certtool

certtool {v | d | D} filename [h] [v] [d]
certtool y [h] [v] [k=keychain [c [p=password]]]
certtool c [h] [v] [a] [k=keychain [c [p=password]]]
certtool {r | I} filename [h] [v] [d] [a] [k=keychain [c [p=password]]]
certtool i filename [h] [v] [d] [a] [k=keychain [c [p=password]]] [r=filename [f={1 | 8 | f}]]
Manages X.509 SSL/TLS certificates. It uses the Common Data Security Architecture (CDSA) in much the same way that /System/Library/OpenSSL/misc/CA.pl uses OpenSSL to ease the process of managing certificates.
As arguments, it takes a single-letter command, often followed by a filename, and possibly some options.
a  When adding an item to a keychain, this option creates a key pair and includes a private key with a more restrictive ACL than usual. (The default behavior creates a private key with no additional access restrictions, while specifying this option adds a confirmation requirement to access the private key, which only certtool is allowed to bypass.)

c  As a command, walks you through a series of interactive prompts to create a certificate and a public/private key pair to sign and possibly encrypt it. The resulting certificate (in DER format) is stored in your default keychain. (Note that the first prompt, for a key and certificate label, is asking for two space-separated items. Common choices are an organization name for the key, and a label designating the purpose of the certificate.)

c  As an option, instructs certtool to create a new keychain with the name given in the k option.

d  As a command, displays the certificate contained in filename.

d  As an option, indicates that the format of the CSR or CRL contained in filename is DER (a binary format), instead of the default PEM (an ASCII format, which is essentially the DER certificate encoded in Base64 and wrapped in BEGIN/END header lines).

D  Displays the certificate revocation list (CRL) contained in filename.

f  Specifies the format of the private key in the file specified with the r option. A single character specifies the format: 1 (for OpenSSL's PKCS1, the default), 8 (PKCS8), or f (FIPS186, or BSAFE).

h  Prints a usage statement to standard output, negating whichever command was given.

i  Imports the certificate contained in filename into the default keychain.

I  Imports the CRL contained in filename into the default keychain.

k  Specifies the name of a keychain (in ~/Library/Keychains) to use instead of the default.

p  Specifies the keychain password on the command line. To avoid exposing the password (for example in process listings or shell history), it's better to let certtool prompt for it.

r  As a command, walks you through a series of interactive prompts to create a certificate-signing request (CSR) and a public/private key pair to sign and possibly encrypt it. The resulting CSR is stored in filename.

r  As an option, specifies the file containing a private key for the certificate being imported. This is useful if you've used OpenSSL to generate the certificate instead of certtool.

v  As a command, verifies the CSR contained in filename.

v  As an option, should enable verbose output, but it doesn't actually seem to make a difference.

y  As a command, displays the certificates and CRLs in the specified keychain.
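The d and f options both depend on knowing what is actually in the file you hand to certtool: whether a certificate is PEM or DER, and whether an OpenSSL private key is PKCS#1 or PKCS#8. The following Python script is an added example, not part of certtool or of the original page; it shows the PEM/DER relationship described above (Base64-encoded DER between BEGIN/END lines), detects which of the two a file is so that the d option is added only for DER input, and maps the PEM label of an OpenSSL private key to the f value (1 or 8). The sample DER bytes are a constructed minimal ASN.1 SEQUENCE, not a real certificate, and the helper names are the example's own.

```python
import base64
import re
import textwrap

# Constructed sample: a minimal DER-encoded ASN.1 SEQUENCE holding one INTEGER (5).
# It is not a real certificate; it only stands in for DER bytes so the
# PEM/DER handling can be exercised offline.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])

# A PEM block: BEGIN line, Base64 body, END line with the same label.
PEM_RE = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)


def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> str:
    """Wrap DER bytes as PEM: Base64 text in 64-column lines between markers."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(textwrap.wrap(b64, 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


def pem_to_der(pem: bytes) -> tuple[str, bytes]:
    """Return (label, DER bytes) for the first PEM block in the data."""
    match = PEM_RE.search(pem)
    if match is None:
        raise ValueError("no PEM block found")
    label = match.group(1).decode("ascii")
    b64 = b"".join(match.group(2).split())  # drop the line breaks
    return label, base64.b64decode(b64, validate=True)


def detect_format(data: bytes) -> str:
    """Return 'PEM' or 'DER'; DER certificates start with the SEQUENCE tag 0x30."""
    if data.lstrip().startswith(b"-----BEGIN "):
        return "PEM"
    if data[:1] == b"\x30":
        return "DER"
    raise ValueError("neither PEM nor DER")


def certtool_display_args(data: bytes, filename: str) -> list[str]:
    """Build the argument list for 'certtool d', adding the d option only for DER."""
    args = ["certtool", "d", filename]
    if detect_format(data) == "DER":
        args.append("d")
    return args


def private_key_format_option(pem: bytes) -> str:
    """Map an OpenSSL private key's PEM label to certtool's f= value.

    OpenSSL writes PKCS#1 RSA keys as 'RSA PRIVATE KEY' and unencrypted PKCS#8
    keys as 'PRIVATE KEY'. The FIPS186/BSAFE format (f) has no standard PEM
    label, so it is not detected here.
    """
    label, _ = pem_to_der(pem)
    if label == "RSA PRIVATE KEY":
        return "1"
    if label == "PRIVATE KEY":
        return "8"
    raise ValueError(f"unrecognised private key label: {label}")


if __name__ == "__main__":
    pem = der_to_pem(SAMPLE_DER)
    print(pem, end="")
    print(certtool_display_args(SAMPLE_DER, "cert.der"))
    print(certtool_display_args(pem.encode(), "cert.pem"))
```

Running the script prints the PEM rendering of the sample bytes and the two certtool invocations, one with and one without the trailing d option. The same detection can be applied before an i or D command, since those take the same d option for DER input.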
/usr/bin