Skip to main content
The Cert tool provides certificate utilities for Titanis workflows. Currently it supports generating self-signed certificates that you can use for SSL authentication, Kerberos PKINIT, or associating with Active Directory accounts.

Subcommands

CommandDescription
selfcertCreate a self-signed X.509 certificate
For help on any subcommand, run Cert <subcommand> -h.

selfcert

Creates a self-signed X.509 certificate and writes it to a PFX file. You can optionally export the public certificate separately. 
Cert selfcert [options] -PfxFileName <String> <Subject>
Subject
string
required
Subject name as an X.500 distinguished name string, e.g. CN=ALLENTOWN,DC=LUMON,DC=corp.
-PfxFileName (-P)
string
required
Path of the output .pfx file to write (contains both the private key and the certificate).
-CertFileName
string
Path of an additional public certificate file to write (.pem or .cer format).
-KeySizeBits (-K)
number
default:"2048"
RSA key size in bits.
-HashAlgorithm
string
Signature hash algorithm. Possible values: Md5, Sha1, Sha256, Sha384, Sha512, Sha3_256, Sha3_384, Sha3_512.
-SubjectAltName
string
Subject Alternative Name (SAN) extension value.
-TemplateFile (-T)
string
Path to an existing certificate file to use as a template. The new certificate copies properties from this template.
-ConsoleOutputStyle (-OutputStyle)
string
Output format. Possible values: Freeform, Raw, Table, List, Csv, Tsv, Json.
-Verbose (-V)
boolean
Print verbose messages.
-Diagnostic (-vv)
boolean
Print diagnostic messages.

Examples

1

Create a basic self-signed certificate

Cert selfcert -PfxFileName allentown.pfx "CN=ALLENTOWN"
Creates a 2048-bit RSA certificate with a SHA-256 signature and writes it to allentown.pfx.
2

Create a certificate and export the public key

Cert selfcert -PfxFileName allentown.pfx -CertFileName allentown.cer "CN=ALLENTOWN,DC=LUMON,DC=corp"
Writes the full certificate + key to allentown.pfx and the public certificate alone to allentown.cer.
3

Create a 4096-bit certificate with SHA-512

Cert selfcert -PfxFileName allentown.pfx -KeySizeBits 4096 -HashAlgorithm Sha512 "CN=ALLENTOWN"
4

Associate the certificate with an AD account

After creating the certificate, use Ldap mod to associate the public certificate with an account:
Ldap mod LUMON-DC1 -UserName milchick@LUMON -Password Br3@kr00m! ALLENTOWN$ userCertificate:file+=allentown.cer

Common usage patterns

Generate a certificate and associate it with an Active Directory account, then use it for Kerberos PKINIT authentication in other Titanis tools via -UserCert and -UserKey:
# 1. Create the certificate
Cert selfcert -PfxFileName user.pfx -CertFileName user.cer "CN=targetuser"

# 2. Associate with AD account (requires LDAP write access)
Ldap mod DC1 -UserName admin@CORP -Password P@ssw0rd targetuser userCertificate:file+=user.cer

# 3. Use for Kerberos authentication in subsequent commands
Ldap query DC1 -UserCert user.pfx '(samAccountName=*)'
Use the generated PFX as a client certificate for LDAP over SSL:
Cert selfcert -PfxFileName client.pfx "CN=client"
Ldap query DC1 -Ssl -SslKeyFile client.pfx '(objectClass=*)'

Ldap

Associate the generated certificate with an Active Directory account using Ldap mod.

Ldap adduser

Create an account with an associated certificate at provisioning time.

Build docs developers (and LLMs) love

Get started for freeTalk to us