<?xml version='1.0' encoding='utf-8'?> <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [ <!ENTITY date SYSTEM "date.xml"> <!ENTITY version SYSTEM "version.xml"> ]> <refentry> <refentryinfo> <date>&date;</date> <title>Cryptography Utilities</title> <productname>crypto-utils</productname> <productnumber>&version;</productnumber> </refentryinfo> <refmeta> <refentrytitle>genkey</refentrytitle> <manvolnum>1</manvolnum> </refmeta> <refnamediv> <refname>genkey</refname> <refpurpose>generate SSL certificates and certificate requests</refpurpose> </refnamediv> <refsynopsisdiv> <cmdsynopsis> <command>genkey</command> <arg><option>--test</option></arg> <arg><option>--days <replaceable>count</replaceable></option></arg> <group> <arg><option>--genreq</option></arg> <arg><option>--makeca</option></arg> <arg><option>--nss</option></arg> <arg><option>--renew</option></arg> <arg><option>--cacert</option></arg> </group> <arg choice="req"><replaceable>hostname</replaceable></arg> </cmdsynopsis> </refsynopsisdiv> <refsect1> <title>Description</title> <para><command>genkey</command> is an interactive command-line tool which can be used to generate SSL certificates or Certificate Signing Requests (CSR). Generated certificates are stored in the directory <filename>/etc/pki/tls/certs/</filename>, and the corresponding private key in <filename>/etc/pki/tls/private/</filename>. </para> <para>When using mod_nss the private key is stored in the nss database. Consult the nss.conf file in <filename>/etc/httpd/conf.d/</filename> for the location of the database. </para> <para><command>genkey</command> will prompt for the size of key desired; whether or not to generate a CSR; whether or not an encrypted private key is desired; the certificate subject DN details.</para> <para><command>genkey</command> generates random data for the private key using the truerand library and also by prompting the user for entry of random text.</para> <para><option>nss</option> indicates that mod_nss database should be used to store keys and certificates.</para> </refsect1> <refsect1> <title>Options</title> <variablelist> <varlistentry> <term><option>--makeca</option></term> <listitem><simpara>Generate a Certificate Authority keypair and certificate.</simpara></listitem> </varlistentry> <varlistentry> <term><option>--genreq</option></term> <listitem><simpara>Generate a Certificate Signing Request for an existing private key, which can be submitted to a CA (for example, for renewal).</simpara></listitem> </varlistentry> <varlistentry> <term><option>--renew</option></term> <listitem><simpara>Used with --genreq to indicate a renewal, the existing keypair will be used. Certs and keys must reside in the nss database, therefore --nss is also required. Pem file based cert renewal is not currently supported.</simpara></listitem> </varlistentry> <varlistentry> <term><option>--cacert</option></term> <listitem><simpara>The certificate renewal is for a CA, needed for openssl certs only.</simpara></listitem> </varlistentry> <varlistentry> <term><option>--days</option> <replaceable>count</replaceable></term> <listitem><simpara>When generating a self-signed certificate, specify that the number of days for which the certificate is valid be <replaceable>count</replaceable> rather than the default value of 30.</simpara></listitem> </varlistentry> <varlistentry> <term><option>--test</option></term> <listitem><simpara>For test purposes only; omit the slow process of generating random data.</simpara></listitem> </varlistentry> </variablelist> </refsect1> <refsect1> <title>Examples</title> <para>The following example will create a self-signed certificate and private key for the hostname <literal>www.example.com</literal>: <programlisting> # genkey --days 120 www.example.com </programlisting> </para> <para>The following example will create a self-signed certificate and private key for the hostname <literal>www.nssexample.com</literal> which will be stored in cert and key in the nss database. If no nickname is given the tool will extract it from mod_nss's nss configuration file. <programlisting> # genkey --days --nss 120 www.nssexample.com </programlisting> </para> <para>The following example will generate a certificate signing request for a new mod_nss style cert specified by its nickname, <literal>Server-Cert</literal>: <programlisting> # genkey --genreq --nss --days 120 Server-Cert </programlisting> </para> <para>The following example will generate a certificate signing request for the renewal of an existing mod_nss cert specified by its nickname, <literal>Server-Cert</literal>: <programlisting> # genkey --genreq --renew --nss --days 120 Server-Cert </programlisting> </para> </refsect1> <refsect1> <title>Files</title> <para><filename>/etc/pki/tls/openssl.cnf</filename></para> </refsect1> <refsect1> <title>See also</title> <para>certwatch(1), keyrand(1)</para> </refsect1> </refentry> <!-- LocalWords: keypair certwatch -->