MobiLink Synchronization Reference
Utilities
Use the gencert utility to create a new elliptic-curve or RSA certificate, or to sign a pre-generated certificate request.
For more information about security of MobiLink synchronization, see Transport-Layer Security.
```
gencert [ -c | -s ] [ -r ] [ -q ]
```
Option | Description |
---|---|
-c | Generate a certificate authority certificate. |
-q request-file | Sign a pre-generated certificate request. |
-r | Generate a self-signed root certificate. |
-s | Generate a server identity certificate. |
This utility creates a new X.509 certificate. When first started, it prompts whether you want to generate an elliptic-curve or RSA certificate.
If you are generating an elliptic-curve certificate, gencert generates an elliptic-curve key pair. If you are generating an RSA certificate, it prompts for a key size between 512 and 2028, and then creates a certificate using RSA.
The gencert utility then prompts for the distinguished name fields (country, state or province, locality, organization, organizational unit, and common name), a serial number, and an expiry date. It then requests the file name of the certificate that is to sign the new certificate.
If no certificate name is supplied, the new certificate becomes a root certificate. If a certificate file name is supplied, gencert reads and validates the certificate chain and requests the name of the file that contains the signer's private key. It then requests the password for that private key.
Then the utility requests the password that is to protect the new private key.
This utility writes three different types of files. One file contains only the new certificate. Another contains only the encrypted private key, and a third file contains both the certificate and the encrypted private key.
Often, not all three files are needed. For example, if the certificate is to be a certificate authority, used to sign other certificates, the file that contains only the certificate is distributed as a trusted root certificate to clients, and the file containing the encrypted private key is stored securely. In this case, security is improved by storing the private key and the certificate separately, so the third file is not generated.
If, instead, the certificate is to identify a server, the encrypted private key should be stored with the certificate, so the utility writes only the file that contains both pieces of information.
If the signing certificate is not a root certificate, but is instead part of a chain, gencert reads and validates the entire chain before issuing the new certificate.
When generating a server identity certificate, the entire chain is always saved. Otherwise, saving the entire chain is optional.
When signing a pre-generated certificate request, gencert only prompts for a serial number, expiry date, the certificate and private key of the signer, and an output file for the signed certificate.
gencert can sign any request that is generated by the Certicom reqtool utility or by any other third-party application that generates certificate requests in the appropriate format, such as the Microsoft IIS Web server or the Netscape iPlanet Web server. A request in this format is a PEM-encoded block delimited by -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- lines.
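Before handing a third-party request to `gencert -q`, it is worth confirming that the file really is a PEM-wrapped PKCS#10 request and reading back the common name it asks for. The following pre-flight check is an added example, not part of the gencert documentation or the product; it assumes the request is a standard PKCS#10 CertificationRequest inside the BEGIN/END NEW CERTIFICATE REQUEST markers shown above, builds its own constructed sample with a dummy key and signature (so it does not verify the signature), and only inspects the outer DER structure.

```python
import base64
import re

OID_CN = bytes.fromhex("550403")          # id-at-commonName (2.5.4.3)
OID_RSA = bytes.fromhex("2A864886F70D010101")   # rsaEncryption
OID_SHA256RSA = bytes.fromhex("2A864886F70D01010B")

def _tlv(tag, body):
    """Minimal DER tag-length-value encoder (short and long length forms)."""
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _der_len(buf, pos):
    """Return (content_length, content_offset) for the DER length field at buf[pos]."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def build_sample_request(cn):
    """Constructed sample PKCS#10 request (dummy 16-byte key and signature, not a real key)."""
    subject = _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, OID_CN) + _tlv(0x0C, cn.encode()))))
    alg = _tlv(0x30, _tlv(0x06, OID_RSA) + _tlv(0x05, b""))
    spki = _tlv(0x30, alg + _tlv(0x03, b"\x00" * 17))
    info = _tlv(0x30, _tlv(0x02, b"\x00") + subject + spki + _tlv(0xA0, b""))  # version 0
    sig_alg = _tlv(0x30, _tlv(0x06, OID_SHA256RSA) + _tlv(0x05, b""))
    b64 = base64.b64encode(_tlv(0x30, info + sig_alg + _tlv(0x03, b"\x00" * 17))).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN NEW CERTIFICATE REQUEST-----\n{body}\n-----END NEW CERTIFICATE REQUEST-----\n"

PEM_RE = re.compile(r"-----BEGIN NEW CERTIFICATE REQUEST-----\s*(.*?)\s*-----END NEW CERTIFICATE REQUEST-----", re.S)

def check_request(pem_text):
    """Return (version, common_name) for a PKCS#10 request; raise ValueError if the structure is wrong."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no NEW CERTIFICATE REQUEST PEM block")
    der = base64.b64decode("".join(m.group(1).split()), validate=True)
    if der[0] != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    length, pos = _der_len(der, 1)
    if pos + length != len(der):
        raise ValueError("length mismatch / trailing bytes")
    if der[pos] != 0x30:
        raise ValueError("certificationRequestInfo is not a SEQUENCE")
    _, pos = _der_len(der, pos + 1)
    if der[pos] != 0x02 or der[pos + 1] != 1 or der[pos + 2] != 0:
        raise ValueError("PKCS#10 version must be INTEGER 0")
    pos += 3                                   # subject Name follows the version
    if der[pos] != 0x30:
        raise ValueError("subject is not a SEQUENCE")
    slen, spos = _der_len(der, pos + 1)
    subject = der[spos:spos + slen]
    i = subject.find(_tlv(0x06, OID_CN))
    if i < 0:
        raise ValueError("subject has no commonName")
    i += 5                                     # skip the 5-byte OID TLV to the string value
    clen, cpos = _der_len(subject, i + 1)
    return 0, subject[cpos:cpos + clen].decode()

def is_valid_request(pem_text):
    """Boolean wrapper for scripting: True only when the request passes the structural check."""
    try:
        check_request(pem_text)
        return True
    except (ValueError, IndexError):
        return False
```

Checking the request this way catches a file that is actually a certificate, a truncated copy, or a non-zero version before gencert prompts for the signer's private key password.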
-c Generate a certificate authority certificate. A certificate authority can be used to sign other certificates. By default, generated certificates cannot be used as certificate authorities.
-q Sign a pre-generated certificate request. You can specify either an elliptic-curve or an RSA certificate to be signed.
-r Generate a root certificate. A root certificate is signed only by itself. The default is to prompt for the name of a file that contains the certificate that is to sign the new, generated certificate.
-s Generate a server identity certificate, used to identify a MobiLink synchronization server, rather than a client. A server identity certificate cannot be a certificate authority, so this option is incompatible with the -c option.
The following example signs a certificate request called certreq.txt.
```
c:\>gencert -s -q certreq.txt
Certificate Generation Tool
Serial Number: 01
Certificate valid for how many years: 10
Enter file path of signer's certificate: rsaroot.crt
Enter file path of signer's private key: rsaroot.key
Enter password for signer's private key: test
Enter file path to save certificate: testcert.crt
Save entire chain (y/n): y
```