Mac OS X Panther for Unix Geeks
certtool

certtool { v | d | D } filename [h] [v] [d]
certtool y [h] [v] [k=keychain [c [p=password]]]
certtool c [h] [v] [a] [k=keychain [c [p=password]]]
certtool { r | I } filename [h] [v] [d] [a] [k=keychain [c [p=password]]]
certtool i filename [h] [v] [d] [a] [k=keychain [c [p=password]]] [r=filename [f={ 1 | 8 | f }]]
Description
Manages X.509 SSL/TLS certificates. It uses the Common Data Security Architecture (CDSA) in much the same way that /System/Library/OpenSSL/misc/CA.pl uses OpenSSL to ease the process of managing certificates.
As arguments, it takes a single-letter command, often followed by a filename, and then options. Options are also single letters, written without a leading dash; those that take a value are written as name=value (k=keychain, p=password, r=filename, f=format).
Options/Usage
a
    When adding an item to a keychain, creates the key pair with a more restrictive ACL on the private key than usual. By default the private key carries no extra access restrictions; with a, any use of the private key requires confirmation, and only certtool itself is trusted to bypass that prompt.

c
    As a command, walks you through a series of interactive prompts to create a certificate and a public/private key pair, used for signing and possibly also for encryption. The resulting certificate, in DER format, is stored in your default keychain, or in the keychain named with k. Note that the first prompt, for a key and certificate label, is asking for two space-separated items; common choices are an organization name for the key and a label designating the purpose of the certificate.
    As an option, instructs certtool to create a new keychain with the name given by the k option (the synopsis shows c only after k=keychain).

d
    As a command, displays the certificate contained in filename.
    As an option, indicates that the certificate, CSR or CRL in filename is in DER (binary) form rather than the default PEM. PEM is the same DER data, Base64-encoded between -----BEGIN ...----- and -----END ...----- lines, so it survives mail and copy-and-paste.

D
    Displays the certificate revocation list (CRL) contained in filename.

f
    Specifies the format of the private key in the file named by the r option, as a single character: 1 (PKCS#1, OpenSSL's traditional format, the default), 8 (PKCS#8), or f (FIPS186, also called BSAFE format).

h
    Prints a usage statement to standard output, overriding whichever command was given.

i
    Imports the certificate contained in filename into the default keychain, or into the keychain named with k.

I
    Imports the CRL contained in filename into the default keychain, or into the keychain named with k.

k
    Specifies, as k=keychain, the name of a keychain (in ~/Library/Keychains) to use instead of the default.

p
    Specifies the keychain password on the command line, as p=password. Anything on the command line is visible to every user on the system through ps and is likely to be saved in your shell history, so it is better to omit p and let certtool prompt for the password.

r
    As a command, walks you through a series of interactive prompts to create a certificate-signing request (CSR) and the public/private key pair it is for, used for signing and possibly also for encryption. The resulting CSR is stored in filename.
    As an option (r=filename), names the file containing the private key that goes with the certificate being imported; use f to say which format the key is in. This is what you need when the key and certificate were produced with OpenSSL rather than with certtool.

v
    As a command, verifies the CSR contained in filename.
    As an option, should enable verbose output, but it doesn't actually seem to make a difference.

y
    As a command, displays the certificates and CRLs in the specified keychain (the default, or the one given with k).
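The commands above chained into one procedure, as an added shell example that is not from the book or from Apple's certtool: create a keychain and a CSR in it, import the CA-signed certificate (adding d only when the file is really DER, and r= plus f= only when the key came from OpenSSL), and list the result. The keychain name, the file names, the CA signing step, and the rule that picks f=1 or f=8 from an OpenSSL PEM key's label are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not from the book or from Apple's certtool: drives the
# certtool commands documented above as one procedure. KEYCHAIN and the
# file names are assumptions; the CA that signs the CSR is outside certtool.

KEYCHAIN="${KEYCHAIN:-server}"       # k=keychain; lives in ~/Library/Keychains
CSR_FILE="${CSR_FILE:-server.csr}"   # written by "certtool r"
CERT_FILE="${CERT_FILE:-server.crt}" # signed certificate back from the CA
KEY_FILE="${KEY_FILE:-server.key}"   # only if the key came from OpenSSL (r= f=)

# Print "d" if FILE is DER (binary), nothing if it is PEM, and fail otherwise,
# so the d option is added only when certtool needs it. PEM begins with
# "-----BEGIN"; a DER certificate, CSR or CRL begins with the ASN.1 SEQUENCE
# tag 0x30.
cert_format_flag() {
    first=$(od -An -tx1 -N1 "$1" | tr -d ' \n')
    case $first in
        2d) printf '' ;;            # '-' : PEM header, certtool's default
        30) printf 'd' ;;           # SEQUENCE tag: raw DER
        *)  echo "$1: neither PEM nor DER" >&2; return 1 ;;
    esac
}

# Pick the f= value for an OpenSSL-written PEM private key from its label
# (assumption: the key is PEM, as OpenSSL writes by default):
# "RSA PRIVATE KEY" is PKCS#1 (f=1), "PRIVATE KEY" is PKCS#8 (f=8).
key_format_flag() {
    if grep -q '^-----BEGIN RSA PRIVATE KEY-----' "$1"; then
        printf '1'
    elif grep -q '^-----BEGIN PRIVATE KEY-----' "$1"; then
        printf '8'
    else
        echo "$1: not a PEM PKCS#1 or PKCS#8 private key" >&2
        return 1
    fi
}

# Step 1: create the keychain (k= with c) and a CSR plus key pair in it.
# a gives the private key the restrictive ACL. No p= on the command line:
# certtool prompts for the keychain password, so it never shows up in ps
# output or in the shell history.
make_csr() {
    certtool r "$CSR_FILE" a k="$KEYCHAIN" c
}

# Step 2, outside certtool: have a CA sign CSR_FILE, yielding CERT_FILE.

# Step 3: import the signed certificate, with d only for a DER file and,
# when the key pair was made with OpenSSL instead of "certtool r", the
# private key via r= and f=.
import_cert() {
    dflag=$(cert_format_flag "$CERT_FILE") || return 1
    if [ -f "$KEY_FILE" ]; then
        kflag=$(key_format_flag "$KEY_FILE") || return 1
        certtool i "$CERT_FILE" $dflag a k="$KEYCHAIN" r="$KEY_FILE" f="$kflag"
    else
        certtool i "$CERT_FILE" $dflag a k="$KEYCHAIN"
    fi
}

# Step 4: list what is now in the keychain.
show_keychain() {
    certtool y k="$KEYCHAIN"
}

case ${1:-} in
    csr)    make_csr ;;
    import) import_cert ;;
    show)   show_keychain ;;
    '')     ;;                      # no argument: just define the functions
    *)      echo "usage: $0 csr|import|show" >&2; exit 2 ;;
esac
```

Run it as sh certtool-flow.sh csr, sign the CSR with your CA, then sh certtool-flow.sh import and sh certtool-flow.sh show. The two sniffing functions are the only part that does not need certtool; they exist because passing d for a PEM file, or the wrong f= for the key, makes the import fail with little explanation.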
Location
/usr/bin