certtool - The Certificate Tool

The certtool utility provides support for generating Certificate Signing Requests (CSR), decoding Base64 encoded certificates, and printing certificates.

SYNOPSIS

certtool -gencsr -keylength <keylength> -out <dirname>

certtool -b64toder <base64 encoded cert> -out <filename>

certtool -printcert <der encoded cert>
 

DESCRIPTION

certtool creates CSRs, decodes base64 encoded certificates, and prints certificates.

A CSR can be generated with the given public key pair size. A smaller key size is weaker and runs faster than a large key size. Larger key sizes run slower but are more secure. A key size of 1024 is a strong key size that runs at acceptable speeds. The CSR generation tool is launched by specifying the -gencsr parameter. It will take you through a series of steps.

In the first step, you need to enter your personal information. For example:

Step 1: Specifying your Distinguished Name.

After this, the tool will ask for a password to encrypt your private key. You will need to remember this password when you are ready to install this certificate.

Step 2: Specifying the password to use to protect your private key.

If necessary, you will then be asked to enter random characters, and move and click the mouse in the given box.

Fig 3: Providing input for Random Number Generation.

Once the program has collected enough random information, it will generate the public key pair, encrypt the private key with the specified password, and generate a CSR.

Fig 4: The resulting Certificate Signing Request.

The CSR and the PKCS8 encoded private key are written out to the specified directory. The CSR can now be sent to a Certificate Authority, who will (after due processing) grant you a certificate.

The certificate returned by the Certificate Authority, in response to a CSR, is typically a base64 encoded certificate that looks like the following:

-----BEGIN CERTIFICATE-----
(base64 encoded certificate data)
-----END CERTIFICATE-----

The certtool's -b64toder option can be used to decode the certificate and write it out to a file. The -printcert option can then be used to print out the certificate.

OPTIONS

-gencsr -keylength <keylength> -out <dirname>
Generates a public key pair with the given key size, and a Certificate Signing Request (CSR) and writes out the CSR (as csr.txt and csr.der) and the PKCS8 of the private key (privkey.pkcs8) in the given directory.
-b64toder <base64 encoded cert> -out <filename>
The base64 encoded certificate is read from the input file and written out to the given output file.
-printcert <der encoded cert>
Print a DER encoded certificate contained in the given file.

EXAMPLES

  1. Create a Certificate Request

      certtool -gencsr -keylength 1024

  2. Decode a Base64 encoded certificate

      certtool -b64toder d:\temp\cert -out d:\myProject\certs\john.cert

  3. Print a Certificate

      certtool -printcert d:\myProject\certs\john.cert

Copyright © 1998-2003, Novell, Inc. All rights reserved.