certtool - Linux

Overview

certtool is a versatile tool for managing and inspecting X.509 certificates and certificate requests in a variety of formats on Linux systems. It offers a comprehensive suite of features for creating, verifying, converting, and analyzing certificates.

Syntax

certtool [-h] [-V] [-i <input>] [-o <output>] [--indent <indent>] [--text | --subject-text] [--crl-text | --crl-subject-text]
          [-c|--create-request|--create-self-signed] [-f|--create-cert] [--format <format>] [--key <keyfile>] [--type <type>]
          [-p|--purpose <purpose>] [--issuer <issuer>] [--subject <subject>] [--validity <validity>] [--san <san>]
          [-x|--extract-certificate] [--export-key] [--import-key] [-v|--verify] [--no-trust-anchor] [--no-verify-issuer]
          [--trust-anchor <trust_anchor>] [--extension <extension>] [--ca] [--crl] [--list-crl] [--show-all]
          [--subject-lookup-type <lookup_type>] [--subject-lookup-value <lookup_value>] [--subject-lookup-flags <lookup_flags>]
          [--issuer-lookup-type <lookup_type>] [--issuer-lookup-value <lookup_value>] [--issuer-lookup-flags <lookup_flags>]
          [--crl-lookup-type <lookup_type>] [--crl-lookup-value <lookup_value>] [--crl-lookup-flags <crl_lookup_flags>]

Options/Flags

  • -h, --help: Display the help message.
  • -V, --version: Display the version information.
  • -i, --input: Path to the input file containing the certificate or certificate request.
  • -o, --output: Path to the output file to write the certificate or certificate request.
  • --indent: Indentation level for text output.
  • --text: Output the certificate in text format.
  • --subject-text: Output the certificate subject in text format.
  • --crl-text: Output the CRL in text format.
  • --crl-subject-text: Output the CRL subject in text format.
  • --create-request: Create a new certificate request.
  • --create-self-signed: Create a new self-signed certificate.
  • --create-cert: Create a new certificate.
  • --format: Specify the input/output format.
  • --key: Path to the private key file.
  • --type: Specify the certificate type.
  • --purpose: Specify the certificate purpose.
  • --issuer: Specify the certificate issuer.
  • --subject: Specify the certificate subject.
  • --validity: Specify the certificate validity period in days.
  • --san: Specify the Subject Alternative Names (SANs).
  • --extract-certificate: Extract the certificate from the input file.
  • --export-key: Export the private key from the input file.
  • --import-key: Import the private key from the input file.
  • --verify: Verify the certificate against the system trust store.
  • --no-trust-anchor: Do not check the trust anchor for the certificate.
  • --no-verify-issuer: Do not verify the issuer of the certificate.
  • --trust-anchor: Specify the trust anchor file for verification.
  • --extension: Specify additional certificate extensions.
  • --ca: Create a CA certificate.
  • --crl: Create a Certificate Revocation List (CRL).
  • --list-crl: List the certificates in the CRL.
  • --show-all: Display all information about the certificate.
  • --subject-lookup-type: Specify the lookup type for subject field.
  • --subject-lookup-value: Specify the lookup value for subject field.
  • --subject-lookup-flags: Specify the lookup flags for subject field.
  • --issuer-lookup-type: Specify the lookup type for issuer field.
  • --issuer-lookup-value: Specify the lookup value for issuer field.
  • --issuer-lookup-flags: Specify the lookup flags for issuer field.
  • --crl-lookup-type: Specify the lookup type for CRL field.
  • --crl-lookup-value: Specify the lookup value for CRL field.
  • --crl-lookup-flags: Specify the lookup flags for CRL field.

Examples

Creating a Certificate Signing Request (CSR):

certtool --create-request --subject "CN=example.com" \
         --key example.key --output example.csr

Creating a Self-Signed Certificate:

certtool --create-self-signed --subject "CN=localhost" \
         --key example.key --output example.crt

Verifying a Certificate:

certtool --verify example.crt

Extracting the Certificate from a Keystore:

certtool --extract-certificate --keystore keystore.jks --output example.crt

Combining Multiple Commands:

certtool --create-request --subject "CN=example.com" \
         --key example.key | certtool --create-cert \
         --issuer my_ca.crt --key my_ca.key --output example.crt

Common Issues

  • Certificate not recognized: Ensure that the certificate is properly formatted and that the trust anchor is installed.
  • Invalid private key: Ensure that the private key provided matches the certificate.
  • Error creating self-signed certificate: The subject must have a common name (CN) field.

Integration

With ‘openssl’:

openssl req -new -key example.key | certtool --create-cert \
         --subject "CN=example.com" --issuer my_ca.crt --key my_ca.key

With ‘nss-tools’:

certutil -L -n example.com > example.pem
certtool --import-key --input example.pem --output example.key

Related Commands

  • openssl
  • nss-tools
  • crltool