-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathx509cert.1
114 lines (114 loc) · 2.46 KB
/
x509cert.1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
.Dd May 4, 2021
.Dt X509CERT 1
.Os
.Sh NAME
.Nm x509cert
.Nd X.509 certificate tool
.Sh SYNOPSIS
.Nm
.Op Fl C
.Op Fl c Ar issuercert
.Op Fl k Ar issuerkey
.Op Fl s Ar serial
.Op Fl b Ar notbefore
.Op Fl d Ar duration
.Oo Fl a Ar altname Oc Ns ...
.Ar key
.Op Ar subject
.Nm
.Fl r
.Oo Fl a Ar altname Oc Ns ...
.Ar key
.Op Ar subject
.Sh DESCRIPTION
.Nm
is a tool to generate X.509 certificates and certificate requests.
.Pp
The
.Ar key
must be a PEM-encoded RSA or EC private key in raw or PKCS#8 format.
Keys can be generated using the
.Xr brssl 1
tool.
.Pp
The
.Ar subject
is given as an RFC 4514 string representation of an X.501
DistinguishedName.
For example,
.Qq C=US,CN=example.com .
If not given, an empty DN is used.
.Sh OPTIONS
.Bl -tag -width Ds
.It Fl C
Set the CA flag in a
.Em basicConstraints
extension.
This indicates that the subject is a certificate authority, and its
public key can be used to verify certificates.
.It Fl c
The certificate of the authority with which to sign the certificate.
The corresponding key must be given with the
.Fl k
option.
.It Fl k
The private key to sign the certificate with.
The corresponding certificate must be given with the
.Fl c
option.
.It Fl s
The serial number in the resulting certificate, given as a hexadecimal
string of at most 16 bytes.
If not specified, a random 16 byte serial is generated using
.Xr getentropy 3 .
.It Fl b
The Unix time at which the certificate becomes valid.
If not specified, defaults to the current time.
.It Fl d
The duration for which the certificate is valid, in seconds.
If followed by
.Sq d
or
.Sq y ,
the duration is in units of days or years respectively.
If the duration is
.Sq -1 ,
the time 99991231235959Z is used for the
.Em notAfter
field, meaning there is no well-defined expiration.
If not specified, defaults to 30 days.
.It Fl a
Add a
.Em subjectAltName
extension containing a
.Em dNSName
given by
.Ar altname .
May be specified multiple times.
.It Fl r
Generate a
.Em CertificateRequest
instead of a
.Em Certificate .
.El
.Sh EXAMPLES
Generate a private key with
.Xr brssl 1
and store it in
.Pa key.pem .
.Pp
.Dl brssl skey -gen ec -rawpem key.pem
.Pp
Generate a self-signed certificate with a common name of example.com
using the private key in
.Pa key.pem .
.Pp
.Dl x509cert key.pem CN=example.com > cert.pem
.Pp
Generate a certificate request for example.org with alternate name
www.example.org.
.Pp
.Dl x509cert -r -a www.example.org key.pem CN=example.org > req.pem
.Sh SEE ALSO
.Xr brssl 1 ,
.Xr x509cert 3