NAME
     x509cert — X.509 certificate tool
SYNOPSIS
     x509cert [-C] [-c issuercert] [-k issuerkey] [-s serial] [-b notbefore]
              [-d duration] [-a altname]... key [subject]
     x509cert -r [-a altname]... key [subject]
DESCRIPTION
     x509cert is a tool to generate X.509 certificates and certificate
     requests.

     The key must be a PEM-encoded RSA or EC private key in raw or PKCS#8
     format. Keys can be generated using the brssl(1) tool.

     The subject is given as an RFC 4514 string representation of an X.501
     DistinguishedName, for example “C=US,CN=example.com”. If not given, an
     empty DN is used.
     -C             Set the CA flag in a basicConstraints extension. This
                    indicates that the subject is a certificate authority
                    and that its public key can be used to verify
                    certificates.

     -c issuercert  The certificate of the authority with which to sign the
                    certificate. The corresponding key must be given with
                    the -k option.

     -k issuerkey   The private key to sign the certificate with. The
                    corresponding certificate must be given with the -c
                    option.

     -s serial      The serial number in the resulting certificate, given as
                    a hexadecimal string encoding at most 16 bytes. If not
                    specified, a random 16 byte serial is generated using
                    getentropy(3).

     -b notbefore   The Unix time at which the certificate becomes valid. If
                    not specified, defaults to the current time.

     -d duration    The duration for which the certificate is valid, in
                    seconds. If followed by ‘d’ or ‘y’, the duration is in
                    units of days or years respectively. If the duration is
                    ‘-1’, the time 99991231235959Z is used for the notAfter
                    field, meaning there is no well-defined expiration. If
                    not specified, defaults to 30 days.

     -a altname     Add a subjectAltName extension containing a dNSName
                    given by altname. May be specified multiple times.

     -r             Generate a CertificateRequest instead of a Certificate.
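     The -d syntax above (plain seconds, a ‘d’ or ‘y’ suffix, and the
     special value ‘-1’) is small enough to show end to end. The following
     C program is an added illustration written for this page; it is not
     x509cert's own source and may differ from how the tool computes
     validity. It assumes a year of 365 days (the page does not define
     one) and encodes the resulting notAfter the way RFC 5280 requires:
     UTCTime for years 1950 through 2049, GeneralizedTime otherwise, with
     the page's 99991231235959Z for ‘-1’. It also rejects the inputs a
     careless parser would silently accept (empty string, other negative
     values, unknown or doubled suffixes, values that overflow when scaled).

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Returned by parse_duration() for malformed or out-of-range input. */
#define DURATION_INVALID   LLONG_MIN
/* Returned for the "-1" spelling: no well-defined expiration. */
#define DURATION_NO_EXPIRY (-1LL)

#define SECONDS_PER_DAY  86400LL
/* Assumption: the man page does not define a year; 365 days is used here. */
#define SECONDS_PER_YEAR (365 * SECONDS_PER_DAY)

/*
 * Parse a duration in the syntax the -d option accepts:
 *   "3600" -> 3600 seconds       "30d" -> 30 days
 *   "2y"   -> 2 years            "-1"  -> DURATION_NO_EXPIRY
 * Anything else (empty string, negative numbers other than -1,
 * unknown suffix, trailing characters, overflow) yields DURATION_INVALID.
 */
long long parse_duration(const char *s)
{
    char *end;
    long long n, unit = 1;

    if (s == NULL || *s == '\0')
        return DURATION_INVALID;
    if (strcmp(s, "-1") == 0)
        return DURATION_NO_EXPIRY;

    errno = 0;
    n = strtoll(s, &end, 10);
    if (errno == ERANGE || end == s || n < 0)
        return DURATION_INVALID;
    if (*end == 'd') {
        unit = SECONDS_PER_DAY;
        end++;
    } else if (*end == 'y') {
        unit = SECONDS_PER_YEAR;
        end++;
    }
    if (*end != '\0')              /* e.g. "30dd", "10x", "5 d" */
        return DURATION_INVALID;
    if (n > LLONG_MAX / unit)      /* scaling would overflow */
        return DURATION_INVALID;
    return n * unit;
}

/*
 * Render notAfter = notbefore + duration as the time string RFC 5280
 * requires: UTCTime (YYMMDDHHMMSSZ) for years 1950..2049, GeneralizedTime
 * (YYYYMMDDHHMMSSZ) otherwise.  DURATION_NO_EXPIRY maps to the
 * "no well-defined expiration" value 99991231235959Z.  Writes into out
 * (at least 16 bytes) and returns it, or returns NULL on error.
 */
const char *format_not_after(time_t notbefore, long long duration, char out[16])
{
    time_t t;
    struct tm *tm;
    int year;

    if (duration == DURATION_NO_EXPIRY) {
        strcpy(out, "99991231235959Z");
        return out;
    }
    if (duration < 0 || (long long)notbefore > LLONG_MAX - duration)
        return NULL;
    t = notbefore + (time_t)duration;
    tm = gmtime(&t);
    if (tm == NULL)
        return NULL;
    year = tm->tm_year + 1900;
    if (year > 9999)
        return NULL;               /* not representable in GeneralizedTime */
    if (year >= 1950 && year <= 2049) {
        if (strftime(out, 16, "%y%m%d%H%M%SZ", tm) != 13)
            return NULL;
    } else {
        if (strftime(out, 16, "%Y%m%d%H%M%SZ", tm) != 15)
            return NULL;
    }
    return out;
}

int main(int argc, char **argv)
{
    const char *spec = argc > 1 ? argv[1] : "30d";   /* default per the man page */
    long long d = parse_duration(spec);
    char buf[16];

    if (d == DURATION_INVALID) {
        fprintf(stderr, "invalid duration: %s\n", spec);
        return 1;
    }
    if (format_not_after(time(NULL), d, buf) == NULL) {
        fprintf(stderr, "notAfter out of range\n");
        return 1;
    }
    printf("-d %s -> notAfter %s\n", spec, buf);
    return 0;
}
```

     Run it with a single argument in the -d syntax (for example ‘2y’ or
     ‘-1’) and it prints the notAfter value a certificate issued now would
     carry. The UTCTime/GeneralizedTime split matters when checking a
     certificate by hand: a cert with ‘-d -1’ shows a four-digit year,
     while one valid into the 2030s shows only two.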
EXAMPLES
     Generate a self-signed certificate with a common name of example.com
     using the private key in key.pem.

           x509cert CN=example.com key.pem > cert.pem

     Generate a certificate request for example.org with alternate name
     www.example.org.

           x509cert -r -a www.example.org CN=example.org key.pem > req.pem