FreeBSD Manual Pages
CREATE-CERT(8)		  BSD System Manager's Manual		CREATE-CERT(8)

NAME
     create-cert -- create openssl client key and certificates

SYNOPSIS
     create-cert [-nv] [-c config] -I
     create-cert [-nv] [-c config] -C cert
     create-cert [-nv] [-c config] -R
     create-cert [-fnv]	[-c config] FQDN

DESCRIPTION
     create-cert is a script that uses openssl(1) to create self-signed	host
     certificates and private keys for fully qualified domain names (FQDNs).

     A configuration file is used to specify certificate attributes.  The -I
     flag creates an initial version of this file.  The user may optionally
     customize this file before running create-cert with the -R flag, which
     creates a self-signed rootca cert and key.

     Once a valid configuration	file and rootca	cert and key files are all
     present, create-cert can be used to create	cert and key files for a FQDN.
     This means	the name must have at least one	`.'  in	it; use	the -f flag to
     override this restriction.

     Key files are created without group or world read permissions.  The
     script always refuses to overwrite	existing files.	If c_rehash is found
     on	the user's PATH, it is used to hash the	directory after	a host cert is
     created.

OPTIONS
     Here are the command line options:

     -c	config	Specify	the configuration file;	defaults to create-cert.conf.

     -C cert	Like -I, creates an initial configuration file but populates
		the values from an existing X509 certificate file cert.  This
		is a handy way to bootstrap an old tree of self-signed certs
		for use with create-cert.

     -f		Normally, create-cert requires FQDNs. The -f flag removes this
		restriction.

     -I		Create an initial configuration	file; see the description for
		the -c flag for	more details about the filename	used.

     -n		Show the shell commands	but do not execute them	(aka dry run).

     -R		Create a self-signed rootca cert and private key.

     -v		Increase verbosity.

CONFIGURATION OPTIONS
     Here are the configuration	options	that may be used in create-cert.conf.

     country	   The two character country code.

     state	   The State or	province.

     city	   The City or locality.

     organization  The name of the organization	or company.

     authority	   The name of the authority.

     rootname	   The root certificate	authority name.

     email	   The email address of	the organization.

     bits	   Size	of the key in bits. Keys smaller than 2048 are not
		   recommended.

     digest	   The format of the message digest. Possible values include
		   md2, md5, mdc2, rmd160, sha, sha1, sha224, sha256, sha384
		   and sha512.  sha1 or higher is recommended; in particular
		   md5 is not recommended, as iPhones reject certificates using
		   this hash algorithm due to its weakness.

     days	   The validity period of the host certificate in days. The
		   default is 3650 (10 years).

EXAMPLES
     Here's an example work flow using create-cert to create a new rootca and
     host certs	and keys (uninteresting	output from openssl has	been removed):

	   % create-cert -I
	   create-cert:	Creating a default in create-cert.conf
	   % vi	create-cert.conf
	   % create-cert -R
	   create-cert:	Creating the key for the new rootca
	   create-cert:	Creating temporary rootca config
	   create-cert:	Creating the cert for the new rootca
	   create-cert:	Creating the database file for the new rootca
	   create-cert:	Creating the serial file for the new rootca
	   % create-cert foo.lbl.gov
	   create-cert:	Creating the key for foo.lbl.gov
	   create-cert:	Create a cert config for foo.lbl.gov
	   create-cert:	Create a CSR config for	foo.lbl.gov
	   create-cert:	Create a CSR for foo.lbl.gov
	   create-cert:	Sign the certificate request for foo.lbl.gov
	   create-cert:	Verify the the csr for foo.lbl.gov
	   create-cert:	Remove junk we don't need
	   create-cert:	Rehashing the cert directory
	   create-cert:	Cert and key for foo.lbl.gov successfully created
	   % create-cert bar.lbl.gov
	   create-cert:	Creating the key for bar.lbl.gov
	   [...]
	   create-cert:	Cert and key for bar.lbl.gov successfully created
	   % find . -type f
	   ./create-cert.conf
	   ./private/rootca.key
	   ./private/serial
	   ./private/foo.lbl.gov.key
	   ./private/bar.lbl.gov.key
	   ./certs/rootca.pem
	   ./certs/rootca.index
	   ./certs/foo.lbl.gov.pem
	   ./certs/bar.lbl.gov.pem

     Here are some examples of the error checking:

	   % create-cert -I
	   create-cert:	Error: create-cert.conf	exists
	   % create-cert -R
	   create-cert:	Error: private/rootca.key exists
	   create-cert:	Error: certs/rootca.pem	exists
	   % create-cert bar.lbl.gov
	   create-cert:	Error: private/bar.lbl.gov.key exists
	   create-cert:	Error: certs/bar.lbl.gov.pem exists
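
     The following is an added example, not the create-cert script itself: the
     openssl(1) steps the DESCRIPTION and EXAMPLES sections describe (root CA
     key and self-signed cert, then a key, CSR and signed cert per FQDN), written
     as shell functions with the same safety rules: the FQDN must contain a
     ".", existing files are never overwritten, and private keys are written
     under umask 077 so they get no group or world permissions.  The directory
     layout follows the FILES section; the subject fields are constructed sample
     values standing in for create-cert.conf, and signing uses "openssl x509
     -req" rather than the "openssl ca" database that rootca.index implies.

```shell
#!/bin/sh
# Added example, not the create-cert script: the openssl(1) steps create-cert
# performs, as shell functions. Subject values below are constructed stand-ins
# for create-cert.conf; signing uses "openssl x509 -req" instead of "openssl ca".
set -eu

# Constructed stand-ins for the create-cert.conf values.
country=US; state=California; city=Berkeley
organization="Example Org"; rootname="Example Root CA"
email=hostmaster@example.org
bits=2048; digest=sha256; days=3650

# Refuse the weak settings the CONFIGURATION OPTIONS section warns about
# (create-cert only recommends against them; this example rejects them).
check_config() {
    [ "$bits" -ge 2048 ] ||
        { echo "Error: keys smaller than 2048 bits are not recommended" >&2; return 1; }
    case "$digest" in
        md2|md5) echo "Error: digest $digest is too weak" >&2; return 1 ;;
    esac
    return 0
}

# A FQDN must contain at least one "." (create-cert's rule, which -f overrides).
is_fqdn() {
    case "$1" in
        *.*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Never overwrite: report every existing path and fail if any exists.
check_absent() {
    rc=0
    for f in "$@"; do
        if [ -e "$f" ]; then
            echo "Error: $f exists" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Private keys are created under umask 077 so they get no group/world bits.
gen_key() {
    ( umask 077 && openssl genrsa -out "$1" "$bits" )
}

# Build the X.509 subject from the config values and the given CN.
subject() {
    printf '/C=%s/ST=%s/L=%s/O=%s/CN=%s/emailAddress=%s' \
        "$country" "$state" "$city" "$organization" "$1" "$email"
}

# Equivalent of "create-cert -R": self-signed root CA cert and private key.
make_rootca() {
    check_config || return 1
    check_absent private/rootca.key certs/rootca.pem || return 1
    mkdir -p private certs
    gen_key private/rootca.key
    openssl req -new -x509 "-$digest" -days "$days" -key private/rootca.key \
        -subj "$(subject "$rootname")" -out certs/rootca.pem
    : > certs/rootca.index          # mirrors the FILES section; unused here
    echo 01 > private/serial        # first serial number to hand out
}

# Equivalent of "create-cert FQDN": key, CSR, signed cert, chain verification.
make_hostcert() {
    fqdn=$1
    is_fqdn "$fqdn" || { echo "Error: $fqdn is not a FQDN" >&2; return 1; }
    check_absent "private/$fqdn.key" "certs/$fqdn.pem" || return 1
    gen_key "private/$fqdn.key"
    openssl req -new "-$digest" -key "private/$fqdn.key" \
        -subj "$(subject "$fqdn")" -out "$fqdn.csr"
    openssl x509 -req "-$digest" -days "$days" -in "$fqdn.csr" \
        -CA certs/rootca.pem -CAkey private/rootca.key \
        -CAserial private/serial -out "certs/$fqdn.pem"
    rm -f "$fqdn.csr"               # the CSR is junk once it has been signed
    openssl verify -CAfile certs/rootca.pem "certs/$fqdn.pem" >/dev/null
}

# Usage: sh create-cert-example.sh host.example.org [more hosts...]
# With no arguments nothing runs, so the file can also be sourced.
if [ $# -gt 0 ]; then
    [ -f certs/rootca.pem ] || make_rootca
    for host; do make_hostcert "$host"; done
fi
```

     Run it once with a host name in an empty directory and the result is the
     same tree the EXAMPLES section lists; running it again for the same host
     fails on the "exists" checks before any key is generated, and a name such
     as "localhost" is rejected by is_fqdn.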

FILES
     create-cert.conf	 create-cert configuration file
     certs		 public	certs directory
     certs/rootca.index	 certificate database file
     certs/rootca.pem	 rootca	public cert file
     private		 private key directory
     private/rootca.key	 rootca	private	key file
     private/serial	 certificate serial number file

SEE ALSO
     openssl(1)

AUTHOR
     Craig Leres

BUGS
BSD				 15 April 2011				   BSD

Want to link to this manual page? Use this URL:
<https://www.freebsd.org/cgi/man.cgi?query=create-cert&sektion=8&manpath=FreeBSD+12.0-RELEASE+and+Ports>