CREATE-CERT(8) FreeBSD System Manager's Manual CREATE-CERT(8)

NAME
create-cert - create openssl client key and certificates

SYNOPSIS
create-cert [-nv] [-c config] -I

create-cert [-nv] [-c config] -C cert

create-cert [-nv] [-c config] -R

create-cert [-fnv] [-c config] [-b bits] [-d days] [-D digest] FQDN ...

DESCRIPTION
create-cert is a script that uses openssl(1) to create self-signed host certificates and private keys for fully qualified domain names (FQDNs).

A configuration file specifies the certificate attributes. The -I flag creates an initial version of this file. The user may optionally customize this file before running create-cert with the -R flag, which creates a self-signed rootca cert and key.

Once a valid configuration file, rootca cert, and key files are all present, create-cert can be used to create cert and key files for a FQDN. The FQDN is added as a Subject Alt Name, as are any additional arguments. create-cert requires each FQDN (and any Subject Alt Name) to include at least one ‘.’; use the -f flag to override this restriction. IPv4 and IPv6 addresses may also be specified.

Key files are created without group or world read permissions. The script always refuses to overwrite existing files. If c_rehash is found on the user's PATH, it is used to hash the certs directory after a host cert is created.

OPTIONS
Here are the command line options:
-b bits
        Override the size of the key in bits when creating a certificate.
-d days
        When creating a new certificate, override the number of days to certify it.
-D digest
        When creating a new certificate, override the digest.
-c config
        Specify the configuration file; defaults to create-cert.conf.
-C cert
        Like -I, creates an initial configuration file but populates the values from an existing X509 root or host certificate file cert. This is a handy way to bootstrap an old tree of self-signed certs for use with create-cert.
-f
        Normally, create-cert requires FQDNs (with at least one ‘.’ in them). The -f flag removes this restriction.
-I
        Create an initial configuration file; see the description for the -c flag for more details about the filename used.
-n
        Show the shell commands but do not execute them (aka dry run).
-R
        Create a self-signed rootca cert and private key.
-v
        Increase verbosity.

CONFIGURATION
Here are the configuration options that may be used in create-cert.conf.
The two character country code.
The State or province.
The City or locality.
The name of the organization or company.
The name of the authority.
The root certificate authority name.
The email address of the organization.
Size of the key in bits. Keys smaller than 2048 are not recommended.
The format of the message digest. Possible values include md2, md5, mdc2, rmd160, sha, sha1, sha224, sha256, sha384 and sha512. sha1 or higher is recommended; in particular md5 is not recommended, as iPhones reject certificates using this hash algorithm due to its weakness.
The number of days to certify the certificate. The default is 3650 (10 years).

EXAMPLES
Here's an example workflow using create-cert to create a new rootca and host certs and keys (uninteresting output from openssl has been removed):
% create-cert
create-cert: Please use -I or -C to create a config (create-cert.conf)
% create-cert -I
create-cert: Creating a default in create-cert.conf
% vi create-cert.conf
% create-cert -R
create-cert: Creating the key for the new rootca
create-cert: Creating temporary rootca config
create-cert: Creating the cert for the new rootca
create-cert: Creating the database file for the new rootca
create-cert: Creating the serial file for the new rootca
% create-cert foo.lbl.gov
create-cert: Creating the key for foo.lbl.gov
create-cert: Create a cert config for foo.lbl.gov
create-cert: Create a CSR config for foo.lbl.gov
create-cert: Create a CSR for foo.lbl.gov
create-cert: Sign the certificate request for foo.lbl.gov
create-cert: Verify the the csr for foo.lbl.gov
create-cert: Remove junk we don't need
create-cert: Rehashing the cert directory
create-cert: Cert and key for foo.lbl.gov successfully created
% create-cert bar.lbl.gov 10.0.0.1
create-cert: Creating the key for bar.lbl.gov
[...]
create-cert: Cert and key for bar.lbl.gov successfully created
% find . -type f | sort
./certs/bar.lbl.gov.pem
./certs/foo.lbl.gov.pem
./certs/rootca.index
./certs/rootca.index.attr
./certs/rootca.index.attr.old
./certs/rootca.pem
./create-cert.conf
./private/bar.lbl.gov.key
./private/foo.lbl.gov.key
./private/rootca.key
./private/serial
% openssl x509 -text -noout -in certs/bar.lbl.gov.pem | egrep 'Alternative|DNS'
    X509v3 Subject Alternative Name:
        DNS:bar.lbl.gov, IP Address:10.0.0.1

Here are some examples of the error checking:

% create-cert -I
create-cert: Error: create-cert.conf exists
% create-cert -R
create-cert: Error: private/rootca.key exists
create-cert: Error: certs/rootca.pem exists
% create-cert bar.lbl.gov
create-cert: Error: private/bar.lbl.gov.key exists
create-cert: Error: certs/bar.lbl.gov.pem exists
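The workflow and checks shown above, as an added example that is not the create-cert script itself: a minimal POSIX sh reimplementation using only openssl(1), with the same rootca-then-host-cert sequence, FQDN and IP arguments mapped to Subject Alt Names, private keys created without group or world read permission, and a refusal to overwrite existing files. The directory layout, subject fields, function names and host names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not the create-cert script itself: a minimal reimplementation of
# the workflow the man page describes (self-signed rootca, then host certs whose
# FQDN and extra arguments become Subject Alt Names), using only openssl(1).
# Directory layout, subject fields and host names are assumptions for illustration.
set -eu

# create-cert never overwrites existing files; fail before touching anything.
refuse_if_exists() {
    for f in "$@"; do
        if [ -e "$f" ]; then
            echo "Error: $f exists" >&2
            return 1
        fi
    done
}

# Require at least one '.' in the name, as create-cert does without -f.
require_fqdn() {
    case $1 in
        *.*) return 0 ;;
        *) echo "Error: $1 is not fully qualified (no '.')" >&2; return 1 ;;
    esac
}

# Turn "fqdn alt ..." into an openssl subjectAltName value:
# DNS: for host names, IP: for IPv4 (digits and dots only) and IPv6 (contains ':').
san_list() {
    out=""
    for n in "$@"; do
        case $n in
            *:*)       entry="IP:$n" ;;
            *[!0-9.]*) entry="DNS:$n" ;;
            *)         entry="IP:$n" ;;
        esac
        out="${out:+$out,}$entry"
    done
    echo "$out"
}

# Self-signed rootca key and cert. $1 dir, $2 key bits, $3 days, $4 digest.
make_rootca() {
    dir=$1; bits=$2; days=$3; digest=$4
    mkdir -p "$dir/certs" "$dir/private"
    refuse_if_exists "$dir/private/rootca.key" "$dir/certs/rootca.pem" || return 1
    # umask 077: the key is created without group or world read permission.
    (umask 077 && openssl genrsa -out "$dir/private/rootca.key" "$bits" 2>/dev/null)
    openssl req -x509 -new -"$digest" -days "$days" -key "$dir/private/rootca.key" \
        -subj "/C=US/ST=California/L=Berkeley/O=Example Org/CN=Example Root CA" \
        -out "$dir/certs/rootca.pem"
}

# Host key and CA-signed cert. $1 dir, $2 bits, $3 days, $4 digest, $5 FQDN, rest alt names.
make_hostcert() {
    dir=$1; bits=$2; days=$3; digest=$4; shift 4
    fqdn=$1
    require_fqdn "$fqdn" || return 1
    refuse_if_exists "$dir/private/$fqdn.key" "$dir/certs/$fqdn.pem" || return 1
    (umask 077 && openssl genrsa -out "$dir/private/$fqdn.key" "$bits" 2>/dev/null)
    openssl req -new -"$digest" -key "$dir/private/$fqdn.key" -subj "/CN=$fqdn" \
        -out "$dir/$fqdn.csr"
    # The SAN extension is supplied at signing time via -extfile, which works on
    # old and new OpenSSL releases alike; the serial file is created on first use.
    printf 'subjectAltName=%s\n' "$(san_list "$@")" > "$dir/$fqdn.ext"
    openssl x509 -req -"$digest" -days "$days" -in "$dir/$fqdn.csr" \
        -CA "$dir/certs/rootca.pem" -CAkey "$dir/private/rootca.key" \
        -CAcreateserial -CAserial "$dir/private/serial" \
        -extfile "$dir/$fqdn.ext" -out "$dir/certs/$fqdn.pem" 2>/dev/null
    rm -f "$dir/$fqdn.csr" "$dir/$fqdn.ext"          # "Remove junk we don't need"
    openssl rehash "$dir/certs" 2>/dev/null || true  # like c_rehash, where supported
}

# Print the SAN line of a cert, e.g. "DNS:bar.lbl.gov, IP Address:10.0.0.1".
cert_san() {
    openssl x509 -text -noout -in "$1" |
        awk '/Subject Alternative Name/ { getline; sub(/^ */, ""); print; exit }'
}

# Chain check: does the host cert verify against the rootca? $1 dir, $2 FQDN.
verify_hostcert() {
    openssl verify -CAfile "$1/certs/rootca.pem" "$1/certs/$2.pem" >/dev/null 2>&1
}

# "------" when group and world have no access to the file (ls -l columns 5-10).
key_perms() {
    ls -l "$1" | cut -c5-10
}

# Demo: sh create-cert-example.sh demo
if [ "${1:-}" = "demo" ]; then
    make_rootca ./pki 2048 3650 sha256
    make_hostcert ./pki 2048 365 sha256 bar.lbl.gov 10.0.0.1
    cert_san ./pki/certs/bar.lbl.gov.pem
    verify_hostcert ./pki bar.lbl.gov && echo "bar.lbl.gov verifies against rootca"
fi
```

Running the demo a second time reproduces the "exists" errors shown above, because each step checks for its output files before calling openssl. The SAN is attached at signing time rather than in the CSR so that the CA, not the requester, decides which names end up in the certificate; that is also why the check in cert_san reads the signed cert rather than the CSR.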

FILES
create-cert.conf
        create-cert configuration file
certs
        public certs directory
certs/rootca.index
        certificate database file
certs/rootca.pem
        rootca public cert file
private
        private key directory
private/rootca.key
        rootca private key file
private/serial
        certificate serial number file

SEE ALSO
openssl(1)

AUTHORS
Craig Leres

27 March 2021 FreeBSD 13.1-RELEASE
