GnuTLS Certificate Authority Commands
Apple ships its own certtool, so GnuTLS' certtool is renamed gnutls-certtool in MacPorts.

Create Private Key

GnuTLS

```
gnutls-certtool --generate-privkey --bits 2048 --outfile test.key
```
OpenSSL
```
openssl genrsa -out test.key 2048
```
Create Certificate Request

GnuTLS

You can also write your own template file and pass it with --template instead of answering the prompts interactively.

```
gnutls-certtool --generate-request --load-privkey test.key --outfile test.csr
Generating a PKCS #10 certificate request...
Common name:
Organizational unit name:
Organization name:
Locality name:
State or province name:
Country name (2 chars):
Enter the subject's domain component (DC):
UID:
Enter a dnsName of the subject of the certificate:
Enter a URI of the subject of the certificate:
Enter the IP address of the subject of the certificate:
Enter the e-mail of the subject of the certificate:
Enter a challenge password:
Does the certificate belong to an authority? (y/N):
Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (Y/n):
Will the certificate be used for encryption (RSA ciphersuites)? (Y/n):
Is this a TLS web client certificate? (y/N):
Is this a TLS web server certificate? (y/N):
Self signature: verified
```
OpenSSL
```
openssl req -new -key test.key -out test.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
```
Sign request

GnuTLS

```
gnutls-certtool --generate-certificate --load-request sskaje.csr --load-ca-certificate ~/Documents/CA/USER\ CA/user_ca.pem --load-ca-privkey ~/Documents/CA/USER\ CA/user_ca.key --template sskaje.tmpl --outfile tmp.pem
```
OpenSSL

I don't like openssl.cnf!

Show certificate information

GnuTLS

```
gnutls-certtool --certificate-info --infile sskaje-cert.pem
```
OpenSSL
```
openssl x509 -in sskaje-cert.pem -text
```