr -keystore test.ks -storepass changeit
    certtool issue -csrfile test.csr -cerfile my.cer -password hello

The first keytool command creates keystore test.ks with a self-signed certificate for the identity information supplied. The second keytool command generates a CSR from this self-signed certificate. certtool then uses this CSR to issue a CA-signed certificate, which is stored in file my.cer.

    certtool show -infile my.cer

Displays the contents of the issued certificate.

    certtool setupca -cadir cadir1 -password hello
    keytool -certreq -file ca1.csr -keystore cadir1\ca.ks -storepass hello -alias cakey -storetype JCEKS
    certtool issue -csrfile ca1.csr -cerfile ca1.cer -password hello
    keytool -import -file ca1.cer -keystore cadir1\ca.ks -storepass hello -alias cakey -storetype JCEKS

Creates a sub-CA in subdirectory cadir1. The basic mechanism: set up a CA with CA directory cadir1, generate a CSR from its keystore, have the super-CA issue a certificate for this CSR, and then import the issued certificate into the original keystore under the same alias.
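The lifecycle that the setupca, issue, revoke, crl and validate commands manage, as an added example that is not part of the certtool manual or of the JSTK code: the Go program below reimplements it with the standard crypto/x509 package, keeping the CA state in memory instead of certtool's flat files. The type and function names (SimpleCA, SetupCA, NewCSR, Issue, Revoke, CRL, Validate) are this example's own; the path length 2 and serial 100 used in the test match the setupca defaults listed above. It assumes Go 1.21 or newer (for x509.RevocationListEntry).

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ErrRevoked is what Validate returns when the serial appears on the CA's CRL.
var ErrRevoked = errors.New("certificate is revoked")

// SimpleCA is the in-memory analogue of certtool's -cadir: the CA key and
// certificate, the last serial handed out, and the serials revoked so far.
type SimpleCA struct {
	Key     *rsa.PrivateKey
	Cert    *x509.Certificate
	serial  int64
	revoked []x509.RevocationListEntry
}

// template is the shape of every certificate this CA signs; for a CA certificate
// pathLen becomes the basicConstraints path length, which is what -capath sets.
func template(subject pkix.Name, serial int64, isCA bool, pathLen int) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: subject,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.MaxPathLen, t.MaxPathLenZero = pathLen, pathLen == 0
		t.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	return t
}

// SetupCA mirrors `certtool setupca -dn dn -capath pathlen -serial serialno`: a fresh
// 2048-bit RSA key (the -keyalg/-keysize defaults) and a self-signed CA certificate.
func SetupCA(cn string, pathLen int, serial int64) (*SimpleCA, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	t := template(pkix.Name{CommonName: cn}, serial, true, pathLen)
	der, err := x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &SimpleCA{Key: key, Cert: cert, serial: serial}, err
}

// NewCSR plays the requester's side (keytool -genkey, keytool -certreq): a key pair
// and a DER-encoded PKCS#10 request for cn. The private key never leaves the requester.
func NewCSR(cn string) ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}, key)
}

// Issue mirrors `certtool issue -csrfile csr [-ca -capath pathlen]`. The CSR's own signature
// is verified first, so a certificate is only issued for a key whose private half the requester holds.
func (ca *SimpleCA) Issue(csrDER []byte, isCA bool, pathLen int) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR proof of possession failed: %w", err)
	}
	ca.serial++
	t := template(csr.Subject, ca.serial, isCA, pathLen)
	der, err := x509.CreateCertificate(rand.Reader, t, ca.Cert, csr.PublicKey, ca.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Revoke mirrors `certtool revoke -cerfile cer`; only certificates this CA signed are accepted.
func (ca *SimpleCA) Revoke(cert *x509.Certificate) error {
	if err := cert.CheckSignatureFrom(ca.Cert); err != nil {
		return fmt.Errorf("not issued by this CA: %w", err)
	}
	ca.revoked = append(ca.revoked, x509.RevocationListEntry{SerialNumber: cert.SerialNumber, RevocationTime: time.Now()})
	return nil
}

// CRL mirrors `certtool crl`: a CA-signed list of every serial revoked so far.
func (ca *SimpleCA) CRL() (*x509.RevocationList, error) {
	der, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(time.Now().UnixNano()), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(24 * time.Hour),
		RevokedCertificateEntries: ca.revoked,
	}, ca.Cert, ca.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseRevocationList(der)
}

// Validate mirrors `certtool validate`: chain the certificate to the trusted CA, confirm
// the CRL was signed by that same CA, then look the serial up in it.
func Validate(cert, ca *x509.Certificate, crl *x509.RevocationList) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return fmt.Errorf("path validation failed: %w", err)
	}
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return fmt.Errorf("CRL not signed by the CA: %w", err)
	}
	for _, e := range crl.RevokedCertificateEntries {
		if e.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return ErrRevoked
		}
	}
	return nil
}
```

Two points the option list above only implies are made explicit here: Issue checks the CSR's self-signature before signing anything, which is the CA's evidence that the requester holds the private key for the public key in the request, and Validate verifies the CRL's signature against the CA before trusting its contents, since an unsigned or foreign CRL says nothing about revocation. Go signs with SHA-256 for RSA keys; certificates produced with certtool's default -sigalg SHA1WithRSA are rejected by Go's verifier since Go 1.18 (self-signed roots excepted), so SHA256WithRSA is the setting to use with certtool today.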
