@pindex certtool
@ignore
# -*- buffer-read-only: t -*- vi: set ro:
-#
+#
# DO NOT EDIT THIS FILE (invoke-certtool.texi)
-#
-# It has been AutoGen-ed October 31, 2013 at 10:38:26 AM by AutoGen 5.17
+#
+# It has been AutoGen-ed November 5, 2013 at 09:16:08 PM by AutoGen 5.18
# From the definitions ../src/certtool-args.def
# and the template file agtexi-cmd.tpl
@end ignore
@exampleindent 0
@example
-certtool - GnuTLS certificate tool - Ver. @@VERSION@@
-USAGE: certtool [ -<flag> [<val>] | --<name>[@{=| @}<val>] ]...
+certtool - GnuTLS certificate tool
+Usage: certtool [ -<flag> [<val>] | --<name>[@{=| @}<val>] ]...
- -d, --debug=num Enable debugging.
+ -d, --debug=num Enable debugging
- it must be in the range:
0 to 9999
-V, --verbose More verbose output
-p, --generate-privkey Generate a private key
-q, --generate-request Generate a PKCS #10 certificate request
- prohibits the option 'infile'
- -e, --verify-chain Verify a PEM encoded certificate chain.
- --verify Verify a PEM encoded certificate chain using a trusted list.
+ -e, --verify-chain Verify a PEM encoded certificate chain
+ --verify Verify a PEM encoded certificate chain using a trusted list
- requires the option 'load-ca-certificate'
- --verify-crl Verify a CRL using a trusted list.
+ --verify-crl Verify a CRL using a trusted list
- requires the option 'load-ca-certificate'
- --generate-dh-params Generate PKCS #3 encoded Diffie-Hellman parameters.
- --get-dh-params Get the included PKCS #3 encoded Diffie-Hellman parameters.
+ --generate-dh-params Generate PKCS #3 encoded Diffie-Hellman parameters
+ --get-dh-params Get the included PKCS #3 encoded Diffie-Hellman parameters
--dh-info Print information PKCS #3 encoded Diffie-Hellman parameters
--load-privkey=str Loads a private key file
--load-pubkey=str Loads a public key file
--rsa Generate RSA key
--dsa Generate DSA key
--ecc Generate ECC (ECDSA) key
- --ecdsa This is an alias for 'ecc'
- --hash=str Hash algorithm to use for signing.
- --inder Use DER format for input certificates and private keys.
+ --ecdsa an alias for the 'ecc' option
+ --hash=str Hash algorithm to use for signing
+ --inder Use DER format for input certificates and private keys
- disabled as '--no-inder'
- --inraw This is an alias for 'inder'
+ --inraw an alias for the 'inder' option
--outder Use DER format for output certificates and private keys
- disabled as '--no-outder'
- --outraw This is an alias for 'outder'
+ --outraw an alias for the 'outder' option
--bits=num Specify the number of bits for key generate
- --sec-param=str Specify the security level [low, legacy, normal, high, ultra].
+ --sec-param=str Specify the security level [low, legacy, normal, high, ultra]
--disable-quick-random No effect
--template=file Template file to use for non-interactive operation
- file must pre-exist
--pkcs-cipher=str Cipher to use for PKCS #8 and #12 operations
- -v, --version[=arg] Output version information and exit
- -h, --help Display extended usage information and exit
- -!, --more-help Extended usage information passed thru pager
+ -v, --version[=arg] output version information and exit
+ -h, --help display extended usage information and exit
+ -!, --more-help extended usage information passed thru pager
Options are specified by doubled hyphens and their name or by a single
hyphen and the flag character.
-
-
Tool to parse and generate X.509 certificates, requests and private keys.
It can be used interactively or non interactively by specifying the
template command line option.
@anchor{certtool debug}
@subsubheading debug option (-d)
-This is the ``enable debugging.'' option.
+This is the ``enable debugging'' option.
This option takes an argument number.
Specifies the debug level.
@anchor{certtool generate-request}
@anchor{certtool verify-chain}
@subsubheading verify-chain option (-e)
-This is the ``verify a pem encoded certificate chain.'' option.
+This is the ``verify a pem encoded certificate chain'' option.
The last certificate in the chain must be a self signed one.
@anchor{certtool verify}
@subsubheading verify option
-This is the ``verify a pem encoded certificate chain using a trusted list.'' option.
+This is the ``verify a pem encoded certificate chain using a trusted list'' option.
@noindent
This option has some usage constraints. It:
@anchor{certtool verify-crl}
@subsubheading verify-crl option
-This is the ``verify a crl using a trusted list.'' option.
+This is the ``verify a crl using a trusted list'' option.
@noindent
This option has some usage constraints. It:
@anchor{certtool get-dh-params}
@subsubheading get-dh-params option
-This is the ``get the included pkcs #3 encoded diffie-hellman parameters.'' option.
+This is the ``get the included pkcs #3 encoded diffie-hellman parameters'' option.
Returns stored DH parameters in GnuTLS. Those parameters are used in the SRP protocol. The parameters returned by fresh generation
are more efficient since GnuTLS 3.0.9.
@anchor{certtool load-privkey}
@anchor{certtool ecdsa}
@subsubheading ecdsa option
-This is an alias for the ecc option,
+This is an alias for the @code{ecc} option,
@pxref{certtool ecc, the ecc option documentation}.
@anchor{certtool hash}
@subsubheading hash option
-This is the ``hash algorithm to use for signing.'' option.
+This is the ``hash algorithm to use for signing'' option.
This option takes an argument string.
Available hash functions are SHA1, RMD160, SHA256, SHA384, SHA512.
@anchor{certtool inder}
@subsubheading inder option
-This is the ``use der format for input certificates and private keys.'' option.
+This is the ``use der format for input certificates and private keys'' option.
The input files will be assumed to be in DER or RAW format.
Unlike options that in PEM input would allow multiple input data (e.g. multiple
certificates), when reading in DER format a single data structure is read.
@anchor{certtool inraw}
@subsubheading inraw option
-This is an alias for the inder option,
+This is an alias for the @code{inder} option,
@pxref{certtool inder, the inder option documentation}.
@anchor{certtool outder}
@anchor{certtool outraw}
@subsubheading outraw option
-This is an alias for the outder option,
+This is an alias for the @code{outder} option,
@pxref{certtool outder, the outder option documentation}.
@anchor{certtool sec-param}
@subsubheading sec-param option
-This is the ``specify the security level [low, legacy, normal, high, ultra].'' option.
+This is the ``specify the security level [low, legacy, normal, high, ultra]'' option.
This option takes an argument string @file{Security parameter}.
This is alternative to the bits option.
@anchor{certtool pkcs-cipher}
@anchor{certtool See Also}
@subsubheading certtool See Also
p11tool (1)
-
@anchor{certtool Examples}
@subsubheading certtool Examples
@subsubheading Generating private keys
@example
$ certtool --verify-crl --load-ca-certificate x509-ca.pem < crl.pem
@end example
-
@anchor{certtool Files}
@subsubheading certtool Files
@subsubheading Certtool's template file format
#crl_number = 5
@end example
-
-
#
# DO NOT EDIT THIS FILE (invoke-danetool.texi)
#
-# It has been AutoGen-ed May 5, 2013 at 03:51:58 PM by AutoGen 5.17.3
+# It has been AutoGen-ed November 5, 2013 at 09:15:18 PM by AutoGen 5.18
# From the definitions ../src/danetool-args.def
# and the template file agtexi-cmd.tpl
@end ignore
danetool - GnuTLS DANE tool
Usage: danetool [ -<flag> [<val>] | --<name>[@{=| @}<val>] ]...
- -d, --debug=num Enable debugging.
+ -d, --debug=num Enable debugging
- it must be in the range:
0 to 9999
-V, --verbose More verbose output
--load-pubkey=str Loads a public key file
--load-certificate=str Loads a certificate file
--dlv=str Sets a DLV file
- --hash=str Hash algorithm to use for signing.
- --check=str Check a host's DANE TLSA entry.
- --check-ee Check only the end-entity's certificate.
- --check-ca Check only the CA's certificate.
- --insecure Do not verify any DNSSEC signature.
- --local-dns Use the local DNS server for DNSSEC resolving.
+ --hash=str Hash algorithm to use for signing
+ --check=str Check a host's DANE TLSA entry
+ --check-ee Check only the end-entity's certificate
+ --check-ca Check only the CA's certificate
+ --insecure Do not verify any DNSSEC signature
+ --local-dns Use the local DNS server for DNSSEC resolving
- disabled as '--no-local-dns'
- --inder Use DER format for input certificates and private keys.
+ --inder Use DER format for input certificates and private keys
- disabled as '--no-inder'
--inraw an alias for the 'inder' option
--tlsa-rr Print the DANE RR data on a certificate or public key
- requires the option 'host'
--host=str Specify the hostname to be used in the DANE RR
--proto=str The protocol set for DANE data (tcp, udp etc.)
- --port=num Specify the port number for the DANE data.
+ --port=num Specify the port number for the DANE data
--ca Whether the provided certificate or public key is a Certificate
-Authority.
- --x509 Use the hash of the X.509 certificate, rather than the public key.
+Authority
+ --x509 Use the hash of the X.509 certificate, rather than the public key
--local an alias for the 'domain' option
- enabled by default
- --domain The provided certificate or public key is issued by the local domain.
+ --domain The provided certificate or public key is issued by the local domain
- disabled as '--no-domain'
- enabled by default
-v, --version[=arg] output version information and exit
@anchor{danetool debug}
@subsubheading debug option (-d)
-This is the ``enable debugging.'' option.
+This is the ``enable debugging'' option.
This option takes an argument number.
Specifies the debug level.
@anchor{danetool load-pubkey}
@anchor{danetool hash}
@subsubheading hash option
-This is the ``hash algorithm to use for signing.'' option.
+This is the ``hash algorithm to use for signing'' option.
This option takes an argument string.
Available hash functions are SHA1, RMD160, SHA256, SHA384, SHA512.
@anchor{danetool check}
@subsubheading check option
-This is the ``check a host's dane tlsa entry.'' option.
+This is the ``check a host's dane tlsa entry'' option.
This option takes an argument string.
Obtains the DANE TLSA entry from the given hostname and prints information. Note that the actual certificate of the host has to be provided using --load-certificate.
@anchor{danetool check-ee}
@subsubheading check-ee option
-This is the ``check only the end-entity's certificate.'' option.
+This is the ``check only the end-entity's certificate'' option.
Checks the end-entity's certificate only. Trust anchors or CAs are not considered.
@anchor{danetool check-ca}
@subsubheading check-ca option
-This is the ``check only the ca's certificate.'' option.
+This is the ``check only the ca's certificate'' option.
Checks the trust anchor's and CA's certificate only. End-entities are not considered.
@anchor{danetool insecure}
@subsubheading insecure option
-This is the ``do not verify any dnssec signature.'' option.
+This is the ``do not verify any dnssec signature'' option.
Ignores any DNSSEC signature verification results.
@anchor{danetool local-dns}
@subsubheading local-dns option
-This is the ``use the local dns server for dnssec resolving.'' option.
+This is the ``use the local dns server for dnssec resolving'' option.
This option will use the local DNS server for DNSSEC.
This is disabled by default due to many servers not allowing DNSSEC.
@anchor{danetool inder}
@subsubheading inder option
-This is the ``use der format for input certificates and private keys.'' option.
+This is the ``use der format for input certificates and private keys'' option.
The input files will be assumed to be in DER or RAW format.
Unlike options that in PEM input would allow multiple input data (e.g. multiple
certificates), when reading in DER format a single data structure is read.
@anchor{danetool ca}
@subsubheading ca option
-This is the ``whether the provided certificate or public key is a certificate authority.'' option.
+This is the ``whether the provided certificate or public key is a certificate authority'' option.
Marks the DANE RR as a CA certificate if specified.
@anchor{danetool x509}
@subsubheading x509 option
-This is the ``use the hash of the x.509 certificate, rather than the public key.'' option.
+This is the ``use the hash of the x.509 certificate, rather than the public key'' option.
This option forces the generated record to contain the hash of the full X.509 certificate. By default only the hash of the public key is used.
@anchor{danetool local}
@subsubheading local option
@anchor{danetool domain}
@subsubheading domain option
-This is the ``the provided certificate or public key is issued by the local domain.'' option.
+This is the ``the provided certificate or public key is issued by the local domain'' option.
@noindent
This option has some usage constraints. It:
@pindex gnutls-cli
@ignore
# -*- buffer-read-only: t -*- vi: set ro:
-#
+#
# DO NOT EDIT THIS FILE (invoke-gnutls-cli.texi)
-#
-# It has been AutoGen-ed October 23, 2013 at 12:34:45 PM by AutoGen 5.17
+#
+# It has been AutoGen-ed November 5, 2013 at 09:16:06 PM by AutoGen 5.18
# From the definitions ../src/cli-args.def
# and the template file agtexi-cmd.tpl
@end ignore
@exampleindent 0
@example
-gnutls-cli - GnuTLS client - Ver. @@VERSION@@
-USAGE: gnutls-cli [ -<flag> [<val>] | --<name>[@{=| @}<val>] ]... [hostname]
+gnutls-cli - GnuTLS client
+Usage: gnutls-cli [ -<flag> [<val>] | --<name>[@{=| @}<val>] ]... [hostname]
- -d, --debug=num Enable debugging.
+ -d, --debug=num Enable debugging
- it must be in the range:
0 to 9999
-V, --verbose More verbose output
- disabled as '--no-tofu'
--dane Enable DANE certificate verification (DNSSEC)
- disabled as '--no-dane'
- --local-dns Use the local DNS server for DNSSEC resolving.
+ --local-dns Use the local DNS server for DNSSEC resolving
- disabled as '--no-local-dns'
--ca-verification Disable CA certificate verification
- disabled as '--no-ca-verification'
- disabled as '--no-ocsp'
-r, --resume Establish a session and resume
-e, --rehandshake Establish a session and rehandshake
- -s, --starttls Connect, establish a plain session and start TLS.
+ -s, --starttls Connect, establish a plain session and start TLS
-u, --udp Use DTLS (datagram TLS) over UDP
--mtu=num Set MTU for datagram TLS
- it must be in the range:
--inline-commands Inline commands of the form ^<cmd>^
--inline-commands-prefix=str Change the default (^) used as a delimiter for inline commands. The
value is a single US-ASCII character (octets 0 - 127).
- -v, --version[=arg] Output version information and exit
- -h, --help Display extended usage information and exit
- -!, --more-help Extended usage information passed thru pager
+ -v, --version[=arg] output version information and exit
+ -h, --help display extended usage information and exit
+ -!, --more-help extended usage information passed thru pager
Options are specified by doubled hyphens and their name or by a single
hyphen and the flag character.
Operands and options may be intermixed. They will be reordered.
-
-
Simple client program to set up a TLS connection to some other computer. It
sets up a TLS connection and forwards data from the standard input to the
secured socket and vice versa.
@anchor{gnutls-cli debug}
@subheading debug option (-d)
-This is the ``enable debugging.'' option.
+This is the ``enable debugging'' option.
This option takes an argument number.
Specifies the debug level.
@anchor{gnutls-cli tofu}
@anchor{gnutls-cli local-dns}
@subheading local-dns option
-This is the ``use the local dns server for dnssec resolving.'' option.
+This is the ``use the local dns server for dnssec resolving'' option.
This option will use the local DNS server for DNSSEC.
This is disabled by default due to many servers not allowing DNSSEC.
@anchor{gnutls-cli ca-verification}
@anchor{gnutls-cli starttls}
@subheading starttls option (-s)
-This is the ``connect, establish a plain session and start tls.'' option.
+This is the ``connect, establish a plain session and start tls'' option.
The TLS session will be initiated when EOF or a SIGALRM is received.
@anchor{gnutls-cli dh-bits}
@subheading dh-bits option
@anchor{gnutls-cli See Also}
@subheading gnutls-cli See Also
gnutls-cli-debug(1), gnutls-serv(1)
-
@anchor{gnutls-cli Examples}
@subheading gnutls-cli Examples
@subheading Connecting using PSK authentication
Elliptic curves: CURVE-SECP384R1, CURVE-SECP521R1
PK-signatures: SIGN-RSA-SHA384, SIGN-ECDSA-SHA384, SIGN-RSA-SHA512, SIGN-ECDSA-SHA512
@end example
-
#
# DO NOT EDIT THIS FILE (invoke-psktool.texi)
#
-# It has been AutoGen-ed May 5, 2013 at 03:51:57 PM by AutoGen 5.17.3
+# It has been AutoGen-ed November 5, 2013 at 09:15:17 PM by AutoGen 5.18
# From the definitions ../src/psk-args.def
# and the template file agtexi-cmd.tpl
@end ignore
psktool - GnuTLS PSK tool
Usage: psktool [ -<flag> [<val>] | --<name>[@{=| @}<val>] ]...
- -d, --debug=num Enable debugging.
+ -d, --debug=num Enable debugging
- it must be in the range:
0 to 9999
-s, --keysize=num specify the key size in bytes
- it must be in the range:
0 to 512
-u, --username=str specify a username
- -p, --passwd=str specify a password file.
+ -p, --passwd=str specify a password file
-v, --version[=arg] output version information and exit
-h, --help display extended usage information and exit
-!, --more-help extended usage information passed thru pager
@anchor{psktool debug}
@subsubheading debug option (-d)
-This is the ``enable debugging.'' option.
+This is the ``enable debugging'' option.
This option takes an argument number.
Specifies the debug level.
@anchor{psktool exit status}
@pindex srptool
@ignore
# -*- buffer-read-only: t -*- vi: set ro:
-#
+#
# DO NOT EDIT THIS FILE (invoke-srptool.texi)
-#
-# It has been AutoGen-ed October 4, 2013 at 07:16:06 PM by AutoGen 5.17
+#
+# It has been AutoGen-ed November 5, 2013 at 09:22:58 PM by AutoGen 5.18
# From the definitions ../src/srptool-args.def
# and the template file agtexi-cmd.tpl
@end ignore
@exampleindent 0
@example
-srptool - GnuTLS SRP tool - Ver. @@VERSION@@
-USAGE: srptool [ -<flag> [<val>] | --<name>[@{=| @}<val>] ]...
+srptool - GnuTLS SRP tool
+Usage: srptool [ -<flag> [<val>] | --<name>[@{=| @}<val>] ]...
- -d, --debug=num Enable debugging.
+ -d, --debug=num Enable debugging
- it must be in the range:
0 to 9999
- -i, --index=num specify the index of the group parameters in tpasswd.conf to use.
+ -i, --index=num specify the index of the group parameters in tpasswd.conf to use
-u, --username=str specify a username
- -p, --passwd=str specify a password file.
- -s, --salt=num specify salt size.
+ -p, --passwd=str specify a password file
+ -s, --salt=num specify salt size
--verify just verify the password.
-v, --passwd-conf=str specify a password conf file.
--create-conf=str Generate a password configuration file.
- -v, --version[=arg] Output version information and exit
- -h, --help Display extended usage information and exit
- -!, --more-help Extended usage information passed thru pager
+ -v, --version[=arg] output version information and exit
+ -h, --help display extended usage information and exit
+ -!, --more-help extended usage information passed thru pager
Options are specified by doubled hyphens and their name or by a single
hyphen and the flag character.
-
-
Simple program that emulates the programs in the Stanford SRP (Secure
Remote Password) libraries using GnuTLS. It is intended for use in places
where you don't expect SRP authentication to be the used for system users.
@anchor{srptool debug}
@subsubheading debug option (-d)
-This is the ``enable debugging.'' option.
+This is the ``enable debugging'' option.
This option takes an argument number.
Specifies the debug level.
@anchor{srptool verify}
@anchor{srptool See Also}
@subsubheading srptool See Also
gnutls-cli-debug (1), gnutls-serv (1), srptool (1), psktool (1), certtool (1)
-
@anchor{srptool Examples}
@subsubheading srptool Examples
To create @file{tpasswd.conf} which holds the g and n values for SRP protocol
@example
$ srptool --passwd /etc/tpasswd --passwd\-conf /etc/tpasswd.conf --verify -u test
@end example
-