The certool management commands allow you to view, generate, and revoke certificates and to view information about certificates.

certool --genkey

Generates a private and public key pair. Those files can then be used to generate a certificate that is signed by VMCA.

Option Description
--genkey Required for generating a private and public key.
--privkey <keyfile> Name of the private key file.
--pubkey <keyfile> Name of the public key file.
--server <server> Optional name of the VMCA server. By default, the command uses localhost.

Example:
certool --genkey --privkey=<filename> --pubkey=<filename>

certool --gencert

Generates a certificate from the VMCA server. This command uses the information in certool.cfg or in the specified configuration file. You can use the certificate to provision machine certificates or solution user certificates.

Option Description
--gencert Required for generating a certificate.
--cert <certfile> Name of the certificate file. This file must be in PEM encoded format.
--privkey <keyfile> Name of the private key file. This file must be in PEM encoded format.
--config <config_file> Name of the configuration file. A sample configuration file is located at /usr/lib/vmware-vmca/share/config/certool.cfg. As a best practice, make a copy of the default configuration file and replace the required fields.
--server <server> Optional name of the VMCA server. By default, the command uses localhost.

Example:
certool --gencert --privkey=<filename> --cert=<filename> --config=<config_file>

certool --getrootca

Prints the current root CA certificate in human-readable form. This output is a decoded dump for reading, not the PEM certificate itself, and cannot be used as a certificate.

Option Description
--getrootca Required for printing the root certificate.
--server <server> Optional name of the VMCA server. By default, the command uses localhost.

Example:
certool --getrootca --server=remoteserver

certool --viewcert

Prints all the fields in a certificate in human-readable form.

Option Description
--viewcert Required for viewing a certificate.
--cert <certfile> Name of the certificate file to display. This file must be in PEM encoded format.

Example:
certool --viewcert --cert=<filename>

certool --enumcert

List all certificates that the VMCA server knows about. The required filter option lets you list all certificates or only revoked, active, or expired certificates.

Option Description
--enumcert Required for listing all certificates.
--filter [all | active] Required filter. Specify all or active. The revoked and expired options are not currently supported.

Example:
certool --enumcert --filter=active

certool --status

Sends a specified certificate to the VMCA server to check whether the certificate has been revoked. Prints Certificate: REVOKED if the certificate is revoked, and Certificate: ACTIVE otherwise.

Option Description
--status Required to check the status of a certificate.
--cert <certfile> Name of the certificate file to check. This file must be in PEM encoded format.
--server <server> Optional name of the VMCA server. By default, the command uses localhost.

Example:
certool --status --cert=<filename>
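The commands above form one workflow: copy and customize certool.cfg, generate a key pair, request a certificate, then check its status before deploying it. The following script is an added example, not VMware's code, that drives that workflow from Python and adds the checks a practitioner wants: it refuses to hand certool anything that is not valid PEM (so a human-readable --getrootca or --viewcert dump is caught early), it fails closed if --status prints anything other than the documented "Certificate: ACTIVE" / "Certificate: REVOKED" lines, and it raises if a config field to be replaced does not exist in the template. Assumptions: certool is on PATH as `certool`, the --status output lines are exactly as stated in this reference, and certool.cfg consists of `Key = value` lines (the key names used in the usage at the bottom are illustrative).

```python
"""Drive certool genkey -> gencert -> status with sanity checks.

Added example, not VMware's code. Assumptions are marked below.
"""
import base64
import re
import subprocess
from pathlib import Path
from typing import Dict, List, Optional

CERTOOL = "certool"  # assumption: certool is on PATH
DEFAULT_CFG = "/usr/lib/vmware-vmca/share/config/certool.cfg"  # from the reference

# A PEM block: armor lines with matching labels around a base64 body.
_PEM_RE = re.compile(rb"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)


def pem_labels(data: bytes) -> List[str]:
    """Return labels ('CERTIFICATE', 'PRIVATE KEY', ...) of well-formed PEM
    blocks in data. Human-readable dumps such as the --getrootca output
    contain no armor and yield [], which is the check to make before passing
    a file to --gencert or --status (both require PEM)."""
    labels = []
    for m in _PEM_RE.finditer(data):
        body = b"".join(m.group(2).split())
        if not body:
            continue
        try:
            base64.b64decode(body, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        labels.append(m.group(1).decode())
    return labels


def customize_config(template: str, overrides: Dict[str, str]) -> str:
    """Copy the default certool.cfg and replace the required fields.
    Assumption: the file is 'Key = value' lines plus comments/blank lines.
    A key missing from the template raises, so a misspelled field cannot
    silently leave a default value in the issued certificate."""
    remaining = dict(overrides)
    out = []
    for line in template.splitlines():
        m = re.match(r"^\s*([A-Za-z]+)\s*=", line)
        if m and m.group(1) in remaining:
            out.append(f"{m.group(1)} = {remaining.pop(m.group(1))}")
        else:
            out.append(line)
    if remaining:
        raise KeyError(f"fields not present in template: {sorted(remaining)}")
    return "\n".join(out) + "\n"


def genkey_cmd(privkey: str, pubkey: str, server: Optional[str] = None) -> List[str]:
    cmd = [CERTOOL, "--genkey", f"--privkey={privkey}", f"--pubkey={pubkey}"]
    return cmd + ([f"--server={server}"] if server else [])


def gencert_cmd(privkey: str, cert: str, config: str = DEFAULT_CFG,
                server: Optional[str] = None) -> List[str]:
    cmd = [CERTOOL, "--gencert", f"--privkey={privkey}", f"--cert={cert}",
           f"--config={config}"]
    return cmd + ([f"--server={server}"] if server else [])


def status_cmd(cert: str, server: Optional[str] = None) -> List[str]:
    cmd = [CERTOOL, "--status", f"--cert={cert}"]
    return cmd + ([f"--server={server}"] if server else [])


def parse_status(output: str) -> str:
    """Map --status output to 'ACTIVE' or 'REVOKED'. Anything else raises so
    an error message is never mistaken for an active certificate."""
    m = re.search(r"Certificate:\s*(ACTIVE|REVOKED)", output)
    if not m:
        raise ValueError(f"unexpected certool --status output: {output!r}")
    return m.group(1)


def run(cmd: List[str]) -> str:
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def provision(privkey: str, pubkey: str, cert: str, config: str = DEFAULT_CFG,
              server: Optional[str] = None) -> str:
    """genkey -> gencert -> PEM check -> status; returns 'ACTIVE' or 'REVOKED'."""
    run(genkey_cmd(privkey, pubkey, server))
    run(gencert_cmd(privkey, cert, config, server))
    if "CERTIFICATE" not in pem_labels(Path(cert).read_bytes()):
        raise RuntimeError(f"{cert} is not a PEM certificate; refusing to use it")
    return parse_status(run(status_cmd(cert, server)))


if __name__ == "__main__":
    # Usage on a vCenter host (hostname value is a placeholder, key names illustrative).
    cfg = customize_config(Path(DEFAULT_CFG).read_text(), {"Hostname": "vc01.example.test"})
    Path("machine.cfg").write_text(cfg)
    print(provision("machine.key", "machine.pub", "machine.crt", config="machine.cfg"))
```

The PEM check is the practical counterpart of the note on --getrootca: its output reads like a certificate but is not one, and a script that pipes it into --status or --gencert fails in a confusing way; rejecting non-PEM input up front gives a clear error instead.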

certool --genselfcacert

Generates a self-signed certificate based on the values in the configuration file. The certificate's validity start is backdated by three days to avoid time zone conflicts.

Option Description
--genselfcacert Required for generating a self-signed certificate.
--outcert <cert_file> Name of the certificate file. This file must be in PEM encoded format.
--outprivkey <key_file> Name of the private key file. This file must be in PEM encoded format.
--config <config_file> Name of the configuration file. A sample configuration file is located at /usr/lib/vmware-vmca/share/config/certool.cfg. As a best practice, make a copy of the default configuration file and replace the required fields.

Example:
certool --genselfcacert --outprivkey=<filename> --outcert=<filename> --config=<config_file>