X.509 certificate tool
x509cert is a tool to generate X.509 certificates and CertificateRequests.
The key must be a PEM-encoded RSA or EC
private key in raw or PKCS#8 format. Keys can be generated using the
The subject is given as an RFC 4514 string
representation of an X.501 DistinguishedName. For example,
“C=US,CN=example.com”. If not given, an empty DN is used.
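As an added example (not x509cert's own code or documentation), the following Python turns a subject string of the form above into the DER-encoded X.501 Name that ends up in a certificate. It follows the RFC 4514 rules a practitioner tends to trip over: a backslash escapes a special character or introduces a hex pair that stands for one UTF-8 byte, a plus sign joins attributes within one RDN, and the string lists RDNs in reverse of their order in the ASN.1 sequence, so "C=US,CN=example.com" encodes the CN first. Whether x509cert applies that reversal is not stated on this page, and the table of supported attribute short names is this example's own choice.

```python
"""Parse an RFC 4514 subject string and DER-encode it as an X.501 Name.

Added example; not x509cert's own code. Supports only the common
attribute short names listed below (this example's choice).
"""
import re

# Short names from RFC 4514 section 3 and their attribute-type OIDs.
ATTR_OIDS = {
    "CN": "2.5.4.3", "C": "2.5.4.6", "L": "2.5.4.7", "ST": "2.5.4.8",
    "STREET": "2.5.4.9", "O": "2.5.4.10", "OU": "2.5.4.11",
    "DC": "0.9.2342.19200300.100.1.25", "UID": "0.9.2342.19200300.100.1.1",
}
HEX_PAIR = re.compile(r"[0-9A-Fa-f]{2}")


def parse_dn(text):
    """Return the string's RDNs, in string order, as lists of (type, value).

    ',' separates RDNs, '+' separates attributes inside one RDN, and '\\'
    escapes the next character or introduces a hex pair (one UTF-8 byte).
    """
    if text == "":
        return []  # an empty DN, as x509cert uses when no subject is given
    rdns, rdn, attr_type, buf, i = [], [], None, bytearray(), 0
    while i <= len(text):
        c = text[i] if i < len(text) else None  # None marks end of input
        if c == "\\":
            nxt = text[i + 1:i + 3]
            if HEX_PAIR.fullmatch(nxt):
                buf.append(int(nxt, 16))  # \XX is one raw UTF-8 byte
                i += 3
            elif len(nxt) >= 1:
                buf += nxt[0].encode("utf-8")  # \, \+ \\ and friends
                i += 2
            else:
                raise ValueError("dangling escape at end of subject")
            continue
        if c == "=" and attr_type is None:
            attr_type = buf.decode("utf-8").upper()
            buf = bytearray()
        elif c in (",", "+", None):
            if attr_type is None:
                raise ValueError("RDN without '='")
            rdn.append((attr_type, buf.decode("utf-8")))
            attr_type, buf = None, bytearray()
            if c != "+":
                rdns.append(rdn)
                rdn = []
        else:
            buf += c.encode("utf-8")
        i += 1
    return rdns


def der(tag, content):
    """Tag, DER definite length, value."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def encode_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return der(0x06, bytes(body))


def encode_name(rdns):
    """Name ::= SEQUENCE OF RDN; RDN ::= SET OF AttributeTypeAndValue.

    RFC 4514 writes the sequence backwards, so the string's last RDN is
    encoded first.
    """
    out = b""
    for rdn in reversed(rdns):
        atvs = []
        for attr_type, value in rdn:
            if attr_type not in ATTR_OIDS:
                raise ValueError(f"unsupported attribute type {attr_type}")
            # countryName is PrintableString, dc is IA5String, the rest UTF8String.
            value_tag = {"C": 0x13, "DC": 0x16}.get(attr_type, 0x0C)
            atvs.append(der(0x30, encode_oid(ATTR_OIDS[attr_type])
                            + der(value_tag, value.encode("utf-8"))))
        out += der(0x31, b"".join(sorted(atvs)))  # DER SET OF sorts by encoding
    return der(0x30, out)


def subject_to_der(text):
    return encode_name(parse_dn(text))
```

The DER SET OF ordering matters only for multi-valued RDNs (joined with '+'), but getting it wrong produces a Name that strict parsers reject and lenient ones accept, which is exactly the kind of mismatch that makes two validators disagree about which issuer a certificate names.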
Generate a self-signed certificate with a common name of example.com using the
private key in key.pem.
- Set the CA flag in a basicConstraints extension. This indicates that the
subject is a certificate authority whose public key may be used to verify the
signatures on other certificates. RFC 5280 path validation accepts a version 3
certificate as an issuer only if this flag is set, so it belongs on any
certificate later used as the authority certificate.
- The certificate of the authority with which to sign the certificate; when no
authority is given, the certificate is self-signed with key. The corresponding
private key must be given with the
- The private key to sign the certificate with. The corresponding
certificate must be given with the
- The serial number in the resulting certificate, given as a hexadecimal
string of at most 16 bytes. If not specified, a random 16 byte serial is
generated using getentropy(3). RFC 5280 requires serial numbers to be positive
integers of at most 20 octets; a 16 byte value fits even after DER encoding
adds a leading zero octet to keep a value with its high bit set positive.
- The Unix time at which the certificate becomes valid (the notBefore field).
If not specified, defaults to the current time.
- The duration for which the certificate is valid, in seconds. If followed
by ‘d’ or ‘y’, the duration is in units of days or years respectively. If the
duration is ‘-1’, the time 99991231235959Z is used for the notAfter field,
which RFC 5280 defines as meaning there is no well-defined expiration. If not
specified, defaults to
- -a altname: Add a subjectAltName extension containing a dNSName given by
altname. May be specified multiple times. Hostname verifiers that follow
RFC 6125 match against subjectAltName and ignore the common name, so a TLS
server certificate should carry every hostname it serves here.
- -r: Generate a CertificateRequest instead of a certificate.
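The serial and validity rules from the list above, as an added Python example that is not x509cert's code: it parses the duration syntax (treating a year as 365 days, which is this example's assumption), chooses UTCTime or GeneralizedTime for notBefore and notAfter as RFC 5280 section 4.1.2.5 requires, substitutes 99991231235959Z for ‘-1’, and DER-encodes a serial so that a random 16 byte value with its top bit set stays positive.

```python
"""Serial number and validity handling as described for x509cert's options.

Added example; not x509cert's own code. Treats a year as 365 days.
"""
import os
import re
from datetime import datetime, timedelta, timezone

# RFC 5280 4.1.2.5: GeneralizedTime value meaning "no well-defined expiration".
NO_WELL_DEFINED_EXPIRY = "99991231235959Z"
# 'y' as 365 days is this example's assumption; the page does not define it.
UNIT_SECONDS = {"": 1, "d": 86400, "y": 365 * 86400}


def parse_duration(spec):
    """'3600' -> seconds, '30d' -> days, '2y' -> years, '-1' -> None (no expiry)."""
    if spec == "-1":
        return None
    m = re.fullmatch(r"(\d+)([dy]?)", spec)
    if m is None:
        raise ValueError(f"bad duration {spec!r}")
    return int(m.group(1)) * UNIT_SECONDS[m.group(2)]


def asn1_time(dt):
    """RFC 5280 Time: UTCTime (YYMMDD...) through 2049, GeneralizedTime from 2050 on."""
    return dt.strftime("%y%m%d%H%M%SZ" if dt.year < 2050 else "%Y%m%d%H%M%SZ")


def validity(not_before_unix, duration_spec):
    """Return (notBefore, notAfter) strings for a Unix start time and a duration."""
    start = datetime.fromtimestamp(not_before_unix, timezone.utc)
    seconds = parse_duration(duration_spec)
    if seconds is None:
        return asn1_time(start), NO_WELL_DEFINED_EXPIRY
    return asn1_time(start), asn1_time(start + timedelta(seconds=seconds))


def serial_bytes(hex_serial=None):
    """A caller-supplied hex serial of 1..16 bytes, or 16 random bytes.

    os.urandom stands in for getentropy(3) here.
    """
    if hex_serial is None:
        return os.urandom(16)
    raw = bytes.fromhex(hex_serial)
    if not 1 <= len(raw) <= 16:
        raise ValueError("serial must be between 1 and 16 bytes")
    return raw


def der_serial(raw):
    """DER INTEGER for the serial.

    RFC 5280 requires a positive value of at most 20 octets. Leading zeros
    are stripped and a 0x00 octet is prepended when the top bit is set, so a
    16 byte random value may occupy 17 octets, still within the limit.
    """
    raw = raw.lstrip(b"\x00")
    if not raw:
        raise ValueError("serial must be positive")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return b"\x02" + bytes([len(raw)]) + raw
```

The UTCTime/GeneralizedTime boundary is worth checking in any tool that lets you pick notBefore freely: a start time one second before 2050 and an end time one second into it must come out in two different encodings.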
x509cert CN=example.com key.pem >
Generate a certificate request for example.org with alternate name www.example.org.
x509cert -r -a www.example.org CN=example.org key.pem > req.pem