The certool management commands let you generate keys and certificates, view certificate contents, list the certificates that VMCA knows about, and check whether a certificate has been revoked. All commands that contact VMCA take an optional --server argument; without it they talk to the VMCA instance on localhost.

certool --genkey

Generates a private and public key pair. Those files can then be used to generate a certificate that is signed by VMCA. You can use the certificate to provision machines or solution users. Protect the private key file: anyone who can read it can act as the machine or solution user the certificate is later issued to.

Option               Description
--genkey             Required for generating a private and public key.
--privkey <keyfile>  Name of the private key file.
--pubkey <keyfile>   Name of the public key file.
--server <server>    Optional name of the VMCA server. By default, the command uses localhost.

Example:
certool --genkey --privkey=<filename> --pubkey=<filename>

certool --gencert

Generates a certificate from the VMCA server. This command uses the information in certool.cfg or in the specified configuration file.

Option                  Description
--gencert               Required for generating a certificate.
--cert <certfile>       Name of the certificate file. This file must be in PEM encoded format.
--privkey <keyfile>     Name of the private key file. This file must be in PEM encoded format.
--config <config_file>  Optional name of the configuration file. Defaults to certool.cfg.
--server <server>       Optional name of the VMCA server. By default, the command uses localhost.

Example:
certool --gencert --privkey=<filename> --cert=<filename>

certool --getrootca

Prints the current root CA certificate in human-readable form. If you are running this command from a management node, use the machine name of the Platform Services Controller node to retrieve the root CA. The output is a decoded, human-readable dump, not a PEM certificate, so it cannot be installed or used as a trust anchor as printed.

Option             Description
--getrootca        Required for printing the root certificate.
--server <server>  Optional name of the VMCA server. By default, the command uses localhost.

Example:
certool --getrootca --server=remoteserver

certool --viewcert

Print all the fields in a certificate in human-readable form.

Option             Description
--viewcert         Required for viewing a certificate.
--cert <certfile>  Name of the certificate file to display. This file must be in PEM encoded format.

Example:
certool --viewcert --cert=<filename>

certool --enumcert

Lists all certificates that the VMCA server knows about. The required --filter option selects which certificates are listed. Only the all and active filters are currently supported; revoked and expired are not.

Option                  Description
--enumcert              Required for listing certificates.
--filter [all | active]  Required filter. Specify all or active. The revoked and expired options are not currently supported.

Example:
certool --enumcert --filter=active

certool --status

Sends a specified certificate to the VMCA server to check whether the certificate has been revoked. Prints Certificate: REVOKED if the certificate is revoked, and Certificate: ACTIVE otherwise.

Option             Description
--status           Required to check the status of a certificate.
--cert <certfile>  Name of the certificate file to check. This file must be in PEM encoded format.
--server <server>  Optional name of the VMCA server. By default, the command uses localhost.

Example:
certool --status --cert=<filename>

certool --genselfcacert

Generates a self-signed CA certificate based on the values in the configuration file. The certificate's validity start (notBefore) is set three days in the past so that clock and time zone differences between hosts do not cause a freshly generated certificate to be rejected as not yet valid.

Option                    Description
--genselfcacert           Required for generating a self-signed certificate.
--outcert <cert_file>     Name of the certificate file. This file must be in PEM encoded format.
--outprivkey <key_file>   Name of the private key file. This file must be in PEM encoded format.
--config <config_file>    Optional name of the configuration file. Defaults to certool.cfg.

Example:
certool --genselfcacert --outprivkey=<filename> --outcert=<filename> --config=<config_file>
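The following script is an added example, not part of this documentation or of certool itself. It wraps the commands on this page into a provisioning run (--genkey, --gencert, --viewcert, --status) and a self-signed CA run (--genselfcacert), and adds two checks a practitioner wants before installing the result: an independent confirmation that the private key and certificate belong together, and a fail-closed reading of the --status output so that anything other than an explicit "Certificate: ACTIVE" is treated as not verified. The certool path, the VMCA_SERVER variable, the certool.cfg in the working directory, the file naming, and the use of openssl for the checks are assumptions of the example, not something the page states.

```shell
#!/bin/sh
# Added example, not from the vSphere documentation or from certool.
# Assumptions (not stated on the page): the Linux appliance path for certool,
# a VMCA reachable as $VMCA_SERVER, a certool.cfg in the working directory,
# and openssl on the PATH for the independent checks.

CERTOOL="${CERTOOL:-/usr/lib/vmware-vmca/bin/certool}"
VMCA_SERVER="${VMCA_SERVER:-localhost}"

# Classify the text printed by `certool --status`.
# Exit codes: 0 = ACTIVE, 1 = REVOKED, 2 = anything else.
# REVOKED is matched first and unrecognised output is never reported as
# active, so a truncated or changed message cannot pass as a clean result.
classify_status() {
    case "$1" in
        *"Certificate: REVOKED"*) return 1 ;;
        *"Certificate: ACTIVE"*)  return 0 ;;
        *)                        return 2 ;;
    esac
}

# Ask the VMCA server whether a certificate has been revoked. A certool
# failure is reported as "unknown" (2), never as active.
cert_is_active() {
    out="$("$CERTOOL" --status --cert="$1" --server="$VMCA_SERVER" 2>&1)" || return 2
    classify_status "$out"
}

# Independent check that a PEM certificate and private key belong together:
# compare the SHA-256 of the public key extracted from each file.
key_matches_cert() {
    c="$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)"
    k="$(openssl pkey -in "$2" -pubout | openssl sha256)"
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Provision one machine or solution-user certificate: key pair, VMCA-signed
# certificate, then the checks. umask 077 keeps the key files certool writes
# readable by the current user only (the umask stays in effect afterwards).
provision() {
    name="$1"
    umask 077
    "$CERTOOL" --genkey --privkey="$name.key" --pubkey="$name.pub" \
        --server="$VMCA_SERVER" || return 1
    "$CERTOOL" --gencert --privkey="$name.key" --cert="$name.crt" \
        --config=certool.cfg --server="$VMCA_SERVER" || return 1
    "$CERTOOL" --viewcert --cert="$name.crt"
    key_matches_cert "$name.crt" "$name.key" \
        || { echo "$name: key and certificate do not match" >&2; return 1; }
    cert_is_active "$name.crt" \
        || { echo "$name: not reported ACTIVE by $VMCA_SERVER" >&2; return 1; }
}

# Generate a self-signed CA certificate and print its validity window; the
# notBefore date should be three days before today.
gen_self_ca() {
    umask 077
    "$CERTOOL" --genselfcacert --outprivkey="$1.key" --outcert="$1.crt" \
        --config=certool.cfg || return 1
    openssl x509 -in "$1.crt" -noout -dates
}
```

Source the file and call `provision <name>` or `gen_self_ca <name>`; the file names derived from <name> are the example's own convention. The exit code of `provision` is non-zero whenever any step fails, the key does not match the certificate, or VMCA does not explicitly report the certificate as ACTIVE, so it can gate the installation step in an automation pipeline.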