vtl createCert
Creates the client's certificate and private key that are used by NTLS. Re-creates the key and certificate if they already exist.
CAUTION! If the key and certificate are re-created, the client will need to be removed and re-registered on each of the HSM servers with which it was registered.
NOTE The client hostname/IP (-n) is the only mandatory field for certificate creation. All other fields of the certificate are used simply for display and visual confirmation purposes. The NTLA never displays certificate data fields to the user, so the content in these fields is irrelevant.
TIP Using HSM Client 10.7.0 or newer, the client private keys used for NTLS certificates are no longer encrypted with DES-EDE3-CBC, and are now encrypted with AES-256-CBC. Old certs are still accepted in NTLS links, but new ones have the key encrypted with the more secure algorithm.
Syntax
vtl createCert -n <IP/hostname> [-c <country_code>] [-curve <curve name>] [-keysize <key size>] [-keytype <key type>] [-s <state>] [-l <locality>] [-o <organization>] [-u <organization_unit>] [-e <email_address>] [-P <private_key_filename>] [-C <cert_filename>] [-d <certificate_validity_period>] [-v]
Argument(s) | Description |
---|---|
-c <country> | The country where the client computer resides. |
-C <filename> |
The specified filename (*.pem) for the certificate. Default: <IP/hostname>.pem NOTE Thales recommends using the default filename to avoid losing track of keys and certificates. |
-curve <curve_name> | Elliptic Curve name (ECC only):options are secp256k1,secp384r1,secp521r1,prime256v1 ( default is secp384r1) [HSM Client 10.7.0 or newer] |
-d <validity_period> |
Specifies the validity period for the client certificate, in days. Default: 3650 (10 years) |
-e <email_adress> | An email address to contact the certificate creator. |
-keysize <key_size> |
RSA key size (RSA only): options are 2048,3072,4096 (default is 2048) [HSM Client 10.7.0 or newer] |
-keytype <key_type> |
Key type: options are rsa, ecc, or ed25519 (default is RSA) [HSM Client 10.7.0 or newer] |
-l <locality> | The locality where the client computer resides. |
-n <IP/hostname> | [mandatory] The client hostname or IP address. This becomes the certificate Common Name (CN). |
-o <organization> | The name of the organization that owns the client computer. |
-P <filename> |
The specified filename (*Key.pem) for the private key. Default: <IP/hostname>Key.pem NOTE Thales recommends using the default filename to avoid losing track of keys and certificates. |
-s <state> | The state where the client computer resides. |
-u <unit> | The business unit or department that owns the client computer. |
-v | Verbose mode. Output extra information while creating the certificate and private key. |
-x | Deprecated option to encrypt the private key -- the private key is always encrypted by default. |
Example
Windows
vtl createCert -n test Private Key created and written to: E:\temp\clientCerts\testKey.pem Certificate created and written to: E:\temp\clientCerts\test.pem vtl createCert -n test -v Using configuration from C:\Program Files\SafeNet\LunaClient\openssl.cnf It needs to be at least 1024 Writing new private key to stdout E:\temp\clientCerts\testKey.pem' CA [CA]:CA Ontario [Ontario]:Ontario Ottawa [Ottawa]:Ottawa My company [My company]:My company []: test [test]:test []: Private Key created and written to: E:\temp\clientCerts\testKey.pem Certificate created and written to: E:\temp\clientCerts\test.pem
UNIX
vtl createCert -n test Private Key created and written to: /usr/safenet/lunaclient/cert/client/testKey.pem Certificate created and written to: /usr/safenet/lunaclient/cert/client/test.pem