+++ /dev/null
-@node certtool Invocation
-@subsection Invoking certtool
-@pindex certtool
-@ignore
-# -*- buffer-read-only: t -*- vi: set ro:
-#
-# DO NOT EDIT THIS FILE (invoke-certtool.texi)
-#
-# It has been AutoGen-ed November 24, 2013 at 09:50:55 AM by AutoGen 5.18.2
-# From the definitions ../src/certtool-args.def
-# and the template file agtexi-cmd.tpl
-@end ignore
-
-
-Tool to parse and generate X.509 certificates, requests and private keys.
-It can be used interactively or non interactively by
-specifying the template command line option.
-
-This section was generated by @strong{AutoGen},
-using the @code{agtexi-cmd} template and the option descriptions for the @code{certtool} program.
-This software is released under the GNU General Public License, version 3 or later.
-
-
-@anchor{certtool usage}
-@subsubheading certtool help/usage (@option{--help})
-@cindex certtool help
-
-This is the automatically generated usage text for certtool.
-
-The text printed is the same whether selected with the @code{help} option
-(@option{--help}) or the @code{more-help} option (@option{--more-help}). @code{more-help} will print
-the usage text by passing it through a pager program.
-@code{more-help} is disabled on platforms without a working
-@code{fork(2)} function. The @code{PAGER} environment variable is
-used to select the program, defaulting to @file{more}. Both will exit
-with a status code of 0.
-
-@exampleindent 0
-@example
-certtool - GnuTLS certificate tool
-Usage: certtool [ -<flag> [<val>] | --<name>[@{=| @}<val>] ]...
-
- -d, --debug=num Enable debugging
- - it must be in the range:
- 0 to 9999
- -V, --verbose More verbose output
- - may appear multiple times
- --infile=file Input file
- - file must pre-exist
- --outfile=str Output file
- -s, --generate-self-signed Generate a self-signed certificate
- -c, --generate-certificate Generate a signed certificate
- --generate-proxy Generates a proxy certificate
- --generate-crl Generate a CRL
- -u, --update-certificate Update a signed certificate
- -p, --generate-privkey Generate a private key
- -q, --generate-request Generate a PKCS #10 certificate request
- - prohibits the option 'infile'
- -e, --verify-chain Verify a PEM encoded certificate chain
- --verify Verify a PEM encoded certificate chain using a trusted list
- --verify-crl Verify a CRL using a trusted list
- - requires the option 'load-ca-certificate'
- --generate-dh-params Generate PKCS #3 encoded Diffie-Hellman parameters
- --get-dh-params Get the included PKCS #3 encoded Diffie-Hellman parameters
- --dh-info Print information PKCS #3 encoded Diffie-Hellman parameters
- --load-privkey=str Loads a private key file
- --load-pubkey=str Loads a public key file
- --load-request=file Loads a certificate request file
- - file must pre-exist
- --load-certificate=str Loads a certificate file
- --load-ca-privkey=str Loads the certificate authority's private key file
- --load-ca-certificate=str Loads the certificate authority's certificate file
- --password=str Password to use
- --hex-numbers Print big number in an easier format to parse
- --cprint In certain operations it prints the information is C-friendly format
- --null-password Enforce a NULL password
- -i, --certificate-info Print information on the given certificate
- --certificate-pubkey Print certificate's public key
- --pgp-certificate-info Print information on the given OpenPGP certificate
- --pgp-ring-info Print information on the given OpenPGP keyring structure
- -l, --crl-info Print information on the given CRL structure
- --crq-info Print information on the given certificate request
- --no-crq-extensions Do not use extensions in certificate requests
- --p12-info Print information on a PKCS #12 structure
- --p7-info Print information on a PKCS #7 structure
- --smime-to-p7 Convert S/MIME to PKCS #7 structure
- -k, --key-info Print information on a private key
- --pgp-key-info Print information on an OpenPGP private key
- --pubkey-info Print information on a public key
- --v1 Generate an X.509 version 1 certificate (with no extensions)
- --to-p12 Generate a PKCS #12 structure
- - requires the option 'load-certificate'
- --to-p8 Generate a PKCS #8 structure
- -8, --pkcs8 Use PKCS #8 format for private keys
- -!, --rsa Generate RSA key
- -", --dsa Generate DSA key
- -#, --ecc Generate ECC (ECDSA) key
- -$, --ecdsa an alias for the 'ecc' option
- -%, --hash=str Hash algorithm to use for signing
- -&, --inder Use DER format for input certificates, private keys, and DH parameters
- - disabled as '--no-inder'
- -', --inraw an alias for the 'inder' option
- -(, --outder Use DER format for output certificates, private keys, and DH parameters
- - disabled as '--no-outder'
- -), --outraw an alias for the 'outder' option
- -*, --bits=num Specify the number of bits for key generate
- -+, --sec-param=str Specify the security level [low, legacy, normal, high, ultra]
- -,, --disable-quick-random No effect
- --, --template=file Template file to use for non-interactive operation
- - file must pre-exist
- -., --pkcs-cipher=str Cipher to use for PKCS #8 and #12 operations
- -v, --version[=arg] output version information and exit
- -h, --help display extended usage information and exit
- -!, --more-help extended usage information passed thru pager
-
-Options are specified by doubled hyphens and their name or by a single
-hyphen and the flag character.
-
-Tool to parse and generate X.509 certificates, requests and private keys.
-It can be used interactively or non interactively by specifying the
-template command line option.
-
-Please send bug reports to: <bugs@@gnutls.org>
-@end example
-@exampleindent 4
-
-@anchor{certtool debug}
-@subsubheading debug option (-d)
-
-This is the ``enable debugging'' option.
-This option takes a number argument.
-Specifies the debug level.
-@anchor{certtool generate-request}
-@subsubheading generate-request option (-q)
-
-This is the ``generate a pkcs #10 certificate request'' option.
-
-@noindent
-This option has some usage constraints. It:
-@itemize @bullet
-@item
-must not appear in combination with any of the following options:
-infile.
-@end itemize
-
-Will generate a PKCS #10 certificate request. To specify a private key use --load-privkey.
-@anchor{certtool verify-chain}
-@subsubheading verify-chain option (-e)
-
-This is the ``verify a pem encoded certificate chain'' option.
-The last certificate in the chain must be a self signed one.
-@anchor{certtool verify}
-@subsubheading verify option
-
-This is the ``verify a pem encoded certificate chain using a trusted list'' option.
-The trusted certificate list can be loaded with --load-ca-certificate. If no
-certificate list is provided, then the system's certificate list is used.
-@anchor{certtool verify-crl}
-@subsubheading verify-crl option
-
-This is the ``verify a crl using a trusted list'' option.
-
-@noindent
-This option has some usage constraints. It:
-@itemize @bullet
-@item
-must appear in combination with the following options:
-load-ca-certificate.
-@end itemize
-
-The trusted certificate list must be loaded with --load-ca-certificate.
-@anchor{certtool get-dh-params}
-@subsubheading get-dh-params option
-
-This is the ``get the included pkcs #3 encoded diffie-hellman parameters'' option.
-Returns stored DH parameters in GnuTLS. Those parameters are used in the SRP protocol. The parameters returned by fresh generation
-are more efficient since GnuTLS 3.0.9.
-@anchor{certtool load-privkey}
-@subsubheading load-privkey option
-
-This is the ``loads a private key file'' option.
-This option takes a string argument.
-This can be either a file or a PKCS #11 URL
-@anchor{certtool load-pubkey}
-@subsubheading load-pubkey option
-
-This is the ``loads a public key file'' option.
-This option takes a string argument.
-This can be either a file or a PKCS #11 URL
-@anchor{certtool load-certificate}
-@subsubheading load-certificate option
-
-This is the ``loads a certificate file'' option.
-This option takes a string argument.
-This can be either a file or a PKCS #11 URL
-@anchor{certtool load-ca-privkey}
-@subsubheading load-ca-privkey option
-
-This is the ``loads the certificate authority's private key file'' option.
-This option takes a string argument.
-This can be either a file or a PKCS #11 URL
-@anchor{certtool load-ca-certificate}
-@subsubheading load-ca-certificate option
-
-This is the ``loads the certificate authority's certificate file'' option.
-This option takes a string argument.
-This can be either a file or a PKCS #11 URL
-@anchor{certtool cprint}
-@subsubheading cprint option
-
-This is the ``in certain operations it prints the information is c-friendly format'' option.
-In certain operations it prints the information is C-friendly format, suitable for including into C programs.
-@anchor{certtool null-password}
-@subsubheading null-password option
-
-This is the ``enforce a null password'' option.
-This option enforces a NULL password. This may be different than the empty password in some schemas.
-@anchor{certtool pubkey-info}
-@subsubheading pubkey-info option
-
-This is the ``print information on a public key'' option.
-The option combined with --load-request, --load-pubkey, --load-privkey and --load-certificate will extract the public key of the object in question.
-@anchor{certtool to-p12}
-@subsubheading to-p12 option
-
-This is the ``generate a pkcs #12 structure'' option.
-
-@noindent
-This option has some usage constraints. It:
-@itemize @bullet
-@item
-must appear in combination with the following options:
-load-certificate.
-@end itemize
-
-It requires a certificate, a private key and possibly a CA certificate to be specified.
-@anchor{certtool rsa}
-@subsubheading rsa option
-
-This is the ``generate rsa key'' option.
-When combined with --generate-privkey generates an RSA private key.
-@anchor{certtool dsa}
-@subsubheading dsa option
-
-This is the ``generate dsa key'' option.
-When combined with --generate-privkey generates a DSA private key.
-@anchor{certtool ecc}
-@subsubheading ecc option
-
-This is the ``generate ecc (ecdsa) key'' option.
-When combined with --generate-privkey generates an elliptic curve private key to be used with ECDSA.
-@anchor{certtool ecdsa}
-@subsubheading ecdsa option
-
-This is an alias for the @code{ecc} option,
-@pxref{certtool ecc, the ecc option documentation}.
-
-@anchor{certtool hash}
-@subsubheading hash option
-
-This is the ``hash algorithm to use for signing'' option.
-This option takes a string argument.
-Available hash functions are SHA1, RMD160, SHA256, SHA384, SHA512.
-@anchor{certtool inder}
-@subsubheading inder option
-
-This is the ``use der format for input certificates, private keys, and dh parameters '' option.
-
-@noindent
-This option has some usage constraints. It:
-@itemize @bullet
-@item
-can be disabled with --no-inder.
-@end itemize
-
-The input files will be assumed to be in DER or RAW format.
-Unlike options that in PEM input would allow multiple input data (e.g. multiple
-certificates), when reading in DER format a single data structure is read.
-@anchor{certtool inraw}
-@subsubheading inraw option
-
-This is an alias for the @code{inder} option,
-@pxref{certtool inder, the inder option documentation}.
-
-@anchor{certtool outder}
-@subsubheading outder option
-
-This is the ``use der format for output certificates, private keys, and dh parameters'' option.
-
-@noindent
-This option has some usage constraints. It:
-@itemize @bullet
-@item
-can be disabled with --no-outder.
-@end itemize
-
-The output will be in DER or RAW format.
-@anchor{certtool outraw}
-@subsubheading outraw option
-
-This is an alias for the @code{outder} option,
-@pxref{certtool outder, the outder option documentation}.
-
-@anchor{certtool sec-param}
-@subsubheading sec-param option
-
-This is the ``specify the security level [low, legacy, normal, high, ultra]'' option.
-This option takes a string argument @file{Security parameter}.
-This is alternative to the bits option.
-@anchor{certtool pkcs-cipher}
-@subsubheading pkcs-cipher option
-
-This is the ``cipher to use for pkcs #8 and #12 operations'' option.
-This option takes a string argument @file{Cipher}.
-Cipher may be one of 3des, 3des-pkcs12, aes-128, aes-192, aes-256, rc2-40, arcfour.
-@anchor{certtool exit status}
-@subsubheading certtool exit status
-
-One of the following exit values will be returned:
-@table @samp
-@item 0 (EXIT_SUCCESS)
-Successful program execution.
-@item 1 (EXIT_FAILURE)
-The operation failed or the command syntax was not valid.
-@end table
-@anchor{certtool See Also}
-@subsubheading certtool See Also
- p11tool (1)
-@anchor{certtool Examples}
-@subsubheading certtool Examples
-@subsubheading Generating private keys
-To create an RSA private key, run:
-@example
-$ certtool --generate-privkey --outfile key.pem --rsa
-@end example
-
-To create a DSA or elliptic curves (ECDSA) private key use the
-above command combined with 'dsa' or 'ecc' options.
-
-@subsubheading Generating certificate requests
-To create a certificate request (needed when the certificate is issued by
-another party), run:
-@example
-certtool --generate-request --load-privkey key.pem \
- --outfile request.pem
-@end example
-
-If the private key is stored in a smart card you can generate
-a request by specifying the private key object URL.
-@example
-$ ./certtool --generate-request --load-privkey "pkcs11:..." \
- --load-pubkey "pkcs11:..." --outfile request.pem
-@end example
-
-
-@subsubheading Generating a self-signed certificate
-To create a self signed certificate, use the command:
-@example
-$ certtool --generate-privkey --outfile ca-key.pem
-$ certtool --generate-self-signed --load-privkey ca-key.pem \
- --outfile ca-cert.pem
-@end example
-
-Note that a self-signed certificate usually belongs to a certificate
-authority, that signs other certificates.
-
-@subsubheading Generating a certificate
-To generate a certificate using the previous request, use the command:
-@example
-$ certtool --generate-certificate --load-request request.pem \
- --outfile cert.pem --load-ca-certificate ca-cert.pem \
- --load-ca-privkey ca-key.pem
-@end example
-
-To generate a certificate using the private key only, use the command:
-@example
-$ certtool --generate-certificate --load-privkey key.pem \
- --outfile cert.pem --load-ca-certificate ca-cert.pem \
- --load-ca-privkey ca-key.pem
-@end example
-
-@subsubheading Certificate information
-To view the certificate information, use:
-@example
-$ certtool --certificate-info --infile cert.pem
-@end example
-
-@subsubheading PKCS #12 structure generation
-To generate a PKCS #12 structure using the previous key and certificate,
-use the command:
-@example
-$ certtool --load-certificate cert.pem --load-privkey key.pem \
- --to-p12 --outder --outfile key.p12
-@end example
-
-Some tools (reportedly web browsers) have problems with that file
-because it does not contain the CA certificate for the certificate.
-To work around that problem in the tool, you can use the
---load-ca-certificate parameter as follows:
-
-@example
-$ certtool --load-ca-certificate ca.pem \
- --load-certificate cert.pem --load-privkey key.pem \
- --to-p12 --outder --outfile key.p12
-@end example
-
-@subsubheading Diffie-Hellman parameter generation
-To generate parameters for Diffie-Hellman key exchange, use the command:
-@example
-$ certtool --generate-dh-params --outfile dh.pem --sec-param normal
-@end example
-
-@subsubheading Proxy certificate generation
-Proxy certificate can be used to delegate your credential to a
-temporary, typically short-lived, certificate. To create one from the
-previously created certificate, first create a temporary key and then
-generate a proxy certificate for it, using the commands:
-
-@example
-$ certtool --generate-privkey > proxy-key.pem
-$ certtool --generate-proxy --load-ca-privkey key.pem \
- --load-privkey proxy-key.pem --load-certificate cert.pem \
- --outfile proxy-cert.pem
-@end example
-
-@subsubheading Certificate revocation list generation
-To create an empty Certificate Revocation List (CRL) do:
-
-@example
-$ certtool --generate-crl --load-ca-privkey x509-ca-key.pem \
- --load-ca-certificate x509-ca.pem
-@end example
-
-To create a CRL that contains some revoked certificates, place the
-certificates in a file and use @code{--load-certificate} as follows:
-
-@example
-$ certtool --generate-crl --load-ca-privkey x509-ca-key.pem \
- --load-ca-certificate x509-ca.pem --load-certificate revoked-certs.pem
-@end example
-
-To verify a Certificate Revocation List (CRL) do:
-
-@example
-$ certtool --verify-crl --load-ca-certificate x509-ca.pem < crl.pem
-@end example
-@anchor{certtool Files}
-@subsubheading certtool Files
-@subsubheading Certtool's template file format
-A template file can be used to avoid the interactive questions of
-certtool. Initially create a file named 'cert.cfg' that contains the information
-about the certificate. The template can be used as below:
-
-@example
-$ certtool --generate-certificate --load-privkey key.pem \
- --template cert.cfg --outfile cert.pem \
- --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem
-@end example
-
-An example certtool template file that can be used to generate a certificate
-request or a self signed certificate follows.
-
-@example
-# X.509 Certificate options
-#
-# DN options
-
-# The organization of the subject.
-organization = "Koko inc."
-
-# The organizational unit of the subject.
-unit = "sleeping dept."
-
-# The locality of the subject.
-# locality =
-
-# The state of the certificate owner.
-state = "Attiki"
-
-# The country of the subject. Two letter code.
-country = GR
-
-# The common name of the certificate owner.
-cn = "Cindy Lauper"
-
-# A user id of the certificate owner.
-#uid = "clauper"
-
-# Set domain components
-#dc = "name"
-#dc = "domain"
-
-# If the supported DN OIDs are not adequate you can set
-# any OID here.
-# For example set the X.520 Title and the X.520 Pseudonym
-# by using OID and string pairs.
-#dn_oid = 2.5.4.12 Dr.
-#dn_oid = 2.5.4.65 jackal
-
-# This is deprecated and should not be used in new
-# certificates.
-# pkcs9_email = "none@@none.org"
-
-# An alternative way to set the certificate's distinguished name directly
-# is with the "dn" option. The attribute names allowed are:
-# C (country), street, O (organization), OU (unit), title, CN (common name),
-# L (locality), ST (state), placeOfBirth, gender, countryOfCitizenship,
-# countryOfResidence, serialNumber, telephoneNumber, surName, initials,
-# generationQualifier, givenName, pseudonym, dnQualifier, postalCode, name,
-# businessCategory, DC, UID, jurisdictionOfIncorporationLocalityName,
-# jurisdictionOfIncorporationStateOrProvinceName,
-# jurisdictionOfIncorporationCountryName, XmppAddr, and numeric OIDs.
-
-#dn = "cn=Nik,st=Attiki,C=GR,surName=Mavrogiannopoulos,2.5.4.9=Arkadias"
-
-# The serial number of the certificate
-serial = 007
-
-# In how many days, counting from today, this certificate will expire.
-# Use -1 if there is no expiration date.
-expiration_days = 700
-
-# Alternatively you may set concrete dates and time. The GNU date string
-# formats are accepted. See:
-# http://www.gnu.org/software/tar/manual/html_node/Date-input-formats.html
-
-#activation_date = "2004-02-29 16:21:42"
-#expiration_date = "2025-02-29 16:24:41"
-
-# X.509 v3 extensions
-
-# A dnsname in case of a WWW server.
-#dns_name = "www.none.org"
-#dns_name = "www.morethanone.org"
-
-# A subject alternative name URI
-#uri = "http://www.example.com"
-
-# An IP address in case of a server.
-#ip_address = "192.168.1.1"
-
-# An email in case of a person
-email = "none@@none.org"
-
-# Challenge password used in certificate requests
-challenge_password = 123456
-
-# Password when encrypting a private key
-#password = secret
-
-# An URL that has CRLs (certificate revocation lists)
-# available. Needed in CA certificates.
-#crl_dist_points = "http://www.getcrl.crl/getcrl/"
-
-# Whether this is a CA certificate or not
-#ca
-
-# for microsoft smart card logon
-# key_purpose_oid = 1.3.6.1.4.1.311.20.2.2
-
-### Other predefined key purpose OIDs
-
-# Whether this certificate will be used for a TLS client
-#tls_www_client
-
-# Whether this certificate will be used for a TLS server
-#tls_www_server
-
-# Whether this certificate will be used to sign data (needed
-# in TLS DHE ciphersuites).
-signing_key
-
-# Whether this certificate will be used to encrypt data (needed
-# in TLS RSA ciphersuites). Note that it is preferred to use different
-# keys for encryption and signing.
-encryption_key
-
-# Whether this key will be used to sign other certificates.
-#cert_signing_key
-
-# Whether this key will be used to sign CRLs.
-#crl_signing_key
-
-# Whether this key will be used to sign code.
-#code_signing_key
-
-# Whether this key will be used to sign OCSP data.
-#ocsp_signing_key
-
-# Whether this key will be used for time stamping.
-#time_stamping_key
-
-# Whether this key will be used for IPsec IKE operations.
-#ipsec_ike_key
-
-### end of key purpose OIDs
-
-# When generating a certificate from a certificate
-# request, then honor the extensions stored in the request
-# and store them in the real certificate.
-#honor_crq_extensions
-
-# Path length contraint. Sets the maximum number of
-# certificates that can be used to certify this certificate.
-# (i.e. the certificate chain length)
-#path_len = -1
-#path_len = 2
-
-# OCSP URI
-# ocsp_uri = http://my.ocsp.server/ocsp
-
-# CA issuers URI
-# ca_issuers_uri = http://my.ca.issuer
-
-# Certificate policies
-# policy1 = 1.3.6.1.4.1.5484.1.10.99.1.0
-# policy1_txt = "This is a long policy to summarize"
-# policy1_url = http://www.example.com/a-policy-to-read
-
-# policy2 = 1.3.6.1.4.1.5484.1.10.99.1.1
-# policy2_txt = "This is a short policy"
-# policy2_url = http://www.example.com/another-policy-to-read
-
-
-# Options for proxy certificates
-# proxy_policy_language = 1.3.6.1.5.5.7.21.1
-
-
-# Options for generating a CRL
-
-# next CRL update will be in 43 days (wow)
-#crl_next_update = 43
-
-# this is the 5th CRL by this CA
-#crl_number = 5
-
-@end example
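Review bot: the deleted `invoke-certtool.texi` is generated output (its `@ignore` header says DO NOT EDIT THIS FILE, AutoGen-ed from `../src/certtool-args.def` with the `agtexi-cmd` template), and because this hunk carries no `---` header or `@@` context it is not visible whether the file is being dropped from version control in favour of build-time regeneration or removed from the manual outright; please confirm the build still produces it before the manual is built, since `@node certtool Invocation` and anchors such as `certtool ecc`, `certtool inder` and `certtool outder` are `@pxref` targets within this same file and will dangle if the section simply disappears. If the `.def` file is now the only source, the wording defects visible here belong there rather than in a regenerated copy: the `--dh-info` line reads "Print information PKCS #3 encoded Diffie-Hellman parameters" (missing "on"), `--cprint` reads "prints the information is C-friendly format", `--bits` reads "for key generate", and the template comment says "Path length contraint". The example template also deserves a second look when it is regenerated: it ships with a fixed `serial = 007` and `challenge_password = 123456` as live (uncommented) values, and readers tend to copy templates verbatim, so a comment that the serial must be unique per issuer and that the challenge password is a placeholder would be worth adding to the source.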
+++ /dev/null
-@node danetool Invocation
-@subsection Invoking danetool
-@pindex danetool
-@ignore
-# -*- buffer-read-only: t -*- vi: set ro:
-#
-# DO NOT EDIT THIS FILE (invoke-danetool.texi)
-#
-# It has been AutoGen-ed November 24, 2013 at 09:50:58 AM by AutoGen 5.18.2
-# From the definitions ../src/danetool-args.def
-# and the template file agtexi-cmd.tpl
-@end ignore
-
-
-Tool to generate and check DNS resource records for the DANE protocol.
-
-This section was generated by @strong{AutoGen},
-using the @code{agtexi-cmd} template and the option descriptions for the @code{danetool} program.
-This software is released under the GNU General Public License, version 3 or later.
-
-
-@anchor{danetool usage}
-@subsubheading danetool help/usage (@option{--help})
-@cindex danetool help
-
-This is the automatically generated usage text for danetool.
-
-The text printed is the same whether selected with the @code{help} option
-(@option{--help}) or the @code{more-help} option (@option{--more-help}). @code{more-help} will print
-the usage text by passing it through a pager program.
-@code{more-help} is disabled on platforms without a working
-@code{fork(2)} function. The @code{PAGER} environment variable is
-used to select the program, defaulting to @file{more}. Both will exit
-with a status code of 0.
-
-@exampleindent 0
-@example
-danetool - GnuTLS DANE tool
-Usage: danetool [ -<flag> [<val>] | --<name>[@{=| @}<val>] ]...
-
- -d, --debug=num Enable debugging
- - it must be in the range:
- 0 to 9999
- -V, --verbose More verbose output
- - may appear multiple times
- --infile=file Input file
- - file must pre-exist
- --outfile=str Output file
- --load-pubkey=str Loads a public key file
- --load-certificate=str Loads a certificate file
- --dlv=str Sets a DLV file
- --hash=str Hash algorithm to use for signing
- --check=str Check a host's DANE TLSA entry
- --check-ee Check only the end-entity's certificate
- --check-ca Check only the CA's certificate
- --insecure Do not verify any DNSSEC signature
- --local-dns Use the local DNS server for DNSSEC resolving
- - disabled as '--no-local-dns'
- --inder Use DER format for input certificates and private keys
- - disabled as '--no-inder'
- --inraw an alias for the 'inder' option
- --tlsa-rr Print the DANE RR data on a certificate or public key
- - requires the option 'host'
- --host=str Specify the hostname to be used in the DANE RR
- --proto=str The protocol set for DANE data (tcp, udp etc.)
- --port=num Specify the port number for the DANE data
- --ca Whether the provided certificate or public key is a Certificate
-Authority
- --x509 Use the hash of the X.509 certificate, rather than the public key
- --local an alias for the 'domain' option
- - enabled by default
- --domain The provided certificate or public key is issued by the local domain
- - disabled as '--no-domain'
- - enabled by default
- -v, --version[=arg] output version information and exit
- -h, --help display extended usage information and exit
- -!, --more-help extended usage information passed thru pager
-
-Options are specified by doubled hyphens and their name or by a single
-hyphen and the flag character.
-
-Tool to generate and check DNS resource records for the DANE protocol.
-
-Please send bug reports to: <bugs@@gnutls.org>
-@end example
-@exampleindent 4
-
-@anchor{danetool debug}
-@subsubheading debug option (-d)
-
-This is the ``enable debugging'' option.
-This option takes a number argument.
-Specifies the debug level.
-@anchor{danetool load-pubkey}
-@subsubheading load-pubkey option
-
-This is the ``loads a public key file'' option.
-This option takes a string argument.
-This can be either a file or a PKCS #11 URL
-@anchor{danetool load-certificate}
-@subsubheading load-certificate option
-
-This is the ``loads a certificate file'' option.
-This option takes a string argument.
-This can be either a file or a PKCS #11 URL
-@anchor{danetool dlv}
-@subsubheading dlv option
-
-This is the ``sets a dlv file'' option.
-This option takes a string argument.
-This sets a DLV file to be used for DNSSEC verification.
-@anchor{danetool hash}
-@subsubheading hash option
-
-This is the ``hash algorithm to use for signing'' option.
-This option takes a string argument.
-Available hash functions are SHA1, RMD160, SHA256, SHA384, SHA512.
-@anchor{danetool check}
-@subsubheading check option
-
-This is the ``check a host's dane tlsa entry'' option.
-This option takes a string argument.
-Obtains the DANE TLSA entry from the given hostname and prints information. Note that the actual certificate of the host has to be provided using --load-certificate.
-@anchor{danetool check-ee}
-@subsubheading check-ee option
-
-This is the ``check only the end-entity's certificate'' option.
-Checks the end-entity's certificate only. Trust anchors or CAs are not considered.
-@anchor{danetool check-ca}
-@subsubheading check-ca option
-
-This is the ``check only the ca's certificate'' option.
-Checks the trust anchor's and CA's certificate only. End-entities are not considered.
-@anchor{danetool insecure}
-@subsubheading insecure option
-
-This is the ``do not verify any dnssec signature'' option.
-Ignores any DNSSEC signature verification results.
-@anchor{danetool local-dns}
-@subsubheading local-dns option
-
-This is the ``use the local dns server for dnssec resolving'' option.
-
-@noindent
-This option has some usage constraints. It:
-@itemize @bullet
-@item
-can be disabled with --no-local-dns.
-@end itemize
-
-This option will use the local DNS server for DNSSEC.
-This is disabled by default due to many servers not allowing DNSSEC.
-@anchor{danetool inder}
-@subsubheading inder option
-
-This is the ``use der format for input certificates and private keys'' option.
-
-@noindent
-This option has some usage constraints. It:
-@itemize @bullet
-@item
-can be disabled with --no-inder.
-@end itemize
-
-The input files will be assumed to be in DER or RAW format.
-Unlike options that in PEM input would allow multiple input data (e.g. multiple
-certificates), when reading in DER format a single data structure is read.
-@anchor{danetool inraw}
-@subsubheading inraw option
-
-This is an alias for the @code{inder} option,
-@pxref{danetool inder, the inder option documentation}.
-
-@anchor{danetool tlsa-rr}
-@subsubheading tlsa-rr option
-
-This is the ``print the dane rr data on a certificate or public key'' option.
-
-@noindent
-This option has some usage constraints. It:
-@itemize @bullet
-@item
-must appear in combination with the following options:
-host.
-@end itemize
-
-This command prints the DANE RR data needed to enable DANE on a DNS server.
-@anchor{danetool host}
-@subsubheading host option
-
-This is the ``specify the hostname to be used in the dane rr'' option.
-This option takes a string argument @file{Hostname}.
-This command sets the hostname for the DANE RR.
-@anchor{danetool proto}
-@subsubheading proto option
-
-This is the ``the protocol set for dane data (tcp, udp etc.)'' option.
-This option takes a string argument @file{Protocol}.
-This command specifies the protocol for the service set in the DANE data.
-@anchor{danetool ca}
-@subsubheading ca option
-
-This is the ``whether the provided certificate or public key is a certificate authority'' option.
-Marks the DANE RR as a CA certificate if specified.
-@anchor{danetool x509}
-@subsubheading x509 option
-
-This is the ``use the hash of the x.509 certificate, rather than the public key'' option.
-This option forces the generated record to contain the hash of the full X.509 certificate. By default only the hash of the public key is used.
-@anchor{danetool local}
-@subsubheading local option
-
-This is an alias for the @code{domain} option,
-@pxref{danetool domain, the domain option documentation}.
-
-@anchor{danetool domain}
-@subsubheading domain option
-
-This is the ``the provided certificate or public key is issued by the local domain'' option.
-
-@noindent
-This option has some usage constraints. It:
-@itemize @bullet
-@item
-can be disabled with --no-domain.
-@item
-It is enabled by default.
-@end itemize
-
-DANE distinguishes certificates and public keys offered via the DNSSEC to trusted and local entities. This flag indicates that this is a domain-issued certificate, meaning that there could be no CA involved.
-@anchor{danetool exit status}
-@subsubheading danetool exit status
-
-One of the following exit values will be returned:
-@table @samp
-@item 0 (EXIT_SUCCESS)
-Successful program execution.
-@item 1 (EXIT_FAILURE)
-The operation failed or the command syntax was not valid.
-@end table
-@anchor{danetool See Also}
-@subsubheading danetool See Also
- certtool (1)
-@anchor{danetool Examples}
-@subsubheading danetool Examples
-@subsubheading DANE TLSA RR generation
-
-To create a DANE TLSA resource record for a certificate (or public key)
-that was issued localy and may or may not be signed by a CA use the following command.
-@example
-$ danetool --tlsa-rr --host www.example.com --load-certificate cert.pem
-@end example
-
-To create a DANE TLSA resource record for a CA signed certificate, which will
-be marked as such use the following command.
-@example
-$ danetool --tlsa-rr --host www.example.com --load-certificate cert.pem \
- --no-domain
-@end example
-
-The former is useful to add in your DNS entry even if your certificate is signed
-by a CA. That way even users who do not trust your CA will be able to verify your
-certificate using DANE.
-
-In order to create a record for the CA signer of your certificate use the following.
-@example
-$ danetool --tlsa-rr --host www.example.com --load-certificate cert.pem \
- --ca --no-domain
-@end example
-
-To read a server's DANE TLSA entry, use:
-@example
-$ danetool --check www.example.com --proto tcp --port 443
-@end example
-
-To verify a server's DANE TLSA entry, use:
-@example
-$ danetool --check www.example.com --proto tcp --port 443 --load-certificate chain.pem
-@end example
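Review bot: the `danetool` examples being dropped (from `$ danetool --tlsa-rr --host www.example.com --load-certificate cert.pem` through the `--check ... --load-certificate chain.pem` invocation) are the only place in this node that explains the difference between a domain-issued TLSA record (the default, `--domain`) and one marked as CA-signed (`--no-domain`, optionally with `--ca`), including the advice that a domain-issued record is worth publishing even for a CA-signed certificate so that clients that do not trust the CA can still verify via DANE; if the node is being removed rather than relocated, confirm that this text survives in the generated man page or in the `../src/danetool-args.def` source named in the header, and fix the spelling `localy` -> `locally` there while doing so. Also check that no `@ref{danetool Invocation}`, `@ref{danetool Examples}` or `@ref{danetool exit status}` remains elsewhere in the manual, because deleting the `@anchor` lines in this hunk will otherwise leave dangling cross-references and break the Texinfo build.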
+++ /dev/null
-@node gnutls-cli-debug Invocation
-@section Invoking gnutls-cli-debug
-@pindex gnutls-cli-debug
-@ignore
-# -*- buffer-read-only: t -*- vi: set ro:
-#
-# DO NOT EDIT THIS FILE (invoke-gnutls-cli-debug.texi)
-#
-# It has been AutoGen-ed November 24, 2013 at 09:50:53 AM by AutoGen 5.18.2
-# From the definitions ../src/cli-debug-args.def
-# and the template file agtexi-cmd.tpl
-@end ignore
-
-
-TLS debug client. It sets up multiple TLS connections to
-a server and queries its capabilities. It was created to assist in debugging
-GnuTLS, but it might be useful to extract a TLS server's capabilities.
-It connects to a TLS server, performs tests and print the server's
-capabilities. If called with the `-v' parameter more checks will be performed.
-Can be used to check for servers with special needs or bugs.
-
-This section was generated by @strong{AutoGen},
-using the @code{agtexi-cmd} template and the option descriptions for the @code{gnutls-cli-debug} program.
-This software is released under the GNU General Public License, version 3 or later.
-
-
-@anchor{gnutls-cli-debug usage}
-@subheading gnutls-cli-debug help/usage (@option{--help})
-@cindex gnutls-cli-debug help
-
-This is the automatically generated usage text for gnutls-cli-debug.
-
-The text printed is the same whether selected with the @code{help} option
-(@option{--help}) or the @code{more-help} option (@option{--more-help}). @code{more-help} will print
-the usage text by passing it through a pager program.
-@code{more-help} is disabled on platforms without a working
-@code{fork(2)} function. The @code{PAGER} environment variable is
-used to select the program, defaulting to @file{more}. Both will exit
-with a status code of 0.
-
-@exampleindent 0
-@example
-gnutls-cli-debug - GnuTLS debug client
-Usage: gnutls-cli-debug [ -<flag> [<val>] | --<name>[@{=| @}<val>] ]...
-
- -d, --debug=num Enable debugging
- - it must be in the range:
- 0 to 9999
- -V, --verbose More verbose output
- - may appear multiple times
- -p, --port=num The port to connect to
- - it must be in the range:
- 0 to 65536
- -v, --version[=arg] output version information and exit
- -h, --help display extended usage information and exit
- -!, --more-help extended usage information passed thru pager
-
-Options are specified by doubled hyphens and their name or by a single
-hyphen and the flag character.
-Operands and options may be intermixed. They will be reordered.
-
-TLS debug client. It sets up multiple TLS connections to a server and
-queries its capabilities. It was created to assist in debugging GnuTLS,
-but it might be useful to extract a TLS server's capabilities. It connects
-to a TLS server, performs tests and print the server's capabilities. If
-called with the `-v' parameter more checks will be performed. Can be used
-to check for servers with special needs or bugs.
-
-Please send bug reports to: <bugs@@gnutls.org>
-@end example
-@exampleindent 4
-
-@anchor{gnutls-cli-debug debug}
-@subheading debug option (-d)
-
-This is the ``enable debugging'' option.
-This option takes a number argument.
-Specifies the debug level.
-@anchor{gnutls-cli-debug exit status}
-@subheading gnutls-cli-debug exit status
-
-One of the following exit values will be returned:
-@table @samp
-@item 0 (EXIT_SUCCESS)
-Successful program execution.
-@item 1 (EXIT_FAILURE)
-The operation failed or the command syntax was not valid.
-@end table
-@anchor{gnutls-cli-debug See Also}
-@subheading gnutls-cli-debug See Also
-gnutls-cli(1), gnutls-serv(1)
-@anchor{gnutls-cli-debug Examples}
-@subheading gnutls-cli-debug Examples
-@example
-$ ../src/gnutls-cli-debug localhost
-Resolving 'localhost'...
-Connecting to '127.0.0.1:443'...
-Checking for SSL 3.0 support... yes
-Checking whether %COMPAT is required... no
-Checking for TLS 1.0 support... yes
-Checking for TLS 1.1 support... no
-Checking fallback from TLS 1.1 to... TLS 1.0
-Checking for TLS 1.2 support... no
-Checking whether we need to disable TLS 1.0... N/A
-Checking for Safe renegotiation support... yes
-Checking for Safe renegotiation support (SCSV)... yes
-Checking for HTTPS server name... not checked
-Checking for version rollback bug in RSA PMS... no
-Checking for version rollback bug in Client Hello... no
-Checking whether the server ignores the RSA PMS version... no
-Checking whether the server can accept Hello Extensions... yes
-Checking whether the server can accept small records (512 bytes)... yes
-Checking whether the server can accept cipher suites not in SSL 3.0 spec... yes
-Checking whether the server can accept a bogus TLS record version in the client hello... yes
-Checking for certificate information... N/A
-Checking for trusted CAs... N/A
-Checking whether the server understands TLS closure alerts... partially
-Checking whether the server supports session resumption... yes
-Checking for export-grade ciphersuite support... no
-Checking RSA-export ciphersuite info... N/A
-Checking for anonymous authentication support... no
-Checking anonymous Diffie-Hellman group info... N/A
-Checking for ephemeral Diffie-Hellman support... no
-Checking ephemeral Diffie-Hellman group info... N/A
-Checking for ephemeral EC Diffie-Hellman support... yes
-Checking ephemeral EC Diffie-Hellman group info...
- Curve SECP256R1
-Checking for AES-GCM cipher support... no
-Checking for AES-CBC cipher support... yes
-Checking for CAMELLIA cipher support... no
-Checking for 3DES-CBC cipher support... yes
-Checking for ARCFOUR 128 cipher support... yes
-Checking for ARCFOUR 40 cipher support... no
-Checking for MD5 MAC support... yes
-Checking for SHA1 MAC support... yes
-Checking for SHA256 MAC support... no
-Checking for ZLIB compression support... no
-Checking for max record size... no
-Checking for OpenPGP authentication support... no
-@end example
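Review bot: the usage text under `-p, --port=num` states the range `0 to 65536`, which is off by one (ports are 16-bit, so the upper bound is 65535); since this file is AutoGen-ed from `../src/cli-debug-args.def`, the range check should be corrected at the source before regeneration rather than only disappearing with this deletion. The same applies to the grammar in the description, which appears twice in the hunk (`performs tests and print the server's capabilities` should read `prints`). The sample run being removed (`Checking for SSL 3.0 support... yes`, `Checking for ARCFOUR 128 cipher support... yes`, `Checking for MD5 MAC support... yes`, `Checking for TLS 1.2 support... no`) is the only worked example of `gnutls-cli-debug` output and usefully shows what a weak server configuration looks like to this tool; if the node is being relocated, keep the example, ideally alongside a run against a current server where the TLS 1.2, AES-GCM and SHA256 checks succeed, so readers can compare the two. Also confirm no `@ref{gnutls-cli-debug Invocation}` remains in the manual after the `@anchor` lines go.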
+++ /dev/null
-@node gnutls-cli Invocation
-@section Invoking gnutls-cli
-@pindex gnutls-cli
-@ignore
-# -*- buffer-read-only: t -*- vi: set ro:
-#
-# DO NOT EDIT THIS FILE (invoke-gnutls-cli.texi)
-#
-# It has been AutoGen-ed November 24, 2013 at 09:50:52 AM by AutoGen 5.18.2
-# From the definitions ../src/cli-args.def
-# and the template file agtexi-cmd.tpl
-@end ignore
-
-
-Simple client program to set up a TLS connection to some other computer.
-It sets up a TLS connection and forwards data from the standard input to the secured socket and vice versa.
-
-This section was generated by @strong{AutoGen},
-using the @code{agtexi-cmd} template and the option descriptions for the @code{gnutls-cli} program.
-This software is released under the GNU General Public License, version 3 or later.
-
-
-@anchor{gnutls-cli usage}
-@subheading gnutls-cli help/usage (@option{--help})
-@cindex gnutls-cli help
-
-This is the automatically generated usage text for gnutls-cli.
-
-The text printed is the same whether selected with the @code{help} option
-(@option{--help}) or the @code{more-help} option (@option{--more-help}). @code{more-help} will print
-the usage text by passing it through a pager program.
-@code{more-help} is disabled on platforms without a working
-@code{fork(2)} function. The @code{PAGER} environment variable is
-used to select the program, defaulting to @file{more}. Both will exit
-with a status code of 0.
-
-@exampleindent 0
-@example
-gnutls-cli - GnuTLS client
-Usage: gnutls-cli [ -<flag> [<val>] | --<name>[@{=| @}<val>] ]... [hostname]
-
- -d, --debug=num Enable debugging
- - it must be in the range:
- 0 to 9999
- -V, --verbose More verbose output
- - may appear multiple times
- --tofu Enable trust on first use authentication
- - disabled as '--no-tofu'
- --dane Enable DANE certificate verification (DNSSEC)
- - disabled as '--no-dane'
- --local-dns Use the local DNS server for DNSSEC resolving
- - disabled as '--no-local-dns'
- --ca-verification Disable CA certificate verification
- - disabled as '--no-ca-verification'
- - enabled by default
- --ocsp Enable OCSP certificate verification
- - disabled as '--no-ocsp'
- -r, --resume Establish a session and resume
- -e, --rehandshake Establish a session and rehandshake
- -s, --starttls Connect, establish a plain session and start TLS
- -u, --udp Use DTLS (datagram TLS) over UDP
- --mtu=num Set MTU for datagram TLS
- - it must be in the range:
- 0 to 17000
- --crlf Send CR LF instead of LF
- --x509fmtder Use DER format for certificates to read from
- -f, --fingerprint Send the openpgp fingerprint, instead of the key
- --print-cert Print peer's certificate in PEM format
- --dh-bits=num The minimum number of bits allowed for DH
- --priority=str Priorities string
- --x509cafile=str Certificate file or PKCS #11 URL to use
- --x509crlfile=file CRL file to use
- - file must pre-exist
- --pgpkeyfile=file PGP Key file to use
- - file must pre-exist
- --pgpkeyring=file PGP Key ring file to use
- - file must pre-exist
- --pgpcertfile=file PGP Public Key (certificate) file to use
- - file must pre-exist
- --x509keyfile=str X.509 key file or PKCS #11 URL to use
- --x509certfile=str X.509 Certificate file or PKCS #11 URL to use
- --pgpsubkey=str PGP subkey to use (hex or auto)
- --srpusername=str SRP username to use
- --srppasswd=str SRP password to use
- --pskusername=str PSK username to use
- --pskkey=str PSK key (in hex) to use
- -p, --port=str The port or service to connect to
- --insecure Don't abort program if server certificate can't be validated
- --ranges Use length-hiding padding to prevent traffic analysis
- --benchmark-ciphers Benchmark individual ciphers
- --benchmark-soft-ciphers Benchmark individual software ciphers (no hw acceleration)
- --benchmark-tls-kx Benchmark TLS key exchange methods
- --benchmark-tls-ciphers Benchmark TLS ciphers
- -l, --list Print a list of the supported algorithms and modes
- --noticket Don't allow session tickets
- --srtp-profiles=str Offer SRTP profiles
- --alpn=str Application layer protocol
- - may appear multiple times
- -b, --heartbeat Activate heartbeat support
- --recordsize=num The maximum record size to advertize
- - it must be in the range:
- 0 to 4096
- --disable-sni Do not send a Server Name Indication (SNI)
- --disable-extensions Disable all the TLS extensions
- --inline-commands Inline commands of the form ^<cmd>^
- --inline-commands-prefix=str Change the default (^) used as a delimiter for inline commands. The
-value is a single US-ASCII character (octets 0 - 127).
- -v, --version[=arg] output version information and exit
- -h, --help display extended usage information and exit
- -!, --more-help extended usage information passed thru pager
-
-Options are specified by doubled hyphens and their name or by a single
-hyphen and the flag character.
-Operands and options may be intermixed. They will be reordered.
-
-Simple client program to set up a TLS connection to some other computer. It
-sets up a TLS connection and forwards data from the standard input to the
-secured socket and vice versa.
-
-Please send bug reports to: <bugs@@gnutls.org>
-@end example
-@exampleindent 4
-
-@anchor{gnutls-cli debug}
-@subheading debug option (-d)
-
-This is the ``enable debugging'' option.
-This option takes a number argument.
-Specifies the debug level.
-@anchor{gnutls-cli tofu}
-@subheading tofu option
-
-This is the ``enable trust on first use authentication'' option.
-
-@noindent
-This option has some usage constraints. It:
-@itemize @bullet
-@item
-can be disabled with --no-tofu.
-@end itemize
-
-This option will, in addition to certificate authentication, perform authentication based on previously seen public keys, a model similar to SSH authentication.
-@anchor{gnutls-cli dane}
-@subheading dane option
-
-This is the ``enable dane certificate verification (dnssec)'' option.
-
-@noindent
-This option has some usage constraints. It:
-@itemize @bullet
-@item
-can be disabled with --no-dane.
-@end itemize
-
-This option will, in addition to certificate authentication using
-the trusted CAs, verify the server certificates using on the DANE information
-available via DNSSEC.
-@anchor{gnutls-cli local-dns}
-@subheading local-dns option
-
-This is the ``use the local dns server for dnssec resolving'' option.
-
-@noindent
-This option has some usage constraints. It:
-@itemize @bullet
-@item
-can be disabled with --no-local-dns.
-@end itemize
-
-This option will use the local DNS server for DNSSEC.
-This is disabled by default due to many servers not allowing DNSSEC.
-@anchor{gnutls-cli ca-verification}
-@subheading ca-verification option
-
-This is the ``disable ca certificate verification'' option.
-
-@noindent
-This option has some usage constraints. It:
-@itemize @bullet
-@item
-can be disabled with --no-ca-verification.
-@item
-It is enabled by default.
-@end itemize
-
-This option will disable CA certificate verification. It is to be used with the --dane or --tofu options.
-@anchor{gnutls-cli ocsp}
-@subheading ocsp option
-
-This is the ``enable ocsp certificate verification'' option.
-
-@noindent
-This option has some usage constraints. It:
-@itemize @bullet
-@item
-can be disabled with --no-ocsp.
-@end itemize
-
-This option will enable verification of the peer's certificate using ocsp
-@anchor{gnutls-cli resume}
-@subheading resume option (-r)
-
-This is the ``establish a session and resume'' option.
-Connect, establish a session, reconnect and resume.
-@anchor{gnutls-cli rehandshake}
-@subheading rehandshake option (-e)
-
-This is the ``establish a session and rehandshake'' option.
-Connect, establish a session and rehandshake immediately.
-@anchor{gnutls-cli starttls}
-@subheading starttls option (-s)
-
-This is the ``connect, establish a plain session and start tls'' option.
-The TLS session will be initiated when EOF or a SIGALRM is received.
-@anchor{gnutls-cli dh-bits}
-@subheading dh-bits option
-
-This is the ``the minimum number of bits allowed for dh'' option.
-This option takes a number argument.
-This option sets the minimum number of bits allowed for a Diffie-Hellman key exchange. You may want to lower the default value if the peer sends a weak prime and you get an connection error with unacceptable prime.
-@anchor{gnutls-cli priority}
-@subheading priority option
-
-This is the ``priorities string'' option.
-This option takes a string argument.
-TLS algorithms and protocols to enable. You can
-use predefined sets of ciphersuites such as PERFORMANCE,
-NORMAL, SECURE128, SECURE256.
-
-Check the GnuTLS manual on section ``Priority strings'' for more
-information on allowed keywords
-@anchor{gnutls-cli ranges}
-@subheading ranges option
-
-This is the ``use length-hiding padding to prevent traffic analysis'' option.
-When possible (e.g., when %NEW_PADDING is specified), use length-hiding padding to prevent traffic analysis.
-@anchor{gnutls-cli list}
-@subheading list option (-l)
-
-This is the ``print a list of the supported algorithms and modes'' option.
-Print a list of the supported algorithms and modes. If a priority string is given then only the enabled ciphersuites are shown.
-@anchor{gnutls-cli alpn}
-@subheading alpn option
-
-This is the ``application layer protocol'' option.
-This option takes a string argument.
-
-@noindent
-This option has some usage constraints. It:
-@itemize @bullet
-@item
-may appear an unlimited number of times.
-@end itemize
-
-This option will set and enable the Application Layer Protocol Negotiation (ALPN) in the TLS protocol.
-@anchor{gnutls-cli disable-extensions}
-@subheading disable-extensions option
-
-This is the ``disable all the tls extensions'' option.
-This option disables all TLS extensions. Deprecated option. Use the priority string.
-@anchor{gnutls-cli inline-commands}
-@subheading inline-commands option
-
-This is the ``inline commands of the form ^<cmd>^'' option.
-Enable inline commands of the form ^<cmd>^. The inline commands are expected to be in a line by themselves. The available commands are: resume and renegotiate.
-@anchor{gnutls-cli inline-commands-prefix}
-@subheading inline-commands-prefix option
-
-This is the ``change the default (^) used as a delimiter for inline commands.
- the value is a single us-ascii character (octets 0 - 127).'' option.
-This option takes a string argument.
-Change the default (^) delimiter used for inline commands. The delimiter is expected to be a single US-ASCII character (octets 0 - 127). This option is only relevant if inline commands are enabled via the inline-commands option
-@anchor{gnutls-cli exit status}
-@subheading gnutls-cli exit status
-
-One of the following exit values will be returned:
-@table @samp
-@item 0 (EXIT_SUCCESS)
-Successful program execution.
-@item 1 (EXIT_FAILURE)
-The operation failed or the command syntax was not valid.
-@end table
-@anchor{gnutls-cli See Also}
-@subheading gnutls-cli See Also
-gnutls-cli-debug(1), gnutls-serv(1)
-@anchor{gnutls-cli Examples}
-@subheading gnutls-cli Examples
-@subheading Connecting using PSK authentication
-To connect to a server using PSK authentication, you need to enable the choice of PSK by using a cipher priority parameter such as in the example below.
-@example
-$ ./gnutls-cli -p 5556 localhost --pskusername psk_identity \
- --pskkey 88f3824b3e5659f52d00e959bacab954b6540344 \
- --priority NORMAL:-KX-ALL:+ECDHE-PSK:+DHE-PSK:+PSK
-Resolving 'localhost'...
-Connecting to '127.0.0.1:5556'...
-- PSK authentication.
-- Version: TLS1.1
-- Key Exchange: PSK
-- Cipher: AES-128-CBC
-- MAC: SHA1
-- Compression: NULL
-- Handshake was completed
-
-- Simple Client Mode:
-@end example
-By keeping the --pskusername parameter and removing the --pskkey parameter, it will query only for the password during the handshake.
-
-@subheading Listing ciphersuites in a priority string
-To list the ciphersuites in a priority string:
-@example
-$ ./gnutls-cli --priority SECURE192 -l
-Cipher suites for SECURE192
-TLS_ECDHE_ECDSA_AES_256_CBC_SHA384 0xc0, 0x24 TLS1.2
-TLS_ECDHE_ECDSA_AES_256_GCM_SHA384 0xc0, 0x2e TLS1.2
-TLS_ECDHE_RSA_AES_256_GCM_SHA384 0xc0, 0x30 TLS1.2
-TLS_DHE_RSA_AES_256_CBC_SHA256 0x00, 0x6b TLS1.2
-TLS_DHE_DSS_AES_256_CBC_SHA256 0x00, 0x6a TLS1.2
-TLS_RSA_AES_256_CBC_SHA256 0x00, 0x3d TLS1.2
-
-Certificate types: CTYPE-X.509
-Protocols: VERS-TLS1.2, VERS-TLS1.1, VERS-TLS1.0, VERS-SSL3.0, VERS-DTLS1.0
-Compression: COMP-NULL
-Elliptic curves: CURVE-SECP384R1, CURVE-SECP521R1
-PK-signatures: SIGN-RSA-SHA384, SIGN-ECDSA-SHA384, SIGN-RSA-SHA512, SIGN-ECDSA-SHA512
-@end example
-
-@subheading Connecting using a PKCS #11 token
-To connect to a server using a certificate and a private key present in a PKCS #11 token you
-need to substitute the PKCS 11 URLs in the x509certfile and x509keyfile parameters.
-
-Those can be found using "p11tool --list-tokens" and then listing all the objects in the
-needed token, and using the appropriate.
-@example
-$ p11tool --list-tokens
-
-Token 0:
-URL: pkcs11:model=PKCS15;manufacturer=MyMan;serial=1234;token=Test
-Label: Test
-Manufacturer: EnterSafe
-Model: PKCS15
-Serial: 1234
-
-$ p11tool --login --list-certs "pkcs11:model=PKCS15;manufacturer=MyMan;serial=1234;token=Test"
-
-Object 0:
-URL: pkcs11:model=PKCS15;manufacturer=MyMan;serial=1234;token=Test;object=client;object-type=cert
-Type: X.509 Certificate
-Label: client
-ID: 2a:97:0d:58:d1:51:3c:23:07:ae:4e:0d:72:26:03:7d:99:06:02:6a
-
-$ export MYCERT="pkcs11:model=PKCS15;manufacturer=MyMan;serial=1234;token=Test;object=client;object-type=cert"
-$ export MYKEY="pkcs11:model=PKCS15;manufacturer=MyMan;serial=1234;token=Test;object=client;object-type=private"
-
-$ gnutls-cli www.example.com --x509keyfile $MYKEY --x509certfile MYCERT
-@end example
-Notice that the private key only differs from the certificate in the object-type.
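Review bot: the PKCS #11 example near the end of the hunk contains a bug: `$ gnutls-cli www.example.com --x509keyfile $MYKEY --x509certfile MYCERT` passes the literal string `MYCERT` instead of `$MYCERT`, so the command as written cannot load the certificate whose URL was just exported; if this text is regenerated from `../src/cli-args.def`, fix it there. Two further points for that source: the `--ca-verification` entry is described as `Disable CA certificate verification` yet listed as `enabled by default` and `disabled as '--no-ca-verification'`, so a reader cannot tell whether `--ca-verification` turns verification on or off, and its long description (`This option will disable CA certificate verification. It is to be used with the --dane or --tofu options.`) should spell out that with CA checks off the server is trusted solely on the DANE record or the previously seen public key. And `--insecure` (`Don't abort program if server certificate can't be validated`) is the one switch that silently disables authentication of the peer, yet it is the only security-relevant option in the usage list with no option section in the node at all; it deserves a paragraph stating that it is intended for testing only. Minor: `advertize` -> `advertise` under `--recordsize`, and the ALPN section says the option will `set and enable` ALPN without saying that the string argument is the protocol name to offer.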
+++ /dev/null
-@node gnutls-serv Invocation
-@section Invoking gnutls-serv
-@pindex gnutls-serv
-@ignore
-# -*- buffer-read-only: t -*- vi: set ro:
-#
-# DO NOT EDIT THIS FILE (invoke-gnutls-serv.texi)
-#
-# It has been AutoGen-ed November 24, 2013 at 09:50:54 AM by AutoGen 5.18.2
-# From the definitions ../src/serv-args.def
-# and the template file agtexi-cmd.tpl
-@end ignore
-
-
-Server program that listens to incoming TLS connections.
-
-This section was generated by @strong{AutoGen},
-using the @code{agtexi-cmd} template and the option descriptions for the @code{gnutls-serv} program.
-This software is released under the GNU General Public License, version 3 or later.
-
-
-@anchor{gnutls-serv usage}
-@subheading gnutls-serv help/usage (@option{--help})
-@cindex gnutls-serv help
-
-This is the automatically generated usage text for gnutls-serv.
-
-The text printed is the same whether selected with the @code{help} option
-(@option{--help}) or the @code{more-help} option (@option{--more-help}). @code{more-help} will print
-the usage text by passing it through a pager program.
-@code{more-help} is disabled on platforms without a working
-@code{fork(2)} function. The @code{PAGER} environment variable is
-used to select the program, defaulting to @file{more}. Both will exit
-with a status code of 0.
-
-@exampleindent 0
-@example
-gnutls-serv - GnuTLS server
-Usage: gnutls-serv [ -<flag> [<val>] | --<name>[@{=| @}<val>] ]...
-
- -d, --debug=num Enable debugging
- - it must be in the range:
- 0 to 9999
- --noticket Don't accept session tickets
- -g, --generate Generate Diffie-Hellman and RSA-export parameters
- -q, --quiet Suppress some messages
- --nodb Do not use a resumption database
- --http Act as an HTTP server
- --echo Act as an Echo server
- -u, --udp Use DTLS (datagram TLS) over UDP
- --mtu=num Set MTU for datagram TLS
- - it must be in the range:
- 0 to 17000
- --srtp-profiles=str Offer SRTP profiles
- -a, --disable-client-cert Do not request a client certificate
- -r, --require-client-cert Require a client certificate
- -b, --heartbeat Activate heartbeat support
- --x509fmtder Use DER format for certificates to read from
- --priority=str Priorities string
- --dhparams=file DH params file to use
- - file must pre-exist
- --x509cafile=str Certificate file or PKCS #11 URL to use
- --x509crlfile=file CRL file to use
- - file must pre-exist
- --pgpkeyfile=file PGP Key file to use
- - file must pre-exist
- --pgpkeyring=file PGP Key ring file to use
- - file must pre-exist
- --pgpcertfile=file PGP Public Key (certificate) file to use
- - file must pre-exist
- --x509keyfile=str X.509 key file or PKCS #11 URL to use
- --x509certfile=str X.509 Certificate file or PKCS #11 URL to use
- --x509dsakeyfile=str Alternative X.509 key file or PKCS #11 URL to use
- --x509dsacertfile=str Alternative X.509 Certificate file or PKCS #11 URL to use
- --x509ecckeyfile=str Alternative X.509 key file or PKCS #11 URL to use
- --x509ecccertfile=str Alternative X.509 Certificate file or PKCS #11 URL to use
- --pgpsubkey=str PGP subkey to use (hex or auto)
- --srppasswd=file SRP password file to use
- - file must pre-exist
- --srppasswdconf=file SRP password configuration file to use
- - file must pre-exist
- --pskpasswd=file PSK password file to use
- - file must pre-exist
- --pskhint=str PSK identity hint to use
- --ocsp-response=file The OCSP response to send to client
- - file must pre-exist
- -p, --port=num The port to connect to
- -l, --list Print a list of the supported algorithms and modes
- -v, --version[=arg] output version information and exit
- -h, --help display extended usage information and exit
- -!, --more-help extended usage information passed thru pager
-
-Options are specified by doubled hyphens and their name or by a single
-hyphen and the flag character.
-
-Server program that listens to incoming TLS connections.
-
-Please send bug reports to: <bugs@@gnutls.org>
-@end example
-@exampleindent 4
-
-@anchor{gnutls-serv debug}
-@subheading debug option (-d)
-
-This is the ``enable debugging'' option.
-This option takes a number argument.
-Specifies the debug level.
-@anchor{gnutls-serv heartbeat}
-@subheading heartbeat option (-b)
-
-This is the ``activate heartbeat support'' option.
-Regularly ping client via heartbeat extension messages
-@anchor{gnutls-serv priority}
-@subheading priority option
-
-This is the ``priorities string'' option.
-This option takes a string argument.
-TLS algorithms and protocols to enable. You can
-use predefined sets of ciphersuites such as PERFORMANCE,
-NORMAL, SECURE128, SECURE256.
-
-Check the GnuTLS manual on section ``Priority strings'' for more
-information on allowed keywords
-@anchor{gnutls-serv ocsp-response}
-@subheading ocsp-response option
-
-This is the ``the ocsp response to send to client'' option.
-This option takes a file argument.
-If the client requested an OCSP response, return data from this file to the client.
-@anchor{gnutls-serv list}
-@subheading list option (-l)
-
-This is the ``print a list of the supported algorithms and modes'' option.
-Print a list of the supported algorithms and modes. If a priority string is given then only the enabled ciphersuites are shown.
-@anchor{gnutls-serv exit status}
-@subheading gnutls-serv exit status
-
-One of the following exit values will be returned:
-@table @samp
-@item 0 (EXIT_SUCCESS)
-Successful program execution.
-@item 1 (EXIT_FAILURE)
-The operation failed or the command syntax was not valid.
-@end table
-@anchor{gnutls-serv See Also}
-@subheading gnutls-serv See Also
-gnutls-cli-debug(1), gnutls-cli(1)
-@anchor{gnutls-serv Examples}
-@subheading gnutls-serv Examples
-Running your own TLS server based on GnuTLS can be useful when
-debugging clients and/or GnuTLS itself. This section describes how to
-use @code{gnutls-serv} as a simple HTTPS server.
-
-The most basic server can be started as:
-
-@example
-gnutls-serv --http
-@end example
-
-It will only support anonymous ciphersuites, which many TLS clients
-refuse to use.
-
-The next step is to add support for X.509. First we generate a CA:
-
-@example
-$ certtool --generate-privkey > x509-ca-key.pem
-$ echo 'cn = GnuTLS test CA' > ca.tmpl
-$ echo 'ca' >> ca.tmpl
-$ echo 'cert_signing_key' >> ca.tmpl
-$ certtool --generate-self-signed --load-privkey x509-ca-key.pem \
- --template ca.tmpl --outfile x509-ca.pem
-...
-@end example
-
-Then generate a server certificate. Remember to change the dns_name
-value to the name of your server host, or skip that command to avoid
-the field.
-
-@example
-$ certtool --generate-privkey > x509-server-key.pem
-$ echo 'organization = GnuTLS test server' > server.tmpl
-$ echo 'cn = test.gnutls.org' >> server.tmpl
-$ echo 'tls_www_server' >> server.tmpl
-$ echo 'encryption_key' >> server.tmpl
-$ echo 'signing_key' >> server.tmpl
-$ echo 'dns_name = test.gnutls.org' >> server.tmpl
-$ certtool --generate-certificate --load-privkey x509-server-key.pem \
- --load-ca-certificate x509-ca.pem --load-ca-privkey x509-ca-key.pem \
- --template server.tmpl --outfile x509-server.pem
-...
-@end example
-
-For use in the client, you may want to generate a client certificate
-as well.
-
-@example
-$ certtool --generate-privkey > x509-client-key.pem
-$ echo 'cn = GnuTLS test client' > client.tmpl
-$ echo 'tls_www_client' >> client.tmpl
-$ echo 'encryption_key' >> client.tmpl
-$ echo 'signing_key' >> client.tmpl
-$ certtool --generate-certificate --load-privkey x509-client-key.pem \
- --load-ca-certificate x509-ca.pem --load-ca-privkey x509-ca-key.pem \
- --template client.tmpl --outfile x509-client.pem
-...
-@end example
-
-To be able to import the client key/certificate into some
-applications, you will need to convert them into a PKCS#12 structure.
-This also encrypts the security sensitive key with a password.
-
-@example
-$ certtool --to-p12 --load-ca-certificate x509-ca.pem \
- --load-privkey x509-client-key.pem --load-certificate x509-client.pem \
- --outder --outfile x509-client.p12
-@end example
-
-For icing, we'll create a proxy certificate for the client too.
-
-@example
-$ certtool --generate-privkey > x509-proxy-key.pem
-$ echo 'cn = GnuTLS test client proxy' > proxy.tmpl
-$ certtool --generate-proxy --load-privkey x509-proxy-key.pem \
- --load-ca-certificate x509-client.pem --load-ca-privkey x509-client-key.pem \
- --load-certificate x509-client.pem --template proxy.tmpl \
- --outfile x509-proxy.pem
-...
-@end example
-
-Then start the server again:
-
-@example
-$ gnutls-serv --http \
- --x509cafile x509-ca.pem \
- --x509keyfile x509-server-key.pem \
- --x509certfile x509-server.pem
-@end example
-
-Try connecting to the server using your web browser. Note that the
-server listens to port 5556 by default.
-
-While you are at it, to allow connections using DSA, you can also
-create a DSA key and certificate for the server. These credentials
-will be used in the final example below.
-
-@example
-$ certtool --generate-privkey --dsa > x509-server-key-dsa.pem
-$ certtool --generate-certificate --load-privkey x509-server-key-dsa.pem \
- --load-ca-certificate x509-ca.pem --load-ca-privkey x509-ca-key.pem \
- --template server.tmpl --outfile x509-server-dsa.pem
-...
-@end example
-
-The next step is to create OpenPGP credentials for the server.
-
-@example
-gpg --gen-key
-...enter whatever details you want, use 'test.gnutls.org' as name...
-@end example
-
-Make a note of the OpenPGP key identifier of the newly generated key,
-here it was @code{5D1D14D8}. You will need to export the key for
-GnuTLS to be able to use it.
-
-@example
-gpg -a --export 5D1D14D8 > openpgp-server.txt
-gpg --export 5D1D14D8 > openpgp-server.bin
-gpg --export-secret-keys 5D1D14D8 > openpgp-server-key.bin
-gpg -a --export-secret-keys 5D1D14D8 > openpgp-server-key.txt
-@end example
-
-Let's start the server with support for OpenPGP credentials:
-
-@example
-gnutls-serv --http \
- --pgpkeyfile openpgp-server-key.txt \
- --pgpcertfile openpgp-server.txt
-@end example
-
-The next step is to add support for SRP authentication. This requires
-an SRP password file created with @code{srptool}.
-To start the server with SRP support:
-
-@example
-gnutls-serv --http \
- --srppasswdconf srp-tpasswd.conf \
- --srppasswd srp-passwd.txt
-@end example
-
-Let's also start a server with support for PSK. This would require
-a password file created with @code{psktool}.
-
-@example
-gnutls-serv --http \
- --pskpasswd psk-passwd.txt
-@end example
-
-Finally, we start the server with all the earlier parameters and you
-get this command:
-
-@example
-gnutls-serv --http \
- --x509cafile x509-ca.pem \
- --x509keyfile x509-server-key.pem \
- --x509certfile x509-server.pem \
- --x509dsakeyfile x509-server-key-dsa.pem \
- --x509dsacertfile x509-server-dsa.pem \
- --pgpkeyfile openpgp-server-key.txt \
- --pgpcertfile openpgp-server.txt \
- --srppasswdconf srp-tpasswd.conf \
- --srppasswd srp-passwd.txt \
- --pskpasswd psk-passwd.txt
-@end example
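Review bot: the `gnutls-serv` usage text lists `-p, --port=num The port to connect to`, which is wrong for a listening server (it is the port to listen on), and the examples section later says the server listens on port 5556 by default while neither the usage text nor the option sections state that default; both belong in `../src/serv-args.def` if this node is regenerated. The `--x509dsakeyfile`/`--x509dsacertfile` and `--x509ecckeyfile`/`--x509ecccertfile` pairs carry identical descriptions (`Alternative X.509 key file or PKCS #11 URL to use` / `Alternative X.509 Certificate file or PKCS #11 URL to use`), so the help output cannot tell a reader which pair takes DSA and which takes ECDSA credentials; the final example exercises only the DSA pair, and the ECC pair is never explained. In the tutorial, the first server (`gnutls-serv --http`) is correctly flagged as supporting only anonymous ciphersuites; `-g, --generate` (`Generate Diffie-Hellman and RSA-export parameters`) would benefit from the same kind of caveat, since RSA-export parameters are export-grade and only matter when the `--priority` string still enables such ciphersuites. Finally, the walkthrough writes every private key with shell redirection (`certtool --generate-privkey > x509-ca-key.pem` and the server, client and proxy keys after it), so the files get whatever the shell's umask allows; the text should tell the reader to restrict permissions on at least the CA key, which signs every certificate in the examples, rather than leave it potentially world-readable.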
+++ /dev/null
-@node ocsptool Invocation
-@subsection Invoking ocsptool
-@pindex ocsptool
-@ignore
-# -*- buffer-read-only: t -*- vi: set ro:
-#
-# DO NOT EDIT THIS FILE (invoke-ocsptool.texi)
-#
-# It has been AutoGen-ed November 24, 2013 at 09:50:56 AM by AutoGen 5.18.2
-# From the definitions ../src/ocsptool-args.def
-# and the template file agtexi-cmd.tpl
-@end ignore
-
-
-Ocsptool is a program that can parse and print information about
-OCSP requests/responses, generate requests and verify responses.
-
-
-This section was generated by @strong{AutoGen},
-using the @code{agtexi-cmd} template and the option descriptions for the @code{ocsptool} program.
-This software is released under the GNU General Public License, version 3 or later.
-
-
-@anchor{ocsptool usage}
-@subsubheading ocsptool help/usage (@option{--help})
-@cindex ocsptool help
-
-This is the automatically generated usage text for ocsptool.
-
-The text printed is the same whether selected with the @code{help} option
-(@option{--help}) or the @code{more-help} option (@option{--more-help}). @code{more-help} will print
-the usage text by passing it through a pager program.
-@code{more-help} is disabled on platforms without a working
-@code{fork(2)} function. The @code{PAGER} environment variable is
-used to select the program, defaulting to @file{more}. Both will exit
-with a status code of 0.
-
-@exampleindent 0
-@example
-ocsptool - GnuTLS OCSP tool
-Usage: ocsptool [ -<flag> [<val>] | --<name>[@{=| @}<val>] ]...
-
- -d, --debug=num Enable debugging
- - it must be in the range:
- 0 to 9999
- -V, --verbose More verbose output
- - may appear multiple times
- --infile=file Input file
- - file must pre-exist
- --outfile=str Output file
- --ask[=arg] Ask an OCSP/HTTP server on a certificate validity
- - requires these options:
- load-cert
- load-issuer
- -e, --verify-response Verify response
- -i, --request-info Print information on a OCSP request
- -j, --response-info Print information on a OCSP response
- -q, --generate-request Generate an OCSP request
- --nonce Don't add nonce to OCSP request
- - disabled as '--no-nonce'
- --load-issuer=file Read issuer certificate from file
- - file must pre-exist
- --load-cert=file Read certificate to check from file
- - file must pre-exist
- --load-trust=file Read OCSP trust anchors from file
- - prohibits the option 'load-signer'
- - file must pre-exist
- --load-signer=file Read OCSP response signer from file
- - prohibits the option 'load-trust'
- - file must pre-exist
- --inder Use DER format for input certificates and private keys
- - disabled as '--no-inder'
- -Q, --load-request=file Read DER encoded OCSP request from file
- - file must pre-exist
- -S, --load-response=file Read DER encoded OCSP response from file
- - file must pre-exist
- -v, --version[=arg] output version information and exit
- -h, --help display extended usage information and exit
- -!, --more-help extended usage information passed thru pager
-
-Options are specified by doubled hyphens and their name or by a single
-hyphen and the flag character.
-
-Ocsptool is a program that can parse and print information about OCSP
-requests/responses, generate requests and verify responses.
-
-Please send bug reports to: <bugs@@gnutls.org>
-@end example
-@exampleindent 4
-
-@anchor{ocsptool debug}
-@subsubheading debug option (-d)
-
-This is the ``enable debugging'' option.
-This option takes a number argument.
-Specifies the debug level.
-@anchor{ocsptool ask}
-@subsubheading ask option
-
-This is the ``ask an ocsp/http server on a certificate validity'' option.
-This option takes an optional string argument @file{server name|url}.
-
-@noindent
-This option has some usage constraints. It:
-@itemize @bullet
-@item
-must appear in combination with the following options:
-load-cert, load-issuer.
-@end itemize
-
-Connects to the specified HTTP OCSP server and queries on the validity of the loaded certificate.
-@anchor{ocsptool exit status}
-@subsubheading ocsptool exit status
-
-One of the following exit values will be returned:
-@table @samp
-@item 0 (EXIT_SUCCESS)
-Successful program execution.
-@item 1 (EXIT_FAILURE)
-The operation failed or the command syntax was not valid.
-@end table
-@anchor{ocsptool See Also}
-@subsubheading ocsptool See Also
- certtool (1)
-@anchor{ocsptool Examples}
-@subsubheading ocsptool Examples
-@subsubheading Print information about an OCSP request
-
-To parse an OCSP request and print information about the content, the
-@code{-i} or @code{--request-info} parameter may be used as follows.
-The @code{-Q} parameter specify the name of the file containing the
-OCSP request, and it should contain the OCSP request in binary DER
-format.
-
-@example
-$ ocsptool -i -Q ocsp-request.der
-@end example
-
-The input file may also be sent to standard input like this:
-
-@example
-$ cat ocsp-request.der | ocsptool --request-info
-@end example
-
-@subsubheading Print information about an OCSP response
-
-Similar to parsing OCSP requests, OCSP responses can be parsed using
-the @code{-j} or @code{--response-info} as follows.
-
-@example
-$ ocsptool -j -Q ocsp-response.der
-$ cat ocsp-response.der | ocsptool --response-info
-@end example
-
-@subsubheading Generate an OCSP request
-
-The @code{-q} or @code{--generate-request} parameters are used to
-generate an OCSP request. By default the OCSP request is written to
-standard output in binary DER format, but can be stored in a file
-using @code{--outfile}. To generate an OCSP request the issuer of the
-certificate to check needs to be specified with @code{--load-issuer}
-and the certificate to check with @code{--load-cert}. By default PEM
-format is used for these files, although @code{--inder} can be used to
-specify that the input files are in DER format.
-
-@example
-$ ocsptool -q --load-issuer issuer.pem --load-cert client.pem \
- --outfile ocsp-request.der
-@end example
-
-When generating OCSP requests, the tool will add an OCSP extension
-containing a nonce. This behaviour can be disabled by specifying
-@code{--no-nonce}.
-
-@subsubheading Verify signature in OCSP response
-
-To verify the signature in an OCSP response the @code{-e} or
-@code{--verify-response} parameter is used. The tool will read an
-OCSP response in DER format from standard input, or from the file
-specified by @code{--load-response}. The OCSP response is verified
-against a set of trust anchors, which are specified using
-@code{--load-trust}. The trust anchors are concatenated certificates
-in PEM format. The certificate that signed the OCSP response needs to
-be in the set of trust anchors, or the issuer of the signer
-certificate needs to be in the set of trust anchors and the OCSP
-Extended Key Usage bit has to be asserted in the signer certificate.
-
-@example
-$ ocsptool -e --load-trust issuer.pem \
- --load-response ocsp-response.der
-@end example
-
-The tool will print status of verification.
-
-@subsubheading Verify signature in OCSP response against given certificate
-
-It is possible to override the normal trust logic if you know that a
-certain certificate is supposed to have signed the OCSP response, and
-you want to use it to check the signature. This is achieved using
-@code{--load-signer} instead of @code{--load-trust}. This will load
-one certificate and it will be used to verify the signature in the
-OCSP response. It will not check the Extended Key Usage bit.
-
-@example
-$ ocsptool -e --load-signer ocsp-signer.pem \
- --load-response ocsp-response.der
-@end example
-
-This approach is normally only relevant in two situations. The first
-is when the OCSP response does not contain a copy of the signer
-certificate, so the @code{--load-trust} code would fail. The second
-is if you want to avoid the indirect mode where the OCSP response
-signer certificate is signed by a trust anchor.
-
-@subsubheading Real-world example
-
-Here is an example of how to generate an OCSP request for a
-certificate and to verify the response. For illustration we'll use
-the @code{blog.josefsson.org} host, which (as of writing) uses a
-certificate from CACert. First we'll use @code{gnutls-cli} to get a
-copy of the server certificate chain. The server is not required to
-send this information, but this particular one is configured to do so.
-
-@example
-$ echo | gnutls-cli -p 443 blog.josefsson.org --print-cert > chain.pem
-@end example
-
-Use a text editor on @code{chain.pem} to create three files for each
-separate certificates, called @code{cert.pem} for the first
-certificate for the domain itself, secondly @code{issuer.pem} for the
-intermediate certificate and @code{root.pem} for the final root
-certificate.
-
-The domain certificate normally contains a pointer to where the OCSP
-responder is located, in the Authority Information Access Information
-extension. For example, from @code{certtool -i < cert.pem} there is
-this information:
-
-@example
-Authority Information Access Information (not critical):
-Access Method: 1.3.6.1.5.5.7.48.1 (id-ad-ocsp)
-Access Location URI: http://ocsp.CAcert.org/
-@end example
-
-This means the CA support OCSP queries over HTTP. We are now ready to
-create a OCSP request for the certificate.
-
-@example
-$ ocsptool --ask ocsp.CAcert.org --load-issuer issuer.pem \
- --load-cert cert.pem --outfile ocsp-response.der
-@end example
-
-The request is sent via HTTP to the OCSP server address specified. If the
-address is ommited ocsptool will use the address stored in the certificate.
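Review bot: the `--nonce` entry in the usage text reads "Don't add nonce to OCSP request" yet is "disabled as '--no-nonce'", which contradicts the Examples paragraph stating that a nonce is added by default and `--no-nonce` turns it off; since this file is AutoGen-ed from ../src/ocsptool-args.def, the descrip there should read "Add nonce to OCSP request" before the file is regenerated (the nonce is the only freshness check a verifier has against a replayed response, so the default deserves to be documented correctly). Two smaller points in the Real-world example: the `--ask` invocation saves the responder's answer via `--outfile ocsp-response.der`, so the lead-in "create a OCSP request" should say the request is sent and the response stored, and "ommited" in the closing sentence is misspelled.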
+++ /dev/null
-@node p11tool Invocation
-@subsection Invoking p11tool
-@pindex p11tool
-@ignore
-# -*- buffer-read-only: t -*- vi: set ro:
-#
-# DO NOT EDIT THIS FILE (invoke-p11tool.texi)
-#
-# It has been AutoGen-ed November 24, 2013 at 09:51:01 AM by AutoGen 5.18.2
-# From the definitions ../src/p11tool-args.def
-# and the template file agtexi-cmd.tpl
-@end ignore
-
-
-Program that allows handling data from PKCS #11 smart cards
-and security modules.
-
-To use PKCS #11 tokens with gnutls the configuration file
-/etc/gnutls/pkcs11.conf has to exist and contain a number of lines of the form 'load=/usr/lib/opensc-pkcs11.so'.
-Alternatively the p11-kit configuration files have to be setup.
-
-To provide the PIN for all the operations below use the environment variable
-GNUTLS_PIN.
-
-
-This section was generated by @strong{AutoGen},
-using the @code{agtexi-cmd} template and the option descriptions for the @code{p11tool} program.
-This software is released under the GNU General Public License, version 3 or later.
-
-
-@anchor{p11tool usage}
-@subsubheading p11tool help/usage (@option{--help})
-@cindex p11tool help
-
-This is the automatically generated usage text for p11tool.
-
-The text printed is the same whether selected with the @code{help} option
-(@option{--help}) or the @code{more-help} option (@option{--more-help}). @code{more-help} will print
-the usage text by passing it through a pager program.
-@code{more-help} is disabled on platforms without a working
-@code{fork(2)} function. The @code{PAGER} environment variable is
-used to select the program, defaulting to @file{more}. Both will exit
-with a status code of 0.
-
-@exampleindent 0
-@example
-p11tool - GnuTLS PKCS #11 tool
-Usage: p11tool [ -<flag> [<val>] | --<name>[@{=| @}<val>] ]... [url]
-
- -d, --debug=num Enable debugging
- - it must be in the range:
- 0 to 9999
- --outfile=str Output file
- --list-tokens List all available tokens
- --export Export the object specified by the URL
- --export-chain Export the certificate specified by the URL and its chain of trust
- --list-mechanisms List all available mechanisms in a token
- --list-all List all available objects in a token
- --list-all-certs List all available certificates in a token
- --list-certs List all certificates that have an associated private key
- --list-all-privkeys List all available private keys in a token
- --list-all-trusted List all available certificates marked as trusted
- --initialize Initializes a PKCS #11 token
- --write Writes the loaded objects to a PKCS #11 token
- --delete Deletes the objects matching the PKCS #11 URL
- --generate-random=num Generate random data
- --generate-rsa Generate an RSA private-public key pair
- --generate-dsa Generate an RSA private-public key pair
- --generate-ecc Generate an RSA private-public key pair
- --label=str Sets a label for the write operation
- --trusted Marks the object to be written as trusted
- - disabled as '--no-trusted'
- --private Marks the object to be written as private
- - disabled as '--no-private'
- - enabled by default
- --login Force login to token
- - disabled as '--no-login'
- --detailed-url Print detailed URLs
- - disabled as '--no-detailed-url'
- --secret-key=str Provide a hex encoded secret key
- --load-privkey=file Private key file to use
- - file must pre-exist
- --load-pubkey=file Public key file to use
- - file must pre-exist
- --load-certificate=file Certificate file to use
- - file must pre-exist
- -8, --pkcs8 Use PKCS #8 format for private keys
- --bits=num Specify the number of bits for key generate
- --sec-param=str Specify the security level
- --inder Use DER/RAW format for input
- - disabled as '--no-inder'
- --inraw an alias for the 'inder' option
- --outder Use DER format for output certificates, private keys, and DH parameters
- - disabled as '--no-outder'
- --outraw an alias for the 'outder' option
- --provider=file Specify the PKCS #11 provider library
- - file must pre-exist
- -v, --version[=arg] output version information and exit
- -h, --help display extended usage information and exit
- -!, --more-help extended usage information passed thru pager
-
-Options are specified by doubled hyphens and their name or by a single
-hyphen and the flag character.
-Operands and options may be intermixed. They will be reordered.
-
-Program that allows handling data from PKCS #11 smart cards and security
-modules.
-
-To use PKCS #11 tokens with gnutls the configuration file
-/etc/gnutls/pkcs11.conf has to exist and contain a number of lines of the
-form 'load=/usr/lib/opensc-pkcs11.so'. Alternatively the p11-kit
-configuration files have to be setup.
-
-To provide the PIN for all the operations below use the environment
-variable GNUTLS_PIN.
-
-Please send bug reports to: <bugs@@gnutls.org>
-@end example
-@exampleindent 4
-
-@anchor{p11tool debug}
-@subsubheading debug option (-d)
-
-This is the ``enable debugging'' option.
-This option takes a number argument.
-Specifies the debug level.
-@anchor{p11tool export-chain}
-@subsubheading export-chain option
-
-This is the ``export the certificate specified by the url and its chain of trust'' option.
-Exports the certificate specified by the URL and generates its chain of trust based on the stored certificates in the module.
-@anchor{p11tool write}
-@subsubheading write option
-
-This is the ``writes the loaded objects to a pkcs #11 token'' option.
-It can be used to write private keys, certificates or secret keys to a token.
-@anchor{p11tool generate-random}
-@subsubheading generate-random option
-
-This is the ``generate random data'' option.
-This option takes a number argument.
-Asks the token to generate a number of bytes of random bytes.
-@anchor{p11tool generate-rsa}
-@subsubheading generate-rsa option
-
-This is the ``generate an rsa private-public key pair'' option.
-Generates an RSA private-public key pair on the specified token.
-@anchor{p11tool generate-dsa}
-@subsubheading generate-dsa option
-
-This is the ``generate an rsa private-public key pair'' option.
-Generates an RSA private-public key pair on the specified token.
-@anchor{p11tool generate-ecc}
-@subsubheading generate-ecc option
-
-This is the ``generate an rsa private-public key pair'' option.
-Generates an RSA private-public key pair on the specified token.
-@anchor{p11tool private}
-@subsubheading private option
-
-This is the ``marks the object to be written as private'' option.
-
-@noindent
-This option has some usage constraints. It:
-@itemize @bullet
-@item
-can be disabled with --no-private.
-@item
-It is enabled by default.
-@end itemize
-
-The written object will require a PIN to be used.
-@anchor{p11tool sec-param}
-@subsubheading sec-param option
-
-This is the ``specify the security level'' option.
-This option takes a string argument @file{Security parameter}.
-This is alternative to the bits option. Available options are [low, legacy, normal, high, ultra].
-@anchor{p11tool inder}
-@subsubheading inder option
-
-This is the ``use der/raw format for input'' option.
-
-@noindent
-This option has some usage constraints. It:
-@itemize @bullet
-@item
-can be disabled with --no-inder.
-@end itemize
-
-Use DER/RAW format for input certificates and private keys.
-@anchor{p11tool inraw}
-@subsubheading inraw option
-
-This is an alias for the @code{inder} option,
-@pxref{p11tool inder, the inder option documentation}.
-
-@anchor{p11tool outder}
-@subsubheading outder option
-
-This is the ``use der format for output certificates, private keys, and dh parameters'' option.
-
-@noindent
-This option has some usage constraints. It:
-@itemize @bullet
-@item
-can be disabled with --no-outder.
-@end itemize
-
-The output will be in DER or RAW format.
-@anchor{p11tool outraw}
-@subsubheading outraw option
-
-This is an alias for the @code{outder} option,
-@pxref{p11tool outder, the outder option documentation}.
-
-@anchor{p11tool provider}
-@subsubheading provider option
-
-This is the ``specify the pkcs #11 provider library'' option.
-This option takes a file argument.
-This will override the default options in /etc/gnutls/pkcs11.conf
-@anchor{p11tool exit status}
-@subsubheading p11tool exit status
-
-One of the following exit values will be returned:
-@table @samp
-@item 0 (EXIT_SUCCESS)
-Successful program execution.
-@item 1 (EXIT_FAILURE)
-The operation failed or the command syntax was not valid.
-@end table
-@anchor{p11tool See Also}
-@subsubheading p11tool See Also
- certtool (1)
-@anchor{p11tool Examples}
-@subsubheading p11tool Examples
-To view all tokens in your system use:
-@example
-$ p11tool --list-tokens
-@end example
-
-To view all objects in a token use:
-@example
-$ p11tool --login --list-all "pkcs11:TOKEN-URL"
-@end example
-
-To store a private key and a certificate in a token run:
-@example
-$ p11tool --login --write "pkcs11:URL" --load-privkey key.pem \
- --label "Mykey"
-$ p11tool --login --write "pkcs11:URL" --load-certificate cert.pem \
- --label "Mykey"
-@end example
-Note that some tokens require the same label to be used for the certificate
-and its corresponding private key.
-
-To generate an RSA private key inside the token use:
-@example
-$ p11tool --login --generate-rsa --bits 1024 --label "MyNewKey" \
- --outfile MyNewKey.pub "pkcs11:TOKEN-URL"
-@end example
-The bits parameter in the above example is explicitly set because some
-tokens only support a limited number of bits. The output file is the
-corresponding public key. This key can be used to general a certificate
-request with certtool.
-@example
-certtool --generate-request --load-privkey "pkcs11:KEY-URL" \
- --load-pubkey MyNewKey.pub --outfile request.pem
-@end example
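Review bot: `--generate-dsa` and `--generate-ecc` are both described as "Generate an RSA private-public key pair" in the usage text and again in their option sections ("Generates an RSA private-public key pair on the specified token"), a copy-paste error that lives in ../src/p11tool-args.def and will survive regeneration unless fixed there. In the Examples, "general a certificate request" should read "generate", and the `--generate-rsa --bits 1024` example is justified by token limits, but 1024-bit RSA is below current minimum strength; the text already documents `--sec-param` as the alternative to `--bits`, so the example would be better with `--sec-param normal` or `--bits 2048` plus a note that some tokens reject larger sizes. "have to be setup" should be "have to be set up".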
+++ /dev/null
-@node psktool Invocation
-@subsubsection Invoking psktool
-@pindex psktool
-@ignore
-# -*- buffer-read-only: t -*- vi: set ro:
-#
-# DO NOT EDIT THIS FILE (invoke-psktool.texi)
-#
-# It has been AutoGen-ed November 24, 2013 at 09:51:00 AM by AutoGen 5.18.2
-# From the definitions ../src/psk-args.def
-# and the template file agtexi-cmd.tpl
-@end ignore
-
-
-Program that generates random keys for use with TLS-PSK. The
-keys are stored in hexadecimal format in a key file.
-
-This section was generated by @strong{AutoGen},
-using the @code{agtexi-cmd} template and the option descriptions for the @code{psktool} program.
-This software is released under the GNU General Public License, version 3 or later.
-
-
-@anchor{psktool usage}
-@subsubheading psktool help/usage (@option{--help})
-@cindex psktool help
-
-This is the automatically generated usage text for psktool.
-
-The text printed is the same whether selected with the @code{help} option
-(@option{--help}) or the @code{more-help} option (@option{--more-help}). @code{more-help} will print
-the usage text by passing it through a pager program.
-@code{more-help} is disabled on platforms without a working
-@code{fork(2)} function. The @code{PAGER} environment variable is
-used to select the program, defaulting to @file{more}. Both will exit
-with a status code of 0.
-
-@exampleindent 0
-@example
-psktool - GnuTLS PSK tool
-Usage: psktool [ -<flag> [<val>] | --<name>[@{=| @}<val>] ]...
-
- -d, --debug=num Enable debugging
- - it must be in the range:
- 0 to 9999
- -s, --keysize=num specify the key size in bytes
- - it must be in the range:
- 0 to 512
- -u, --username=str specify a username
- -p, --passwd=str specify a password file
- -v, --version[=arg] output version information and exit
- -h, --help display extended usage information and exit
- -!, --more-help extended usage information passed thru pager
-
-Options are specified by doubled hyphens and their name or by a single
-hyphen and the flag character.
-
-Program that generates random keys for use with TLS-PSK. The keys are
-stored in hexadecimal format in a key file.
-
-Please send bug reports to: <bugs@@gnutls.org>
-@end example
-@exampleindent 4
-
-@anchor{psktool debug}
-@subsubheading debug option (-d)
-
-This is the ``enable debugging'' option.
-This option takes a number argument.
-Specifies the debug level.
-@anchor{psktool exit status}
-@subsubheading psktool exit status
-
-One of the following exit values will be returned:
-@table @samp
-@item 0 (EXIT_SUCCESS)
-Successful program execution.
-@item 1 (EXIT_FAILURE)
-The operation failed or the command syntax was not valid.
-@end table
-@anchor{psktool See Also}
-@subsubheading psktool See Also
- gnutls-cli-debug (1), gnutls-serv (1), srptool (1), certtool (1)
-@anchor{psktool Examples}
-@subsubheading psktool Examples
-To add a user 'psk_identity' in @file{passwd.psk} for use with GnuTLS run:
-@example
-$ ./psktool -u psk_identity -p passwd.psk
-Generating a random key for user 'psk_identity'
-Key stored to passwd.psk
-$ cat psks.txt
-psk_identity:88f3824b3e5659f52d00e959bacab954b6540344
-$
-@end example
-
-This command will create @file{passwd.psk} if it does not exist
-and will add user 'psk_identity' (you will also be prompted for a password).
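Review bot: the example transcript is internally inconsistent: the key is written with `-p passwd.psk` and the tool reports "Key stored to passwd.psk", but the next command is `cat psks.txt`, and the closing paragraph says the user "will also be prompted for a password" although the transcript shows a random key being generated with no prompt (that sentence was carried over from the srptool example). Both originate in ../src/psk-args.def and should be corrected there: `cat passwd.psk`, and a note that the file holds the raw shared secret in hex and must be protected like a private key rather than a password hash.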
+++ /dev/null
-@node srptool Invocation
-@subsubsection Invoking srptool
-@pindex srptool
-@ignore
-# -*- buffer-read-only: t -*- vi: set ro:
-#
-# DO NOT EDIT THIS FILE (invoke-srptool.texi)
-#
-# It has been AutoGen-ed November 24, 2013 at 09:50:59 AM by AutoGen 5.18.2
-# From the definitions ../src/srptool-args.def
-# and the template file agtexi-cmd.tpl
-@end ignore
-
-
-Simple program that emulates the programs in the Stanford SRP (Secure
-Remote Password) libraries using GnuTLS. It is intended for use in places
-where you don't expect SRP authentication to be the used for system users.
-
-In brief, to use SRP you need to create two files. These are the password
-file that holds the users and the verifiers associated with them and the
-configuration file to hold the group parameters (called tpasswd.conf).
-
-This section was generated by @strong{AutoGen},
-using the @code{agtexi-cmd} template and the option descriptions for the @code{srptool} program.
-This software is released under the GNU General Public License, version 3 or later.
-
-
-@anchor{srptool usage}
-@subsubheading srptool help/usage (@option{--help})
-@cindex srptool help
-
-This is the automatically generated usage text for srptool.
-
-The text printed is the same whether selected with the @code{help} option
-(@option{--help}) or the @code{more-help} option (@option{--more-help}). @code{more-help} will print
-the usage text by passing it through a pager program.
-@code{more-help} is disabled on platforms without a working
-@code{fork(2)} function. The @code{PAGER} environment variable is
-used to select the program, defaulting to @file{more}. Both will exit
-with a status code of 0.
-
-@exampleindent 0
-@example
-srptool - GnuTLS SRP tool
-Usage: srptool [ -<flag> [<val>] | --<name>[@{=| @}<val>] ]...
-
- -d, --debug=num Enable debugging
- - it must be in the range:
- 0 to 9999
- -i, --index=num specify the index of the group parameters in tpasswd.conf to use
- -u, --username=str specify a username
- -p, --passwd=str specify a password file
- -s, --salt=num specify salt size
- --verify just verify the password.
- -v, --passwd-conf=str specify a password conf file.
- --create-conf=str Generate a password configuration file.
- -v, --version[=arg] output version information and exit
- -h, --help display extended usage information and exit
- -!, --more-help extended usage information passed thru pager
-
-Options are specified by doubled hyphens and their name or by a single
-hyphen and the flag character.
-
-Simple program that emulates the programs in the Stanford SRP (Secure
-Remote Password) libraries using GnuTLS. It is intended for use in places
-where you don't expect SRP authentication to be the used for system users.
-
-In brief, to use SRP you need to create two files. These are the password
-file that holds the users and the verifiers associated with them and the
-configuration file to hold the group parameters (called tpasswd.conf).
-
-Please send bug reports to: <bugs@@gnutls.org>
-@end example
-@exampleindent 4
-
-@anchor{srptool debug}
-@subsubheading debug option (-d)
-
-This is the ``enable debugging'' option.
-This option takes a number argument.
-Specifies the debug level.
-@anchor{srptool verify}
-@subsubheading verify option
-
-This is the ``just verify the password.'' option.
-Verifies the password provided against the password file.
-@anchor{srptool passwd-conf}
-@subsubheading passwd-conf option (-v)
-
-This is the ``specify a password conf file.'' option.
-This option takes a string argument.
-Specify a filename or a PKCS #11 URL to read the CAs from.
-@anchor{srptool create-conf}
-@subsubheading create-conf option
-
-This is the ``generate a password configuration file.'' option.
-This option takes a string argument.
-This generates a password configuration file (tpasswd.conf)
-containing the required for TLS parameters.
-@anchor{srptool exit status}
-@subsubheading srptool exit status
-
-One of the following exit values will be returned:
-@table @samp
-@item 0 (EXIT_SUCCESS)
-Successful program execution.
-@item 1 (EXIT_FAILURE)
-The operation failed or the command syntax was not valid.
-@end table
-@anchor{srptool See Also}
-@subsubheading srptool See Also
- gnutls-cli-debug (1), gnutls-serv (1), srptool (1), psktool (1), certtool (1)
-@anchor{srptool Examples}
-@subsubheading srptool Examples
-To create @file{tpasswd.conf} which holds the g and n values for SRP protocol
-(generator and a large prime), run:
-@example
-$ srptool --create-conf /etc/tpasswd.conf
-@end example
-
-This command will create @file{/etc/tpasswd} and will add user 'test' (you
-will also be prompted for a password). Verifiers are stored by default
-in the way libsrp expects.
-@example
-$ srptool --passwd /etc/tpasswd --passwd-conf /etc/tpasswd.conf -u test
-@end example
-
-
-This command will check against a password. If the password matches
-the one in @file{/etc/tpasswd} you will get an ok.
-@example
-$ srptool --passwd /etc/tpasswd --passwd\-conf /etc/tpasswd.conf --verify -u test
-@end example
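Review bot: several defects in the deleted text originate in ../src/srptool-args.def and will reappear on regeneration unless fixed there. The `passwd-conf` option section says "Specify a filename or a PKCS #11 URL to read the CAs from", which is certtool text; it should describe the tpasswd.conf file holding the SRP group parameters. The usage text assigns `-v` to both `--passwd-conf` and `--version`, a flag collision. The create-conf description "containing the required for TLS parameters" should read "containing the parameters required for TLS". In the last example `--passwd\-conf` carries a man-page backslash escape that breaks the command if copied, and the See Also list cites srptool itself.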
+++ /dev/null
-@node tpmtool Invocation
-@subsection Invoking tpmtool
-@pindex tpmtool
-@ignore
-# -*- buffer-read-only: t -*- vi: set ro:
-#
-# DO NOT EDIT THIS FILE (invoke-tpmtool.texi)
-#
-# It has been AutoGen-ed November 24, 2013 at 09:51:02 AM by AutoGen 5.18.2
-# From the definitions ../src/tpmtool-args.def
-# and the template file agtexi-cmd.tpl
-@end ignore
-
-
-Program that allows handling cryptographic data from the TPM chip.
-
-This section was generated by @strong{AutoGen},
-using the @code{agtexi-cmd} template and the option descriptions for the @code{tpmtool} program.
-This software is released under the GNU General Public License, version 3 or later.
-
-
-@anchor{tpmtool usage}
-@subsubheading tpmtool help/usage (@option{--help})
-@cindex tpmtool help
-
-This is the automatically generated usage text for tpmtool.
-
-The text printed is the same whether selected with the @code{help} option
-(@option{--help}) or the @code{more-help} option (@option{--more-help}). @code{more-help} will print
-the usage text by passing it through a pager program.
-@code{more-help} is disabled on platforms without a working
-@code{fork(2)} function. The @code{PAGER} environment variable is
-used to select the program, defaulting to @file{more}. Both will exit
-with a status code of 0.
-
-@exampleindent 0
-@example
-tpmtool - GnuTLS TPM tool
-Usage: tpmtool [ -<flag> [<val>] | --<name>[@{=| @}<val>] ]...
-
- -d, --debug=num Enable debugging
- - it must be in the range:
- 0 to 9999
- --infile=file Input file
- - file must pre-exist
- --outfile=str Output file
- --generate-rsa Generate an RSA private-public key pair
- --register Any generated key will be registered in the TPM
- - requires the option 'generate-rsa'
- --signing Any generated key will be a signing key
- - requires the option 'generate-rsa'
- -- and prohibits the option 'legacy'
- --legacy Any generated key will be a legacy key
- - requires the option 'generate-rsa'
- -- and prohibits the option 'signing'
- --user Any registered key will be a user key
- - requires the option 'register'
- -- and prohibits the option 'system'
- --system Any registred key will be a system key
- - requires the option 'register'
- -- and prohibits the option 'user'
- --pubkey=str Prints the public key of the provided key
- --list Lists all stored keys in the TPM
- --delete=str Delete the key identified by the given URL (UUID).
- --sec-param=str Specify the security level [low, legacy, normal, high, ultra].
- --bits=num Specify the number of bits for key generate
- --inder Use the DER format for keys.
- - disabled as '--no-inder'
- --outder Use DER format for output keys
- - disabled as '--no-outder'
- -v, --version[=arg] output version information and exit
- -h, --help display extended usage information and exit
- -!, --more-help extended usage information passed thru pager
-
-Options are specified by doubled hyphens and their name or by a single
-hyphen and the flag character.
-
-Program that allows handling cryptographic data from the TPM chip.
-
-Please send bug reports to: <bugs@@gnutls.org>
-@end example
-@exampleindent 4
-
-@anchor{tpmtool debug}
-@subsubheading debug option (-d)
-
-This is the ``enable debugging'' option.
-This option takes a number argument.
-Specifies the debug level.
-@anchor{tpmtool generate-rsa}
-@subsubheading generate-rsa option
-
-This is the ``generate an rsa private-public key pair'' option.
-Generates an RSA private-public key pair in the TPM chip.
-The key may be stored in filesystem and protected by a PIN, or stored (registered)
-in the TPM chip flash.
-@anchor{tpmtool user}
-@subsubheading user option
-
-This is the ``any registered key will be a user key'' option.
-
-@noindent
-This option has some usage constraints. It:
-@itemize @bullet
-@item
-must appear in combination with the following options:
-register.
-@item
-must not appear in combination with any of the following options:
-system.
-@end itemize
-
-The generated key will be stored in a user specific persistent storage.
-@anchor{tpmtool system}
-@subsubheading system option
-
-This is the ``any registred key will be a system key'' option.
-
-@noindent
-This option has some usage constraints. It:
-@itemize @bullet
-@item
-must appear in combination with the following options:
-register.
-@item
-must not appear in combination with any of the following options:
-user.
-@end itemize
-
-The generated key will be stored in system persistent storage.
-@anchor{tpmtool sec-param}
-@subsubheading sec-param option
-
-This is the ``specify the security level [low, legacy, normal, high, ultra].'' option.
-This option takes a string argument @file{Security parameter}.
-This is alternative to the bits option. Note however that the
-values allowed by the TPM chip are quantized and given values may be rounded up.
-@anchor{tpmtool inder}
-@subsubheading inder option
-
-This is the ``use the der format for keys.'' option.
-
-@noindent
-This option has some usage constraints. It:
-@itemize @bullet
-@item
-can be disabled with --no-inder.
-@end itemize
-
-The input files will be assumed to be in the portable
-DER format of TPM. The default format is a custom format used by various
-TPM tools
-@anchor{tpmtool outder}
-@subsubheading outder option
-
-This is the ``use der format for output keys'' option.
-
-@noindent
-This option has some usage constraints. It:
-@itemize @bullet
-@item
-can be disabled with --no-outder.
-@end itemize
-
-The output will be in the TPM portable DER format.
-@anchor{tpmtool exit status}
-@subsubheading tpmtool exit status
-
-One of the following exit values will be returned:
-@table @samp
-@item 0 (EXIT_SUCCESS)
-Successful program execution.
-@item 1 (EXIT_FAILURE)
-The operation failed or the command syntax was not valid.
-@end table
-@anchor{tpmtool See Also}
-@subsubheading tpmtool See Also
- p11tool (1), certtool (1)
-@anchor{tpmtool Examples}
-@subsubheading tpmtool Examples
-To generate a key that is to be stored in filesystem use:
-@example
-$ tpmtool --generate-rsa --bits 2048 --outfile tpmkey.pem
-@end example
-
-To generate a key that is to be stored in TPM's flash use:
-@example
-$ tpmtool --generate-rsa --bits 2048 --register --user
-@end example
-
-To get the public key of a TPM key use:
-@example
-$ tpmtool --pubkey tpmkey:uuid=58ad734b-bde6-45c7-89d8-756a55ad1891;storage=user \
- --outfile pubkey.pem
-@end example
-
-or if the key is stored in the filesystem:
-@example
-$ tpmtool --pubkey tpmkey:file=tmpkey.pem --outfile pubkey.pem
-@end example
-
-To list all keys stored in TPM use:
-@example
-$ tpmtool --list
-@end example
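Review bot: the `--pubkey` examples have two problems worth fixing in ../src/tpmtool-args.def before regeneration: the key URL `tpmkey:uuid=58ad734b-bde6-45c7-89d8-756a55ad1891;storage=user` is unquoted, so a POSIX shell splits it at `;` and runs `storage=user` as a separate command; the URL should be placed in double quotes. The filesystem variant references `tmpkey.pem` while the generation example above writes `tpmkey.pem`. Also "registred" in the `--system` help text and option section is misspelled, and the `inder` description ("used by various TPM tools") is missing its final period.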