SSCG(8) System Administration Utilities SSCG(8)

sscg - Tool for generating X.509 certificates

sscg [OPTION...]

Display no output unless there is an error.
Display progress messages.
Enable logging of debug messages. Implies verbose. Warning! This will print private key information to the screen!
Display the version number and exit.
Overwrite any pre-existing files in the requested locations.
Certificate lifetime (days). (default: 398)
Certificate DN: Country (C). (default: "US")
Certificate DN: State or Province (ST).
Certificate DN: Locality (L).
Certificate DN: Organization (O). (default: "Unspecified")
Certificate DN: Organizational Unit (OU).
Certificate DN: Email Address (Email).
The valid hostname of the certificate. Must be an FQDN. (default: current system FQDN)
Optional additional valid hostnames for the certificate. In addition to hostnames, this option also accepts explicit values supported by RFC 5280 such as IP:xxx.xxx.xxx.xxx/yyy.yyy.yyy.yyy. May be specified multiple times.
Unused. Retained for compatibility with earlier versions of sscg.
Strength of the certificate private keys in bits. (default: 2048)
Hashing algorithm to use for signing. (default: "sha256")
Cipher to use for encrypting key files. (default: "aes-256-cbc")
Path where the public CA certificate will be stored. (default: "./ca.crt")
File mode of the created CA certificate.
Path where the CA's private key will be stored. If unspecified, the key will be destroyed rather than written to the disk.
File mode of the created CA key.
Provide a password for the CA key file. Note that this will be visible in the process table for all users, so it should be used for testing purposes only. Use --ca-keypassfile or --ca-key-password-prompt for secure password entry.
A file containing the password to encrypt the CA key file.
Prompt to enter a password for the CA key file.
Path where an (empty) Certificate Revocation List file will be created, for applications that expect such a file to exist. If unspecified, no such file will be created.
File mode of the created Certificate Revocation List.
Path where the public service certificate will be stored. (default: "./service.pem")
File mode of the created certificate.
Path where the service's private key will be stored. (default: "service-key.pem")
File mode of the created certificate key.
Provide a password for the service key file. Note that this will be visible in the process table for all users, so this flag should be used for testing purposes only. Use --cert-keypassfile or --cert-key-password-prompt for secure password entry.
A file containing the password to encrypt the service key file.
Prompt to enter a password for the service key file.
Path where a client authentication certificate will be stored.
File mode of the created certificate.
Path where the client's private key will be stored. (default is the client-file)
File mode of the created certificate key.
Provide a password for the client key file. Note that this will be visible in the process table for all users, so this flag should be used for testing purposes only. Use --client-keypassfile or --client-key-password-prompt for secure password entry.
A file containing the password to encrypt the client key file.
Prompt to enter a password for the client key file.
A file to contain a set of Diffie-Hellman parameters. (Default: "./dhparams.pem")
Do not create the dhparams file.
Output well-known DH parameters. The available named groups are: ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, modp_2048, modp_3072, modp_4096, modp_6144, modp_8192, modp_1536, dh_1024_160, dh_2048_224, dh_2048_256. (Default: "ffdhe4096")
The length of the prime number to generate for dhparams, in bits. If set to non-zero, the parameters will be generated rather than using a well-known group. (default: 0)
The generator value for dhparams. (default: 2)

-?, --help
Show this help message.
Display brief usage message.
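
The warning on the three key-password options (CA, service and client) can be checked directly. The following is an added example, not part of the sscg documentation or code: it starts a stand-in process (sscg itself is not run) and compares what the Linux process table shows when a password is passed as an option value with what it shows when only a password file path is passed. It assumes Linux with /proc mounted; the sample password, the file name ca-key.pass and the helper names are constructed for illustration.

```python
import os
import subprocess
import sys
import tempfile

# Constructed sample secret; never a real password.
SAMPLE_PASSWORD = "constructed-sample-passphrase"

# Stand-in child: a Python process that just sleeps. sscg is not executed;
# only the argument list matters for what the process table shows.
STAND_IN = [sys.executable, "-c", "import time; time.sleep(30)"]


def visible_cmdline(args):
    """Start the stand-in with args and return its argv as seen in /proc."""
    child = subprocess.Popen(STAND_IN + args)
    try:
        # Linux-only: the same data that ps(1) shows to every local user.
        with open(f"/proc/{child.pid}/cmdline", "rb") as fh:
            raw = fh.read()
    finally:
        child.kill()
        child.wait()
    return [a.decode() for a in raw.split(b"\0") if a]


def password_on_cmdline():
    """Password given as an option value: it lands in the process table."""
    return visible_cmdline(["--ca-key-password", SAMPLE_PASSWORD])


def password_in_file(directory):
    """Password given via a 0600 file: only the path is in the process table."""
    path = os.path.join(directory, "ca-key.pass")  # hypothetical file name
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(SAMPLE_PASSWORD)
    # Option name spelled as it appears in the text above.
    argv = visible_cmdline(["--ca-keypassfile", path])
    return argv, os.stat(path).st_mode & 0o777


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print("option value leaks:", SAMPLE_PASSWORD in password_on_cmdline())
        argv, mode = password_in_file(tmp)
        print("password file leaks:", SAMPLE_PASSWORD in argv, "mode", oct(mode))
```

The password file is created with mode 0600 before anything is written to it, so the secret is never readable by other users on disk either.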
June 2023 sscg 3.0.4