GnuTLS

PKI

Private keys

certtool --generate-privkey --pkcs8 --ask-pass --pkcs-cipher=aes-256 --sec-param High --key-type=ecdsa --outfile service.key.pem

... generates a SECP256R1 private ECDSA key and encrypts it with AES-256 (prompting for a password). Remove --pkcs8 to avoid password protection. Use --key-type=rsa --bits=4096 for an RSA key.



CA creation and manipulation

certtool --generate-self-signed --load-privkey cakey.pem --ask-pass --template ca.cnf --outfile cacert.pem

... generates a self-signed CA certificate from cakey.pem (generated as described in Private keys) and ca.cnf (shown below in Files / examples)



Client certificates

certtool --generate-request --template client.cnf --load-privkey client.key.pem --ask-pass --outfile client.req.pem

... generates a client certificate request from client.key.pem (generated as described in Private keys) using client.cnf (shown below in Files / examples)



certtool --generate-certificate --load-request client.req.pem --load-ca-privkey cakey.pem --ask-pass --load-ca-certificate cacert.pem --template client_signing.cnf --outfile client.cert.pem

... signs the request with the CA key using client_signing.cnf (see the one defined below)



certtool --load-ca-certificate cacert.pem --load-certificate client.cert.pem --load-privkey client.key.pem --ask-pass --to-p12 --outder --outfile client.p12

... produces a password-protected (will prompt for a password) PKCS#12 bundle (client.p12) ready to be imported into the browser



Server certificates

certtool --generate-request --template service.cnf --load-privkey service.key.pem --outfile service.req.pem

... creates a certificate request in PEM format (using service.cnf as described below in Files / examples). Use --outder for DER format, and add --ask-pass if the private key is password-protected.



certtool --generate-certificate --load-request service.req.pem --load-ca-privkey cakey.pem --ask-pass --load-ca-certificate cacert.pem --template server_signing.cnf --outfile service.cert.pem

... signs the request with the CA key using server_signing.cnf (see the one defined below)



Files / examples

country = NO
locality = "Oslo"
organization = "Pichove Undernet"
cn = "Example CA"

# serial = 007
expiration_days = 3650

ca
cert_signing_key
crl_signing_key

... when creating your own CA (ca.cnf)



signing_key
encryption_key

tls_www_client

country = NO
organization = "Pichove Undernet"
cn = "myuser"

... for client certificate request (client.cnf)



honor_crq_extensions
expiration_days = 731

... when signing client certificates (client_signing.cnf)



honor_crq_extensions
expiration_days = 731
# ocsp_uri = "http://ocsp.example.com"
# ca_issuers_uri = https://my.ca.issuer

... when signing server certificates (server_signing.cnf)



signing_key
encryption_key
key_agreement

tls_www_server

country = NO
locality = "Oslo"
organization = "Pichove Undernet"
cn = "hostname.com"

dns_name = "hostname.com"
dns_name = "www.hostname.com"
ip_address = "192.168.1.6"

... for server certificate request with aliases (service.cnf)
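The CA and server-certificate steps above chained into one script, as an added example that is not part of the original page: it writes the ca.cnf, service.cnf and server_signing.cnf shown under Files / examples, runs the certtool commands, and finishes with certtool --verify (with --verify-hostname, assumed to exit non-zero on failure) to confirm the issued certificate chains to the CA and carries the expected SAN. It drops --pkcs8/--ask-pass so the keys are written unencrypted into a temp directory under umask 077; that choice is this script's assumption, not the page's recommendation.

```shell
#!/bin/sh
# Added example: CA -> server certificate pipeline with certtool, then verify.
# Keys are unencrypted (no --pkcs8) in a private temp dir instead of --ask-pass.
set -eu

# Write the page's ca.cnf, service.cnf and server_signing.cnf into $1.
write_templates() {
  dir=$1
  printf '%s\n' 'country = NO' 'locality = "Oslo"' \
    'organization = "Pichove Undernet"' 'cn = "Example CA"' \
    'expiration_days = 3650' 'ca' 'cert_signing_key' 'crl_signing_key' \
    > "$dir/ca.cnf"
  printf '%s\n' 'signing_key' 'encryption_key' 'key_agreement' 'tls_www_server' \
    'country = NO' 'locality = "Oslo"' 'organization = "Pichove Undernet"' \
    'cn = "hostname.com"' 'dns_name = "hostname.com"' \
    'dns_name = "www.hostname.com"' 'ip_address = "192.168.1.6"' \
    > "$dir/service.cnf"
  printf '%s\n' 'honor_crq_extensions' 'expiration_days = 731' \
    > "$dir/server_signing.cnf"
}

# Generate CA key + self-signed CA cert, server key + CSR, sign, verify chain.
build_pki() {
  dir=$1
  (umask 077
   certtool --generate-privkey --sec-param High --key-type=ecdsa \
     --outfile "$dir/cakey.pem"
   certtool --generate-privkey --sec-param High --key-type=ecdsa \
     --outfile "$dir/service.key.pem")
  certtool --generate-self-signed --load-privkey "$dir/cakey.pem" \
    --template "$dir/ca.cnf" --outfile "$dir/cacert.pem"
  certtool --generate-request --template "$dir/service.cnf" \
    --load-privkey "$dir/service.key.pem" --outfile "$dir/service.req.pem"
  certtool --generate-certificate --load-request "$dir/service.req.pem" \
    --load-ca-privkey "$dir/cakey.pem" --load-ca-certificate "$dir/cacert.pem" \
    --template "$dir/server_signing.cnf" --outfile "$dir/service.cert.pem"
  # Fails (non-zero exit) if the cert does not chain to the CA or the SAN
  # does not cover the hostname, so a broken template is caught here.
  certtool --verify --load-ca-certificate "$dir/cacert.pem" \
    --verify-hostname=www.hostname.com --infile "$dir/service.cert.pem"
}

WORKDIR=$(mktemp -d)
write_templates "$WORKDIR"
if command -v certtool >/dev/null 2>&1; then
  build_pki "$WORKDIR"
  echo "PKI built and verified in $WORKDIR"
else
  echo "certtool not installed; templates written to $WORKDIR"
fi
```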



Information

certtool --certificate-info --infile=service.cert.pem

... prints certificate information (metadata)



certtool --fingerprint --hash=SHA256 --infile=service.cert.pem

... prints only the fingerprint (SHA256; the default hash is SHA1)

2026-04-11 10:55:45

minicms - © 2020-2026 Simeon Simeonov