The certool management commands allow you to view, generate, and revoke certificates and to view information about certificates.

Generates a private and public key pair. Those files can then be used to generate a certificate that is signed by VMCA. You can use the certificate to provision machines or solution users.

Option                   Description
--genkey                 Required for generating a private and public key.
--privkey <keyfile>      Name of the private key file.
--pubkey <keyfile>       Name of the public key file.
--server <server>        Optional name of the VMCA server. By default, the command uses localhost.

Example:

certool --genkey --privkey=<filename> --pubkey=<filename>

Generates a certificate from the VMCA server. This command uses the information in certool.cfg or in the specified configuration file.

Option                   Description
--gencert                Required for generating a certificate.
--cert <certfile>        Name of the certificate file. This file must be in PEM encoded format.
--privkey <keyfile>      Name of the private key file. This file must be in PEM encoded format.
--config <config_file>   Optional name of the configuration file. Defaults to certool.cfg.
--server <server>        Optional name of the VMCA server. By default, the command uses localhost.

Example:

certool --gencert --privkey=<filename> --cert=<filename>

Prints the current root CA certificate in human-readable form. If you are running this command from a management node, use the machine name of the Platform Services Controller node to retrieve the root CA. This output is not usable as a certificate; it is converted into a human-readable form.

Option                   Description
--getrootca              Required for printing the root certificate.
--server <server>        Optional name of the VMCA server. By default, the command uses localhost.

Example:

certool --getrootca --server=remoteserver

Prints all the fields in a certificate in human-readable form.

Option                   Description
--viewcert               Required for viewing a certificate.
--cert <certfile>        Name of the certificate file to view. This file must be in PEM encoded format.

Example:

certool --viewcert --cert=<filename>

Lists all certificates that the VMCA server knows about. The required filter option lets you list all certificates or only revoked, active, or expired certificates.

Option                   Description
--enumcert               Required for listing all certificates.
--filter [all | active]  Required filter. Specify all or active. The revoked and expired options are not currently supported.

Example:

certool --enumcert --filter=active

Sends a specified certificate to the VMCA server to check whether the certificate has been revoked. Prints Certificate: REVOKED if the certificate is revoked, and Certificate: ACTIVE otherwise.

Option                   Description
--status                 Required to check the status of a certificate.
--cert <certfile>        Name of the certificate file whose status is checked. This file must be in PEM encoded format.
--server <server>        Optional name of the VMCA server. By default, the command uses localhost.

Example:

certool --status --cert=<filename>
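The --genkey, --gencert and --status commands above form a provisioning workflow. The following added example (not from the certool documentation) is a POSIX shell wrapper that runs them in order and refuses to hand out the files unless both are PEM encoded and the VMCA server reports the certificate as ACTIVE. The CERTOOL and VMCA_SERVER variables and the function names are assumptions.

```shell
# Added example: drive certool for machine provisioning and verify the result.
# Assumptions: CERTOOL names the certool binary; VMCA_SERVER is the
# Platform Services Controller host (localhost by default, as in certool).
CERTOOL="${CERTOOL:-certool}"
VMCA_SERVER="${VMCA_SERVER:-localhost}"

# Return 0 if the file looks PEM encoded (the format --gencert requires
# for both the private key and the certificate), 1 otherwise.
is_pem_file() {
    [ -s "$1" ] || return 1
    head -n 1 "$1" | grep -q '^-----BEGIN .*-----$'
}

# Map the output of 'certool --status' ("Certificate: ACTIVE" or
# "Certificate: REVOKED") to a single word; anything else is UNKNOWN.
status_from_output() {
    case "$1" in
        *"Certificate: REVOKED"*) echo REVOKED ;;
        *"Certificate: ACTIVE"*)  echo ACTIVE ;;
        *)                        echo UNKNOWN ;;
    esac
}

# Generate a key pair, request a VMCA-signed certificate (using certool.cfg),
# then check format and revocation status before the files are used.
provision_cert() {
    privkey="$1"; pubkey="$2"; cert="$3"
    "$CERTOOL" --genkey --privkey="$privkey" --pubkey="$pubkey" \
        --server="$VMCA_SERVER" || return 1
    "$CERTOOL" --gencert --privkey="$privkey" --cert="$cert" \
        --server="$VMCA_SERVER" || return 1
    is_pem_file "$privkey" && is_pem_file "$cert" || {
        echo "key or certificate is not PEM encoded" >&2; return 1; }
    out=$("$CERTOOL" --status --cert="$cert" --server="$VMCA_SERVER")
    [ "$(status_from_output "$out")" = ACTIVE ] || {
        echo "certificate is not ACTIVE: $out" >&2; return 1; }
    # Show the issued certificate fields for the operator's record.
    "$CERTOOL" --viewcert --cert="$cert"
}
```

Call as `provision_cert machine.key machine.pub machine.crt`; a non-zero exit means the files must not be deployed.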

Generates a self-signed certificate based on the values in the configuration file. This command generates a certificate that is predated by three days to avoid time zone conflicts.

Option                   Description
--genselfcacert          Required for generating a self-signed certificate.
--outcert <cert_file>    Name of the certificate file. This file must be in PEM encoded format.
--outprivkey <key_file>  Name of the private key file. This file must be in PEM encoded format.
--config <config_file>   Optional name of the configuration file. Defaults to certool.cfg.

Example:

certool --genselfcacert --outprivkey=<filename> --outcert=<filename>