search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
news update
[gnutls.git] / src / certtool-args.def
blob0cd94b5fcd60f8a99d7c87da29b4820496cc9642
1 AutoGen Definitions options;
2 prog-name = certtool;
3 prog-title = "GnuTLS certificate tool";
4 prog-desc = "Manipulate certificates and private keys.";
5 detail = "Tool to parse and generate X.509 certificates, requests and private keys.
6 It can be used interactively or non interactively by
7 specifying the template command line option.";
8 short-usage = "certtool [options]\ncerttool --help for usage instructions.\n";
9 explain = "";
10
11 #define INFILE_OPT 1
12 #define OUTFILE_OPT 1
13 #define VERBOSE_OPT 1
14 #include args-std.def
15
16 flag = {
17 name = generate-self-signed;
18 value = s;
19 descrip = "Generate a self-signed certificate";
20 doc = "";
21 };
22
23 flag = {
24 name = generate-certificate;
25 value = c;
26 descrip = "Generate a signed certificate";
27 doc = "";
28 };
29
30 flag = {
31 name = generate-proxy;
32 descrip = "Generates a proxy certificate";
33 doc = "";
34 };
35
36 flag = {
37 name = generate-crl;
38 descrip = "Generate a CRL";
39 doc = "";
40 };
41
42 flag = {
43 name = update-certificate;
44 value = u;
45 descrip = "Update a signed certificate";
46 doc = "";
47 };
48
49 flag = {
50 name = generate-privkey;
51 value = p;
52 descrip = "Generate a private key";
53 doc = "";
54 };
55
56 flag = {
57 name = generate-request;
58 value = q;
59 descrip = "Generate a PKCS #10 certificate request";
60 doc = "";
61 };
62
63 flag = {
64 name = verify-chain;
65 value = e;
66 descrip = "Verify a PEM encoded certificate chain.";
67 doc = "The last certificate in the chain must be a self signed one.";
68 };
69
70 flag = {
71 name = verify;
72 descrip = "Verify a PEM encoded certificate chain using a trusted list.";
73 doc = "The trusted certificate list must be loaded with --load-ca-certificate.";
74 flags-must = load-ca-certificate;
75 };
76
77 flag = {
78 name = verify-crl;
79 descrip = "Verify a CRL using a trusted list.";
80 doc = "The trusted certificate list must be loaded with --load-ca-certificate.";
81 flags-must = load-ca-certificate;
82 };
83
84 flag = {
85 name = generate-dh-params;
86 descrip = "Generate PKCS #3 encoded Diffie-Hellman parameters.";
87 doc = "";
88 };
89
90 flag = {
91 name = get-dh-params;
92 descrip = "Get the included PKCS #3 encoded Diffie-Hellman parameters.";
93 doc = "Returns stored DH parameters in GnuTLS. Those parameters are used in the SRP protocol. The parameters returned by fresh generation
94 are more efficient since GnuTLS 3.0.9.";
95 };
96
97 flag = {
98 name = dh-info;
99 descrip = "Print information PKCS #3 encoded Diffie-Hellman parameters";
100 doc = "";
101 };
102
103 flag = {
104 name = load-privkey;
105 descrip = "Loads a private key file";
106 arg-type = string;
107 doc = "This can be either a file or a PKCS #11 URL";
108 };
109
110 flag = {
111 name = load-pubkey;
112 descrip = "Loads a public key file";
113 arg-type = string;
114 doc = "This can be either a file or a PKCS #11 URL";
115 };
116
117 flag = {
118 name = load-request;
119 descrip = "Loads a certificate request file";
120 arg-type = file;
121 file-exists = yes;
122 doc = "";
123 };
124
125 flag = {
126 name = load-certificate;
127 descrip = "Loads a certificate file";
128 arg-type = string;
129 doc = "This can be either a file or a PKCS #11 URL";
130 };
131
132 flag = {
133 name = load-ca-privkey;
134 descrip = "Loads the certificate authority's private key file";
135 arg-type = string;
136 doc = "This can be either a file or a PKCS #11 URL";
137 };
138
139 flag = {
140 name = load-ca-certificate;
141 descrip = "Loads the certificate authority's certificate file";
142 arg-type = string;
143 doc = "This can be either a file or a PKCS #11 URL";
144 };
145
146 flag = {
147 name = password;
148 arg-type = string;
149 descrip = "Password to use";
150 doc = "";
151 };
152
153 flag = {
154 name = simple-numbers;
155 descrip = "Print big number in an easier format to parse";
156 doc = "";
157 };
158
159 flag = {
160 name = null-password;
161 descrip = "Enforce a NULL password";
162 doc = "This option enforces a NULL password. This may be different than the empty password in some schemas.";
163 };
164
165 flag = {
166 name = certificate-info;
167 value = i;
168 descrip = "Print information on the given certificate";
169 doc = "";
170 };
171
172 flag = {
173 name = certificate-pubkey;
174 descrip = "Print certificate's public key";
175 doc = "";
176 };
177
178 flag = {
179 name = pgp-certificate-info;
180 descrip = "Print information on the given OpenPGP certificate";
181 doc = "";
182 };
183
184 flag = {
185 name = pgp-ring-info;
186 descrip = "Print information on the given OpenPGP keyring structure";
187 doc = "";
188 };
189
190 flag = {
191 name = crl-info;
192 value = l;
193 descrip = "Print information on the given CRL structure";
194 doc = "";
195 };
196
197 flag = {
198 name = crq-info;
199 descrip = "Print information on the given certificate request";
200 doc = "";
201 };
202
203
204 flag = {
205 name = no-crq-extensions;
206 descrip = "Do not use extensions in certificate requests";
207 doc = "";
208 };
209
210 flag = {
211 name = p12-info;
212 descrip = "Print information on a PKCS #12 structure";
213 doc = "";
214 };
215
216 flag = {
217 name = p7-info;
218 descrip = "Print information on a PKCS #7 structure";
219 doc = "";
220 };
221
222 flag = {
223 name = smime-to-p7;
224 descrip = "Convert S/MIME to PKCS #7 structure";
225 doc = "";
226 };
227
228 flag = {
229 name = key-info;
230 value = k;
231 descrip = "Print information on a private key";
232 doc = "";
233 };
234
235 flag = {
236 name = pgp-key-info;
237 descrip = "Print information on an OpenPGP private key";
238 doc = "";
239 };
240
241 flag = {
242 name = pubkey-info;
243 descrip = "Print information on a public key";
244 doc = "The option combined with --load-request, --load-pubkey, --load-privkey and --load-certificate will extract the public key of the object in question.";
245 };
246
247 flag = {
248 name = v1;
249 descrip = "Generate an X.509 version 1 certificate (with no extensions)";
250 doc = "";
251 };
252
253 flag = {
254 name = to-p12;
255 descrip = "Generate a PKCS #12 structure";
256 doc = "It requires a certificate, a private key and possibly a CA certificate to be specified.";
257 flags-must = load-certificate;
258 };
259
260 flag = {
261 name = to-p8;
262 descrip = "Generate a PKCS #8 structure";
263 doc = "";
264 };
265
266 flag = {
267 name = pkcs8;
268 value = 8;
269 descrip = "Use PKCS #8 format for private keys";
270 doc = "";
271 };
272
273 flag = {
274 name = rsa;
275 descrip = "Generate RSA key";
276 doc = "";
277 };
278
279 flag = {
280 name = dsa;
281 descrip = "Generate DSA key";
282 doc = "";
283 };
284
285 flag = {
286 name = ecc;
287 descrip = "Generate ECC (ECDSA) key";
288 doc = "";
289 };
290
291 flag = {
292 name = hash;
293 arg-type = string;
294 descrip = "Hash algorithm to use for signing.";
295 doc = "Available hash functions are SHA1, RMD160, SHA256, SHA384, SHA512.";
296 };
297
298 flag = {
299 name = inder;
300 descrip = "Use DER format for input certificates and private keys.";
301 disabled;
302 disable = "no";
303 doc = "The input files will be assumed to be in DER or RAW format.
304 Unlike options that in PEM input would allow multiple input data (e.g. multiple
305 certificates), when reading in DER format a single data structure is read.";
306 };
307
308 flag = {
309 name = inraw;
310 aliases = inder;
311 };
312
313 flag = {
314 name = outder;
315 descrip = "Use DER format for output certificates and private keys";
316 disabled;
317 disable = "no";
318 doc = "The output will be in DER or RAW format.";
319 };
320
321 flag = {
322 name = outraw;
323 aliases = outder;
324 };
325
326 flag = {
327 name = bits;
328 arg-type = number;
329 descrip = "Specify the number of bits for key generate";
330 doc = "";
331 };
332
333 flag = {
334 name = sec-param;
335 arg-type = string;
336 arg-name = "Security parameter";
337 descrip = "Specify the security level [low, legacy, normal, high, ultra].";
338 doc = "This is alternative to the bits option.";
339 };
340
341 flag = {
342 name = disable-quick-random;
343 descrip = "No effect";
344 doc = "";
345 };
346
347 flag = {
348 name = template;
349 arg-type = file;
350 file-exists = yes;
351 descrip = "Template file to use for non-interactive operation";
352 doc = "";
353 };
354
355 flag = {
356 name = pkcs-cipher;
357 arg-type = string;
358 arg-name = "Cipher";
359 descrip = "Cipher to use for PKCS #8 and #12 operations";
360 doc = "Cipher may be one of 3des, 3des-pkcs12, aes-128, aes-192, aes-256, rc2-40, arcfour.";
361 };
362
363 doc-section = {
364 ds-type = 'SEE ALSO';
365 ds-format = 'texi';
366 ds-text = <<-_EOT_
367 p11tool (1)
368 _EOT_;
369 };
370
371 doc-section = {
372 ds-type = 'EXAMPLES';
373 ds-format = 'texi';
374 ds-text = <<-_EOT_
375 @subheading Generating private keys
376 To create an RSA private key, run:
377 @example
378 $ certtool --generate-privkey --outfile key.pem --rsa
379 @end example
380
381 To create a DSA or elliptic curves (ECDSA) private key use the
382 above command combined with 'dsa' or 'ecc' options.
383
384 @subheading Generating certificate requests
385 To create a certificate request (needed when the certificate is issued by
386 another party), run:
387 @example
388 certtool --generate-request --load-privkey key.pem \
389 --outfile request.pem
390 @end example
391
392 If the private key is stored in a smart card you can generate
393 a request by specifying the private key object URL.
394 @example
395 $ ./certtool --generate-request --load-privkey "pkcs11:..." \
396 --load-pubkey "pkcs11:..." --outfile request.pem
397 @end example
398
399
400 @subheading Generating a self-signed certificate
401 To create a self signed certificate, use the command:
402 @example
403 $ certtool --generate-privkey --outfile ca-key.pem
404 $ certtool --generate-self-signed --load-privkey ca-key.pem \
405 --outfile ca-cert.pem
406 @end example
407
408 Note that a self-signed certificate usually belongs to a certificate
409 authority, that signs other certificates.
410
411 @subheading Generating a certificate
412 To generate a certificate using the previous request, use the command:
413 @example
414 $ certtool --generate-certificate --load-request request.pem \
415 --outfile cert.pem --load-ca-certificate ca-cert.pem \
416 --load-ca-privkey ca-key.pem
417 @end example
418
419 To generate a certificate using the private key only, use the command:
420 @example
421 $ certtool --generate-certificate --load-privkey key.pem \
422 --outfile cert.pem --load-ca-certificate ca-cert.pem \
423 --load-ca-privkey ca-key.pem
424 @end example
425
426 @subheading Certificate information
427 To view the certificate information, use:
428 @example
429 $ certtool --certificate-info --infile cert.pem
430 @end example
431
432 @subheading PKCS #12 structure generation
433 To generate a PKCS #12 structure using the previous key and certificate,
434 use the command:
435 @example
436 $ certtool --load-certificate cert.pem --load-privkey key.pem \
437 --to-p12 --outder --outfile key.p12
438 @end example
439
440 Some tools (reportedly web browsers) have problems with that file
441 because it does not contain the CA certificate for the certificate.
442 To work around that problem in the tool, you can use the
443 --load-ca-certificate parameter as follows:
444
445 @example
446 $ certtool --load-ca-certificate ca.pem \
447 --load-certificate cert.pem --load-privkey key.pem \
448 --to-p12 --outder --outfile key.p12
449 @end example
450
451 @subheading Diffie-Hellman parameter generation
452 To generate parameters for Diffie-Hellman key exchange, use the command:
453 @example
454 $ certtool --generate-dh-params --outfile dh.pem --sec-param normal
455 @end example
456
457 @subheading Proxy certificate generation
458 Proxy certificate can be used to delegate your credential to a
459 temporary, typically short-lived, certificate. To create one from the
460 previously created certificate, first create a temporary key and then
461 generate a proxy certificate for it, using the commands:
462
463 @example
464 $ certtool --generate-privkey > proxy-key.pem
465 $ certtool --generate-proxy --load-ca-privkey key.pem \
466 --load-privkey proxy-key.pem --load-certificate cert.pem \
467 --outfile proxy-cert.pem
468 @end example
469
470 @subheading Certificate revocation list generation
471 To create an empty Certificate Revocation List (CRL) do:
472
473 @example
474 $ certtool --generate-crl --load-ca-privkey x509-ca-key.pem \
475 --load-ca-certificate x509-ca.pem
476 @end example
477
478 To create a CRL that contains some revoked certificates, place the
479 certificates in a file and use @code{--load-certificate} as follows:
480
481 @example
482 $ certtool --generate-crl --load-ca-privkey x509-ca-key.pem \
483 --load-ca-certificate x509-ca.pem --load-certificate revoked-certs.pem
484 @end example
485
486 To verify a Certificate Revocation List (CRL) do:
487
488 @example
489 $ certtool --verify-crl --load-ca-certificate x509-ca.pem < crl.pem
490 @end example
491 _EOT_;
492 };
493
494
495 doc-section = {
496 ds-type = 'FILES';
497 ds-format = 'texi';
498 ds-text = <<-_EOT_
499 @subheading Certtool's template file format
500 A template file can be used to avoid the interactive questions of
501 certtool. Initially create a file named 'cert.cfg' that contains the information
502 about the certificate. The template can be used as below:
503
504 @example
505 $ certtool --generate-certificate cert.pem --load-privkey key.pem \
506 --template cert.cfg \
507 --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem
508 @end example
509
510 An example certtool template file that can be used to generate a certificate
511 request or a self signed certificate follows.
512
513 @example
514 # X.509 Certificate options
515 #
516 # DN options
517
518 # The organization of the subject.
519 organization = "Koko inc."
520
521 # The organizational unit of the subject.
522 unit = "sleeping dept."
523
524 # The locality of the subject.
525 # locality =
526
527 # The state of the certificate owner.
528 state = "Attiki"
529
530 # The country of the subject. Two letter code.
531 country = GR
532
533 # The common name of the certificate owner.
534 cn = "Cindy Lauper"
535
536 # A user id of the certificate owner.
537 #uid = "clauper"
538
539 # Set domain components
540 #dc = "name"
541 #dc = "domain"
542
543 # If the supported DN OIDs are not adequate you can set
544 # any OID here.
545 # For example set the X.520 Title and the X.520 Pseudonym
546 # by using OID and string pairs.
547 #dn_oid = 2.5.4.12 Dr.
548 #dn_oid = 2.5.4.65 jackal
549
550 # This is deprecated and should not be used in new
551 # certificates.
552 # pkcs9_email = "none@@none.org"
553
554 # The serial number of the certificate
555 serial = 007
556
557 # In how many days, counting from today, this certificate will expire.
558 expiration_days = 700
559
560 # X.509 v3 extensions
561
562 # A dnsname in case of a WWW server.
563 #dns_name = "www.none.org"
564 #dns_name = "www.morethanone.org"
565
566 # A subject alternative name URI
567 #uri = "http://www.example.com"
568
569 # An IP address in case of a server.
570 #ip_address = "192.168.1.1"
571
572 # An email in case of a person
573 email = "none@@none.org"
574
575 # Challenge password used in certificate requests
576 challenge_passwd = 123456
577
578 # An URL that has CRLs (certificate revocation lists)
579 # available. Needed in CA certificates.
580 #crl_dist_points = "http://www.getcrl.crl/getcrl/"
581
582 # Whether this is a CA certificate or not
583 #ca
584
585 # for microsoft smart card logon
586 # key_purpose_oid = 1.3.6.1.4.1.311.20.2.2
587
588 ### Other predefined key purpose OIDs
589
590 # Whether this certificate will be used for a TLS client
591 #tls_www_client
592
593 # Whether this certificate will be used for a TLS server
594 #tls_www_server
595
596 # Whether this certificate will be used to sign data (needed
597 # in TLS DHE ciphersuites).
598 signing_key
599
600 # Whether this certificate will be used to encrypt data (needed
601 # in TLS RSA ciphersuites). Note that it is preferred to use different
602 # keys for encryption and signing.
603 #encryption_key
604
605 # Whether this key will be used to sign other certificates.
606 #cert_signing_key
607
608 # Whether this key will be used to sign CRLs.
609 #crl_signing_key
610
611 # Whether this key will be used to sign code.
612 #code_signing_key
613
614 # Whether this key will be used to sign OCSP data.
615 #ocsp_signing_key
616
617 # Whether this key will be used for time stamping.
618 #time_stamping_key
619
620 # Whether this key will be used for IPsec IKE operations.
621 #ipsec_ike_key
622
623 ### end of key purpose OIDs
624
625 # When generating a certificate from a certificate
626 # request, then honor the extensions stored in the request
627 # and store them in the real certificate.
628 #honor_crq_extensions
629
630 # Path length contraint. Sets the maximum number of
631 # certificates that can be used to certify this certificate.
632 # (i.e. the certificate chain length)
633 #path_len = -1
634 #path_len = 2
635
636 # OCSP URI
637 # ocsp_uri = http://my.ocsp.server/ocsp
638
639 # CA issuers URI
640 # ca_issuers_uri = http://my.ca.issuer
641
642 # Certificate policies
643 # policy1 = 1.3.6.1.4.1.5484.1.10.99.1.0
644 # policy1_txt = "This is a long policy to summarize"
645 # policy1_url = http://www.example.com/a-policy-to-read
646
647 # policy2 = 1.3.6.1.4.1.5484.1.10.99.1.1
648 # policy2_txt = "This is a short policy"
649 # policy2_url = http://www.example.com/another-policy-to-read
650
651
652 # Options for proxy certificates
653 # proxy_policy_language = 1.3.6.1.5.5.7.21.1
654
655
656 # Options for generating a CRL
657
658 # next CRL update will be in 43 days (wow)
659 #crl_next_update = 43
660
661 # this is the 5th CRL by this CA
662 #crl_number = 5
663
664 @end example
665
666 _EOT_;
667 };
668
Implementation of the SSL/TLS protocol