When you run
certool --gencert and certain other certificate initialization or management commands, the CLI reads all the values from a configuration file. You can edit the existing file, override the default configuration file (certool.cfg) by using the
-–config=<file name> option, or override different values on the command line.
The configuration file has several fields with the following default values:
Country = US Name= Acme Organization = AcmeOrg OrgUnit = AcmeOrg Engineering State = California Locality = Palo Alto IPAddress = 127.0.0.1 Email = firstname.lastname@example.org Hostname = server.acme.com
- Create a backup of the configuration file and then edit the file. If you are using the default configuration file, you do not have to specify it. Otherwise, for example, if you changed the configuration file name, use the --config command-line option.
- Override the configuration file value on the command line. For example, to override Locality, run this command:
certool -–gencert -–privkey=private.key –-Locality="Mountain View"
- For solution user certificates, the name is <sol_user name>@<domain> by convention, but you can change the name if a different convention is used in your environment.
- For machine SSL certificates, the FQDN of the machine is used because the SSL client checks the CN field of the Subject name of the certificate when verifying the machine's host name. Because a machine can have more than one alias, certificates have the Subject Alternative Name field extension where you can specify other names (DNS names, IP addresses, and so on). However, VMCA allows only one DNSName (in the Hostname field) and no other Alias options. If the IP address is specified by the user, it is stored in SubAltName as well.