sscg - Man Page

-?,  --help

Show this help message

--usage

Display brief usage message

Verbosity options

-q,  --quiet

Display no output unless there is an error.

-v,  --verbose

Display progress messages.

-d,  --debug

Enable logging of debug messages. Implies verbose. Warning! This will print private key information to the screen!

Certificate Subject options

--lifetime=1-3650

Certificate lifetime (days). (default: 398)

--country=US, CZ, etc.

Certificate DN: Country (C). (default: "US")

--state=Massachusetts, British Columbia, etc.

Certificate DN: State or Province (ST).

--locality=Westford, Paris, etc.

Certificate DN: Locality (L).

--organization=My Company

Certificate DN: Organization (O). (default: "Unspecified")

--organizational-unit=Engineering, etc.

Certificate DN: Organizational Unit (OU).

--email=myname@example.com

Certificate DN: Email Address (Email).

--hostname=server.example.com

The valid hostname of the certificate. Must be an FQDN. (default: current system FQDN)

--subject-alt-name alt.example.com

Optional additional valid hostnames for the certificate. In addition to hostnames, this option also accepts explicit values supported by RFC 5280 such as IP:xxx.xxx.xxx.xxx May be specified multiple times.

Certificate Key Cryptography Options

--key-type={rsa,ecdsa,mldsa}

Type of key to use for the certificate private keys. (default: rsa)

--key-strength=2048 or larger

Strength of the certificate private keys in bits. This argument is only valid if --key-type is set to rsa. (default: 2048)

--ec-curve={secp224r1,secp256r1,secp384r1,secp521r1}

EC curve to use for the certificate private keys. This argument is only valid if --key-type is set to ecdsa.

--mldsa-nist-level={2,3,5}

NIST level to use for the ML-DSA key. This argument is only valid if --key-type is set to mldsa. (default: 2)

--hash-alg={sha256,sha384,sha512}

Hashing algorithm to use for signing RSA and ECDSA keys. This argument is only valid if --key-type is rsa or ecdsa. (default: "sha256")

--cipher-alg={des-ede3-cbc,aes-256-cbc}

Cipher to use for encrypting key files. (default: "aes-256-cbc")

Certificate Authority File Options

--ca-file=STRING

Path where the public CA certificate will be stored. (default: "./ca.crt")

--ca-mode=0644

File mode of the created CA certificate.

--ca-key-file=STRING

Path where the CA's private key will be stored. If unspecified, the key will be destroyed rather than written to the disk.

--ca-key-mode=0600

File mode of the created CA key.

--ca-key-password=STRING

Provide a password for the CA key file. Note that this will be visible in the process table for all users, so it should be used for testing purposes only. Use --ca-keypassfile or --ca-key-password-prompt for secure password entry.

--ca-key-passfile=STRING

A file containing the password to encrypt the CA key file.

-C,  --ca-key-password-prompt

Prompt to enter a password for the CA key file.

Certificate Revocation List File Options

--crl-file=STRING

Path where an (empty) Certificate Revocation List file will be created, for applications that expect such a file to exist. If unspecified, no such file will be created.

--crl-mode=0644

File mode of the created Certificate Revocation List.

Service Certificate File Options

--cert-file=STRING

Path where the public service certificate will be stored. (default "./service.pem")

--cert-mode=0644

File mode of the created certificate.

--cert-key-file=STRING

Path where the service's private key will be stored. (default "service-key.pem")

--cert-key-mode=0600

File mode of the created certificate key.

-p,  --cert-key-password=STRING

Provide a password for the service key file. Note that this will be visible in the process table for all users, so this flag should be used for testing purposes only. Use --cert-keypassfile or --cert-key-password-prompt for secure password entry.

--cert-key-passfile=STRING

A file containing the password to encrypt the service key file.

-P,  --cert-key-password-prompt

Prompt to enter a password for the service key file.

Client Authentication Certificate File Options

--client-file=STRING

Path where a client authentication certificate will be stored.

--client-mode=0644

File mode of the created certificate.

--client-key-file=STRING

Path where the client's private key will be stored. (default is the client-file)

--client-key-mode=0600

File mode of the created certificate key.

--client-key-password=STRING

Provide a password for the client key file. Note that this will be visible in the process table for all users, so this flag should be used for testing purposes only. Use --client-keypassfile or --client-key-password-prompt for secure password entry.

--client-key-passfile=STRING

A file containing the password to encrypt the client key file.

--client-key-password-prompt

Prompt to enter a password for the client key file.

Diffie-Hellman Parameter File Options

--dhparams-file=STRING

A file to contain a set of Diffie-Hellman parameters. (Default: not created)

--dhparams-named-group=STRING

Output well-known DH parameters. The available named groups are: ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, modp_2048, modp_3072, modp_4096, modp_6144, modp_8192, modp_1536, dh_1024_160, dh_2048_224, dh_2048_256. (Default: "ffdhe4096")

--dhparams-generator={2,3,5}

The generator value for dhparams. (default: 2)