tor-gencert(1) [debian man page]

TOR-GENCERT(1)							    Tor Manual							    TOR-GENCERT(1)

NAME
       tor-gencert - Generate certs and keys for Tor directory authorities

SYNOPSIS
       tor-gencert [-h|--help] [-v] [-r|--reuse] [--create-identity-key] [-i id_file] [-c cert_file] [-m num] [-a address:port]

DESCRIPTION
       tor-gencert generates certificates and private keys for use by Tor directory authorities running the v3 Tor directory protocol, as used by Tor 0.2.0 and later. If you are not running a directory authority, you don't need to use tor-gencert.

       Every directory authority has a long term authority identity key (which is distinct from the identity key it uses as a Tor server); this key should be kept offline in a secure location. It is used to certify shorter-lived signing keys, which are kept online and used by the directory authority to sign votes and consensus documents.

       After you use this program to generate a signing key and a certificate, copy those files to the keys subdirectory of your Tor process, and send Tor a SIGHUP signal. DO NOT COPY THE IDENTITY KEY.

OPTIONS
       -v
           Display verbose output.

       -h or --help
           Display help text and exit.

       -r or --reuse
           Generate a new certificate, but not a new signing key. This can be used to change the address or lifetime associated with a given key.

       --create-identity-key
           Generate a new identity key. You should only use this option the first time you run tor-gencert; in the future, you should use the identity key that's already there.

       -i FILENAME
           Read the identity key from the specified file. If the file is not present and --create-identity-key is provided, create the identity key in the specified file. Default: "./authority_identity_key"

       -s FILENAME
           Write the signing key to the specified file. Default: "./authority_signing_key"

       -c FILENAME
           Write the certificate to the specified file. Default: "./authority_certificate"

       -m NUM
           Number of months that the certificate should be valid. Default: 12.

       --passphrase-fd FILEDES
           File descriptor to read the passphrase from. Ends at the first NUL or newline. Default: read from the terminal.

       -a address:port
           If provided, advertise the address:port combination as this authority's preferred directory port in its certificate. If the address is a hostname, the hostname is resolved to an IP before it's published.

BUGS
       This probably doesn't run on Windows. That's not a big issue, since we don't really want authorities to be running on Windows anyway.

SEE ALSO
       tor(1)

       See also the "dir-spec.txt" file, distributed with Tor.

AUTHORS
       Roger Dingledine <arma@mit.edu>, Nick Mathewson <nickm@alum.mit.edu>.

AUTHOR
       Nick Mathewson
           Author.

Tor								    09/26/2014							    TOR-GENCERT(1)
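
The deployment step described in DESCRIPTION, as an added example (not part of the Tor manual or the Tor distribution): POSIX shell functions that renew the signing key with the options documented above and install only the signing key and certificate into the keys subdirectory, refusing to proceed if the identity key is found there. The directory arguments and the Tor PID argument are assumptions; the file names are the documented defaults.

```shell
#!/bin/sh
# Added example; directory layout and the PID argument are assumptions.
# File names are the tor-gencert defaults listed under OPTIONS.

# Offline machine: make a new signing key and certificate from the existing
# identity key. $1 = directory holding authority_identity_key, $2 = months.
renew_signing_key() (
    cd "$1" || exit 1
    tor-gencert -i ./authority_identity_key -s ./authority_signing_key \
        -c ./authority_certificate -m "$2"
)

# Online machine: install only the signing key and certificate.
# $1 = directory with the transferred files, $2 = Tor's keys subdirectory.
# The body runs in a subshell so umask and exit stay local to the call.
# Status: 0 installed, 1 input missing or copy failed, 2 identity key online.
install_online_keys() (
    src=$1
    keys=$2
    if [ -e "$keys/authority_identity_key" ]; then
        echo "refusing: identity key is present in $keys" >&2
        exit 2
    fi
    for f in authority_signing_key authority_certificate; do
        [ -s "$src/$f" ] || { echo "missing or empty: $src/$f" >&2; exit 1; }
    done
    umask 077   # new files readable by the owning user only
    for f in authority_signing_key authority_certificate; do
        # Copy under a temporary name, then rename, so Tor never reads a
        # partially written file.
        cp "$src/$f" "$keys/$f.new" && mv "$keys/$f.new" "$keys/$f" || exit 1
    done
)

# Tell the running Tor process to pick up the new files. $1 = Tor's PID.
reload_tor() {
    kill -HUP "$1"
}
```
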

Check Out this Related Man Page

productsign(1)						    BSD General Commands Manual 					    productsign(1)

NAME
       productsign -- Sign an OS X Installer product archive

SYNOPSIS
       productsign [options] --sign identity input-product-path output-product-path

DESCRIPTION
       productsign adds a digital signature to a product archive previously created with productbuild(1). Although you can add a digital signature at the time you run productbuild(1), you may wish to add a signature later, once the product archive has been tested and is ready to deploy. If you run productsign on a product archive that was previously signed, the existing signature will be replaced.

       To sign a product archive, you will need to have a certificate and corresponding private key -- together called an ``identity'' -- in one of your accessible keychains. To add a signature, specify the name of the identity using the --sign option. The identity's name is the same as the ``Common Name'' of the certificate.

       If you want to search for the identity in a specific keychain, specify the path to the keychain file using the --keychain option. Otherwise, the default keychain search path is used.

       productsign will embed the signing certificate in the product archive, as well as any intermediate certificates that are found in the keychain. If you need to embed additional certificates to form a chain of trust between the signing certificate and a trusted root certificate on the system, use the --cert option to give the Common Name of the intermediate certificate. Multiple --cert options may be used to embed multiple intermediate certificates.

       The signature can optionally include a trusted timestamp. This is enabled by default when signing with a Developer ID identity, but it can be enabled explicitly using the --timestamp option. A timestamp server must be contacted to embed a trusted timestamp. If you aren't connected to the Internet, you can use --timestamp=none to disable timestamps, even for a Developer ID identity.

ARGUMENTS AND OPTIONS
       --sign identity-name
           The name of the identity to use for signing the product archive.

       --keychain keychain-path
           Specify a specific keychain to search for the signing identity.

       --cert certificate-name
           Specify an intermediate certificate to be embedded in the product archive.

       --timestamp
           Include a trusted timestamp with the signature.

       --timestamp=none
           Disable trusted timestamp, regardless of identity.

       input-product-path
           The product archive to be signed.

       output-product-path
           The path to which the signed product archive will be written. Must not be the same as input-product-path.

SEE ALSO
       productbuild(1)

Mac OS								September 15, 2010							    Mac OS