Apple ships its own certtool, so GnuTLS’s certtool is renamed gnutls-certtool in MacPorts.
Create Private Key
GnuTLS
    gnutls-certtool --generate-privkey --bits 2048 --outfile test.key
OpenSSL
    openssl genrsa -out test.key 2048
Create Certificate Request
GnuTLS
You can also create your own template file rather than filling interactively.
    gnutls-certtool --generate-request --load-privkey test.key --outfile test.csr
    Generating a PKCS #10 certificate request...
    Common name:
    Organizational unit name:
    Organization name:
    Locality name:
    State or province name:
    Country name (2 chars):
    Enter the subject's domain component (DC):
    UID:
    Enter a dnsName of the subject of the certificate:
    Enter a URI of the subject of the certificate:
    Enter the IP address of the subject of the certificate:
    Enter the e-mail of the subject of the certificate:
    Enter a challenge password:
    Does the certificate belong to an authority? (y/N):
    Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (Y/n):
    Will the certificate be used for encryption (RSA ciphersuites)? (Y/n):
    Is this a TLS web client certificate? (y/N):
    Is this a TLS web server certificate? (y/N):
    Self signature: verified
OpenSSL
    openssl req -new -key test.key -out test.csr
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:
    State or Province Name (full name) [Some-State]:
    Locality Name (eg, city) []:
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:
    Organizational Unit Name (eg, section) []:
    Common Name (e.g. server FQDN or YOUR name) []:
    Email Address []:

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
Sign request
GnuTLS
    gnutls-certtool --generate-certificate --load-request sskaje.csr --load-ca-certificate ~/Documents/CA/USER\ CA/user_ca.pem --load-ca-privkey ~/Documents/CA/USER\ CA/user_ca.key --template sskaje.tmpl --outfile tmp.pem
OpenSSL
I don’t like openssl.cnf!
Show certificate information
GnuTLS
    gnutls-certtool --certificate-info --infile sskaje-cert.pem
OpenSSL
    openssl x509 -in sskaje-cert.pem -text
Export as PKCS#12
GnuTLS
    gnutls-certtool --load-certificate cert.pem --load-privkey key.pem --to-p12 --outder --outfile key.p12
    # with ca
    gnutls-certtool --load-ca-certificate ca.pem --load-certificate cert.pem --load-privkey key.pem --to-p12 --outder --outfile key.p12
OpenSSL
    openssl pkcs12 -export -in sskaje-cert.pem -inkey sskaje-key.pem -out sskaje.p12
    # with ca
    openssl pkcs12 -export -in sskaje-cert.pem -inkey sskaje-key.pem -certfile user_ca.pem -out sskaje.p12
Extract Keys And Certificates from PKCS#12
GnuTLS
I don’t know how…
You can manually copy from --p12-info
OpenSSL
    openssl pkcs12 -in certificate.p12 -nodes -nocerts -out user_ca.key
    openssl pkcs12 -in certificate.p12 -nodes -nokeys -out user_ca.pem
Show PKCS#12 Structure
GnuTLS
    gnutls-certtool --inder --infile clients/sskaje/sskaje.p12 --p12-info
OpenSSL
    openssl pkcs12 -in clients/sskaje/sskaje.p12 -info
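As an added example that is not part of the original post: the OpenSSL side of the whole procedure in one script, including the signing step the post leaves out (openssl x509 -req -CA ..., which needs no openssl.cnf) and the PKCS#12 export and extraction, followed by the two checks worth running on any key/certificate pair that came out of a .p12: the certificate verifies against the CA, and the extracted key really belongs to the extracted certificate. It assumes an openssl binary (1.1.1 or 3.x) on PATH; the file names, subject names and passphrase are made up for the example.

```shell
#!/bin/sh
# Added example (not from the original post). OpenSSL-only round trip:
# sign a CSR with a CA without touching openssl.cnf, export to PKCS#12,
# extract again, then verify the chain and that key and cert belong together.
# Assumes an openssl binary (1.1.1 or 3.x) on PATH; names are made up.
set -u

cert_roundtrip() {
    d=$(mktemp -d) || return 1
    pw='example-passphrase'   # demo value; read it from a file or env var in real use

    # 1. Throw-away CA. -subj avoids the interactive prompts shown in the post.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj '/CN=Example Test CA' \
        -keyout "$d/ca.key" -out "$d/ca.pem" || return 1

    # 2. User key and CSR, as in the post but non-interactive.
    openssl genrsa -out "$d/user.key" 2048 || return 1
    openssl req -new -key "$d/user.key" -subj '/CN=alice' -out "$d/user.csr" || return 1

    # 3. Sign the request with the CA. This form needs no openssl.cnf at all.
    openssl x509 -req -in "$d/user.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 365 -out "$d/user.pem" || return 1

    # 4. Export to PKCS#12 with the CA cert included (the post's "with ca" case).
    #    Passphrase given explicitly so nothing prompts.
    openssl pkcs12 -export -in "$d/user.pem" -inkey "$d/user.key" \
        -certfile "$d/ca.pem" -passout "pass:$pw" -out "$d/user.p12" || return 1

    # 5. Extract key and leaf cert. -nodes writes the key unencrypted to disk,
    #    exactly like the post's extraction commands; -clcerts skips the CA cert.
    openssl pkcs12 -in "$d/user.p12" -passin "pass:$pw" -nodes -nocerts \
        -out "$d/out.key" || return 1
    openssl pkcs12 -in "$d/user.p12" -passin "pass:$pw" -nokeys -clcerts \
        -out "$d/out.pem" || return 1

    # 6. Checks: the leaf chains to the CA, and the extracted key matches the
    #    extracted cert (same SubjectPublicKeyInfo PEM on both sides).
    openssl verify -CAfile "$d/ca.pem" "$d/out.pem" >/dev/null || return 1
    cert_pub=$(openssl x509 -in "$d/out.pem" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$d/out.key" -pubout) || return 1
    rm -rf "$d"
    [ "$cert_pub" = "$key_pub" ] && echo ok
}

cert_roundtrip
```

The two checks in step 6 work just as well on PEM files written by gnutls-certtool, since neither openssl verify nor the public-key comparison cares which tool produced them.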