-d number, --debug=number
Enable debugging. This option takes an integer number as
its argument. The value of number is constrained to
being:
in the range 0 through 9999
Specifies the debug level.
-V, --verbose
More verbose output. This option may appear an unlimited
number of times.
--infile=file
Input file.
--outfile=string
Output file.
Certificate related options
-i, --certificate-info
Print information on the given certificate.
--pubkey-info
Print information on a public key.
The option combined with --load-request, --load-pubkey,
--load-privkey and --load-certificate will extract the
public key of the object in question.
-s, --generate-self-signed
Generate a self-signed certificate.
-c, --generate-certificate
Generate a signed certificate.
--generate-proxy
Generates a proxy certificate.
-u, --update-certificate
Update a signed certificate.
--fingerprint
Print the fingerprint of the given certificate.
This is a simple hash of the DER encoding of the
certificate. It can be combined with the --hash parameter.
However, it is recommended for identification to use the
key-id which depends only on the certificate's key.
--key-id
Print the key ID of the given certificate.
This is a hash of the public key of the given certificate.
It identifies the key uniquely, remains the same on a
certificate renewal and depends only on signed fields of
the certificate.
--certificate-pubkey
Print certificate's public key.
This option is deprecated as a duplicate of --pubkey-info
NOTE: THIS OPTION IS DEPRECATED
--v1 Generate an X.509 version 1 certificate (with no
extensions).
--sign-params=string
Sign a certificate with a specific signature algorithm.
This option can be combined with --generate-certificate,
to sign the certificate with a specific signature
algorithm variant. The only option supported is 'RSA-PSS',
and should be specified when the signer does not have a
certificate which is marked for RSA-PSS use only.
Certificate request related options
--crq-info
Print information on the given certificate request.
-q, --generate-request
Generate a PKCS #10 certificate request. This option must
not appear in combination with any of the following
options: infile.
Will generate a PKCS #10 certificate request. To specify a
private key use --load-privkey.
--no-crq-extensions
Do not use extensions in certificate requests.
PKCS#12 file related options
--p12-info
Print information on a PKCS #12 structure.
This option will dump the contents and print the metadata
of the provided PKCS #12 structure.
--p12-name=string
The PKCS #12 friendly name to use.
The name to be used for the primary certificate and
private key in a PKCS #12 file.
--to-p12
Generate a PKCS #12 structure.
It requires a certificate, a private key and possibly a CA
certificate to be specified.
Private key related options
-k, --key-info
Print information on a private key.
--p8-info
Print information on a PKCS #8 structure.
This option will print information about encrypted PKCS #8
structures. That option does not require the decryption of
the structure.
--to-rsa
Convert an RSA-PSS key to raw RSA format.
It requires an RSA-PSS key as input and will output a raw
RSA key. This command is necessary for compatibility with
applications that cannot read RSA-PSS keys.
-p, --generate-privkey
Generate a private key.
When generating RSA-PSS private keys, the --hash option
will restrict the allowed hash for the key; in the same
keys the --salt-size option is also acceptable.
--key-type=string
Specify the key type to use on key generation.
This option can be combined with --generate-privkey, to
specify the key type to be generated. Valid options are,
'rsa', 'rsa-pss', 'dsa', 'ecdsa', 'ed25519, and 'ed448'.'.
When combined with certificate generation it can be used
to specify an RSA-PSS certificate when an RSA key is
given.
--bits=number
Specify the number of bits for key generation. This
option takes an integer number as its argument.
--curve=string
Specify the curve used for EC key generation.
Supported values are secp192r1, secp224r1, secp256r1,
secp384r1 and secp521r1.
--sec-param=security parameter
Specify the security level [low, legacy, medium, high,
ultra].
This is alternative to the bits option.
--to-p8
Convert a given key to a PKCS #8 structure.
This needs to be combined with --load-privkey.
-8, --pkcs8
Use PKCS #8 format for private keys.
--provable
Generate a private key or parameters from a seed using a
provable method.
This will use the FIPS PUB186-4 algorithms (i.e., Shawe-
Taylor) for provable key generation. When specified the
private keys or parameters will be generated from a seed,
and can be later validated with --verify-provable-privkey
to be correctly generated from the seed. You may specify
--seed or allow GnuTLS to generate one (recommended). This
option can be combined with --generate-privkey or
--generate-dh-params.
That option applies to RSA and DSA keys. On the DSA keys
the PQG parameters are generated using the seed, and on
RSA the two primes.
--verify-provable-privkey
Verify a private key generated from a seed using a
provable method.
This will use the FIPS-186-4 algorithms for provable key
generation. You may specify --seed or use the seed stored
in the private key structure.
--seed=string
When generating a private key use the given hex-encoded
seed.
The seed acts as a security parameter for the private key,
and thus a seed size which corresponds to the security
level of the private key should be provided (e.g.,
256-bits seed).
CRL related options
-l, --crl-info
Print information on the given CRL structure.
--generate-crl
Generate a CRL.
This option generates a Certificate Revocation List. When
combined with --load-crl it would use the loaded CRL as
base for the generated (i.e., all revoked certificates in
the base will be copied to the new CRL). To add new
certificates to the CRL use --load-certificate.
--verify-crl
Verify a Certificate Revocation List using a trusted list.
This option must appear in combination with the following
options: load-ca-certificate.
The trusted certificate list must be loaded with --load-
ca-certificate.
Certificate verification related options
-e, --verify-chain
Verify a PEM encoded certificate chain.
Verifies the validity of a certificate chain. That is, an
ordered set of certificates where each one is the issuer
of the previous, and the first is the end-certificate to
be validated. In a proper chain the last certificate is a
self signed one. It can be combined with --verify-purpose
or --verify-hostname.
--verify
Verify a PEM encoded certificate (chain) against a trusted
set.
The trusted certificate list can be loaded with --load-ca-
certificate. If no certificate list is provided, then the
system's trusted certificate list is used. Note that
during verification multiple paths may be explored. On a
successful verification the successful path will be the
last one. It can be combined with --verify-purpose or
--verify-hostname.
--verify-hostname=string
Specify a hostname to be used for certificate chain
verification.
This is to be combined with one of the verify certificate
options.
--verify-email=string
Specify a email to be used for certificate chain
verification. This option must not appear in combination
with any of the following options: verify-hostname.
This is to be combined with one of the verify certificate
options.
--verify-purpose=string
Specify a purpose OID to be used for certificate chain
verification.
This object identifier restricts the purpose of the
certificates to be verified. Example purposes are
1.3.6.1.5.5.7.3.1 (TLS WWW), 1.3.6.1.5.5.7.3.4 (EMAIL)
etc. Note that a CA certificate without a purpose set
(extended key usage) is valid for any purpose.
--verify-allow-broken
Allow broken algorithms, such as MD5 for verification.
This can be combined with --p7-verify, --verify or
--verify-chain.
--verify-profile=string
Specify a security level profile to be used for
verification.
This option can be used to specify a certificate
verification profile. Certificate
verification profiles correspond to the security
level. This should be one of
'none', 'very weak', 'low', 'legacy', 'medium',
'high', 'ultra',
'future'. Note that by default no profile is applied,
unless one is set
as minimum in the gnutls configuration file.
PKCS#7 structure options
--p7-generate
Generate a PKCS #7 structure.
This option generates a PKCS #7 certificate container
structure. To add certificates in the structure use
--load-certificate and --load-crl.
--p7-sign
Signs using a PKCS #7 structure.
This option generates a PKCS #7 structure containing a
signature for the provided data from infile. The data are
stored within the structure. The signer certificate has to
be specified using --load-certificate and --load-privkey.
The input to --load-certificate can be a list of
certificates. In case of a list, the first certificate is
used for signing and the other certificates are included
in the structure.
--p7-detached-sign
Signs using a detached PKCS #7 structure.
This option generates a PKCS #7 structure containing a
signature for the provided data from infile. The signer
certificate has to be specified using --load-certificate
and --load-privkey. The input to --load-certificate can be
a list of certificates. In case of a list, the first
certificate is used for signing and the other certificates
are included in the structure.
--p7-include-cert, --no-p7-include-cert
The signer's certificate will be included in the cert
list.. The no-p7-include-cert form will disable the
option. This option is enabled by default.
This options works with --p7-sign or --p7-detached-sign
and will include or exclude the signer's certificate into
the generated signature.
--p7-time, --no-p7-time
Will include a timestamp in the PKCS #7 structure. The
no-p7-time form will disable the option.
This option will include a timestamp in the generated
signature
--p7-show-data, --no-p7-show-data
Will show the embedded data in the PKCS #7 structure. The
no-p7-show-data form will disable the option.
This option can be combined with --p7-verify or --p7-info
and will display the embedded signed data in the PKCS #7
structure.
--p7-info
Print information on a PKCS #7 structure.
--p7-verify
Verify the provided PKCS #7 structure.
This option verifies the signed PKCS #7 structure. The
certificate list to use for verification can be specified
with --load-ca-certificate. When no certificate list is
provided, then the system's certificate list is used.
Alternatively a direct signer can be provided using
--load-certificate. A key purpose can be enforced with the
--verify-purpose option, and the --load-data option will
utilize detached data.
--smime-to-p7
Convert S/MIME to PKCS #7 structure.
Other options
--generate-dh-params
Generate PKCS #3 encoded Diffie-Hellman parameters.
The will generate random parameters to be used with
Diffie-Hellman key exchange. The output parameters will be
in PKCS #3 format. Note that it is recommended to use the
--get-dh-params option instead.
NOTE: THIS OPTION IS DEPRECATED
--get-dh-params
List the included PKCS #3 encoded Diffie-Hellman
parameters.
Returns stored DH parameters in GnuTLS. Those parameters
returned are defined in RFC7919, and can be considered
standard parameters for a TLS key exchange. This option is
provided for old applications which require DH parameters
to be specified; modern GnuTLS applications should not
require them.
--dh-info
Print information PKCS #3 encoded Diffie-Hellman
parameters.
--load-privkey=string
Loads a private key file.
This can be either a file or a PKCS #11 URL
--load-pubkey=string
Loads a public key file.
This can be either a file or a PKCS #11 URL
--load-request=string
Loads a certificate request file.
This option can be used with a file
--load-certificate=string
Loads a certificate file.
This option can be used with a file
--load-ca-privkey=string
Loads the certificate authority's private key file.
This can be either a file or a PKCS #11 URL
--load-ca-certificate=string
Loads the certificate authority's certificate file.
This can be either a file or a PKCS #11 URL
--load-crl=string
Loads the provided CRL.
This option can be used with a file
--load-data=string
Loads auxiliary data.
This option can be used with a file
--password=string
Password to use.
You can use this option to specify the password in the
command line instead of reading it from the tty. Note,
that the command line arguments are available for view in
others in the system. Specifying password as '' is the
same as specifying no password.
--null-password
Enforce a NULL password.
This option enforces a NULL password. This is different
than the empty or no password in schemas like PKCS #8.
--empty-password
Enforce an empty password.
This option enforces an empty password. This is different
than the NULL or no password in schemas like PKCS #8.
--hex-numbers
Print big number in an easier format to parse.
--cprint
In certain operations it prints the information in C-
friendly format.
In certain operations it prints the information in C-
friendly format, suitable for including into C programs.
--rsa Generate RSA key.
When combined with --generate-privkey generates an RSA
private key.
NOTE: THIS OPTION IS DEPRECATED
--dsa Generate DSA key.
When combined with --generate-privkey generates a DSA
private key.
NOTE: THIS OPTION IS DEPRECATED
--ecc Generate ECC (ECDSA) key.
When combined with --generate-privkey generates an
elliptic curve private key to be used with ECDSA.
NOTE: THIS OPTION IS DEPRECATED
--ecdsa
This is an alias for the --ecc option.
NOTE: THIS OPTION IS DEPRECATED
--hash=string
Hash algorithm to use for signing.
Available hash functions are SHA1, RMD160, SHA256, SHA384,
SHA512, SHA3-224, SHA3-256, SHA3-384, SHA3-512.
--salt-size=number
Specify the RSA-PSS key default salt size. This option
takes an integer number as its argument.
Typical keys shouldn't set or restrict this option.
--inder, --no-inder
Use DER format for input certificates, private keys, and
DH parameters . The no-inder form will disable the
option.
The input files will be assumed to be in DER or RAW
format. Unlike options that in PEM input would allow
multiple input data (e.g. multiple certificates), when
reading in DER format a single data structure is read.
--inraw
This is an alias for the --inder option.
--outder, --no-outder
Use DER format for output certificates, private keys, and
DH parameters. The no-outder form will disable the
option.
The output will be in DER or RAW format.
--outraw
This is an alias for the --outder option.
--disable-quick-random
No effect.
NOTE: THIS OPTION IS DEPRECATED
--template=string
Template file to use for non-interactive operation.
--stdout-info
Print information to stdout instead of stderr.
--ask-pass
Enable interaction for entering password when in batch
mode..
This option will enable interaction to enter password when
in batch mode. That is useful when the template option has
been specified.
--pkcs-cipher=cipher
Cipher to use for PKCS #8 and #12 operations.
Cipher may be one of 3des, 3des-pkcs12, aes-128, aes-192,
aes-256, rc2-40, arcfour.
--provider=string
Specify the PKCS #11 provider library.
This will override the default options in
/etc/gnutls/pkcs11.conf
--text, --no-text
Output textual information before PEM-encoded
certificates, private keys, etc. The no-text form will
disable the option. This option is enabled by default.
Output textual information before PEM-encoded data
-h, --help
Display usage information and exit.
-!, --more-help
Pass the extended usage information through a pager.
-v [{v|c|n --version [{v|c|n}]}]
Output version of program and exit. The default mode is
`v', a simple version. The `c' mode will print copyright
information and `n' will print the full copyright notice.
