"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [

]>

<refentry>

  <refentryinfo>

    <date>&dat;;</date>

    <title>Cryptography Utilities</title>

    <productname>crypto-utils</productname>

    <productnumber>&version;</productnumber>

  </refentryinfo>

  <refmeta>

    <refentrytitle>genkey</refentrytitle>

    <manvolnum>1</manvolnum>

  </refmeta>

  <refnamediv>

    <refname>genkey</refname>

    <refpurpose>generate SSL certificates and certificate requests</refpurpose>

  </refnamediv>

  <refsynopsisdiv>

    <cmdsynopsis>

      <command>genkey</command>

      <arg><option>--test</option></arg>

      <arg><option>--days <replaceable>count</replaceable></option></arg>

      <group>

        <arg><option>--genreq</option></arg>

        <arg><option>--makeca</option></arg>

        <arg><option>--nss</option></arg>

        <arg><option>--renew</option></arg>

        <arg><option>--cacert</option></arg>

      </group>

      <arg choice="req"><replaceable>hostname</replaceable></arg>

    </cmdsynopsis>

  </refsynopsisdiv>

  <refsect1>

    <title>Description</title>

    <para><command>genkey</command> is an interactive command-line

    tool which can be used to generate SSL certificates or Certificate

    Signing Requests (CSR).  Generated certificates are stored in the

    directory <filename>/etc/pki/tls/certs/</filename>, and the

    corresponding private key in

    <filename>/etc/pki/tls/private/</filename>. </para>

    <para>When using mod_nss the private key is stored in the

    nss database. Consult the nss.conf file in

    <filename>/etc/httpd/conf.d/</filename>

    for the location of the database. </para>

    <para><command>genkey</command> will prompt for the size of key

    desired; whether or not to generate a CSR; whether or not an

    encrypted private key is desired; the certificate subject DN

    details.</para>

    <para><command>genkey</command> generates random data for the

    private key using the truerand library and also by prompting the

    user for entry of random text.</para>

    <para><option>nss</option> indicates that mod_nss database 

    should be used to store keys and certificates.</para>

  </refsect1>

  <refsect1>

    <title>Options</title>

    <variablelist>

      <varlistentry>

        <term><option>--makeca</option></term>

        <listitem><simpara>Generate a Certificate Authority

        keypair and certificate.</simpara></listitem>

      </varlistentry>

      <varlistentry>

        <term><option>--genreq</option></term>

        <listitem><simpara>Generate a Certificate Signing Request for

        an existing private key, which can be submitted to a CA (for

        example, for renewal).</simpara></listitem>

      </varlistentry>

      <varlistentry>

        <term><option>--renew</option></term>

        <listitem><simpara>Used with --genreq to indicate a renewal,

        the existing keypair will be used. Certs and keys must reside

        in the nss database, therefore --nss is also required. Pem file

        based cert renewal is not currently supported.</simpara></listitem>

      </varlistentry>

      <varlistentry>

        <term><option>--cacert</option></term>

        <listitem><simpara>The certificate renewal is for a CA, needed for openssl certs only.</simpara></listitem>

      </varlistentry>

      <varlistentry>

        <term><option>--days</option> <replaceable>count</replaceable></term>

        <listitem><simpara>When generating a self-signed certificate,

        specify that the number of days for which the certificate is

        valid be <replaceable>count</replaceable> rather than the default

        value of 30.</simpara></listitem>

      </varlistentry>

      <varlistentry>

        <term><option>--test</option></term>

        <listitem><simpara>For test purposes only; omit the slow

        process of generating random data.</simpara></listitem>

      </varlistentry>

    </variablelist>

  </refsect1>

  <refsect1>

    <title>Examples</title>

    <para>The following example will create a self-signed certificate

    and private key for the hostname

    <literal>www.example.com</literal>:

      <programlisting>

        # genkey --days 120 www.example.com

      </programlisting>

    </para>

    <para>The following example will create a self-signed certificate

    and private key for the hostname <literal>www.nssexample.com</literal>

    which will be stored in cert and key in the nss database. If no nickname

    is given the tool will extract it from mod_nss's nss configuration file.

      <programlisting>

        # genkey --days --nss 120 www.nssexample.com

      </programlisting>

    </para>

    <para>The following example will generate a certificate signing

     request for a new mod_nss style cert specified by its nickname, 

    <literal>Server-Cert</literal>:

      <programlisting>

        # genkey --genreq --nss --days 120 Server-Cert

      </programlisting>

    </para>

    <para>The following example will generate a certificate signing request

    for the renewal of an existing mod_nss cert specified by its nickname, 

    <literal>Server-Cert</literal>:

      <programlisting>

        # genkey --genreq --renew --nss --days 120 Server-Cert

      </programlisting>

    </para>

  </refsect1>    

  <refsect1>

    <title>Files</title>

    <para><filename>/etc/pki/tls/openssl.cnf</filename></para>

  </refsect1>

  <refsect1>

    <title>See also</title>

    <para>certwatch(1), keyrand(1)</para>

  </refsect1>

</refentry>

-->