# create a CA certificate
$certtool --generate-privkey --outfile test-ca-key.pem
$certtool --generate-self-signed --load-privkey test-ca-key.pem --outfile test-ca-cert.pem

Common name: Wget
UID:
Organizational unit name: Wget
Organization name: GNU Wget
Locality name:
State or province name:
Country name (2 chars):
Enter the subject's domain component (DC):
This field should not be used in new certificates.
E-mail:
Enter the certificate's serial number in decimal (default: 6080487640893163573):

Activation/Expiration time.
The certificate will expire in (days): -1

Extensions.
Does the certificate belong to an authority? (y/N): y
Path length constraint (decimal, -1 for no constraint):
Is this a TLS web client certificate? (y/N):
Will the certificate be used for IPsec IKE operations? (y/N):
Is this a TLS web server certificate? (y/N):
Enter a dnsName of the subject of the certificate:
Enter a URI of the subject of the certificate:
Enter the IP address of the subject of the certificate:
Enter the e-mail of the subject of the certificate:
Will the certificate be used to sign other certificates? (y/N): y
Will the certificate be used to sign CRLs? (y/N): y
Will the certificate be used to sign code? (y/N):
Will the certificate be used to sign OCSP requests? (y/N): y
Will the certificate be used for time stamping? (y/N):
Enter the URI of the CRL distribution point:


# generate a server certificate
$ certtool --generate-privkey --outfile server.key --rsa
$ certtool --generate-certificate --load-privkey server.key --outfile server.crt --load-ca-certificate test-ca-cert.pem --load-ca-privkey test-ca-key.pem

Please enter the details of the certificate's distinguished name. Just press enter to ignore a field.
Common name: WgetTestingServer
UID: 
Organizational unit name: Wget
Organization name: GNU Wget
Locality name: 
State or province name: 
Country name (2 chars): 
Enter the subject's domain component (DC): 
This field should not be used in new certificates.
E-mail: 
Enter the certificate's serial number in decimal (default: 6552424755099978648): 


Activation/Expiration time.
The certificate will expire in (days): -1


Extensions.
Does the certificate belong to an authority? (y/N): 
Is this a TLS web client certificate? (y/N): 
Will the certificate be used for IPsec IKE operations? (y/N): 
Is this a TLS web server certificate? (y/N): y
Enter a dnsName of the subject of the certificate: 127.0.0.1
Enter a dnsName of the subject of the certificate: ::1
Enter a dnsName of the subject of the certificate: localhost
Enter a dnsName of the subject of the certificate: WgetTestingServer
Enter a dnsName of the subject of the certificate: 
Enter a URI of the subject of the certificate: 
Enter the IP address of the subject of the certificate: 
Will the certificate be used for signing (DHE ciphersuites)? (Y/n): 
Will the certificate be used for encryption (RSA ciphersuites)? (Y/n): 
Will the certificate be used to sign OCSP requests? (y/N): 
Will the certificate be used to sign code? (y/N): 
Will the certificate be used for time stamping? (y/N): 
Will the certificate be used for email protection? (y/N): 


# create a CRL for the server certificate:
$ certtool --generate-crl --load-ca-privkey test-ca-key.pem --load-ca-certificate test-ca-cert.pem --load-certificate server.crt --outfile revokedcrl.pem

Generating a signed CRL...
Update times.
The certificate will expire in (days): -1
CRL Number (default: 6552487324127713992): 

