Command line switches

The following command line switches can be used:

cmd	cmd long	Description
-q	--quiet	Do not display anything.
-b	--no-banner	Do not display the banner.
-d	--debug	Enable debug output.
-c	--configure	Generate a default configuration file. This option must be combined with -o or --output.
-g	--generate	Generate the files (RSA key, x509 certificate and PKCS12 file) from a configuration. This option must be combined with -i or --input.
-i	--input	The input file with the required configuration for generating the different objects.
-o	--output	The output file that will include the generated configuration to be used once updated.
-h	--help	Display this help and exit.

To create new certificates, a configuration file must be generated. This file must be updated with the user configuration. Then, the mtxcert.exe tool must be executed again for building the final files. The configuration file is a standard .ini file with sections. Following are the available parameters:

Section Common

Parameter	Description
CommonName=mtxcert_out	This defines the common name to be used for generating the files. Each file will be created with this common name and a dedicated extension (.key, .kep, .crt or .p12). It is important not to include special characters. The names should remain ascii names, that is, A-Z, a-z, 0-9 and the underscore (_).

Section Rsa

Parameter	Description
RsaModulus=512	This defines the RSA private key modulus (part of the key strength). Common values are 512, 1024 and 2048.
RsaExponent=65537	This defines the RSA private key exponent (part of the key strength). Common value is 65537.
RsaSymCipher=Aes_256_Cbc	This defines the symmetric cipher to be used for encrypting the private key. It is possible not to cipher the key in which case the special Null value must be used. In this case, no key password should were supplied. BMC recommends to encrypt the private key with one of the following symmetric cipher:
	Null Des_Cbc Des_Ecb Des_Cfb Des_Cfb64 Des_Ofb Des_Ede_Cbc Des_Ede Des_Ede_Ofb Des_Ede_Cfb Des_Ede3_Cbc Des_Ede3 Des_Ede3_Ofb Des_Ede3_Cfb Desx_Cbc Rc4 Rc4_40 Rc2_Cbc Rc2_Ecb Rc2_Cfb Rc2_Ofb Rc2_40_Cbc Rc2_64_Cbc Bf_Cbc Bf_Ecb	Bf_Cfb Bf_Ofb Cast5_Cbc Cast5_Ecb Cast5_Cfb Cast5_Ofb Aes_128_Cbc Aes_128_Cfb Aes_128_Cfb1 Aes_128_Cfb8 Aes_128_Ecb Aes_128_Ofb Aes_192_Cbc Aes_192_Cfb Aes_192_Cfb1 Aes_192_Cfb8 Aes_192_Ecb Aes_192_Ofb Aes_256_Cbc Aes_256_Cfb Aes_256_Cfb1 Aes_256_Cfb8 Aes_256_Ecb Aes_256_Ofb
RsaKeyPwd=	This defines the password to be used for encrypting the private key. If this password is blank and if the symmetric cipher is Null, the private key will not be ciphered. If this password is blank and if the symmetric cipher is not Null, the private key will be encrypted using the Kep algorithm. Otherwise, the private key will be encrypted using the defined symmetric cipher and the supplied password. In this case, no .kep file will be created.

Section Ca

Parameter

Description

CaCommonName=level_2

This defines the common name of the authority to be used for signing the certificate. As for the CommonName, no extension must be supplied. If the CaCommonName and the CommonName are equal, the certificate will be self signed. This way, a new root authority can be created. If the special value "Numara" is used, the certificate will be signed with the BMC authority. Otherwise, the certificate will be signed with the supplied authority. In this case, the RSA private key (extension .key) and the x509 certificate (extension .crt) must be available. An optional Kep file (extension .kep) might be available if the authority is managed with the Kep algorithm.

CaKeyPwd=

This defines the password to be used for decrypting the authority private key. If this password is blank, an optional Kep file (extension .kep) is searched. In case of success, the Kep algorithm will be used. Otherwise, the tool assume that the authority private key is not ciphered.

Section CertObj

Each line defines an entry in the specification of the target for which the certificate will be generated. It is possible to remove one or more lines and to add new ones. Also, the current parameters can be updated. It is important to have at least a well defined and unique commonName. Anyway, the details about certificates content and extensions is out of scope.

countryName=FR stateOrProvinceName=PACA localityName=Sophia Antipolis organizationName=BMC Software commonName=BMC Authority Level 3 - BMC Software Sophia Antipolis

Section CertExt

Each line defines an entry in the x509v3 extensions specification of the target for which the certificate will be generated. It is possible to remove one or more lines and to add new ones. Also, the current parameters can be updated. It is important to have at least a well defined basicConstraints. In case of authority, the value CA:TRUE should be defined. In case of final certificate, the value CA:FALSE should be used instead. Anyway, the details about certificates content and extensions is out of scope.

;subjectAltName=DNS:192.168.1.121,DNS:NOAH,DNS:NOAH.sophia.metrixsystems.com 
;subjectKeyIdentifier=hash 
;authorityKeyIdentifier=keyid,issuer:always
;keyUsage=nonRepudiation,digitalSignature,keyEncipherment basicConstraints=CA:TRUE

Section Pkcs12

Parameter	Description
Pkcs12Pwd=	This defines the password to be used for creating the PKCS12 file. The PKCS12 file is often used with the console or a browser when the SSL=3 parameter is in use. If the password is blank, no PKCS12 file will be generated.