The certool management commands allow you to view, generate, and revoke certificates and to view information about certificates.
certool --genkey
Generates a private and public key pair. Those files can then be used to generate a certificate that is signed by VMCA.
| Option | Description |
|---|---|
| --genkey | Required for generating a private and public key. |
| --privkey <keyfile> | Name of the private key file. |
| --pubkey <keyfile> | Name of the public key file. |
| --server <server> |
Optional name of the VMCA server. By default, the command uses localhost. |
certool --genkey --privkey=<filename> --pubkey=<filename>
certool --gencert
Generates a certificate from the VMCA server. This command uses the information in certool.cfg or in the specified configuration file. You can use the certificate to provision machine certificates or solution user certificates.
| Option | Description |
|---|---|
| --gencert | Required for generating a certificate. |
| --cert <certfile> |
Name of the certificate file. This file must be in PEM encoded format. |
| --privkey <keyfile> | Name of the private key file. This file must be in PEM encoded format. |
| --config <config_file> |
Optional name of the configuration file. Defaults to certool.cfg. |
| --server <server> |
Optional name of the VMCA server. By default, the command uses localhost. |
certool --gencert --privkey=<filename> --cert=<filename>
certool --getrootca
Prints the current root CA certificate in human-readable form. If you are running this command from a management node, use the machine name of the Platform Services Controller node to retrieve the root CA. This output is not usable as a certificate, it is changed to be human readable.
| Option | Description |
|---|---|
| --getrootca | Required for printing the root certificate. |
| --server <server> |
Optional name of the VMCA server. By default, the command uses localhost. |
certool --getrootca --server=remoteserver
certool --viewcert
Print all the fields in a certificate in human-readable form.
| Option | Description |
|---|---|
| --viewcert | Required for viewing a certificate. |
| --cert <certfile> |
Optional name of the configuration file. Defaults to certool.cfg. |
certool --viewcert --cert=<filename>
certool --enumcert
List all certificates that the VMCA server knows about. The required filter option lets you list all certificates or only revoked, active, or expired certificates.
| Option | Description |
|---|---|
| --enumcert | Required for listing all certificates. |
| --filter [all | active] | Required filter. Specify all or active. The revoked and expired options are not currently supported. |
certool --enumcert --filter=active
certool --status
Sends a specified certificate to the VMCA server to check whether the certificate has been revoked. Prints Certificate: REVOKED if the certificate is revoked, and Certificate: ACTIVE otherwise.
| Option | Description |
|---|---|
| --status | Required to check the status of a certificate. |
| --cert <certfile> |
Optional name of the configuration file. Defaults to certool.cfg. |
| --server <server> |
Optional name of the VMCA server. By default, the command uses localhost. |
certool --status --cert=<filename>
certool --genselfcacert
| Option | Description |
|---|---|
| --genselfcacert | Required for generating a self-signed certificate. |
| --outcert <cert_file> | Name of the certificate file. This file must be in PEM encoded format. |
| --outprivkey <key_file> | Name of the private key file. This file must be in PEM encoded format. |
| --config <config_file> |
Optional name of the configuration file. Defaults to certool.cfg. |
certool --genselfcert --privkey=<filename> --cert=<filename>
