search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
documented updates
[gnutls.git] / src / certtool-args.def
blob480c16eb6ce8e5e501ba22e384eda96465f11c0d
1 AutoGen Definitions options;
2 prog-name = certtool;
3 prog-title = "GnuTLS certificate tool";
4 prog-desc = "Manipulate certificates and private keys.";
5 detail = "Tool to parse and generate X.509 certificates, requests and private keys.
6 It can be used interactively or non interactively by
7 specifying the template command line option.";
8 short-usage = "certtool [options]\ncerttool --help for usage instructions.\n";
9 explain = "";
10
11 #define INFILE_OPT 1
12 #define OUTFILE_OPT 1
13 #define VERBOSE_OPT 1
14 #include args-std.def
15
16 flag = {
17 name = generate-self-signed;
18 value = s;
19 descrip = "Generate a self-signed certificate";
20 doc = "";
21 };
22
23 flag = {
24 name = generate-certificate;
25 value = c;
26 descrip = "Generate a signed certificate";
27 doc = "";
28 };
29
30 flag = {
31 name = generate-proxy;
32 descrip = "Generates a proxy certificate";
33 doc = "";
34 };
35
36 flag = {
37 name = generate-crl;
38 descrip = "Generate a CRL";
39 doc = "";
40 };
41
42 flag = {
43 name = update-certificate;
44 value = u;
45 descrip = "Update a signed certificate";
46 doc = "";
47 };
48
49 flag = {
50 name = generate-privkey;
51 value = p;
52 descrip = "Generate a private key";
53 doc = "";
54 };
55
56 flag = {
57 name = generate-request;
58 value = q;
59 descrip = "Generate a PKCS #10 certificate request";
60 doc = "";
61 };
62
63 flag = {
64 name = verify-chain;
65 value = e;
66 descrip = "Verify a PEM encoded certificate chain.";
67 doc = "The last certificate in the chain must be a self signed one.";
68 };
69
70 flag = {
71 name = verify;
72 descrip = "Verify a PEM encoded certificate chain using a trusted list.";
73 doc = "The trusted certificate list must be loaded with --load-ca-certificate.";
74 flags-must = load-ca-certificate;
75 };
76
77 flag = {
78 name = verify-crl;
79 descrip = "Verify a CRL using a trusted list.";
80 doc = "The trusted certificate list must be loaded with --load-ca-certificate.";
81 flags-must = load-ca-certificate;
82 };
83
84 flag = {
85 name = generate-dh-params;
86 descrip = "Generate PKCS #3 encoded Diffie-Hellman parameters.";
87 doc = "";
88 };
89
90 flag = {
91 name = get-dh-params;
92 descrip = "Get the included PKCS #3 encoded Diffie-Hellman parameters.";
93 doc = "Returns stored DH parameters in GnuTLS. Those parameters are used in the SRP protocol. The parameters returned by fresh generation
94 are more efficient since GnuTLS 3.0.9.";
95 };
96
97 flag = {
98 name = dh-info;
99 descrip = "Print information PKCS #3 encoded Diffie-Hellman parameters";
100 doc = "";
101 };
102
103 flag = {
104 name = load-privkey;
105 descrip = "Loads a private key file";
106 arg-type = string;
107 doc = "This can be either a file or a PKCS #11 URL";
108 };
109
110 flag = {
111 name = load-pubkey;
112 descrip = "Loads a public key file";
113 arg-type = string;
114 doc = "This can be either a file or a PKCS #11 URL";
115 };
116
117 flag = {
118 name = load-request;
119 descrip = "Loads a certificate request file";
120 arg-type = file;
121 file-exists = yes;
122 doc = "";
123 };
124
125 flag = {
126 name = load-certificate;
127 descrip = "Loads a certificate file";
128 arg-type = string;
129 doc = "This can be either a file or a PKCS #11 URL";
130 };
131
132 flag = {
133 name = load-ca-privkey;
134 descrip = "Loads the certificate authority's private key file";
135 arg-type = string;
136 doc = "This can be either a file or a PKCS #11 URL";
137 };
138
139 flag = {
140 name = load-ca-certificate;
141 descrip = "Loads the certificate authority's certificate file";
142 arg-type = string;
143 doc = "This can be either a file or a PKCS #11 URL";
144 };
145
146 flag = {
147 name = password;
148 arg-type = string;
149 descrip = "Password to use";
150 doc = "";
151 };
152
153 flag = {
154 name = null-password;
155 descrip = "Enforce a NULL password";
156 doc = "This option enforces a NULL password. This may be different than the empty password in some schemas.";
157 };
158
159 flag = {
160 name = certificate-info;
161 value = i;
162 descrip = "Print information on the given certificate";
163 doc = "";
164 };
165
166 flag = {
167 name = certificate-pubkey;
168 descrip = "Print certificate's public key";
169 doc = "";
170 };
171
172 flag = {
173 name = pgp-certificate-info;
174 descrip = "Print information on the given OpenPGP certificate";
175 doc = "";
176 };
177
178 flag = {
179 name = pgp-ring-info;
180 descrip = "Print information on the given OpenPGP keyring structure";
181 doc = "";
182 };
183
184 flag = {
185 name = crl-info;
186 value = l;
187 descrip = "Print information on the given CRL structure";
188 doc = "";
189 };
190
191 flag = {
192 name = crq-info;
193 descrip = "Print information on the given certificate request";
194 doc = "";
195 };
196
197
198 flag = {
199 name = no-crq-extensions;
200 descrip = "Do not use extensions in certificate requests";
201 doc = "";
202 };
203
204 flag = {
205 name = p12-info;
206 descrip = "Print information on a PKCS #12 structure";
207 doc = "";
208 };
209
210 flag = {
211 name = p7-info;
212 descrip = "Print information on a PKCS #7 structure";
213 doc = "";
214 };
215
216 flag = {
217 name = smime-to-p7;
218 descrip = "Convert S/MIME to PKCS #7 structure";
219 doc = "";
220 };
221
222 flag = {
223 name = key-info;
224 value = k;
225 descrip = "Print information on a private key";
226 doc = "";
227 };
228
229 flag = {
230 name = pgp-key-info;
231 descrip = "Print information on an OpenPGP private key";
232 doc = "";
233 };
234
235 flag = {
236 name = pubkey-info;
237 descrip = "Print information on a public key";
238 doc = "The option combined with --load-pubkey, --load-privkey and --load-certificate will extract the public key of the object in question.";
239 };
240
241 flag = {
242 name = v1;
243 descrip = "Generate an X.509 version 1 certificate (with no extensions)";
244 doc = "";
245 };
246
247 flag = {
248 name = to-p12;
249 descrip = "Generate a PKCS #12 structure";
250 doc = "It requires a certificate, a private key and possibly a CA certificate to be specified.";
251 flags-must = load-certificate;
252 };
253
254 flag = {
255 name = to-p8;
256 descrip = "Generate a PKCS #8 structure";
257 doc = "";
258 };
259
260 flag = {
261 name = pkcs8;
262 value = 8;
263 descrip = "Use PKCS #8 format for private keys";
264 doc = "";
265 };
266
267 flag = {
268 name = rsa;
269 descrip = "Generate RSA key";
270 doc = "";
271 };
272
273 flag = {
274 name = dsa;
275 descrip = "Generate DSA key";
276 doc = "";
277 };
278
279 flag = {
280 name = ecc;
281 descrip = "Generate ECC (ECDSA) key";
282 doc = "";
283 };
284
285 flag = {
286 name = hash;
287 arg-type = string;
288 descrip = "Hash algorithm to use for signing.";
289 doc = "Available hash functions are SHA1, RMD160, SHA256, SHA384, SHA512.";
290 };
291
292 flag = {
293 name = inder;
294 descrip = "Use DER format for input certificates and private keys.";
295 disabled;
296 disable = "no";
297 doc = "The input files will be assumed to be in DER or RAW format.
298 Unlike options that in PEM input would allow multiple input data (e.g. multiple
299 certificates), when reading in DER format a single data structure is read.";
300 };
301
302 flag = {
303 name = inraw;
304 aliases = inder;
305 };
306
307 flag = {
308 name = outder;
309 descrip = "Use DER format for output certificates and private keys";
310 disabled;
311 disable = "no";
312 doc = "The output will be in DER or RAW format.";
313 };
314
315 flag = {
316 name = outraw;
317 aliases = outder;
318 };
319
320 flag = {
321 name = bits;
322 arg-type = number;
323 descrip = "Specify the number of bits for key generate";
324 doc = "";
325 };
326
327 flag = {
328 name = sec-param;
329 arg-type = string;
330 arg-name = "Security parameter";
331 descrip = "Specify the security level [low, legacy, normal, high, ultra].";
332 doc = "This is alternative to the bits option.";
333 };
334
335 flag = {
336 name = disable-quick-random;
337 descrip = "No effect";
338 doc = "";
339 };
340
341 flag = {
342 name = template;
343 arg-type = file;
344 file-exists = yes;
345 descrip = "Template file to use for non-interactive operation";
346 doc = "";
347 };
348
349 flag = {
350 name = pkcs-cipher;
351 arg-type = string;
352 arg-name = "Cipher";
353 descrip = "Cipher to use for PKCS #8 and #12 operations";
354 doc = "Cipher may be one of 3des, 3des-pkcs12, aes-128, aes-192, aes-256, rc2-40, arcfour.";
355 };
356
357 doc-section = {
358 ds-type = 'SEE ALSO';
359 ds-format = 'texi';
360 ds-text = <<-_EOT_
361 p11tool (1)
362 _EOT_;
363 };
364
365 doc-section = {
366 ds-type = 'EXAMPLES';
367 ds-format = 'texi';
368 ds-text = <<-_EOT_
369 @subheading Generating private keys
370 To create an RSA private key, run:
371 @example
372 $ certtool --generate-privkey --outfile key.pem --rsa
373 @end example
374
375 To create a DSA or elliptic curves (ECDSA) private key use the
376 above command combined with 'dsa' or 'ecc' options.
377
378 @subheading Generating certificate requests
379 To create a certificate request (needed when the certificate is issued by
380 another party), run:
381 @example
382 certtool --generate-request --load-privkey key.pem \
383 --outfile request.pem
384 @end example
385
386 If the private key is stored in a smart card you can generate
387 a request by specifying the private key object URL.
388 @example
389 $ ./certtool --generate-request --load-privkey "pkcs11:..." \
390 --load-pubkey "pkcs11:..." --outfile request.pem
391 @end example
392
393
394 @subheading Generating a self-signed certificate
395 To create a self signed certificate, use the command:
396 @example
397 $ certtool --generate-privkey --outfile ca-key.pem
398 $ certtool --generate-self-signed --load-privkey ca-key.pem \
399 --outfile ca-cert.pem
400 @end example
401
402 Note that a self-signed certificate usually belongs to a certificate
403 authority, that signs other certificates.
404
405 @subheading Generating a certificate
406 To generate a certificate using the previous request, use the command:
407 @example
408 $ certtool --generate-certificate --load-request request.pem \
409 --outfile cert.pem --load-ca-certificate ca-cert.pem \
410 --load-ca-privkey ca-key.pem
411 @end example
412
413 To generate a certificate using the private key only, use the command:
414 @example
415 $ certtool --generate-certificate --load-privkey key.pem \
416 --outfile cert.pem --load-ca-certificate ca-cert.pem \
417 --load-ca-privkey ca-key.pem
418 @end example
419
420 @subheading Certificate information
421 To view the certificate information, use:
422 @example
423 $ certtool --certificate-info --infile cert.pem
424 @end example
425
426 @subheading PKCS #12 structure generation
427 To generate a PKCS #12 structure using the previous key and certificate,
428 use the command:
429 @example
430 $ certtool --load-certificate cert.pem --load-privkey key.pem \
431 --to-p12 --outder --outfile key.p12
432 @end example
433
434 Some tools (reportedly web browsers) have problems with that file
435 because it does not contain the CA certificate for the certificate.
436 To work around that problem in the tool, you can use the
437 --load-ca-certificate parameter as follows:
438
439 @example
440 $ certtool --load-ca-certificate ca.pem \
441 --load-certificate cert.pem --load-privkey key.pem \
442 --to-p12 --outder --outfile key.p12
443 @end example
444
445 @subheading Diffie-Hellman parameter generation
446 To generate parameters for Diffie-Hellman key exchange, use the command:
447 @example
448 $ certtool --generate-dh-params --outfile dh.pem --sec-param normal
449 @end example
450
451 @subheading Proxy certificate generation
452 Proxy certificate can be used to delegate your credential to a
453 temporary, typically short-lived, certificate. To create one from the
454 previously created certificate, first create a temporary key and then
455 generate a proxy certificate for it, using the commands:
456
457 @example
458 $ certtool --generate-privkey > proxy-key.pem
459 $ certtool --generate-proxy --load-ca-privkey key.pem \
460 --load-privkey proxy-key.pem --load-certificate cert.pem \
461 --outfile proxy-cert.pem
462 @end example
463
464 @subheading Certificate revocation list generation
465 To create an empty Certificate Revocation List (CRL) do:
466
467 @example
468 $ certtool --generate-crl --load-ca-privkey x509-ca-key.pem \
469 --load-ca-certificate x509-ca.pem
470 @end example
471
472 To create a CRL that contains some revoked certificates, place the
473 certificates in a file and use @code{--load-certificate} as follows:
474
475 @example
476 $ certtool --generate-crl --load-ca-privkey x509-ca-key.pem \
477 --load-ca-certificate x509-ca.pem --load-certificate revoked-certs.pem
478 @end example
479
480 To verify a Certificate Revocation List (CRL) do:
481
482 @example
483 $ certtool --verify-crl --load-ca-certificate x509-ca.pem < crl.pem
484 @end example
485 _EOT_;
486 };
487
488
489 doc-section = {
490 ds-type = 'FILES';
491 ds-format = 'texi';
492 ds-text = <<-_EOT_
493 @subheading Certtool's template file format
494 A template file can be used to avoid the interactive questions of
495 certtool. Initially create a file named 'cert.cfg' that contains the information
496 about the certificate. The template can be used as below:
497
498 @example
499 $ certtool --generate-certificate cert.pem --load-privkey key.pem \
500 --template cert.cfg \
501 --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem
502 @end example
503
504 An example certtool template file that can be used to generate a certificate
505 request or a self signed certificate follows.
506
507 @example
508 # X.509 Certificate options
509 #
510 # DN options
511
512 # The organization of the subject.
513 organization = "Koko inc."
514
515 # The organizational unit of the subject.
516 unit = "sleeping dept."
517
518 # The locality of the subject.
519 # locality =
520
521 # The state of the certificate owner.
522 state = "Attiki"
523
524 # The country of the subject. Two letter code.
525 country = GR
526
527 # The common name of the certificate owner.
528 cn = "Cindy Lauper"
529
530 # A user id of the certificate owner.
531 #uid = "clauper"
532
533 # Set domain components
534 #dc = "name"
535 #dc = "domain"
536
537 # If the supported DN OIDs are not adequate you can set
538 # any OID here.
539 # For example set the X.520 Title and the X.520 Pseudonym
540 # by using OID and string pairs.
541 #dn_oid = 2.5.4.12 Dr.
542 #dn_oid = 2.5.4.65 jackal
543
544 # This is deprecated and should not be used in new
545 # certificates.
546 # pkcs9_email = "none@@none.org"
547
548 # The serial number of the certificate
549 serial = 007
550
551 # In how many days, counting from today, this certificate will expire.
552 expiration_days = 700
553
554 # X.509 v3 extensions
555
556 # A dnsname in case of a WWW server.
557 #dns_name = "www.none.org"
558 #dns_name = "www.morethanone.org"
559
560 # A subject alternative name URI
561 #uri = "http://www.example.com"
562
563 # An IP address in case of a server.
564 #ip_address = "192.168.1.1"
565
566 # An email in case of a person
567 email = "none@@none.org"
568
569 # Challenge password used in certificate requests
570 challenge_passwd = 123456
571
572 # An URL that has CRLs (certificate revocation lists)
573 # available. Needed in CA certificates.
574 #crl_dist_points = "http://www.getcrl.crl/getcrl/"
575
576 # Whether this is a CA certificate or not
577 #ca
578
579 # for microsoft smart card logon
580 # key_purpose_oid = 1.3.6.1.4.1.311.20.2.2
581
582 ### Other predefined key purpose OIDs
583
584 # Whether this certificate will be used for a TLS client
585 #tls_www_client
586
587 # Whether this certificate will be used for a TLS server
588 #tls_www_server
589
590 # Whether this certificate will be used to sign data (needed
591 # in TLS DHE ciphersuites).
592 signing_key
593
594 # Whether this certificate will be used to encrypt data (needed
595 # in TLS RSA ciphersuites). Note that it is preferred to use different
596 # keys for encryption and signing.
597 #encryption_key
598
599 # Whether this key will be used to sign other certificates.
600 #cert_signing_key
601
602 # Whether this key will be used to sign CRLs.
603 #crl_signing_key
604
605 # Whether this key will be used to sign code.
606 #code_signing_key
607
608 # Whether this key will be used to sign OCSP data.
609 #ocsp_signing_key
610
611 # Whether this key will be used for time stamping.
612 #time_stamping_key
613
614 # Whether this key will be used for IPsec IKE operations.
615 #ipsec_ike_key
616
617 ### end of key purpose OIDs
618
619 # When generating a certificate from a certificate
620 # request, then honor the extensions stored in the request
621 # and store them in the real certificate.
622 #honor_crq_extensions
623
624 # Path length contraint. Sets the maximum number of
625 # certificates that can be used to certify this certificate.
626 # (i.e. the certificate chain length)
627 #path_len = -1
628 #path_len = 2
629
630 # OCSP URI
631 # ocsp_uri = http://my.ocsp.server/ocsp
632
633 # CA issuers URI
634 # ca_issuers_uri = http://my.ca.issuer
635
636 # Options for proxy certificates
637 # proxy_policy_language = 1.3.6.1.5.5.7.21.1
638
639 # Options for generating a CRL
640
641 # next CRL update will be in 43 days (wow)
642 #crl_next_update = 43
643
644 # this is the 5th CRL by this CA
645 #crl_number = 5
646
647 @end example
648
649 _EOT_;
650 };
651
Implementation of the SSL/TLS protocol