genkey(1) [centos man page]

GENKEY(1)                     Cryptography Utilities                     GENKEY(1)

NAME
       genkey - generate SSL certificates and certificate requests

SYNOPSIS
       genkey [--test] [--days count] [[--genreq] | [--makeca] | [--nss] | [--renew] | [--cacert]] {hostname}

DESCRIPTION
       genkey is an interactive command-line tool which can be used to generate SSL certificates or Certificate Signing Requests (CSR). Generated certificates are stored in the directory /etc/pki/tls/certs/, and the corresponding private key in /etc/pki/tls/private/.

       When using mod_nss the private key is stored in the nss database. Consult the nss.conf file in /etc/httpd/conf.d/ for the location of the database.

       genkey will prompt for the size of key desired; whether or not to generate a CSR; whether or not an encrypted private key is desired; and the certificate subject DN details.

       genkey generates random data for the private key using the truerand library and also by prompting the user for entry of random text.

       --nss indicates that the mod_nss database should be used to store keys and certificates.

OPTIONS
       --makeca
              Generate a Certificate Authority keypair and certificate.

       --genreq
              Generate a Certificate Signing Request for an existing private key, which can be submitted to a CA (for example, for renewal).

       --renew
              Used with --genreq to indicate a renewal; the existing keypair will be used. Certificates and keys must reside in the nss database, therefore --nss is also required. PEM file based certificate renewal is not currently supported.

       --cacert
              The certificate renewal is for a CA; needed for openssl certificates only.

       --days count
              When generating a self-signed certificate, specify that the number of days for which the certificate is valid be count rather than the default value of 30.

       --test
              For test purposes only; omit the slow process of generating random data.

EXAMPLES
       The following example will create a self-signed certificate and private key for the hostname www.example.com:

              # genkey --days 120 www.example.com

       The following example will create a self-signed certificate and private key for the hostname www.nssexample.com, which will be stored as a certificate and key in the nss database. If no nickname is given, the tool will extract it from mod_nss's nss configuration file.

              # genkey --nss --days 120 www.nssexample.com

       The following example will generate a certificate signing request for a new mod_nss style certificate specified by its nickname, Server-Cert:

              # genkey --genreq --nss --days 120 Server-Cert

       The following example will generate a certificate signing request for the renewal of an existing mod_nss certificate specified by its nickname, Server-Cert:

              # genkey --genreq --renew --nss --days 120 Server-Cert

FILES
       /etc/pki/tls/openssl.cnf

SEE ALSO
       certwatch(1), keyrand(1)

crypto-utils 2.4.1                     9 June 2014                     GENKEY(1)
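
The following script is an added example, not part of the genkey manual page or of crypto-utils. It audits a directory of PEM private keys, such as /etc/pki/tls/private/, for the two properties the DESCRIPTION touches on: where the key file lives and whether it was stored encrypted. The function names are hypothetical, and keys held in the nss database are not covered.

```shell
#!/bin/sh
# Added example: audit PEM private keys in a directory such as
# /etc/pki/tls/private/. Function names are hypothetical.

# key_is_encrypted FILE: succeeds if the PEM key is passphrase-protected.
# Matches PKCS #8 ("BEGIN ENCRYPTED PRIVATE KEY") and the traditional
# OpenSSL PEM header ("Proc-Type: 4,ENCRYPTED").
key_is_encrypted() {
    grep -Eq '^-----BEGIN ENCRYPTED PRIVATE KEY-----|^Proc-Type: 4,ENCRYPTED' "$1"
}

# key_mode_ok FILE: succeeds if no group or other permission bits are set.
# Characters 5-10 of the ls mode string are the group and other triplets.
key_mode_ok() {
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# audit_key_dir DIR: print one finding per line and return non-zero if
# any private key in DIR is readable beyond its owner or is unencrypted.
audit_key_dir() {
    dir=$1
    findings=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # Skip files that do not contain a PEM private key.
        grep -q 'PRIVATE KEY-----' "$f" || continue
        if ! key_mode_ok "$f"; then
            echo "PERMS $f"
            findings=$((findings + 1))
        fi
        if ! key_is_encrypted "$f"; then
            echo "PLAINTEXT $f"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Run the audit when a directory is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_key_dir "$1"
fi
```

An unencrypted key is often a deliberate choice so that the web server can start unattended; in that case the PERMS finding is the one that matters.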


certtool(1)                     General Commands Manual                     certtool(1)

NAME
       certtool - Manipulate certificates and keys.

SYNOPSIS
       certtool [options]

DESCRIPTION
       Generate X.509 certificates, certificate requests, and private keys.

OPTIONS
   Program control options
       -d, --debug LEVEL
              Specify the debug level. Default is 1.

       -h, --help
              Shows this help text.

       -v, --version
              Shows the program's version.

   Getting information on X.509 certificates
       -i, --certificate-info
              Print information on a certificate.

       -k, --key-info
              Print information on a private key.

       -l, --crl-info
              Print information on a CRL.

       --p12-info
              Print information on a PKCS #12 structure.

   Getting information on OpenPGP certificates
       --pgp-certificate-info
              Print information on an OpenPGP certificate.

       --pgp-key-info
              Print information on an OpenPGP private key.

       --pgp-ring-info
              Print information on a keyring.

   Generating/verifying X.509 certificates/keys
       -c, --generate-certificate
              Generate a signed certificate.

       -e, --verify-chain
              Verify a PEM encoded certificate chain. The last certificate in the chain must be a self-signed one.

       --generate-dh-params
              Generate PKCS #3 encoded Diffie-Hellman parameters.

       --load-ca-certificate FILE
              Certificate authority's certificate file to use.

       --load-ca-privkey FILE
              Certificate authority's private key file or PKCS #11 URL to use.

       --load-certificate FILE
              Certificate file to use.

       --load-privkey FILE
              Private key file or PKCS #11 URL to use.

       --load-pubkey FILE
              Public key file or PKCS #11 URL to use.

       --load-request FILE
              Certificate request file to use.

       -p, --generate-privkey
              Generate a private key.

       -q, --generate-request
              Generate a PKCS #10 certificate request.

       -s, --generate-self-signed
              Generate a self-signed certificate.

       -u, --update-certificate
              Update a signed certificate.

   Controlling output
       -8, --pkcs8
              Use PKCS #8 format for private keys.

       --pkcs-cipher
              The cipher to use when doing pkcs encryption. Valid options are 3des, aes-128, aes-192, aes-256, rc2-40.

       --dsa  Generate a DSA key.

       --bits BITS
              Specify the number of bits for key generation.

       --export-ciphers
              Use weak encryption algorithms.

       --inraw
              Use RAW/DER format for input certificates and private keys.

       --infile FILE
              Input file.

       --outraw
              Use RAW/DER format for output certificates and private keys.

       --outfile FILE
              Output file.

       --password PASSWORD
              Password to use.

       --to-p12
              Generate a PKCS #12 structure.

       --template
              Use a template file to read input. See the doc/certtool.cfg in the distribution for an example.

       --fix-key
              Some previous versions of certtool wrongly generated the optional parameters in a private key. This may affect programs that used them. To fix an old private key, use --key-info in combination with this parameter.

       --v1   When generating a certificate, use the X.509 version 1 format. This does not add any extensions (such as indication for a CA) but some programs do need these.

EXAMPLES
       To create a private key, run:

              $ certtool --generate-privkey --outfile key.pem

       To create a certificate request (needed when the certificate is issued by another party), run:

              $ certtool --generate-request --load-privkey key.pem --outfile request.pem

       To create a certificate request using a key stored in a PKCS #11 token, run:

              $ ./certtool --generate-request --load-privkey "pkcs11:..." --load-pubkey "pkcs11:..." --outfile request.pem

       To generate a certificate using the previous request, use the command:

              $ certtool --generate-certificate --load-request request.pem --outfile cert.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem

       To generate a certificate using the private key only, use the command:

              $ certtool --generate-certificate --load-privkey key.pem --outfile cert.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem

       To view the certificate information, use:

              $ certtool --certificate-info --infile cert.pem

       To generate a PKCS #12 structure using the previous key and certificate, use the command:

              $ certtool --load-certificate cert.pem --load-privkey key.pem --to-p12 --outder --outfile key.p12

AUTHOR
       Nikos Mavrogiannopoulos <nmav@gnutls.org> and others; see /usr/share/doc/gnutls-bin/AUTHORS for a complete list.

       This manual page was written by Ivo Timmermans <ivo@debian.org>, for the Debian GNU/Linux system (but may be used by others).

                                   May 23rd 2005                         certtool(1)