CREATE-CERT(8)            BSD System Manager's Manual           CREATE-CERT(8)

NAME
     create-cert — create openssl client key and certificates

SYNOPSIS
     create-cert [-nv] [-c config] -I
     create-cert [-nv] [-c config] -C cert
     create-cert [-nv] [-c config] -R
     create-cert [-fnv] [-c config] FQDN

DESCRIPTION
     create-cert is a script that uses openssl(1) to create a self-signed root
     CA and, signed by that root CA, host certificates and private keys for
     fully qualified domain names (FQDNs).

     A configuration file specifies the certificate attributes.  The -I flag
     creates an initial version of this file.  The user may optionally
     customize this file before running create-cert with the -R flag, which
     creates a self-signed rootca cert and key.

     Once a valid configuration file and the rootca cert and key files are all
     present, create-cert can be used to create cert and key files for a FQDN.
     The name must contain at least one ‘.’; use the -f flag to override this
     restriction.

     Key files are created without group or world read permissions.  The
     script always refuses to overwrite existing files. If c_rehash is found
     on the user's PATH, it is used to hash the directory after a host cert is

     Here are the command line options:

     -c config  Specify the configuration file; defaults to create-cert.conf.

     -C cert    Like -I, creates an initial configuration file but populates
                the values from an existing X509 certificate file cert.  This
                is a handy way to bootstrap an old tree of self-signed certs
                for use with create-cert.

     -f         Normally, create-cert requires FQDNs. The -f flag removes this

     -I         Create an initial configuration file; see the description for
                the -c flag for more details about the filename used.

     -n         Show the shell commands but do not execute them (aka dry run).

     -R         Create a self-signed rootca cert and private key.

     -v         Increase verbosity.

     Here are the configuration options that may be used in create-cert.conf.

     country       The two character country code.

     state         The State or province.

     city          The City or locality.

     organization  The name of the organization or company.

     authority     The name of the authority.

     rootname      The root certificate authority name.

     email         The email address of the organization.

     bits          Size of the key in bits. Keys smaller than 2048 are not

     digest        The message digest algorithm used to sign certificates.
                   Possible values include md2, md5, mdc2, rmd160, sha, sha1,
                   sha224, sha256, sha384 and sha512.  sha256 or stronger is
                   recommended: md5 and sha1 signatures are rejected by current
                   browsers and operating systems, and in particular iPhones
                   reject md5-signed certificates due to the weakness of that
                   hash algorithm.

     days          The validity period of host certificates in days.  The
                   default is 3650 (10 years).

     Here's an example workflow using create-cert to create a new rootca and
     host certs and keys (uninteresting output from openssl has been removed):

           % create-cert -I
           create-cert: Creating a default in create-cert.conf
           % vi create-cert.conf
           % create-cert -R
           create-cert: Creating the key for the new rootca
           create-cert: Creating temporary rootca config
           create-cert: Creating the cert for the new rootca
           create-cert: Creating the database file for the new rootca
           create-cert: Creating the serial file for the new rootca
           % create-cert
           create-cert: Creating the key for
           create-cert: Create a cert config for
           create-cert: Create a CSR config for
           create-cert: Create a CSR for
           create-cert: Sign the certificate request for
           create-cert: Verify the the csr for
           create-cert: Remove junk we don't need
           create-cert: Rehashing the cert directory
           create-cert: Cert and key for successfully created
           % create-cert
           create-cert: Creating the key for
           create-cert: Cert and key for successfully created
           % find . -type f

     Here are some examples of the error checking:

           % create-cert -I
           create-cert: Error: create-cert.conf exists
           % create-cert -R
           create-cert: Error: private/rootca.key exists
           create-cert: Error: certs/rootca.pem exists
           % create-cert
           create-cert: Error: private/ exists
           create-cert: Error: certs/ exists
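     The following is an added illustration, not the create-cert script
     itself: the openssl(1) steps behind the -I, -R and FQDN runs shown above,
     written as shell functions that apply the same safeguards the manual
     describes (the FQDN check and its -f override, refusal to overwrite
     existing files, private keys created without group or world read
     permission, and a rehash of the cert directory).  The function names,
     the shell-sourceable key="value" layout of create-cert.conf, the use of
     rootname as the rootca's CN and the subjectAltName extension added to
     host certs are this example's own choices and are not documented for
     create-cert.

```sh
#!/bin/sh
# Added example (not the create-cert script): openssl(1) steps for a
# create-cert-style workflow.  Function names, the key="value" config format,
# rootname-as-CN and the subjectAltName extension are assumptions of this
# example.  The file layout follows the FILES section of the manual.
set -u

# Write a starting config (the role of -I); edit it before creating the rootca.
mk_conf() {
    [ -e "$1" ] && { echo "Error: $1 exists" >&2; return 1; }
    cat > "$1" <<'EOF'
country="US"
state="California"
city="Berkeley"
organization="Example Org"
authority="Example Certificate Authority"
rootname="Example Root CA"
email="hostmaster@example.com"
bits="2048"
digest="sha256"
days="3650"
EOF
}

# A FQDN must contain at least one '.'; -f (force=1 below) lifts the check.
is_fqdn() { case "$1" in *.*) return 0 ;; *) return 1 ;; esac; }

# create-cert never clobbers anything: report every file that already exists.
refuse_existing() {
    rc=0
    for f in "$@"; do
        [ -e "$f" ] && { echo "Error: $f exists" >&2; rc=1; }
    done
    return $rc
}

# Subject DN built from the config variables; $1 becomes the CN.
subject() {
    printf '/C=%s/ST=%s/L=%s/O=%s/emailAddress=%s/CN=%s' \
        "$country" "$state" "$city" "$organization" "$email" "$1"
}

# Private keys are written under umask 077, so they end up mode 0600.
mk_key() { (umask 077 && openssl genrsa -out "$1" "$bits" 2>/dev/null); }

mk_rootca() {   # the -R step
    refuse_existing private/rootca.key certs/rootca.pem || return 1
    mkdir -p private certs || return 1
    mk_key private/rootca.key || return 1
    openssl req -x509 -new -key private/rootca.key -"$digest" -days "$days" \
        -subj "$(subject "$rootname")" -out certs/rootca.pem || return 1
    : > certs/rootca.index          # certificate database file
    echo 01 > private/serial        # certificate serial number file
}

mk_host() {   # the FQDN step; set force=1 to get the -f behaviour
    fqdn=$1
    if ! is_fqdn "$fqdn" && [ "${force:-0}" != 1 ]; then
        echo "Error: $fqdn is not a fully qualified domain name" >&2
        return 1
    fi
    [ -f certs/rootca.pem ] || { echo "Error: no rootca; run -R first" >&2; return 1; }
    refuse_existing "private/$fqdn.key" "certs/$fqdn.pem" || return 1
    mk_key "private/$fqdn.key" || return 1
    openssl req -new -key "private/$fqdn.key" -"$digest" \
        -subj "$(subject "$fqdn")" -out "certs/$fqdn.csr" || return 1
    # Current clients match the host name against subjectAltName, not the CN.
    printf 'subjectAltName=DNS:%s\n' "$fqdn" > "certs/$fqdn.ext"
    openssl x509 -req -in "certs/$fqdn.csr" -CA certs/rootca.pem \
        -CAkey private/rootca.key -CAserial private/serial -"$digest" \
        -days "$days" -extfile "certs/$fqdn.ext" -out "certs/$fqdn.pem" \
        2>/dev/null || return 1
    rm -f "certs/$fqdn.csr" "certs/$fqdn.ext"   # remove junk we don't need
    openssl verify -CAfile certs/rootca.pem "certs/$fqdn.pem" || return 1
    if command -v c_rehash >/dev/null 2>&1; then c_rehash certs >/dev/null 2>&1
    else openssl rehash certs >/dev/null 2>&1; fi
    return 0
}

# Usage, in an empty directory:
#   mk_conf create-cert.conf && vi create-cert.conf
#   . ./create-cert.conf && mk_rootca && mk_host www.example.com
```

     Every step returns non-zero on the first problem, so the overwrite
     refusal cannot be skipped by a caller that has set -e switched off, and
     the key is generated inside a subshell so the umask change does not leak
     into the caller's environment.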

FILES
     create-cert.conf    create-cert configuration file
     certs               public certs directory
     certs/rootca.index  certificate database file
     certs/rootca.pem    rootca public cert file
     private             private key directory
     private/rootca.key  rootca private key file
     private/serial      certificate serial number file


AUTHORS
     Craig Leres

BSD                            17 September 2016                           BSD