NAME

cw-cert - Clockwork Certificate Generator

SYNOPSIS
cw-cert [options]

cw-cert -i host.identity -f ./certs/newcert

DESCRIPTION
Clockwork is a configuration management system designed to securely and correctly enforce configuration policies across a large number of hosts.

It can ensure that files have the right attributes (owner, group, permissions, etc.) and content. It can maintain a specific set of installed packages, and even make sure that system user accounts exist.

cw-cert is a utility for generating Clockwork certificates, each of which consists of a public/secret keypair and an identity.

OPTIONS
-i, --identity host.identity.string

Override the identity of the generated certificate. By default, the fully-qualified domain name of the local host is used. You can set this to any value you like; it is only used to help people keep track of what certificate belongs to whom.

-f, --file /path/to/output/cert

Specify where the output certificate should be written. A combined certificate (see CERTIFICATE FORMATS, later) will be written to the named file, and a public certificate will be written to

Target files must not already exist; cw-cert will refuse to overwrite existing certificates. Created files are given appropriate permissions: 0600 for the combined certificate (which contains the secret key) and 0644 for the public certificate.

Defaults to ./cwcert, which will create cwcert and in the current directory.

CERTIFICATE FORMATS
Clockwork certificates come in two formats, combined and public.

Combined certificates contain the identity and both keys (public and secret). These should never be exposed, since the secret key is supposed to remain, well, secret.

Here's an example combined certificate:

pub fb5cf56fabc8f9e85294f1af3e968bd02d6ebae801a76331124b94a307f57875
sec 19a5ac2825251bb2d2011ecc3c9dffcaf7ab666cc0a3cddde43620e6dff57387

The id, pub and sec labels denote the certificate identity, public key (in hexadecimal encoding) and private key (also in hex).

A public certificate is just a combined certificate without the secret key:

pub fb5cf56fabc8f9e85294f1af3e968bd02d6ebae801a76331124b94a307f57875

These can be shared with anyone, since the public key alone is not enough to break the encryption.
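The following is an added example, not part of cw-cert or the Clockwork source: it parses the id/pub/sec line format shown above, derives the public certificate from a combined one, and writes both files the way the -f option describes (0600 for the combined file, 0644 for the public one, refusing to overwrite). The sample identity is a constructed placeholder, and the ".pub" suffix for the public file is an assumption, since the page leaves that file name elided.

```python
import os
import re
import stat

# Constructed sample in the page's format; the identity is a placeholder hostname.
SAMPLE_COMBINED = """id host.example.invalid
pub fb5cf56fabc8f9e85294f1af3e968bd02d6ebae801a76331124b94a307f57875
sec 19a5ac2825251bb2d2011ecc3c9dffcaf7ab666cc0a3cddde43620e6dff57387
"""
HEX32 = re.compile(r"^[0-9a-f]{64}$")  # a 32-byte key in lowercase hex


def parse_cert(text: str) -> dict:
    """Parse id/pub/sec lines; reject unknown labels, duplicates and bad hex."""
    fields = {}
    for line in filter(str.strip, text.splitlines()):
        label, _, value = line.partition(" ")
        if label not in ("id", "pub", "sec") or label in fields:
            raise ValueError(f"bad or duplicate label: {label!r}")
        if label != "id" and not HEX32.match(value):
            raise ValueError(f"{label} key must be 64 lowercase hex chars")
        fields[label] = value
    if "id" not in fields or "pub" not in fields:
        raise ValueError("certificate needs both id and pub lines")
    return fields  # 'sec' is present only for a combined certificate


def public_text(cert: dict) -> str:
    """A public certificate is the combined one with the sec line dropped."""
    return f"id {cert['id']}\npub {cert['pub']}\n"


def combined_text(cert: dict) -> str:
    return public_text(cert) + f"sec {cert['sec']}\n"


def write_cert_files(cert: dict, path: str) -> dict:
    """Write <path> (0600, holds the secret) and <path>.pub (0644); never overwrite."""
    if "sec" not in cert:
        raise ValueError("a combined certificate is required")
    modes = {}
    for p, mode, text in ((path, 0o600, combined_text(cert)),
                          (path + ".pub", 0o644, public_text(cert))):  # .pub assumed
        # O_EXCL makes os.open raise FileExistsError instead of clobbering a cert
        fd = os.open(p, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode)
        os.fchmod(fd, mode)  # enforce the mode regardless of the process umask
        with os.fdopen(fd, "w") as f:
            f.write(text)
        modes[p] = stat.S_IMODE(os.stat(p).st_mode)
    return modes
```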

SEE ALSO
clockwork(7), clockd(1), clockd.conf(5) and cogd.conf(5)

AUTHOR
Clockwork was designed and written by James Hunt.

The Clockwork website is licensed under the Creative Commons Attribution-NoDerivs 3.0 United States License