The certool management commands allow you to view, generate, and revoke certificates and to view information about certificates.
certool --genkey
Generates a private and public key pair. Those files can then be used to generate a certificate that is signed by VMCA. You can use the certificate to provision machines or solution users.
| Option | Description |
|---|---|
| --genkey | Required for generating a private and public key. |
| --privkey <keyfile> | Name of the private key file. |
| --pubkey <keyfile | Name of the public key file. |
| --server <server> |
Optional name of the VMCA server. By default, the command uses localhost. |
certool --genkey --privkey=<filename> --pubkey=<filename>
certool --gencert
Generates a certificate from the VMCA server. This command uses the information in certool.cfg or in the specified configuration file.
| Option | Description |
|---|---|
| --gencert | Required for generating a certificate. |
| --cert <certfile> |
Name of the certificate file. This file must be in PEM encoded format. |
| --privkey <keyfile> | Name of the private key file. This file must be in PEM encoded format. |
| --config <config_file> |
Optional name of the configuration file. Defaults to certool.cfg. |
| --server <server> |
Optional name of the VMCA server. By default, the command uses localhost. |
certool --gencert --privkey=<filename> --cert=<filename>
certool --getrootca
Prints the current root CA certificate in human-readable form. If you are running this command from a management node, use the machine name of the Platform Services Controller node to retrieve the root CA. This output is not usable as a certificate, it is changed to be human readable.
| Option | Description |
|---|---|
| --getrootca | Required for printing the root certificate. |
| --server <server> |
Optional name of the VMCA server. By default, the command uses localhost. |
certool --getrootca --server=remoteserver
certool --viewcert
Print all the fields in a certificate in human-readable form.
| Option | Description |
|---|---|
| --viewcert | Required for viewing a certificate. |
| --cert <certfile> |
Optional name of the configuration file. Defaults to certool.cfg. |
certool --viewcert --cert=<filename>
certool --enumcert
List all certificates that the VMCA server knows about. The required filter option lets you list all certificates or only revoked, active, or expired certificates.
| Option | Description |
|---|---|
| --enumcert | Required for listing all certificates. |
| --filter [all | active] | Required filter. Specify all or active. The revoked and expired options are not currently supported. |
certool --enumcert --filter=active
certool --status
Sends a specified certificate to the VMCA server to check whether the certificate has been revoked. Prints Certificate: REVOKED if the certificate is revoked, and Certificate: ACTIVE otherwise.
| Option | Description |
|---|---|
| --status | Required to check the status of a certificate. |
| --cert <certfile> |
Optional name of the configuration file. Defaults to certool.cfg. |
| --server <server> |
Optional name of the VMCA server. By default, the command uses localhost. |
certool --status --cert=<filename>
certool --genselfcacert
| Option | Description |
|---|---|
| --genselfcacert | Required for generating a self-signed certificate. |
| --outcert <cert_file> | Name of the certificate file. This file must be in PEM encoded format. |
| --outprivkey <key_file> | Name of the private key file. This file must be in PEM encoded format. |
| --config <config_file> |
Optional name of the configuration file. Defaults to certool.cfg. |
certool --genselfcert --privkey=<filename> --cert=<filename>
