certcreate Command

Purpose

certcreate requests a new certificate for the specified user.

Syntax

certcreate [-S servicename] [-s startdate] [-e enddate] { -f file | [-b | -t] } [-p privatekeystore] -l label [-a subject_alt_name] subject_distinguished_name [user-name]

Description

The certcreate command invokes the end-entity services and libraries and requests that a new certificate be created with the identifying information given on the command line. The -S option selects the service to use. Available services are defined in /usr/lib/security/pki/ca.cfg; a request made without -S uses the local service. It is an error to specify a servicename that has no entry in /usr/lib/security/pki/ca.cfg. The service entry in ca.cfg determines which CA the request is sent to.

If the -s option is not given, the current date is used as the start date. If the -e option is not given, the validity value from the policy.cfg file is used; if that value does not exist, the certificate is valid for one year from the start date. Both startdate and enddate use the same format as the expires attribute of the chuser command: a 10-character, all-numeric string of the form MMDDhhmmyy, where MM is the month, DD the day, hh the hour, mm the minute, and yy the last two digits of the year. Only the years 1939 through 2038 can be expressed with the two-digit year.
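The shell helpers below are an added example and are not part of AIX or the certcreate command. They convert a readable "YYYY-MM-DD HH:MM" timestamp into the MMDDhhmmyy form that -s and -e expect, convert such a value back (applying the century pivot that the documented 1939 through 2038 range implies: yy 39..99 is 19yy, yy 00..38 is 20yy), and check that the end date falls after the start date before the two values are handed to certcreate. The function names are the example's own.

```shell
#!/bin/sh
# Added helpers (not part of AIX or certcreate) for the MMDDhhmmyy date
# strings used by certcreate -s and -e. Each function runs in a subshell
# so its IFS change and positional parameters do not leak to the caller.

# pki_date: "YYYY-MM-DD HH:MM" -> MMDDhhmmyy.
# Years outside 1939..2038 cannot be encoded in two digits and are rejected.
pki_date() (
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]\ [0-9][0-9]:[0-9][0-9]) ;;
        *) echo "pki_date: expected 'YYYY-MM-DD HH:MM', got '$1'" >&2; exit 1 ;;
    esac
    IFS='-: '
    set -- $1                       # -> year month day hour minute
    if [ "$1" -lt 1939 ] || [ "$1" -gt 2038 ]; then
        echo "pki_date: year $1 not representable; certcreate encodes 1939-2038 only" >&2
        exit 1
    fi
    # Calendar range checks; test(1) reads the zero-padded fields as decimal.
    if [ "$2" -lt 1 ] || [ "$2" -gt 12 ] || [ "$3" -lt 1 ] || [ "$3" -gt 31 ] \
       || [ "$4" -gt 23 ] || [ "$5" -gt 59 ]; then
        echo "pki_date: calendar field out of range in '$1-$2-$3 $4:$5'" >&2
        exit 1
    fi
    printf '%s%s%s%s%02d\n' "$2" "$3" "$4" "$5" $(($1 % 100))
)

# pki_date_to_iso: MMDDhhmmyy -> "YYYY-MM-DD HH:MM".
# Century pivot implied by the documented range: yy 39..99 -> 19yy, 00..38 -> 20yy.
pki_date_to_iso() (
    case "$1" in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) echo "pki_date_to_iso: expected 10 digits MMDDhhmmyy, got '$1'" >&2; exit 1 ;;
    esac
    s=$1
    mm=${s%????????}; s=${s#??}     # fixed-width slicing, two characters at a time
    dd=${s%??????};   s=${s#??}
    hh=${s%????};     s=${s#??}
    mi=${s%??};       yy=${s#??}
    if [ "$yy" -ge 39 ]; then century=19; else century=20; fi
    printf '%s%s-%s-%s %s:%s\n' "$century" "$yy" "$mm" "$dd" "$hh" "$mi"
)

# pki_sort_key: MMDDhhmmyy -> 12-digit YYYYMMDDhhmm, which orders chronologically.
pki_sort_key() (
    iso=$(pki_date_to_iso "$1") || exit 1
    IFS='-: '
    set -- $iso
    printf '%s%s%s%s%s\n' "$1" "$2" "$3" "$4" "$5"
)

# pki_validity_ok START END: succeed only when END is strictly after START,
# the check to run before passing the pair to certcreate -s/-e.
pki_validity_ok() (
    start=$(pki_sort_key "$1") || exit 1
    end=$(pki_sort_key "$2") || exit 1
    [ "$end" -gt "$start" ]
)

# Script usage: ./pki_dates.sh 'YYYY-MM-DD HH:MM' 'YYYY-MM-DD HH:MM'
# prints the -s/-e arguments, e.g. "-s 0831112702 -e 1231235902".
if [ "$#" -eq 2 ]; then
    start=$(pki_date "$1") && end=$(pki_date "$2") && pki_validity_ok "$start" "$end" \
        && printf '%s %s %s %s\n' -s "$start" -e "$end"
fi
```

The functions deliberately refuse input rather than guessing: a year such as 2040 has no two-digit encoding in this format, and a start date after the end date would otherwise be passed straight to certcreate.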

If the -f option is given, the new certificate is DER encoded and stored in the named file in binary form. Otherwise it is DER encoded and written to stdout, either in binary or in hexadecimal form: -b selects binary output and -t selects hexadecimal output. If neither -b nor -t is given, binary output is used, so redirect stdout to a file rather than letting raw DER reach the terminal.

The corresponding private key is stored in a private keystore or device, as required by the underlying commands or libraries. If the -p option is given, the private key is stored in the specified private keystore. If -p is not given, the default /var/pki/security/keys/<username> is used.

The -l option must be specified. The label is a variable-length text string used as an alias for the private key in the keystore.

The value of subject_alt_name is an Internet electronic mail address (RFC2459 defines this to be an rfc822Name). This value is optional; if none is provided, the certificate will not carry an rfc822Name subject alternative name extension. The subject_distinguished_name is restricted to the valid set of values for PKI certificates, which RFC2459 defines to be an X.501 type Name.

The certcreate command issues one or more prompts and requests a password in order to generate the certificate and store it in the user's private keystore. If the user has an existing keystore, the user is prompted once for its password. If the keystore does not exist, it is created and the user is asked to enter the password a second time for confirmation. The command fails if it cannot open /dev/tty for the current process, for example when run without a controlling terminal.

Flags

Item Description
-S servicename Specifies which service module to use.
-s startdate Specifies the date on which the certificate will become valid.
-e enddate Specifies the date on which the certificate will become invalid.
-f file Specifies the file in which the certificate will be stored.
-p privatekeystore Specifies the location of the private keystore.
-l label Specifies the label of the private key in the keystore.
-a subject_alt_name Specifies the subject alternative name of the certificate owner.
-b Specifies the format of the certificate data to be binary.
-t Specifies the format of the certificate data to be hexadecimal.

Exit Status

Item Description
0 The command completed successfully.
>0 An error occurred.

Security

This is a setuid command.

Root and invokers belonging to group security can create certificates for anyone. A non-privileged user can only create certificates for himself and, when specifying a private keystore location, must use one of the following:
  • The default private keystore: /var/pki/security/keys/<user-name>
  • A private keystore to which the invoker has write access.
A non-privileged user cannot request a certificate for others.

Audit

This command records the following event information:

CERT_Create <username>

Examples

$ certcreate -S local -s 0831112702 -e 1231235902 -f cert.der \
      -p file:/home/bob/bob.priv -l signcert -a bob@ibm.com \
      ou=finance,cn=Bob%20James bob
In the above example, the certificate is requested through the local service for user bob and is valid from August 31, 2002 11:27 AM until December 31, 2002 11:59 PM. The certificate is written to the file cert.der, and the private key is stored in the keystore /home/bob/bob.priv under the alias signcert.
The following example uses the defaults for the service, start date, end date, private keystore and output format. The binary DER certificate is written to stdout and redirected into cert.der; the distinguished name is quoted so that the shell passes it as a single argument.
$ certcreate -l signcert -a bob@ibm.com "ou=finance,cn=Bob James" > cert.der

Files

/usr/lib/security/pki/ca.cfg

/usr/lib/security/pki/policy.cfg