Generating certificates with the mtxcert.exe tool

mtxcert.exe is a command line tool aimed at easing the creation of RSA keys, x509 certificates and PKCS12 files. Concerning the certificates, the tool can be used for creating new root authorities, intermediate authorities or final certificates. mtxcert.exe does not echo anything on the standard output. Instead, the mtxcert.log file is written each time the tool is executed. mtxcert.exe returns 0 on success and a non-zero value otherwise. This section concerns this new binary mtxcert.exe (mtxagent for Linux) in the ${AGENT_BIN} directory. It generates the following files:

  • X509 Certificates (extension .crt)
  • RSA Private Keys (extension .key)
  • Kep files (extension .kep)
  • Pkcs12 files (extension .p12)

Any standard tool, such as the openssl command line tool, can be used for generating authorities. However, mtxcert.exe makes the process easier because the binary is already deployed and it already includes the KEP functionality.

Syntax:

mtxcert.exe [-hqbdcg] [-i <input>] [-o <output>]

Command line switches

The following command line switches can be used:

  cmd  cmd long      Description
  -q   --quiet       Do not display anything.
  -b   --no-banner   Do not display the banner.
  -d   --debug       Enable debug output.
  -c   --configure   Generate a default configuration file. This option must be combined with -o or --output.
  -g   --generate    Generate the files (RSA key, x509 certificate and PKCS12 file) from a configuration. This option must be combined with -i or --input.
  -i   --input       The input file with the required configuration for generating the different objects.
  -o   --output      The output file that will include the generated configuration to be used once updated.
  -h   --help        Display this help and exit.

To create new certificates, a configuration file must first be generated (-c with -o). This file must then be updated with the user configuration. Finally, the mtxcert.exe tool must be executed again (-g with -i) for building the final files. The configuration file is a standard .ini file with sections. The available parameters are listed below, each shown with its default value and followed by its description:

Parameter / Description

Section [Common]

CommonName=mtxcert_out

This defines the common name to be used for generating the files. Each file will be created with this common name and a dedicated extension (.key, .kep, .crt or .p12). It is important not to include special characters. The names should remain ASCII names, that is, A-Z, a-z, 0-9 and the underscore (_).

Section [Rsa]

RsaModulus=512

This defines the RSA private key modulus (part of the key strength). Common values are 512, 1024 and 2048.

RsaExponent=65537

This defines the RSA private key exponent (part of the key strength). Common value is 65537.

RsaSymCipher=Aes_256_Cbc

This defines the symmetric cipher to be used for encrypting the private key. It is possible not to encrypt the key, in which case the special Null value must be used. In this case, no key password should be supplied. BMC recommends encrypting the private key with one of the following symmetric ciphers:

  • Null
  • Des_Cbc
  • Des_Ecb
  • Des_Cfb
  • Des_Cfb64
  • Des_Ofb
  • Des_Ede_Cbc
  • Des_Ede
  • Des_Ede_Ofb
  • Des_Ede_Cfb
  • Des_Ede3_Cbc
  • Des_Ede3
  • Des_Ede3_Ofb
  • Des_Ede3_Cfb
  • Desx_Cbc
  • Rc4
  • Rc4_40
  • Rc2_Cbc
  • Rc2_Ecb
  • Rc2_Cfb
  • Rc2_Ofb
  • Rc2_40_Cbc
  • Rc2_64_Cbc
  • Bf_Cbc
  • Bf_Ecb
  • Bf_Cfb
  • Bf_Ofb
  • Cast5_Cbc
  • Cast5_Ecb
  • Cast5_Cfb
  • Cast5_Ofb
  • Aes_128_Cbc
  • Aes_128_Cfb
  • Aes_128_Cfb1
  • Aes_128_Cfb8
  • Aes_128_Ecb
  • Aes_128_Ofb
  • Aes_192_Cbc
  • Aes_192_Cfb
  • Aes_192_Cfb1
  • Aes_192_Cfb8
  • Aes_192_Ecb
  • Aes_192_Ofb
  • Aes_256_Cbc
  • Aes_256_Cfb
  • Aes_256_Cfb1
  • Aes_256_Cfb8
  • Aes_256_Ecb
  • Aes_256_Ofb

RsaKeyPwd=

This defines the password to be used for encrypting the private key. If this password is blank and if the symmetric cipher is Null, the private key will not be ciphered. If this password is blank and if the symmetric cipher is not Null, the private key will be encrypted using the Kep algorithm. Otherwise, the private key will be encrypted using the defined symmetric cipher and the supplied password. In this case, no .kep file will be created.

Section [Ca]

CaCommonName=level_2

This defines the common name of the authority to be used for signing the certificate. As for the CommonName, no extension must be supplied. If the CaCommonName and the CommonName are equal, the certificate will be self-signed. This way, a new root authority can be created. If the special value "Numara" is used, the certificate will be signed with the BMC authority. Otherwise, the certificate will be signed with the supplied authority. In this case, the RSA private key (extension .key) and the x509 certificate (extension .crt) must be available. An optional Kep file (extension .kep) might be available if the authority is managed with the Kep algorithm.

CaKeyPwd=

This defines the password to be used for decrypting the authority private key. If this password is blank, an optional Kep file (extension .kep) is searched for. If it is found, the Kep algorithm will be used. Otherwise, the tool assumes that the authority private key is not encrypted.

Section [CertObj]

Each line defines an entry in the subject specification of the target for which the certificate will be generated. It is possible to remove one or more lines and to add new ones. Also, the current parameters can be updated. It is important to have at least a well defined and unique commonName. The details of certificate content and extensions are out of scope here.

countryName=FR
stateOrProvinceName=PACA
localityName=Sophia Antipolis
organizationName=BMC Software
commonName=BMC Authority Level 3 - BMC Software Sophia Antipolis

Section [CertExt]

Each line defines an entry in the x509v3 extensions specification of the target for which the certificate will be generated. It is possible to remove one or more lines and to add new ones. Also, the current parameters can be updated. It is important to have at least a well defined basicConstraints. For an authority, the value CA:TRUE should be defined. For a final certificate, the value CA:FALSE should be used instead. The details of certificate content and extensions are out of scope here. Lines starting with a semicolon (;) are commented out.

;subjectAltName=DNS:192.168.1.121,DNS:NOAH,DNS:NOAH.sophia.metrixsystems.com
;subjectKeyIdentifier=hash
;authorityKeyIdentifier=keyid,issuer:always
;keyUsage=nonRepudiation,digitalSignature,keyEncipherment
basicConstraints=CA:TRUE

Section [Pkcs12]

Pkcs12Pwd=

This defines the password to be used for creating the PKCS12 file. The PKCS12 file is often used with the console or a browser when the SSL=3 parameter is in use. If the password is blank, no PKCS12 file will be generated.
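As an added example (not part of this page or of the mtxcert tool), the following Python checker parses a configuration in the .ini layout above and applies the rules stated for CommonName, RsaSymCipher/RsaKeyPwd, CaCommonName and basicConstraints, predicting which files mtxcert.exe will write before -g is run. The sample configuration is constructed, and the RSA modulus check is an added caveat rather than a rule stated on this page.

```python
import configparser
# Constructed sample in the .ini layout described above (not generated by mtxcert.exe).
SAMPLE_INI = """
[Common]
CommonName=demo_root
[Rsa]
RsaModulus=2048
RsaSymCipher=Aes_256_Cbc
RsaKeyPwd=
[Ca]
CaCommonName=demo_root
[CertExt]
basicConstraints=CA:TRUE
[Pkcs12]
Pkcs12Pwd=
"""

def load(text):
    # '=' is the only delimiter: ':' also occurs inside values such as CA:TRUE and DNS:host
    cfg = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cfg.read_string(text)
    return cfg
def key_protection(cipher, pwd):
    # RsaKeyPwd rules: Null cipher -> clear key; blank password -> Kep; else password
    if cipher == "Null":
        return "none"
    return "kep" if pwd == "" else "password"
def expected_files(cfg):
    # File extensions the tool will write for this configuration
    files = {".key", ".crt"}
    if key_protection(cfg["Rsa"]["RsaSymCipher"], cfg["Rsa"]["RsaKeyPwd"]) == "kep":
        files.add(".kep")
    if cfg["Pkcs12"]["Pkcs12Pwd"]:
        files.add(".p12")
    return files
def lint(cfg):
    # Findings to fix before running 'mtxcert.exe -g -i <file>'
    rsa, name, out = cfg["Rsa"], cfg["Common"]["CommonName"], []
    if not (name.isascii() and name.replace("_", "").isalnum()):
        out.append("CommonName must use only A-Z, a-z, 0-9 and _")
    if rsa["RsaSymCipher"] == "Null" and rsa["RsaKeyPwd"]:
        out.append("RsaKeyPwd must be blank when RsaSymCipher is Null")
    if int(rsa["RsaModulus"]) < 2048:  # added check, not a rule stated on the page
        out.append("RsaModulus below 2048 bits is weak by current standards")
    bc = cfg["CertExt"].get("basicConstraints", "").upper()
    if not bc:
        out.append("[CertExt] needs basicConstraints")
    elif name == cfg["Ca"]["CaCommonName"] and bc != "CA:TRUE":  # self-signed = root CA
        out.append("self-signed certificate should have basicConstraints=CA:TRUE")
    return out
```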
