Certificate Creation utility (createcert)

Creates X.509 certificates.

Syntax
createcert [ -r | -s ]
Option         Description
-r             Creates a PKCS10 certificate request. When this option is specified, createcert does not prompt for a signer or any other information used to sign a certificate.
-s filename    Signs the PKCS10 certificate request that is in the specified file. The request can be DER or PEM encoded. When this option is specified, createcert does not prompt for key generation or subject information.
Remarks

Users typically purchase certificates from a third-party certificate authority, and these authorities provide their own tools for creating certificates. The tools described here are especially useful for creating certificates for development and testing purposes, and can also be used for production certificates.

To create a signed certificate, use createcert without options. If you want to break up the process into two steps, for example so one person creates a request and another person signs it, the first person can run createcert with -r to create a request and the second person can sign the request by running createcert with -s.

When you run createcert, you are prompted for the following information. When you specify the -r or -s option, some of these prompts do not appear.

  • Choose encryption type   This prompt only appears if you have purchased a license for ECC encryption. Choose RSA or ECC.

  • Enter RSA key length (512-16384)   This prompt only appears if you chose RSA encryption. You can choose a length between 512 bits and 16384 bits.

  • Enter ECC curve   This prompt only appears if you have purchased a license for ECC encryption and you chose the ECC encryption type above. You are prompted to choose from a list of ECC curves. The default is sect163k1.

  • Subject information   You must enter the following information, which identifies the entity:

    • Country Code
    • State/Province
    • Locality
    • Organization
    • Organizational Unit
    • Common Name

  • Enter file path of signer's certificate   Optionally, supply a location and file name for the signer's certificate. If you supply this information, the generated certificate is a signed certificate. If you do not supply this information, then the generated certificate is a self-signed root certificate.

  • Enter file path of signer's private key   Supply the location and file name of the private key associated with the signer's certificate; this key is used to sign the certificate. This prompt only appears if you supplied a signer's certificate in the previous prompt.

  • Enter password for signer's private key   Supply the password that was used to encrypt the signer's private key. Only supply this password if the private key was encrypted.

  • Serial number   Optionally, supply a serial number. The serial number must be a hexadecimal string of 40 digits or less. This number must be unique among all certificates signed by the current signer. If you do not supply a serial number, createcert generates a GUID as the serial number.

  • Certificate will be valid for how many years (1-100)   Specify the number of years (between 1 and 100) that the certificate is valid. After this period, the certificate expires, along with all certificates it signs.

  • Certificate Authority (y)es or (n)o   Indicate whether this certificate can be used to sign other certificates. By default, certificates are not certificate authorities (n).

  • Key usage   Supply a comma-separated list of numbers that indicate how the certificate's private key can be used. This is an advanced option; the default should be acceptable for most situations. The default depends on whether the certificate is a certificate authority or not.

  • File path to save request   This prompt only appears if you specify the -r option. Supply a location and file name for the PKCS10 certificate request.

  • Enter file path to save certificate   Supply a location and file name to save the certificate. The certificate is not saved unless you specify a location and file name.

  • Enter file path to save private key   Supply a location and file name to save the private key.

  • Enter password to protect private key   Optionally, supply a password with which to encrypt the private key. If you do not supply a password, the private key is not encrypted. This prompt only appears if you supplied a file in the previous prompt.

  • Enter file path to save identity   Supply a location and file name to save the identity. The identity file is a concatenation of the certificate, signer, and private key. This is the file that you supply to the server at startup. If the private key was not saved, createcert prompts for a password to save the private key. Otherwise, it uses the password provided earlier. The identity is not saved unless you provide a file name. If you do not save the identity file, you can manually concatenate the certificate, signer, and private key files into an identity file.
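The identity file described above is a plain concatenation of PEM blocks in a fixed order (certificate, signer, private key). The following Python is an added example, not code from SQL Anywhere or the createcert utility, that assembles such a file by hand from the three pieces and reports what ended up in it, in particular whether the private key the server will read at startup is actually encrypted. The PEM bodies are constructed placeholders, not real certificates or keys, and the file names cert.pem, signer.pem and key.pem are taken from the example session on this page.

```python
# Added example, not part of SQL Anywhere or the createcert utility.
# Assembles an identity file by hand in the order the documentation
# gives (certificate, signer, private key) and reports what went into it.
# All PEM bodies below are constructed placeholders, not real keys.
import re

# Matches one PEM block and captures its label and body (headers included).
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", re.S)

# Constructed sample contents standing in for cert.pem, signer.pem and key.pem
CERT_PEM = ("-----BEGIN CERTIFICATE-----\n"
            "Q29uc3RydWN0ZWQgc2FtcGxlLCBub3QgYSByZWFsIGNlcnRpZmljYXRl\n"
            "-----END CERTIFICATE-----\n")
SIGNER_PEM = ("-----BEGIN CERTIFICATE-----\n"
              "Q29uc3RydWN0ZWQgc2FtcGxlLCBub3QgYSByZWFsIHNpZ25lciBjZXJ0\n"
              "-----END CERTIFICATE-----\n")
# Legacy PEM keys encrypted with a password carry a Proc-Type header line.
ENCRYPTED_KEY_PEM = ("-----BEGIN RSA PRIVATE KEY-----\n"
                     "Proc-Type: 4,ENCRYPTED\n"
                     "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n"
                     "\n"
                     "Q29uc3RydWN0ZWQgc2FtcGxlLCBub3QgYSByZWFsIGtleQ==\n"
                     "-----END RSA PRIVATE KEY-----\n")
PLAIN_KEY_PEM = ("-----BEGIN RSA PRIVATE KEY-----\n"
                 "Q29uc3RydWN0ZWQgc2FtcGxlLCBub3QgYSByZWFsIGtleQ==\n"
                 "-----END RSA PRIVATE KEY-----\n")


def pem_blocks(text):
    """Return (label, body) for every PEM block in text, in file order."""
    return [(m.group(1), m.group(2)) for m in PEM_BLOCK.finditer(text)]


def key_is_encrypted(label, body):
    """PKCS#8 encrypted keys use their own label; legacy PEM keys signal
    encryption with a 'Proc-Type: 4,ENCRYPTED' header line."""
    return label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body


def build_identity(cert_pem, key_pem, signer_pem=None):
    """Concatenate certificate, signer (if any) and private key, in that
    order, after checking that each file holds the block type expected.
    signer_pem is None for a self-signed root, which has no signer."""
    if [lbl for lbl, _ in pem_blocks(cert_pem)] != ["CERTIFICATE"]:
        raise ValueError("certificate file must hold exactly one CERTIFICATE block")
    parts = [cert_pem.strip()]
    if signer_pem is not None:
        signer_labels = [lbl for lbl, _ in pem_blocks(signer_pem)]
        if not signer_labels or set(signer_labels) != {"CERTIFICATE"}:
            raise ValueError("signer file must hold only CERTIFICATE blocks")
        parts.append(signer_pem.strip())
    keys = [(lbl, body) for lbl, body in pem_blocks(key_pem)
            if lbl.endswith("PRIVATE KEY")]
    if len(keys) != 1:
        raise ValueError("private key file must hold exactly one PRIVATE KEY block")
    parts.append(key_pem.strip())
    return "\n".join(parts) + "\n"


def identity_report(identity_text):
    """Summarise an identity file: how many certificates it carries (one
    for a self-signed root, more when a signer is included) and whether
    its private key is encrypted. An unencrypted key in the file the
    server reads at startup is the finding to flag."""
    blocks = pem_blocks(identity_text)
    keys = [(lbl, body) for lbl, body in blocks if lbl.endswith("PRIVATE KEY")]
    return {
        "certificates": sum(1 for lbl, _ in blocks if lbl == "CERTIFICATE"),
        "private_key": keys[0][0] if keys else None,
        "key_encrypted": bool(keys) and key_is_encrypted(*keys[0]),
    }


if __name__ == "__main__":
    # Self-signed root: no signer, password-protected key
    identity = build_identity(CERT_PEM, ENCRYPTED_KEY_PEM)
    print(identity_report(identity))
    # Signed certificate with its signer and an unprotected key
    print(identity_report(build_identity(CERT_PEM, PLAIN_KEY_PEM, SIGNER_PEM)))
```

Run it against real files by reading cert.pem, signer.pem and key.pem into the three arguments of build_identity and writing the result to id.pem; identity_report is also useful on an id.pem that was produced by createcert itself, since it tells you at a glance whether the key inside is encrypted.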

Example

The following example creates a signed certificate. In the example, no file name is provided for the signer's certificate, which makes it a self-signed root certificate.

>createcert
SQL Anywhere X.509 Certificate Generator Version 11.0.1.3330
Choose encryption type ((R)SA or (E)CC): r
Enter RSA key length (512-16384): 1024
Generating key pair...
Country Code: CA
State/Province: Ontario
Locality: Waterloo
Organization: Sybase iAnywhere
Organizational Unit: Engineering
Common Name: Test Certificate
Enter file path of signer's certificate:
Certificate will be a self-signed root
Serial number [generate GUID]:
Generated serial number: bfb89a26fb854955954cabc4d056e177
Certificate valid for how many years (1-100): 10
Certificate Authority (Y/N) [N]: n
1.  Digital Signature
2.  Nonrepudiation
3.  Key Encipherment
4.  Data Encipherment
5.  Key Agreement
6.  Certificate Signing
7.  CRL Signing
8.  Encipher Only
9.  Decipher Only
Key Usage [3,4,5]: 3,4,5
Enter file path to save certificate: cert.pem
Enter file path to save private key: key.pem
Enter password to protect private key: pwd
Enter file path to save identity: id.pem

To generate an enterprise root certificate (a certificate that signs other certificates), create a self-signed root certificate with Certificate Authority set to yes. The procedure is similar to that shown above, except that the response to the Certificate Authority prompt should be y and the Key Usage choices should be 6,7 (the default for a certificate authority).

Certificate Authority (Y/N) [N]: y
1.  Digital Signature
2.  Nonrepudiation
3.  Key Encipherment
4.  Data Encipherment
5.  Key Agreement
6.  Certificate Signing
7.  CRL Signing
8.  Encipher Only
9.  Decipher Only
Key Usage [6,7]: 6,7
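The Key usage menu shown in both transcripts and the Serial number prompt described earlier map directly onto fields of the resulting X.509 certificate. The following Python is an added example, not code from SQL Anywhere or the createcert utility: it turns an answer to the Key usage prompt into the RFC 5280 KeyUsage bit names and the DER-encoded BIT STRING that ends up in the certificate, applies the documented serial number rules (hexadecimal, at most 40 digits, unique per signer, GUID when left blank), and adds one consistency check a reviewer would want, that a CA certificate carries Certificate Signing and a non-CA certificate does not. The menu numbering and the defaults 3,4,5 and 6,7 are taken from this page; the bit positions are the RFC 5280 assignments, and the function names are this example's own.

```python
# Added example, not part of SQL Anywhere or the createcert utility.
# Models two of the prompts documented above: "Serial number" and
# "Key usage". The menu numbering (1-9) and the defaults 3,4,5 / 6,7 come
# from the transcripts on this page; the bit positions are the RFC 5280
# KeyUsage bit assignments (bit 0 = digitalSignature ... bit 8 = decipherOnly).
import re
import uuid

# Menu number shown by createcert -> (RFC 5280 name, KeyUsage bit index)
KEY_USAGE_MENU = {
    1: ("digitalSignature", 0),
    2: ("nonRepudiation", 1),
    3: ("keyEncipherment", 2),
    4: ("dataEncipherment", 3),
    5: ("keyAgreement", 4),
    6: ("keyCertSign", 5),
    7: ("cRLSign", 6),
    8: ("encipherOnly", 7),
    9: ("decipherOnly", 8),
}


def default_key_usage(is_ca):
    """Defaults shown in the transcripts: 6,7 for a CA, 3,4,5 otherwise."""
    return [6, 7] if is_ca else [3, 4, 5]


def parse_key_usage(answer, is_ca):
    """Parse the comma-separated answer to the Key usage prompt.
    An empty answer takes the default for the certificate type."""
    answer = answer.strip()
    if not answer:
        return default_key_usage(is_ca)
    choices = sorted({int(x) for x in answer.split(",")})
    bad = [c for c in choices if c not in KEY_USAGE_MENU]
    if bad:
        raise ValueError(f"key usage choices {bad} are not on the 1-9 menu")
    return choices


def key_usage_names(choices):
    """RFC 5280 names for the chosen menu numbers."""
    return [KEY_USAGE_MENU[c][0] for c in choices]


def key_usage_der(choices):
    """DER-encode the KeyUsage extension value (a BIT STRING) for the
    chosen menu numbers. Bit 0 is the most significant bit of the first
    content byte, and DER drops trailing zero bits of a named bit list."""
    bits = [KEY_USAGE_MENU[c][1] for c in choices]
    used = max(bits) + 1                      # number of significant bits
    nbytes = (used + 7) // 8
    content = bytearray(nbytes)
    for b in bits:
        content[b // 8] |= 1 << (7 - b % 8)
    unused = nbytes * 8 - used                # leading byte of a BIT STRING
    body = bytes([unused]) + bytes(content)
    return bytes([0x03, len(body)]) + body    # tag 0x03 = BIT STRING


def ca_key_usage_consistent(is_ca, choices):
    """Consistency check: a CA certificate should include Certificate
    Signing (menu 6) and a non-CA certificate should not."""
    return (6 in choices) == is_ca


SERIAL_RE = re.compile(r"^[0-9A-Fa-f]{1,40}$")


def generate_serial():
    """When the prompt is left blank createcert generates a GUID; a GUID
    written as 32 hex digits (as in the transcript) fits the 40-digit limit."""
    return uuid.uuid4().hex


def check_serial(answer, issued):
    """Apply the documented rules: hexadecimal, at most 40 digits, and
    unique among the serials this signer has already issued."""
    serial = answer.strip() or generate_serial()
    if not SERIAL_RE.match(serial):
        raise ValueError("serial number must be a hex string of 1-40 digits")
    if serial.lower() in {s.lower() for s in issued}:
        raise ValueError(f"serial number {serial} was already issued by this signer")
    return serial.lower()


if __name__ == "__main__":
    for is_ca, answer in ((False, "3,4,5"), (True, "")):
        choices = parse_key_usage(answer, is_ca)
        print(is_ca, choices, key_usage_names(choices), key_usage_der(choices).hex())
    print(check_serial("bfb89a26fb854955954cabc4d056e177", []))
```

The two defaults encode to the familiar values seen in certificate dumps: 3,4,5 gives the BIT STRING 03 02 03 38 and the CA default 6,7 gives 03 02 01 06. One caveat on serial numbers beyond what the prompt enforces: RFC 5280 limits serialNumber to 20 octets and requires it to be positive, so a 40-digit value whose first hex digit is 8 or above needs a leading zero byte when DER-encoded and then exceeds 20 octets, which some verifiers reject; keeping serials to the GUID length, or 39 digits or fewer, avoids that.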