FreeBSD Manual Pages
CREATE-CERT(8)              System Manager's Manual             CREATE-CERT(8)

NAME
     create-cert -- create openssl client key and certificates

SYNOPSIS
     create-cert [-nv] [-c config] -I
     create-cert [-nv] [-c config] -C cert
     create-cert [-nv] [-c config] -R
     create-cert [-fnv] [-c config] [-b bits] [-d days] [-D digest] FQDN ...

DESCRIPTION
     create-cert is a script that uses openssl(1) to create self-signed host
     certificates and private keys for fully qualified domain names (FQDNs).

     A configuration file specifies certificate attributes.  The -I flag is
     used to create an initial version of this file.  The user may optionally
     customize this file before running create-cert with the -R flag, which
     creates a self-signed rootca cert and key.

     Once a valid configuration file, rootca cert, and key files are all
     present, create-cert can be used to create cert and key files for a
     FQDN.  The FQDN will be added as a Subject Alt Name, as will any
     additional arguments.  create-cert requires each FQDN (and any Subject
     Alt Names) to include at least one `.' in it; use the -f flag to
     override this restriction.  IPv4 and IPv6 addresses may also be
     specified.

     Key files are created without group or world read permissions.  The
     script always refuses to overwrite existing files.

     If c_rehash is found on the user's PATH, it is used to hash the certs
     directory after a host cert is created.

OPTIONS
     Here are the command line options:

     -b bits    Override the size of the key in bits when creating a
                certificate.

     -d days    When creating a new certificate, override the number of days
                to certify it.

     -D digest  When creating a new certificate, override the digest.

     -c config  Specify the configuration file; defaults to create-cert.conf.

     -C cert    Like -I, creates an initial configuration file but populates
                the values from an existing X509 root or host certificate
                file cert.  This is a handy way to bootstrap an old tree of
                self-signed certs for use with create-cert.

     -f         Normally, create-cert requires FQDNs (with at least one `.'
                in them).  The -f flag removes this restriction.

     -I         Create an initial configuration file; see the description
                for the -c flag for more details about the filename used.

     -n         Show the shell commands but do not execute them (aka dry
                run).

     -R         Create a self-signed rootca cert and private key.

     -v         Increase verbosity.

CONFIGURATION OPTIONS
     Here are the configuration options that may be used in
     create-cert.conf.

     country       The two character country code.

     state         The State or province.

     city          The City or locality.

     organization  The name of the organization or company.

     authority     The name of the authority.

     rootname      The root certificate authority name.

     email         The email address of the organization.

     bits          Size of the key in bits.  Keys smaller than 2048 are not
                   recommended.

     digest        The format of the message digest.  Possible values
                   include md2, md5, mdc2, rmd160, sha, sha1, sha224,
                   sha256, sha384 and sha512.  sha1 or higher is
                   recommended, and in particular md5 is not recommended
                   because iPhones reject certificates using this hash
                   algorithm due to its weakness.

     days          The number of days to certify the certificate.  The
                   default is 3650 (10 years).
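     The following is an added Python example, not part of create-cert
     (which is a shell script around openssl(1)).  It shows the two
     behaviours called out in DESCRIPTION: classifying each argument as a
     DNS or IP Subject Alt Name entry (with the `.' requirement and the -f
     override), and creating a private key file that is never group- or
     world-readable and is never overwritten.  The function names, the
     generated extension fragment and the key bytes written are
     assumptions and constructed placeholders, not create-cert's own.

```python
"""Added example (not create-cert's own code): Subject Alt Name
classification and private-key file handling as described in the
create-cert(8) DESCRIPTION.  Function names and the generated config
fragment are assumptions."""
import ipaddress
import os
import stat
import tempfile


def classify_san(name, allow_short=False):
    """Map one command-line argument to an openssl alt_names entry.

    IPv4/IPv6 literals become IP entries (checked first, since an IPv6
    address contains no '.').  Anything else must contain at least one
    '.' unless allow_short is set, which mirrors the -f flag.
    """
    try:
        return ("IP", str(ipaddress.ip_address(name)))
    except ValueError:
        pass
    if "." not in name and not allow_short:
        raise ValueError(f"{name!r} is not fully qualified (no '.')")
    return ("DNS", name)


def rejected_names(names, allow_short=False):
    """Return the arguments classify_san would refuse."""
    bad = []
    for n in names:
        try:
            classify_san(n, allow_short)
        except ValueError:
            bad.append(n)
    return bad


def san_config(names, allow_short=False):
    """Render an openssl extension fragment listing every argument as a SAN.

    Entries are numbered per type (DNS.1, DNS.2, IP.1 ...), the layout
    openssl's x509v3_config(5) expects in an alt_names section.
    """
    counters = {"DNS": 0, "IP": 0}
    lines = ["[ v3_req ]", "subjectAltName = @alt_names", "", "[ alt_names ]"]
    for n in names:
        kind, value = classify_san(n, allow_short)
        counters[kind] += 1
        lines.append(f"{kind}.{counters[kind]} = {value}")
    return "\n".join(lines) + "\n"


def write_private_file(path, data):
    """Create path readable only by its owner and never overwrite it.

    O_EXCL makes creation atomic: if the file already exists the call
    fails with FileExistsError instead of clobbering an existing key, and
    the 0o600 mode is applied at creation so there is no window in which
    the key is group- or world-readable.  Returns the resulting mode bits.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Exercise the overwrite refusal in a scratch directory.

    Returns (mode of the new key file, whether a second write was refused).
    """
    with tempfile.TemporaryDirectory() as d:
        key_path = os.path.join(d, "bar.example.com.key")
        # Constructed placeholder bytes, not real key material.
        mode = write_private_file(key_path, b"-- placeholder key material --\n")
        try:
            write_private_file(key_path, b"second write\n")
            refused = False
        except FileExistsError:
            refused = True
    return mode, refused


if __name__ == "__main__":
    print(san_config(["bar.example.com", "203.0.113.1", "2001:db8::1"]))
    print(demo())
```

     Classifying IP literals before applying the `.' check matters because
     an IPv6 address such as 2001:db8::1 contains no dot yet must still be
     accepted as an IP entry, not rejected as a short hostname.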
EXAMPLES
     Here's an example work flow using create-cert to create a new rootca
     and host certs and keys (uninteresting output from openssl has been
     removed):

     % create-cert
     create-cert: Please use -I or -C to create a config (create-cert.conf)
     % create-cert -I
     create-cert: Creating a default in create-cert.conf
     % vi create-cert.conf
     % create-cert -R
     create-cert: Creating the key for the new rootca
     create-cert: Creating temporary rootca config
     create-cert: Creating the cert for the new rootca
     create-cert: Creating the database file for the new rootca
     create-cert: Creating the serial file for the new rootca
     % create-cert foo.example.com
     create-cert: Creating the key for foo.example.com
     create-cert: Create a cert config for foo.example.com
     create-cert: Create a CSR config for foo.example.com
     create-cert: Create a CSR for foo.example.com
     create-cert: Sign the certificate request for foo.example.com
     create-cert: Verify the the csr for foo.example.com
     create-cert: Remove junk we don't need
     create-cert: Rehashing the cert directory
     create-cert: Cert and key for foo.example.com successfully created
     % create-cert bar.example.com 203.0.113.1
     create-cert: Creating the key for bar.example.com
     [...]
     create-cert: Cert and key for bar.example.com successfully created
     % find . -type f | sort
     ./certs/bar.example.com.pem
     ./certs/foo.example.com.pem
     ./certs/rootca.index
     ./certs/rootca.index.attr
     ./certs/rootca.index.attr.old
     ./certs/rootca.pem
     ./create-cert.conf
     ./private/bar.example.com.key
     ./private/foo.example.com.key
     ./private/rootca.key
     ./private/serial
     % openssl x509 -text -noout -in certs/bar.example.com.pem | egrep 'Alternative|DNS'
                 X509v3 Subject Alternative Name:
                     DNS:bar.example.com, IP Address:203.0.113.1

     Here are some examples of the error checking:

     % create-cert -I
     create-cert: Error: create-cert.conf exists
     % create-cert -R
     create-cert: Error: private/rootca.key exists
     create-cert: Error: certs/rootca.pem exists
     % create-cert bar.example.com
     create-cert: Error: private/bar.example.com.key exists
     create-cert: Error: certs/bar.example.com.pem exists

FILES
     create-cert.conf     create-cert configuration file
     certs                public certs directory
     certs/rootca.index   certificate database file
     certs/rootca.pem     rootca public cert file
     private              private key directory
     private/rootca.key   rootca private key file
     private/serial       certificate serial number file

SEE ALSO
     openssl(1)

AUTHOR
     Craig Leres

BUGS

FreeBSD ports 15.0             27 March 2021             CREATE-CERT(8)
