Manual Reference Pages  -  CREATE-CERT (8)

NAME

create-cert - create openssl client key and certificates

CONTENTS

Synopsis
Description
Options
Examples
Files
Author
Bugs

SYNOPSIS

create-cert [-nv] [-c config] -I
create-cert [-nv] [-c config] -C cert
create-cert [-nv] [-c config] -R
create-cert [-fnv] [-c config] FQDN

DESCRIPTION

create-cert is a script that uses openssl(1) to create self-signed host certificates and private keys for fully qualified domain names (FQDNs).

A configuration file is used to specify certificate attributes. The -I flag is used to create an initial version of this file. The user may optionally customize this file before running create-cert with the -R flag, which creates a self-signed rootca cert and key.

Once a valid configuration file and rootca cert and key files are all present, create-cert can be used to create cert and key files for a FQDN. This means the name must have at least one '.' in it; use the -f flag to override this restriction.

Key files are created without group or world read permissions. The script always refuses to overwrite existing files. If c_rehash is found on the user’s PATH, it is used to hash the certs directory after a host cert is created.

OPTIONS

Here are the command line options:
-c config Specify the configuration file; defaults to create-cert.conf.
-C cert Like -I, creates an initial configuration file but populates the values from an existing X509 certificate file cert. This is a handy way to bootstrap an old tree of self-signed certs for use with create-cert.
-f Normally, create-cert requires FQDNs. The -f flag removes this restriction.
-I Create an initial configuration file; see the description for the -c flag for more details about the filename used.
-n Show the shell commands but do not execute them (aka dry run).
-R Create a self-signed rootca cert and private key.
-v Increase verbosity.

CONFIGURATION OPTIONS

Here are the configuration options that may be used in create-cert.conf.
country The two character country code.
state The State or province.
city The City or locality.
organization
  The name of the organization or company.
authority The name of the authority.
rootname The root certificate authority name.
email The email address of the organization.
bits Size of the key in bits. Keys smaller than 2048 are not recommended.
digest The format of the message digest. Possible values include md2, md5, mdc2, rmd160, sha, sha1, sha224, sha256, sha384 and sha512. sha1 or higher is recommended; in particular, md5 is not recommended, as iPhones reject certificates using this hash algorithm due to its weakness.
days The lifetime of the host certificate in days. The default is 3650 (10 years).

EXAMPLES

Here’s an example work flow using create-cert to create a new rootca and host certs and keys (uninteresting output from openssl has been removed):
% create-cert -I
create-cert: Creating a default in create-cert.conf
% vi create-cert.conf
% create-cert -R
create-cert: Creating the key for the new rootca
create-cert: Creating temporary rootca config
create-cert: Creating the cert for the new rootca
create-cert: Creating the database file for the new rootca
create-cert: Creating the serial file for the new rootca
% create-cert foo.lbl.gov
create-cert: Creating the key for foo.lbl.gov
create-cert: Create a cert config for foo.lbl.gov
create-cert: Create a CSR config for foo.lbl.gov
create-cert: Create a CSR for foo.lbl.gov
create-cert: Sign the certificate request for foo.lbl.gov
create-cert: Verify the the csr for foo.lbl.gov
create-cert: Remove junk we don’t need
create-cert: Rehashing the cert directory
create-cert: Cert and key for foo.lbl.gov successfully created
% create-cert bar.lbl.gov
create-cert: Creating the key for bar.lbl.gov
[...]
create-cert: Cert and key for bar.lbl.gov successfully created
% find . -type f
./create-cert.conf
./private/rootca.key
./private/serial
./private/foo.lbl.gov.key
./private/bar.lbl.gov.key
./certs/rootca.pem
./certs/rootca.index
./certs/foo.lbl.gov.pem
./certs/bar.lbl.gov.pem
Here are some examples of the error checking:
% create-cert -I
create-cert: Error: create-cert.conf exists
% create-cert -R
create-cert: Error: private/rootca.key exists
create-cert: Error: certs/rootca.pem exists
% create-cert bar.lbl.gov
create-cert: Error: private/bar.lbl.gov.key exists
create-cert: Error: certs/bar.lbl.gov.pem exists

FILES

create-cert.conf create-cert configuration file
certs public certs directory
certs/rootca.index
  certificate database file
certs/rootca.pem rootca public cert file
private private key directory
private/rootca.key
  rootca private key file
private/serial certificate serial number file
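
The following audit script is an added example, not part of create-cert or written by its author. It checks a tree with the layout listed under FILES against two statements made above (key files have no group or world read permission; md5 and keys under 2048 bits are not recommended); the function names, the flagging of md2 and mdc2, and the RSA-only key-size check are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of create-cert. Assumes the layout under FILES:
# DIR/private/*.key and DIR/certs/*.pem.

# Print key files that are readable by group or world.
loose_keys() {
    find "$1/private" -type f -name '*.key' \( -perm -040 -o -perm -004 \)
}

# Read `openssl x509 -noout -text` output on stdin, print one finding per line.
# md5 and keys under 2048 bits follow the man page; flagging md2 and mdc2 and
# limiting the size check to RSA keys are assumptions of this example.
check_cert_text() {
    awk '
        /Signature Algorithm:/ && !seen {
            seen = 1; alg = tolower($NF)
            if (alg ~ /^(md2|md5|mdc2)/) print "weak-digest " alg
        }
        /Public Key Algorithm:/ { rsa = ($NF == "rsaEncryption") }
        rsa && /Public[- ]Key: \(/ {
            bits = $0; sub(/.*\(/, "", bits); sub(/ .*/, "", bits)
            if (bits + 0 < 2048) print "short-key " bits
        }
    '
}

# Audit a whole tree, printing "path: finding" lines.
audit_tree() {
    loose_keys "$1" | while IFS= read -r key; do
        printf '%s: readable by group or world\n' "$key"
    done
    for pem in "$1"/certs/*.pem; do
        [ -f "$pem" ] || continue
        openssl x509 -in "$pem" -noout -text | check_cert_text |
            while IFS= read -r finding; do
                printf '%s: %s\n' "$pem" "$finding"
            done
    done
}

# Usage: sh audit.sh DIR
if [ "$#" -gt 0 ]; then
    audit_tree "$1"
fi
```

No output from audit_tree means neither check found anything; it is most useful on an old tree imported with -C, where the digest and key size were chosen before the current configuration existed.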

SEE ALSO

openssl(1)

AUTHOR


Craig Leres

BUGS
