The certool management commands allow you to view, generate, and revoke certificates and to view information about certificates.
certool --genkey
Generates a private and public key pair. Those files can then be used to generate a certificate that is signed by VMCA. You can use the certificate to provision machines or solution users.
Option | Description |
---|---|
--genkey | Required for generating a private and public key. |
--privkey <keyfile> | Name of the private key file. |
--pubkey <keyfile> | Name of the public key file. |
--server <server> | Optional name of the VMCA server. By default, the command uses localhost. |
Example:
certool --genkey --privkey=<filename> --pubkey=<filename>
certool --gencert
Generates a certificate from the VMCA server. This command uses the information in certool.cfg or in the specified configuration file.
Option | Description |
---|---|
--gencert | Required for generating a certificate. |
--cert <certfile> | Name of the certificate file. This file must be in PEM encoded format. |
--privkey <keyfile> | Name of the private key file. This file must be in PEM encoded format. |
--config <config_file> | Optional name of the configuration file. Defaults to certool.cfg. |
--server <server> | Optional name of the VMCA server. By default, the command uses localhost. |
Example:
certool --gencert --privkey=<filename> --cert=<filename>
certool --getrootca
Prints the current root CA certificate in human-readable form. If you are running this command from a management node, use the machine name of the Platform Services Controller node to retrieve the root CA. The output is reformatted for readability and cannot be used as a certificate.
Option | Description |
---|---|
--getrootca | Required for printing the root certificate. |
--server <server> | Optional name of the VMCA server. By default, the command uses localhost. |
Example:
certool --getrootca --server=remoteserver
certool --viewcert
Prints all the fields in a certificate in human-readable form.
Option | Description |
---|---|
--viewcert | Required for viewing a certificate. |
--cert <certfile> | Optional name of the configuration file. Defaults to certool.cfg. |
Example:
certool --viewcert --cert=<filename>
certool --enumcert
Lists all certificates that the VMCA server knows about. The required filter option lets you list all certificates or only revoked, active, or expired certificates.
Option | Description |
---|---|
--enumcert | Required for listing all certificates. |
--filter [all | active] | Required filter. Specify all or active. The revoked and expired options are not currently supported. |
Example:
certool --enumcert --filter=active
certool --status
Sends a specified certificate to the VMCA server to check whether the certificate has been revoked. Prints Certificate: REVOKED if the certificate is revoked, and Certificate: ACTIVE otherwise.
Option | Description |
---|---|
--status | Required to check the status of a certificate. |
--cert <certfile> | Optional name of the configuration file. Defaults to certool.cfg. |
--server <server> | Optional name of the VMCA server. By default, the command uses localhost. |
Example:
certool --status --cert=<filename>
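An added example, not part of the VMware documentation: a POSIX shell wrapper around certool --status that audits several certificate files and reports anything other than the two documented output strings as unknown instead of active. The CERTOOL variable, the function names and the argument order are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit certificate files with `certool --status`.
# Assumption: CERTOOL names the certool binary on this machine.
CERTOOL="${CERTOOL:-certool}"

# Map certool --status output to a verdict. Only the two strings the
# documentation names are trusted; anything else is "unknown".
classify_status() {
    case "$1" in
        *"Certificate: REVOKED"*) echo revoked ;;
        *"Certificate: ACTIVE"*)  echo active ;;
        *)                        echo unknown ;;
    esac
}

# check_cert <certfile> [server]: prints revoked, active or unknown.
# The exit code of certool is not relied on; an unreachable server or a
# bad file yields neither documented string and is reported as unknown.
check_cert() {
    out=$("$CERTOOL" --status --cert="$1" --server="${2:-localhost}" 2>&1) || true
    classify_status "$out"
}

# audit_certs <server> <certfile>...: one "<verdict> <file>" line per
# certificate; returns non-zero if any certificate is not active.
audit_certs() {
    server=$1; shift
    rc=0
    for cert in "$@"; do
        verdict=$(check_cert "$cert" "$server")
        printf '%s %s\n' "$verdict" "$cert"
        [ "$verdict" = active ] || rc=1
    done
    return "$rc"
}

# Stand-alone use: sh audit.sh <server> <certfile>...
if [ "$#" -ge 2 ]; then audit_certs "$@"; fi
```

The non-zero return from audit_certs makes the script usable as a scheduled check that alerts on revoked certificates and on a VMCA server that did not answer.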
certool --genselfcacert
Generates a self-signed certificate based on the values in the configuration file. This command generates a certificate that is predated by three days to avoid time zone conflicts.
Option | Description |
---|---|
--genselfcacert | Required for generating a self-signed certificate. |
--outcert <cert_file> | Name of the certificate file. This file must be in PEM encoded format. |
--outprivkey <key_file> | Name of the private key file. This file must be in PEM encoded format. |
--config <config_file> | Optional name of the configuration file. Defaults to certool.cfg. |
Example:
certool --genselfcacert --outprivkey=<filename> --outcert=<filename>