certtool - Linux
Overview
certtool is a versatile tool for managing and inspecting X.509 certificates and certificate requests in a variety of formats on Linux systems. It offers a comprehensive suite of features for creating, verifying, converting, and analyzing certificates.
Syntax
certtool [-h] [-V] [-i <input>] [-o <output>] [--indent <indent>] [--text | --subject-text] [--crl-text | --crl-subject-text]
[-c|--create-request|--create-self-signed] [-f|--create-cert] [--format <format>] [--key <keyfile>] [--type <type>]
[-p|--purpose <purpose>] [--issuer <issuer>] [--subject <subject>] [--validity <validity>] [--san <san>]
[-x|--extract-certificate] [--export-key] [--import-key] [-v|--verify] [--no-trust-anchor] [--no-verify-issuer]
[--trust-anchor <trust_anchor>] [--extension <extension>] [--ca] [--crl] [--list-crl] [--show-all]
[--subject-lookup-type <lookup_type>] [--subject-lookup-value <lookup_value>] [--subject-lookup-flags <lookup_flags>]
[--issuer-lookup-type <lookup_type>] [--issuer-lookup-value <lookup_value>] [--issuer-lookup-flags <lookup_flags>]
[--crl-lookup-type <lookup_type>] [--crl-lookup-value <lookup_value>] [--crl-lookup-flags <crl_lookup_flags>]
Options/Flags
-h, --help: Display the help message.
-V, --version: Display the version information.
-i, --input: Path to the input file containing the certificate or certificate request.
-o, --output: Path to the output file to write the certificate or certificate request.
--indent: Indentation level for text output.
--text: Output the certificate in text format.
--subject-text: Output the certificate subject in text format.
--crl-text: Output the CRL in text format.
--crl-subject-text: Output the CRL subject in text format.
--create-request: Create a new certificate request.
--create-self-signed: Create a new self-signed certificate.
--create-cert: Create a new certificate.
--format: Specify the input/output format.
--key: Path to the private key file.
--type: Specify the certificate type.
--purpose: Specify the certificate purpose.
--issuer: Specify the certificate issuer.
--subject: Specify the certificate subject.
--validity: Specify the certificate validity period in days.
--san: Specify the Subject Alternative Names (SANs).
--extract-certificate: Extract the certificate from the input file.
--export-key: Export the private key from the input file.
--import-key: Import the private key from the input file.
--verify: Verify the certificate against the system trust store.
--no-trust-anchor: Do not check the trust anchor for the certificate.
--no-verify-issuer: Do not verify the issuer of the certificate.
--trust-anchor: Specify the trust anchor file for verification.
--extension: Specify additional certificate extensions.
--ca: Create a CA certificate.
--crl: Create a Certificate Revocation List (CRL).
--list-crl: List the certificates in the CRL.
--show-all: Display all information about the certificate.
--subject-lookup-type: Specify the lookup type for the subject field.
--subject-lookup-value: Specify the lookup value for the subject field.
--subject-lookup-flags: Specify the lookup flags for the subject field.
--issuer-lookup-type: Specify the lookup type for the issuer field.
--issuer-lookup-value: Specify the lookup value for the issuer field.
--issuer-lookup-flags: Specify the lookup flags for the issuer field.
--crl-lookup-type: Specify the lookup type for the CRL field.
--crl-lookup-value: Specify the lookup value for the CRL field.
--crl-lookup-flags: Specify the lookup flags for the CRL field.
Examples
Creating a Certificate Signing Request (CSR):
certtool --create-request --subject "CN=example.com" \
--key example.key --output example.csr
Creating a Self-Signed Certificate:
certtool --create-self-signed --subject "CN=localhost" \
--key example.key --output example.crt
Verifying a Certificate:
certtool --verify example.crt
Extracting the Certificate from a Keystore:
certtool --extract-certificate --keystore keystore.jks --output example.crt
Combining Multiple Commands:
certtool --create-request --subject "CN=example.com" \
--key example.key | certtool --create-cert \
--issuer my_ca.crt --key my_ca.key --output example.crt
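The key, CSR, CA-issue and verify steps above chained into one script, as an added example that is not part of this page. It assumes the GnuTLS certtool and uses its long option names (--generate-privkey, --template, --outfile, --load-privkey, --load-ca-certificate, --verify-hostname); the template values are constructed, and a final negative check confirms that a hostname absent from the SAN is rejected.

```shell
#!/bin/sh
# Added example (not from the page): issue a CA-signed server certificate with
# GnuTLS certtool, then confirm the chain and hostname verify as expected.
issue_and_verify() {
    command -v certtool >/dev/null 2>&1 || return 2   # certtool not installed
    work=$(mktemp -d) || return 1
    # Templates drive non-interactive generation; values here are constructed.
    cat >"$work/ca.tmpl" <<'EOF'
cn = "Example Test CA"
expiration_days = 365
ca
cert_signing_key
crl_signing_key
EOF
    cat >"$work/server.tmpl" <<'EOF'
cn = "localhost"
dns_name = "localhost"
expiration_days = 90
signing_key
encryption_key
tls_www_server
EOF
    # 1. CA key and self-signed CA certificate.
    certtool --generate-privkey --outfile "$work/ca.key" >/dev/null 2>&1 || return 1
    certtool --generate-self-signed --load-privkey "$work/ca.key" \
        --template "$work/ca.tmpl" --outfile "$work/ca.crt" >/dev/null 2>&1 || return 1
    # 2. Server key, CSR, and CA-issued certificate.
    certtool --generate-privkey --outfile "$work/server.key" >/dev/null 2>&1 || return 1
    certtool --generate-request --load-privkey "$work/server.key" \
        --template "$work/server.tmpl" --outfile "$work/server.csr" >/dev/null 2>&1 || return 1
    certtool --generate-certificate --load-request "$work/server.csr" \
        --load-ca-certificate "$work/ca.crt" --load-ca-privkey "$work/ca.key" \
        --template "$work/server.tmpl" --outfile "$work/server.crt" >/dev/null 2>&1 || return 1
    # 3. The chain must verify against the CA and the SAN must match the hostname.
    certtool --verify --load-ca-certificate "$work/ca.crt" --verify-hostname localhost \
        --infile "$work/server.crt" >/dev/null 2>&1 || return 1
    # 4. A hostname that is not in the SAN must be rejected.
    if certtool --verify --load-ca-certificate "$work/ca.crt" --verify-hostname wrong.example \
        --infile "$work/server.crt" >/dev/null 2>&1; then
        return 1
    fi
    rm -rf "$work"
    return 0
}
```

Return code 0 means every step succeeded, 1 means a step or the verification logic failed, and 2 means certtool is not on PATH.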
Common Issues
- Certificate not recognized: Ensure that the certificate is properly formatted and that the trust anchor is installed.
- Invalid private key: Ensure that the private key provided matches the certificate.
- Error creating self-signed certificate: The subject must have a common name (CN) field.
Integration
With ‘openssl’:
openssl req -new -key example.key | certtool --create-cert \
--subject "CN=example.com" --issuer my_ca.crt --key my_ca.key
With ‘nss-tools’:
certutil -L -n example.com -a > example.pem
certtool --import-key --input example.pem --output example.key
Related Commands
- openssl
- nss-tools
- crltool