man7.org > Linux > man-pages

Linux/UNIX system programming training

systemd-keyutil(1) — Linux manual page

NAME | SYNOPSIS | DESCRIPTION | COMMANDS | OPTIONS | SEE ALSO | COLOPHON 

SYSTEMD-KEYUTIL(1)           systemd-keyutil           SYSTEMD-KEYUTIL(1)

NAME         top

       systemd-keyutil - Perform various operations on private keys and
       X.509 certificates

SYNOPSIS         top


       systemd-keyutil [OPTIONS...] {COMMAND}

DESCRIPTION         top

       systemd-keyutil can be used to perform various operations on
       private keys and X.509 certificates.

COMMANDS         top

       validate
           Checks that we can load the private key and certificate
           specified with --private-key= and --certificate= respectively.

           As a side effect, if the private key is loaded from a
           PIN-protected hardware token, this command can be used to
           cache the PIN in the kernel keyring. The
           $SYSTEMD_ASK_PASSWORD_KEYRING_TIMEOUT_SEC and
           $SYSTEMD_ASK_PASSWORD_KEYRING_TYPE environment variables can
           be used to control how long and in which kernel keyring the
           PIN is cached.

           Added in version 257.

       public
           This commands prints the public key in PEM format extracted
           from either the certificate given with --certificate= or the
           private key given with --private-key=.

           Added in version 257.

       pkcs7
           This command embeds the PKCS#1 signature (RSA) provided with
           --signature= in a PKCS#7 signature using the certificate given
           with --certificate= and writes it to the file specified with
           --output= in PKCS#7 format (p7s). If --content= is provided it
           is included in the p7s, otherwise a "detached" signature is
           created. The --hash-algorithm= option, which defaults to
           "SHA256", specifies what hash algorithm was used to generate
           the signature.

           Added in version 258.

OPTIONS         top

       The following options are understood:

       --private-key=PATH/URI, --private-key-source=TYPE[:NAME],
       --certificate=PATH, --certificate-source=TYPE[:NAME]
           Set the private key and certificate to use. The --certificate=
           option takes a path to a PEM encoded X.509 certificate or a
           URI that's passed to the OpenSSL provider configured with
           --certificate-source. The --certificate-source takes one of
           "file" or "provider", with the latter being followed by a
           specific provider identifier, separated with a colon, e.g.
           "provider:pkcs11". The --private-key= option can take a path
           or a URI that will be passed to the OpenSSL engine or
           provider, as specified by --private-key-source= as a
           "type:name" tuple, such as "engine:pkcs11".

           Added in version 257.

       --signature=PATH
           Input PKCS#1 signature for the pkcs7 command.

           Added in version 258.

       --content=PATH
           Input data that corresponds to the PKCS#1 signature for the
           pkcs7 command, used for generating inline (i.e.
           non-"detached") PKCS#7 signatures.

           Added in version 258.

       --hash-algorithm=ALGORITHM
           Hash algorithm used to generate the PKCS#1 signature for the
           pkcs7 command. This should be a valid openssl digest
           algorithm; use "openssl list -digest-algorithms" to see a list
           of valid algorithms on your system. Defaults to "SHA256".

           Added in version 258.

       --output=PATH
           Output PKCS#7 signature for the pkcs7 command.

           Added in version 258.

       -h, --help
           Print a short help text and exit.

       --version
           Print a short version string and exit.

SEE ALSO         top

       systemd-sbsign(1), systemd-measure(1)

COLOPHON         top

       This page is part of the systemd (systemd system and service
       manager) project.  Information about the project can be found at
       ⟨http://www.freedesktop.org/wiki/Software/systemd⟩.  If you have a
       bug report for this manual page, see
       ⟨http://www.freedesktop.org/wiki/Software/systemd/#bugreports⟩.
       This page was obtained from the project's upstream Git repository
       ⟨https://github.com/systemd/systemd.git⟩ on 2025-08-11.  (At that
       time, the date of the most recent commit that was found in the
       repository was 2025-08-11.)  If you discover any rendering
       problems in this HTML version of the page, or you believe there is
       a better or more up-to-date source for the page, or you have
       corrections or improvements to the information in this COLOPHON
       (which is not part of the original manual page), send a mail to
       man-pages@man7.org

systemd 258~rc2                                        SYSTEMD-KEYUTIL(1)

Pages that refer to this page: systemd.directives(7)systemd.index(7)

HTML rendering created 2025-09-06 by Michael Kerrisk, author of The Linux Programming Interface.

For details of in-depth Linux/UNIX system programming training courses that I teach, look here.

Hosting by jambit GmbH.

Cover of TLPI