create-cert man page on DragonFly


CREATE-CERT(8)		  BSD System Manager's Manual		CREATE-CERT(8)

NAME
     create-cert — create openssl client key and certificates

SYNOPSIS
     create-cert [-nv] [-c config] -I
     create-cert [-nv] [-c config] -C cert
     create-cert [-nv] [-c config] -R
     create-cert [-fnv] [-c config] FQDN

DESCRIPTION
     create-cert is a script that uses openssl(1) to create self-signed host
     certificates and private keys for fully qualified domain names (FQDNs).

     A configuration file is used to specify certificate attributes.  The -I flag is
     used to create an initial version of this file.  The user may optionally
     customize this file before running create-cert with the -R flag which
     creates a self-signed rootca cert and key.

     Once a valid configuration file and rootca cert and key files are all
     present, create-cert can be used to create cert and key files for a FQDN.
     This means the name must have at least one ‘.’ in it; use the -f flag to
     override this restriction.

     Key files are created without group or world read permissions.  The
     script always refuses to overwrite existing files. If c_rehash is found
     on the user's PATH, it is used to hash the directory after a host cert is
     created.

OPTIONS
     Here are the command line options:

     -c config	Specify the configuration file; defaults to create-cert.conf.

     -C cert	Like -I, creates an initial configuration file but populates
		the values from an existing X509 certificate file cert.	 This
		is a handy way to bootstrap an old tree of self-signed certs
		for use with create-cert.

     -f		Normally, create-cert requires FQDNs. The -f flag removes this
		restriction.

     -I		Create an initial configuration file; see the description for
		the -c flag for more details about the filename used.

     -n		Show the shell commands but do not execute them (aka dry run).

     -R		Create a self-signed rootca cert and private key.

     -v		Increase verbosity.

CONFIGURATION OPTIONS
     Here are the configuration options that may be used in create-cert.conf.

     country	   The two character country code.

     state	   The State or province.

     city	   The City or locality.

     organization  The name of the organization or company.

     authority	   The name of the authority.

     rootname	   The root certificate authority name.

     email	   The email address of the organization.

     bits	   Size of the key in bits. Keys smaller than 2048 are not
		   recommended.

     digest	   The format of the message digest. Possible values include
		   md2, md5, mdc2, rmd160, sha, sha1, sha224, sha256, sha384
		   and sha512.	sha1 or higher is recommended and in particular
		   md5 is not recommended as iPhones reject certificates using
		   this hash algorithm due to its weakness.

     days	   The lifetime of the host certificate in days. The
		   default is 3650 (10 years).

EXAMPLES
     Here's an example work flow using create-cert to create a new rootca and
     host certs and keys (uninteresting output from openssl has been removed):

	   % create-cert -I
	   create-cert: Creating a default in create-cert.conf
	   % vi create-cert.conf
	   % create-cert -R
	   create-cert: Creating the key for the new rootca
	   create-cert: Creating temporary rootca config
	   create-cert: Creating the cert for the new rootca
	   create-cert: Creating the database file for the new rootca
	   create-cert: Creating the serial file for the new rootca
	   % create-cert foo.lbl.gov
	   create-cert: Creating the key for foo.lbl.gov
	   create-cert: Create a cert config for foo.lbl.gov
	   create-cert: Create a CSR config for foo.lbl.gov
	   create-cert: Create a CSR for foo.lbl.gov
	   create-cert: Sign the certificate request for foo.lbl.gov
	   create-cert: Verify the the csr for foo.lbl.gov
	   create-cert: Remove junk we don't need
	   create-cert: Rehashing the cert directory
	   create-cert: Cert and key for foo.lbl.gov successfully created
	   % create-cert bar.lbl.gov
	   create-cert: Creating the key for bar.lbl.gov
	   [...]
	   create-cert: Cert and key for bar.lbl.gov successfully created
	   % find . -type f
	   ./create-cert.conf
	   ./private/rootca.key
	   ./private/serial
	   ./private/foo.lbl.gov.key
	   ./private/bar.lbl.gov.key
	   ./certs/rootca.pem
	   ./certs/rootca.index
	   ./certs/foo.lbl.gov.pem
	   ./certs/bar.lbl.gov.pem

     Here are some examples of the error checking:

	   % create-cert -I
	   create-cert: Error: create-cert.conf exists
	   % create-cert -R
	   create-cert: Error: private/rootca.key exists
	   create-cert: Error: certs/rootca.pem exists
	   % create-cert bar.lbl.gov
	   create-cert: Error: private/bar.lbl.gov.key exists
	   create-cert: Error: certs/bar.lbl.gov.pem exists
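
     The following audit script is an added example, not part of create-cert
     or of this manual page. It checks a tree laid out as listed under FILES
     for the properties described above: key files without group or world
     read permission, keys of at least 2048 bits, a digest other than md5,
     and unexpired certs that verify against certs/rootca.pem. The function
     names are hypothetical, and flagging sha1 is an assumption stricter than
     this page, since current TLS clients reject SHA-1 signatures.

```sh
#!/bin/sh
# Added example: audit a create-cert tree (certs/ and private/ as in FILES).
# Function names are hypothetical; none of this ships with create-cert.

# Print private key files that are readable by group or world.
loose_keys() {
    find "$1/private" -type f -name '*.key' \( -perm -040 -o -perm -004 \) -print
}

# Read `openssl x509 -noout -text` output on stdin, print one line per weakness.
weak_params() {
    awk '
        /Public-Key: \(/ {
            bits = $0; sub(/.*\(/, "", bits); sub(/ bit.*/, "", bits)
            if (bits + 0 < 2048) print "key size " bits " is below 2048 bits"
        }
        /Signature Algorithm:/ && !seen {
            seen = 1
            # sha1 is flagged as an assumption stricter than the man page.
            if (tolower($3) ~ /md2|md5|mdc2|sha1/) print "weak digest " $3
        }
    '
}

# Audit every cert under DIR/certs; return non-zero if anything was reported.
audit_tree() {
    dir=${1:-.}; rc=0
    loose=$(loose_keys "$dir")
    if [ -n "$loose" ]; then
        printf '%s\n' "$loose" | sed 's/$/: readable by group or world/'; rc=1
    fi
    for c in "$dir"/certs/*.pem; do
        [ -f "$c" ] || continue
        out=$(openssl x509 -noout -text -in "$c" | weak_params)
        [ -z "$out" ] || { printf '%s: %s\n' "$c" "$out"; rc=1; }
        openssl x509 -noout -checkend 0 -in "$c" >/dev/null ||
            { echo "$c: expired"; rc=1; }
        # Match on ": OK" rather than trusting the exit status alone.
        openssl verify -CAfile "$dir/certs/rootca.pem" "$c" 2>&1 |
            grep -q ': OK$' || { echo "$c: does not verify against rootca.pem"; rc=1; }
    done
    return $rc
}

# Run only when a tree is named on the command line.
[ $# -eq 0 ] || audit_tree "$1"
```

     Run it from the directory that holds certs and private, passing "." as
     the argument; it prints one line per finding and exits non-zero if any
     were reported.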

FILES
     create-cert.conf	 create-cert configuration file
     certs		 public certs directory
     certs/rootca.index	 certificate database file
     certs/rootca.pem	 rootca public cert file
     private		 private key directory
     private/rootca.key	 rootca private key file
     private/serial	 certificate serial number file

SEE ALSO
     openssl(1)

AUTHOR
     Craig Leres

BUGS
BSD				 15 April 2011				   BSD