The certool initialization commands allow you to generate certificate signing requests, view and generate certificates and keys that are signed by VMCA, import root certificates, and perform other certificate management operations.

In many cases, you pass a configuration file in to a certool command. See Changing certool Configuration. See Replace Existing VMCA-Signed Certificates With New VMCA-Signed Certificates for some usage examples.

certool --initcsr

Generates a Certificate Signing Request (CSR). The command generates a PKCS10 file and a private key.

Option                    Description
--initcsr                 Required for generating CSRs.
--privkey <key_file>      Name of the private key file.
--pubkey <key_file>       Name of the public key file.
--csrfile <csr_file>      File name for the CSR file to be sent to the CA provider.
--config <config_file>    Optional name of the configuration file. Defaults to certool.cfg.

Example:

certool --initcsr --privkey=<filename> --pubkey=<filename> --csrfile=<filename>

certool --selfca

Creates a self-signed certificate and provisions the VMCA server with a self-signed root CA. Using this option is one of the simplest ways to provision the VMCA server. You can instead provision the VMCA server with a third-party root certificate so that VMCA is an intermediate CA. See Use VMCA as an Intermediate Certificate Authority.

This command generates a certificate that is predated by three days to avoid time zone conflicts.

Option                          Description
--selfca                        Required for generating a self-signed certificate.
--predate <number_of_minutes>   Sets the Valid Not Before field of the root certificate to the specified number of minutes before the current time. This option can be helpful to account for potential time zone issues. The maximum is three days (4320 minutes).
--config <config_file>          Optional name of the configuration file. Defaults to certool.cfg.
--server <server>               Optional name of the VMCA server. By default, the command uses localhost.

Example:

machine-70-59:/usr/lib/vmware-vmca/bin # ./certool --predate=2280 --selfca --server=192.0.2.24 --srp-upn=administrator@vsphere.local

certool --rootca

Imports a root certificate. Adds the specified certificate and private key to VMCA. VMCA always uses the most recent root certificate for signing, but other root certificates remain available. That means you can update your infrastructure one step at a time, and finally delete certificates that you no longer use.

Option                    Description
--rootca                  Required for importing a root CA.
--cert <certfile>         Name of the certificate file to import.
--privkey <key_file>      Name of the private key file. This file must be in PEM encoded format.
--server <server>         Optional name of the VMCA server. By default, the command uses localhost.

Example:

certool --rootca --cert=root.cert --privkey=privatekey.pem
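Both certool --initcsr (which writes a CSR and its private key) and certool --rootca (which imports a certificate and its private key, PEM only) rely on the certificate or CSR and the private key actually belonging together; certool does not document a preflight for this. The script below is an added example, not part of the VMware documentation or of certool: it compares the public key embedded in the certificate or CSR with the public key derived from the private key, and rejects a key that is not PEM encoded before you run the import. It assumes the openssl command line tool is on PATH; the file names are whatever you pass in.

```shell
#!/bin/sh
# Added preflight check (not VMware's code): run before
#   certool --rootca --cert=<cert> --privkey=<key>
# or after
#   certool --initcsr --privkey=<key> --pubkey=<pub> --csrfile=<csr>
# to confirm the cert/CSR and the private key match and the key is PEM.
# Assumes the openssl CLI is available.

# Print the PEM public key embedded in a PEM certificate or PEM CSR.
extract_pubkey() {
    file="$1"
    if grep -q 'BEGIN CERTIFICATE REQUEST' "$file"; then
        openssl req -in "$file" -noout -pubkey
    elif grep -q 'BEGIN CERTIFICATE' "$file"; then
        openssl x509 -in "$file" -noout -pubkey
    else
        echo "$file: neither a PEM certificate nor a PEM CSR" >&2
        return 1
    fi
}

# Return 0 when the private key is PEM encoded and its public half equals the
# public key in the certificate/CSR; return 1 (with a reason on stderr) otherwise.
verify_cert_key_pair() {
    cert="$1"
    key="$2"
    # certool --rootca requires a PEM private key; a DER file has no PEM header.
    if ! grep -q 'BEGIN .*PRIVATE KEY' "$key"; then
        echo "$key: private key is not PEM encoded" >&2
        return 1
    fi
    cert_pub=$(extract_pubkey "$cert") || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || {
        echo "$key: cannot parse private key" >&2
        return 1
    }
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "public key in $cert does not match $key" >&2
        return 1
    fi
    echo "OK: $cert matches $key"
    return 0
}

# Direct usage: ./check-pair.sh root.cert privatekey.pem
if [ "$#" -eq 2 ]; then
    verify_cert_key_pair "$1" "$2"
fi
```

Run it with the same two file names you intend to pass to certool --rootca; a non-zero exit means the import would either fail (non-PEM key) or, worse, succeed with a certificate whose key VMCA does not hold. The same check applied to the --initcsr output catches a CSR and key that were generated in separate runs.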

certool --getdc

Returns the default domain name that is used by vmdir.

Option                    Description
--server <server>         Optional name of the VMCA server. By default, the command uses localhost.
--port <port_num>         Optional port number. Defaults to port 389.

Example:

certool --getdc

certool --waitVMDIR

Waits until the VMware Directory Service is running or until the timeout specified by --wait has elapsed. Use this option in conjunction with other options to schedule certain tasks, for example returning the default domain name.

Option                    Description
--wait                    Optional number of minutes to wait. Defaults to 3.
--server <server>         Optional name of the VMCA server. By default, the command uses localhost.
--port <port_num>         Optional port number. Defaults to port 389.

Example:

certool --waitVMDIR --wait 5

certool --waitVMCA

Waits until the VMCA service is running or until the timeout specified by --wait has elapsed. Use this option in conjunction with other options to schedule certain tasks, for example generating a certificate.

Option                    Description
--wait                    Optional number of minutes to wait. Defaults to 3.
--server <server>         Optional name of the VMCA server. By default, the command uses localhost.
--port <port_num>         Optional port number. Defaults to port 389.

Example:

certool --waitVMCA --selfca

certool --publish-roots

Forces an update of root certificates. This command requires administrative privileges.

Option                    Description
--server <server>         Optional name of the VMCA server. By default, the command uses localhost.

Example:

certool --publish-roots