DragonFly On-Line Manual Pages
CREATE-CERT(8) DragonFly System Manager's Manual CREATE-CERT(8)
NAME
create-cert - create openssl client key and certificates
SYNOPSIS
create-cert [-nv] [-c config] -I
create-cert [-nv] [-c config] -C cert
create-cert [-nv] [-c config] -R
create-cert [-fnv] [-c config] FQDN
DESCRIPTION
create-cert is a script that uses openssl(1) to create self-signed host
certificates and private keys for fully qualified domain names (FQDNs).
A configuration file is used to specify certificate attributes. The -I flag
creates an initial version of this file. The user may optionally customize
this file before running create-cert with the -R flag, which creates a
self-signed rootca cert and key.
Once a valid configuration file and rootca cert and key files are all
present, create-cert can be used to create cert and key files for a FQDN.
This means the name must have at least one `.' in it; use the -f flag to
override this restriction.
Key files are created without group or world read permissions. The
script always refuses to overwrite existing files. If c_rehash is found
on the user's PATH, it is used to hash the directory after a host cert is
created.
OPTIONS
Here are the command line options:
-c config Specify the configuration file; defaults to
create-cert.conf.
-C cert Like -I, creates an initial configuration file, but
populates the values from an existing X509 certificate
file cert. This is a handy way to bootstrap an old tree
of self-signed certs for use with create-cert.
-f Normally, create-cert requires FQDNs. The -f flag
removes this restriction.
-I Create an initial configuration file; see the
description for the -c flag for more details about the
filename used.
-n Show the shell commands but do not execute them (aka dry
run).
-R Create a self-signed rootca cert and private key.
-v Increase verbosity.
CONFIGURATION OPTIONS
Here are the configuration options that may be used in create-cert.conf.
country The two character country code.
state The State or province.
city The City or locality.
organization The name of the organization or company.
authority The name of the authority.
rootname The root certificate authority name.
email The email address of the organization.
bits Size of the key in bits. Keys smaller than 2048 are not
recommended.
digest The message digest algorithm. Possible values include
md2, md5, mdc2, rmd160, sha, sha1, sha224, sha256, sha384
and sha512. sha1 or higher is recommended; in particular,
md5 is not recommended, as iPhones reject certificates using
this hash algorithm due to its weakness.
days The validity period of the host certificate in days. The
default is 3650 (10 years).
EXAMPLES
Here's an example work flow using create-cert to create a new rootca and
host certs and keys (uninteresting output from openssl has been removed):
% create-cert -I
create-cert: Creating a default in create-cert.conf
% vi create-cert.conf
% create-cert -R
create-cert: Creating the key for the new rootca
create-cert: Creating temporary rootca config
create-cert: Creating the cert for the new rootca
create-cert: Creating the database file for the new rootca
create-cert: Creating the serial file for the new rootca
% create-cert foo.lbl.gov
create-cert: Creating the key for foo.lbl.gov
create-cert: Create a cert config for foo.lbl.gov
create-cert: Create a CSR config for foo.lbl.gov
create-cert: Create a CSR for foo.lbl.gov
create-cert: Sign the certificate request for foo.lbl.gov
create-cert: Verify the the csr for foo.lbl.gov
create-cert: Remove junk we don't need
create-cert: Rehashing the cert directory
create-cert: Cert and key for foo.lbl.gov successfully created
% create-cert bar.lbl.gov
create-cert: Creating the key for bar.lbl.gov
[...]
create-cert: Cert and key for bar.lbl.gov successfully created
% find . -type f
./create-cert.conf
./private/rootca.key
./private/serial
./private/foo.lbl.gov.key
./private/bar.lbl.gov.key
./certs/rootca.pem
./certs/rootca.index
./certs/foo.lbl.gov.pem
./certs/bar.lbl.gov.pem
Here are some examples of the error checking:
% create-cert -I
create-cert: Error: create-cert.conf exists
% create-cert -R
create-cert: Error: private/rootca.key exists
create-cert: Error: certs/rootca.pem exists
% create-cert bar.lbl.gov
create-cert: Error: private/bar.lbl.gov.key exists
create-cert: Error: certs/bar.lbl.gov.pem exists
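The workflow and checks described above (initial config, -R for the rootca,
then per-host key and cert, with the refuse-to-overwrite, FQDN and key
permission rules), reproduced as a small added shell script that calls
openssl(1) directly. This is an illustrative example and not the create-cert
script itself; it assumes create-cert.conf is a sh-sourceable key=value file
using the names from CONFIGURATION OPTIONS, the function names are ours, the
default values are constructed, and it defaults to sha256.

```shell
#!/bin/sh
# Added example, not the create-cert(8) script itself: the same workflow
# (root CA, then per-host key/CSR/cert) done directly with openssl(1).
# Assumption: create-cert.conf is a sh-sourceable key=value file using the
# names from CONFIGURATION OPTIONS; the function names here are ours.

# Defaults (constructed values), overridden by ./create-cert.conf if present.
country=US; state=California; city=Berkeley; organization="Example Org"
authority="Example CA"; rootname=rootca; email=hostmaster@example.org
bits=2048; digest=sha256; days=3650

# is_fqdn NAME: create-cert's rule that a host name needs at least one '.'.
is_fqdn() {
    case "$1" in *.*) return 0 ;; *) return 1 ;; esac
}

# refuse_if_exists FILE...: never overwrite; report every existing file.
refuse_if_exists() {
    rc=0
    for f in "$@"; do
        [ -e "$f" ] && { echo "create-cert: Error: $f exists" >&2; rc=1; }
    done
    return $rc
}

# subject_dn CN: X.509 subject built from the configuration values.
subject_dn() {
    printf '/C=%s/ST=%s/L=%s/O=%s/CN=%s/emailAddress=%s\n' \
        "$country" "$state" "$city" "$organization" "$1" "$email"
}

# make_rootca: the -R step. The key is written under umask 077 so it is
# never group- or world-readable; the default req -x509 profile marks the
# certificate as a CA (check with: openssl x509 -in certs/rootca.pem -text).
make_rootca() {
    refuse_if_exists "private/$rootname.key" "certs/$rootname.pem" || return 1
    mkdir -p private certs
    (umask 077 && openssl genrsa -out "private/$rootname.key" "$bits" 2>/dev/null)
    openssl req -x509 -new -"$digest" -days "$days" \
        -key "private/$rootname.key" -subj "$(subject_dn "$authority")" \
        -out "certs/$rootname.pem"
}

# make_host_cert FQDN: the per-host step: key, CSR, CA signature, verify.
make_host_cert() {
    fqdn=$1
    refuse_if_exists "private/$fqdn.key" "certs/$fqdn.pem" || return 1
    (umask 077 && openssl genrsa -out "private/$fqdn.key" "$bits" 2>/dev/null)
    openssl req -new -"$digest" -key "private/$fqdn.key" \
        -subj "$(subject_dn "$fqdn")" -out "certs/$fqdn.csr"
    # Temporary extension config (the "cert config" create-cert reports):
    # a leaf certificate with a SAN, no CA bit and server usage only.
    ext=$(mktemp -t cert.XXXXXX)
    printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\n' "$fqdn" > "$ext"
    printf 'keyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' >> "$ext"
    openssl x509 -req -"$digest" -days "$days" -in "certs/$fqdn.csr" \
        -CA "certs/$rootname.pem" -CAkey "private/$rootname.key" \
        -CAserial private/serial -CAcreateserial -extfile "$ext" \
        -out "certs/$fqdn.pem" 2>/dev/null
    rm -f "$ext" "certs/$fqdn.csr"            # remove junk we don't need
    # Verify the new cert chains to our root before declaring success.
    openssl verify -CAfile "certs/$rootname.pem" "certs/$fqdn.pem" || return 1
    # create-cert runs c_rehash if it is on PATH; newer OpenSSL ships the
    # same function as "openssl rehash".
    if command -v c_rehash >/dev/null 2>&1; then c_rehash certs >/dev/null 2>&1 || :
    else openssl rehash certs >/dev/null 2>&1 || :; fi
    echo "create-cert: Cert and key for $fqdn successfully created"
}

# Usage: sh create-cert-example.sh -R         (root CA)
#        sh create-cert-example.sh [-f] FQDN  (host cert; -f skips FQDN check)
main() {
    force=0
    [ -r create-cert.conf ] && . ./create-cert.conf
    if [ "$1" = -R ]; then make_rootca; return $?; fi
    if [ "$1" = -f ]; then force=1; shift; fi
    if [ "$force" -eq 0 ] && ! is_fqdn "$1"; then
        echo "create-cert: Error: '$1' is not a FQDN (use -f to override)" >&2
        return 1
    fi
    make_host_cert "$1"
}
if [ $# -gt 0 ]; then main "$@"; fi
```

Run it once with -R in an empty directory and then once per host name; a second
run for the same name fails with the same "exists" errors shown above rather
than silently replacing a key that may already be deployed, and the openssl
verify step catches a rootca/host mismatch before the cert is reported as
created.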
FILES
create-cert.conf create-cert configuration file
certs public certs directory
certs/rootca.index certificate database file
certs/rootca.pem rootca public cert file
private private key directory
private/rootca.key rootca private key file
private/serial certificate serial number file
SEE ALSO
openssl(1)
AUTHOR
Craig Leres
BUGS
DragonFly 6.5-DEVELOPMENT 15 April 2011 DragonFly 6.5-DEVELOPMENT