
FreeBSD Manual Pages


CREATE-CERT(8)		  BSD System Manager's Manual		CREATE-CERT(8)

NAME
     create-cert -- create openssl client key and certificates

SYNOPSIS
     create-cert [-nv] [-c config] -I
     create-cert [-nv] [-c config] -C cert
     create-cert [-nv] [-c config] -R
     create-cert [-fnv]	[-c config] FQDN

DESCRIPTION
     create-cert is a script that uses openssl(1) to create a self-signed root
     CA and, signed by that CA, host certificates and private keys for fully
     qualified domain names (FQDNs).

     A configuration file specifies the certificate attributes.  The -I flag
     creates an initial version of this file.  The user may optionally
     customize this file before running create-cert with the -R flag, which
     creates a self-signed rootca cert and key.

     Once a valid configuration file and the rootca cert and key files are all
     present, create-cert can be used to create cert and key files for a FQDN.
     The name must be fully qualified, that is, it must contain at least one
     `.'; use the -f flag to override this restriction.

     Key files are created without group or world read permissions.  The
     script always refuses to overwrite	existing files.	If c_rehash is found
     on	the user's PATH, it is used to hash the	directory after	a host cert is

     Here are the command line options:

     -c	config	Specify	the configuration file;	defaults to create-cert.conf.

     -C	cert	Like -I, creates an initial configuration file but populates
		the values from an existing X509 certificate file cert.  This
		is a handy way to bootstrap an old tree of self-signed certs
		for use with create-cert.

     -f		Normally, create-cert requires FQDNs.  The -f flag removes this
		restriction.

     -I		Create an initial configuration	file; see the description for
		the -c flag for	more details about the filename	used.

     -n		Show the shell commands	but do not execute them	(aka dry run).

     -R		Create a self-signed rootca cert and private key.

     -v		Increase verbosity.

     Here are the configuration	options	that may be used in create-cert.conf.

     country	   The two character country code.

     state	   The State or	province.

     city	   The City or locality.

     organization  The name of the organization	or company.

     authority	   The name of the authority.

     rootname	   The root certificate	authority name.

     email	   The email address of	the organization.

     bits	   Size	of the key in bits. Keys smaller than 2048 are not

     digest	   The message digest algorithm used to sign certificates.
		   Possible values include md2, md5, mdc2, rmd160, sha, sha1,
		   sha224, sha256, sha384 and sha512.  sha256 or stronger is
		   recommended; md5 and sha1 are broken or deprecated and are
		   rejected by current clients (iPhones, for example, reject
		   certificates signed with md5 because of its weakness).

     days	   The validity period of the host certificate, in days.  The
		   default is 3650 (10 years).  Note that current Apple clients
		   reject TLS server certificates valid for more than 825 days,
		   so a shorter value is advisable for hosts they will talk to.

EXAMPLES
     Here's an example work flow using create-cert to create a new rootca and
     host certs	and keys (uninteresting	output from openssl has	been removed):

	   % create-cert -I
	   create-cert:	Creating a default in create-cert.conf
	   % vi	create-cert.conf
	   % create-cert -R
	   create-cert:	Creating the key for the new rootca
	   create-cert:	Creating temporary rootca config
	   create-cert:	Creating the cert for the new rootca
	   create-cert:	Creating the database file for the new rootca
	   create-cert:	Creating the serial file for the new rootca
	   % create-cert
	   create-cert:	Creating the key for
	   create-cert:	Create a cert config for
	   create-cert:	Create a CSR config for
	   create-cert:	Create a CSR for
	   create-cert:	Sign the certificate request for
	   create-cert:	Verify the the csr for
	   create-cert:	Remove junk we don't need
	   create-cert:	Rehashing the cert directory
	   create-cert:	Cert and key for successfully created
	   % create-cert
	   create-cert:	Creating the key for
	   create-cert:	Cert and key for successfully created
	   % find . -type f

     Here are some examples of the error checking:

	   % create-cert -I
	   create-cert:	Error: create-cert.conf	exists
	   % create-cert -R
	   create-cert:	Error: private/rootca.key exists
	   create-cert:	Error: certs/rootca.pem	exists
	   % create-cert
	   create-cert:	Error: private/ exists
	   create-cert:	Error: certs/ exists
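     The following is an added example, not the create-cert script itself: it
     performs the work flow and error checks shown above with plain openssl(1)
     commands, so the steps the script automates (rootca creation, host key
     and CSR, signing, verification, rehashing, refusing to overwrite, and the
     FQDN check) are visible.  The subject values are constructed sample data
     standing in for create-cert.conf, and host certs are signed with
     "openssl x509 -req" and the private/serial file rather than with the
     script's "openssl ca" database; the function names are this example's
     own.

```shell
#!/bin/sh
# Example re-creation of the create-cert work flow with plain openssl(1).
# This is NOT the create-cert script; function names and subject values
# below are assumptions made for the example.
set -eu

# Constructed sample attributes (what create-cert.conf would supply).
country="US"; state="California"; city="Berkeley"
organization="Example Org"; rootname="Example Root CA"
email="hostmaster@example.com"
bits=2048; digest=sha256; days=3650

# Like create-cert, never overwrite existing files.
refuse_overwrite() {
    for f in "$@"; do
        if [ -e "$f" ]; then
            echo "create-cert: Error: $f exists" >&2
            return 1
        fi
    done
}

# A FQDN must contain at least one `.' (create-cert's rule without -f).
is_fqdn() {
    case $1 in
        *.*) return 0 ;;
        *)   return 1 ;;
    esac
}

# True if the file has no group or world permission bits at all.
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

create_rootca() {
    refuse_overwrite private/rootca.key certs/rootca.pem || return 1
    mkdir -p private certs && chmod 700 private || return 1
    # umask 077 makes openssl create the key with mode 0600.
    (umask 077; openssl genrsa -out private/rootca.key "$bits" 2>/dev/null) || return 1
    openssl req -new -x509 -"$digest" -days "$days" -key private/rootca.key \
        -subj "/C=$country/ST=$state/L=$city/O=$organization/CN=$rootname/emailAddress=$email" \
        -out certs/rootca.pem || return 1
    # Serial number file consumed and incremented by "openssl x509 -req".
    [ -e private/serial ] || echo 01 > private/serial
}

create_host_cert() {
    fqdn=$1
    is_fqdn "$fqdn" || { echo "create-cert: Error: $fqdn is not a FQDN" >&2; return 1; }
    refuse_overwrite "private/$fqdn.key" "certs/$fqdn.pem" || return 1
    (umask 077; openssl genrsa -out "private/$fqdn.key" "$bits" 2>/dev/null) || return 1
    openssl req -new -"$digest" -key "private/$fqdn.key" \
        -subj "/C=$country/ST=$state/L=$city/O=$organization/CN=$fqdn" \
        -out "private/$fqdn.csr" || return 1
    # Leaf-cert extensions; the SAN is what modern clients match the host on.
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
        "$fqdn" > "private/$fqdn.ext"
    openssl x509 -req -"$digest" -days "$days" -in "private/$fqdn.csr" \
        -CA certs/rootca.pem -CAkey private/rootca.key -CAserial private/serial \
        -extfile "private/$fqdn.ext" -out "certs/$fqdn.pem" 2>/dev/null || return 1
    rm -f "private/$fqdn.csr" "private/$fqdn.ext"   # remove junk we don't need
    openssl verify -CAfile certs/rootca.pem "certs/$fqdn.pem" || return 1
    # Rehash the cert directory, preferring c_rehash when it is on PATH.
    if command -v c_rehash >/dev/null 2>&1; then c_rehash certs >/dev/null 2>&1 || true
    else openssl rehash certs >/dev/null 2>&1 || true; fi
}

# Usage: sh this-script.sh host1.example.com host2.example.com
if [ $# -gt 0 ]; then
    [ -e certs/rootca.pem ] || create_rootca
    for host; do create_host_cert "$host"; done
fi
```

     Every step returns non-zero on failure instead of relying on set -e,
     because a function called under `!' or `||' runs with -e suppressed; the
     explicit `|| return 1' is what keeps a failed overwrite check from falling
     through to the openssl commands that would clobber the existing key.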

FILES
     create-cert.conf	 create-cert configuration file
     certs		 public	certs directory
     certs/rootca.index	 certificate database file
     certs/rootca.pem	 rootca	public cert file
     private		 private key directory
     private/rootca.key	 rootca	private	key file
     private/serial	 certificate serial number file

AUTHORS
     Craig Leres

BSD				 15 April 2011				   BSD
