X509CERT(1) General Commands Manual X509CERT(1)

X.509 certificate tool

x509cert [-C] [-c issuercert] [-k issuerkey] [-s serial] [-b notbefore] [-d duration] [-a altname]... key [subject]

x509cert -r [-a altname]... key [subject]

x509cert is a tool to generate X.509 certificates and certificate requests.

The key must be a PEM-encoded RSA or EC private key in raw or PKCS#8 format. Keys can be generated using the brssl(1) tool.

The subject is given as an RFC 4514 string representation of an X.501 DistinguishedName. For example, “C=US,CN=example.com”. If not given, an empty DN is used.

-C      Set the CA flag in a basicConstraints extension. This indicates that the subject is a certificate authority, and its public key can be used to verify certificates.
-c issuercert
        The certificate of the authority with which to sign the certificate. The corresponding key must be given with the -k option.
-k issuerkey
        The private key to sign the certificate with. The corresponding certificate must be given with the -c option.
-s serial
        The serial number in the resulting certificate, given as a hexadecimal string of at most 16 bytes. If not specified, a random 16 byte serial is generated using getentropy(3).
-b notbefore
        The Unix time at which the certificate becomes valid. If not specified, defaults to the current time.
-d duration
        The duration for which the certificate is valid, in seconds. If followed by ‘d’ or ‘y’, the duration is in units of days or years respectively. If the duration is ‘-1’, the time 99991231235959Z is used for the notAfter field, meaning there is no well-defined expiration. If not specified, defaults to 30 days.
-a altname
        Add a subjectAltName extension containing a dNSName given by altname. May be specified multiple times.
-r      Generate a CertificateRequest instead of a Certificate.

Generate a self-signed certificate with a common name of example.com using the private key in key.pem.

x509cert key.pem CN=example.com > cert.pem

Generate a certificate request for example.org with alternate name www.example.org.

x509cert -r -a www.example.org key.pem CN=example.org > req.pem
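
A preflight check for scripts that call x509cert, added here as an example and not part of x509cert or its documentation. The hypothetical function x509cert_lint parses an argument list with the option letters from the synopsis and reports combinations that the option descriptions rule out or that deserve review; it never runs the tool, and the "no -a" finding reflects that hostname verification in current TLS clients matches subjectAltName rather than CN.

```sh
# Added example, not part of x509cert: x509cert_lint is a hypothetical helper
# that checks an argument list against the rules on this page.
# Prints one finding per line; returns 0 when clean, 1 otherwise.
x509cert_lint() {
    OPTIND=1
    ca='' icert='' ikey='' serial='' dur='' san='' req='' other='' rc=0
    while getopts 'Cc:k:s:b:d:a:r' opt; do
        case $opt in
        C) ca=1 other=1 ;;
        c) icert=$OPTARG other=1 ;;
        k) ikey=$OPTARG other=1 ;;
        s) serial=$OPTARG other=1 ;;
        b) other=1 ;;
        d) dur=$OPTARG other=1 ;;
        a) san=1 ;;
        r) req=1 ;;
        *) echo 'unknown option'; return 1 ;;
        esac
    done
    shift $((OPTIND - 1))
    finding() { echo "$1"; rc=1; }
    [ $# -ge 1 ] || finding 'missing key argument'
    # -c and -k must be given together.
    if [ -n "$icert" ] && [ -z "$ikey" ]; then finding '-c given without -k'; fi
    if [ -n "$ikey" ] && [ -z "$icert" ]; then finding '-k given without -c'; fi
    # Serial: hexadecimal string of at most 16 bytes (32 hex digits).
    case $serial in
    *[!0-9A-Fa-f]*) finding 'serial is not hexadecimal' ;;
    esac
    [ ${#serial} -le 32 ] || finding 'serial longer than 16 bytes'
    # Duration: a number, optionally followed by d or y; -1 means no expiry.
    case $dur in
    '') ;;
    -1) finding 'duration -1: notAfter 99991231235959Z, no expiry' ;;
    *) case ${dur%[dy]} in
        ''|*[!0-9]*) finding 'duration is not <number>[d|y]' ;;
        esac ;;
    esac
    # The -r synopsis accepts only -a.
    if [ -n "$req" ] && [ -n "$other" ]; then finding '-r with certificate-only options'; fi
    # Without -a a non-CA certificate carries no subjectAltName dNSName.
    if [ -z "$ca" ] && [ -z "$san" ]; then finding 'no -a: no subjectAltName'; fi
    return $rc
}
```

Call it with the same arguments the script is about to pass to x509cert and stop on a non-zero return; the file names used are whatever the script supplies.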

brssl(1), x509cert(3)
May 4, 2021 Linux 5.11.4+