diff options
| author | Elio Maldonado <emaldona@redhat.com> | 2013-04-18 15:03:59 -0700 |
|---|---|---|
| committer | Elio Maldonado <emaldona@redhat.com> | 2013-04-18 15:03:59 -0700 |
| commit | 236ba5e8ea60ab4c398d8ac8ebddf3e7c43bec16 (patch) | |
| tree | fe9eb24cbcea1a7fe57b81059417f6054914eba4 /doc | |
| parent | 795e70c972ff4e7c80db18d4ed2b9c98479df8b1 (diff) | |
| download | nss-hg-236ba5e8ea60ab4c398d8ac8ebddf3e7c43bec16.tar.gz | |
Bug 836477 - Complete the initial review of the docbook documentation for NSS command line tools - certutil, r=rrelyea
Diffstat (limited to 'doc')
| -rw-r--r-- | doc/certutil.xml | 206 |
1 files changed, 111 insertions, 95 deletions
diff --git a/doc/certutil.xml b/doc/certutil.xml index de0115f57..010ef31aa 100644 --- a/doc/certutil.xml +++ b/doc/certutil.xml @@ -21,7 +21,7 @@ <refnamediv> <refname>certutil</refname> - <refpurpose>Manage keys and certificate in the the NSS database.</refpurpose> + <refpurpose>Manage keys and certificate in both NSS databases and other NSS tokens</refpurpose> </refnamediv> <refsynopsisdiv> @@ -41,21 +41,20 @@ <refsection id="description"> <title>Description</title> - <para>The Certificate Database Tool, <command>certutil</command>, is a command-line utility that manages certs and keys in both NSS databases and other NSS tokens (such as smart cards). It can specifically list, generate, modify, or delete certificates within the database, create or change the password, generate new public and private key pairs, display the contents of the key database, or delete key pairs within the key database.</para> - <para>The key and certificate management process generally includes certificate issuance once keys and certificates have been created in the key database. This document discusses certificate and key database management. For information security module database management, see the <command>modutil</command> manpage.</para> + <para>The Certificate Database Tool, <command>certutil</command>, is a command-line utility that can create and modify certificate and key databases. It can specifically list, generate, modify, or delete certificates, create or change the password, generate new public and private key pairs, display the contents of the key database, or delete key pairs within the key database.</para> + <para>Certificate issuance, part of the key and certificate management process, requires that keys and certificates be created in the key database. This document discusses certificate and key database management. For information on the security module database management, see the <command>modutil</command> manpage.</para> </refsection> <refsection id="options"> - <title>Options and Arguments</title> - <para>Running <command>certutil</command> always requires one and only one option to specify the type of certificate operation. Each option may take arguments, anywhere from none to multiple arguments. Run the command option and <option>-H</option> to see the arguments available for each command option.</para> + <title>Command Options and Arguments</title> + <para>Running <command>certutil</command> always requires one and only one command option to specify the type of certificate operation. Each command option may take zero or more arguments. The command option <option>-H</option> will list all the command options and their relevant arguments.</para> <para><command>Command Options</command></para> - <para>Command options are typically upper case. </para> <variablelist> <varlistentry> <term>-A </term> - <listitem><para>Add an existing certificate to a certificate database. The certificate database should already exist; if one is not present, this command option will initialize one by default. </para></listitem> + <listitem><para>Add an existing certificate to a certificate database. The certificate database should already exist; if one is not present, this command option will initialize one by default.</para></listitem> </varlistentry> <varlistentry> @@ -89,12 +88,12 @@ When you delete keys, be sure to also remove any certificates associated with th <varlistentry> <term>-G </term> - <listitem><para>Generate a new public and private key pair within a key database. The key database should already exist; if one is not present, this option will initialize one by default. Some smart cards can store only one key pair. If you create a new key pair for such a card, the previous pair is overwritten.</para></listitem> + <listitem><para>Generate a new public and private key pair within a key database. The key database should already exist; if one is not present, this command option will initialize one by default. Some smart cards can store only one key pair. If you create a new key pair for such a card, the previous pair is overwritten.</para></listitem> </varlistentry> <varlistentry> <term>-H </term> - <listitem><para>Display a list of the command options and arguments used by the Certificate Database Tool.</para></listitem> + <listitem><para>Display a list of the command options and arguments.</para></listitem> </varlistentry> <varlistentry> @@ -125,7 +124,7 @@ Use the -h tokenname argument to specify the certificate database on a particula <varlistentry> <term>-R</term> - <listitem><para>Create a certificate request file that can be submitted to a Certificate Authority (CA) for processing into a finished certificate. Output defaults to standard out unless you use -o output-file argument. + <listitem><para>Create a certificate request file that can be submitted to a Certificate Authority (CA) for processing into a finished certificate. Output defaults to standard out unless you use -o output-file argument. Use the -a argument to specify ASCII output.</para></listitem> </varlistentry> @@ -157,7 +156,7 @@ Use the -a argument to specify ASCII output.</para></listitem> <varlistentry> <term>--merge</term> - <listitem><para>Merge a source database into the target database. This is used to merge legacy NSS databases (<filename>cert8.db</filename> and <filename>key3.db</filename>) into the newer SQLite databases (<filename>cert9.db</filename> and <filename>key4.db</filename>).</para></listitem> + <listitem><para>Merge two databases into one.</para></listitem> </varlistentry> <varlistentry> @@ -194,13 +193,13 @@ If this option is not used, the validity check defaults to the current system ti <term>-d [prefix]directory</term> <listitem> <para>Specify the database directory containing the certificate and key database files.</para> - <para><command>certutil</command> supports two types of databases: the legacy security databases (<filename>cert8.db</filename>, <filename>key3.db</filename>, and <filename>secmod.db</filename>) and new SQLite databases (<filename>cert9.db</filename>, <filename>key4.db</filename>, and <filename>pkcs11.txt</filename>). If the prefix <command>sql:</command> is not used, then the tool assumes that the given databases are in the old format.</para> + <para><command>certutil</command> supports two types of databases: the legacy security databases (<filename>cert8.db</filename>, <filename>key3.db</filename>, and <filename>secmod.db</filename>) and new SQLite databases (<filename>cert9.db</filename>, <filename>key4.db</filename>, and <filename>pkcs11.txt</filename>). </para> <para>NSS recognizes the following prefixes:</para> <itemizedlist> - <listitem><para><command>sql: explicitly requests the newer database</command></para></listitem> - <listitem><para><command>dbm: explicitly requests the older database</command></para></listitem> - <listitem><para><command>extern: explicitly reserved for future use</command></para></listitem> + <listitem><para><command>sql: requests the newer database</command></para></listitem> + <listitem><para><command>dbm: requests the legacy database</command></para></listitem> </itemizedlist> + <para>If no prefix is specified the default type is retrieved from NSS_DEFAULT_DB_TYPE. If NSS_DEFAULT_DB_TYPE is not set then dbm: is the default.</para> </listitem> </varlistentry> @@ -224,7 +223,7 @@ If this option is not used, the validity check defaults to the current system ti <varlistentry> <term>-h tokenname</term> - <listitem><para>Specify the name of a token to use or act on. Unless specified otherwise the default token is an internal slot.</para></listitem> + <listitem><para>Specify the name of a token to use or act on. If not specified the default token is the internal database slot.</para></listitem> </varlistentry> <varlistentry> @@ -233,23 +232,11 @@ If this option is not used, the validity check defaults to the current system ti </varlistentry> <varlistentry> - <term>-k rsa|dsa|ec|all</term> - <listitem><para>Specify the type of a key. The valid options are RSA, DSA, ECC, or all. The default value is rsa. Specifying the type of key can avoid mistakes caused by duplicate nicknames.</para></listitem> - </varlistentry> - - <varlistentry> <term>-k key-type-or-id</term> <listitem> - <para>Specify the type or specific ID of a key. </para> - <para> - The valid key type options are RSA, DSA, ECC, or all. The default - value is rsa. Specifying the type of key can avoid mistakes caused by - duplicate nicknames. Giving a key type generates a new key pair; - giving the ID of an existing key reuses that key pair (which is - required to renew certificates). - </para> + <para>Specify the type or specific ID of a key.</para> <para> - The valid key type options are RSA, DSA, ECC, or all. The default + The valid key type options are rsa, dsa, ec, or all. The default value is rsa. Specifying the type of key can avoid mistakes caused by duplicate nicknames. Giving a key type generates a new key pair; giving the ID of an existing key reuses that key pair (which is @@ -265,8 +252,7 @@ If this option is not used, the validity check defaults to the current system ti <varlistentry> <term>-m serial-number</term> - <listitem><para>Assign a unique serial number to a certificate being created. This operation should be performed by a CA. If no serial number is - provided a default serial number is made from the current time. Serial numbers are limited to integers </para></listitem> + <listitem><para>Assign a unique serial number to a certificate being created. This operation should be performed by a CA. If no serial number is provided a default serial number is made from the current time. Serial numbers are limited to integers </para></listitem> </varlistentry> <varlistentry> @@ -357,7 +343,7 @@ of the attribute codes: </listitem> <listitem> <para> - <command>C</command> - rusted CA for client authentication (ssl server only) + <command>C</command> - trusted CA for client authentication (ssl server only) </para> </listitem> <listitem> @@ -747,28 +733,11 @@ of the attribute codes: <para> For example: </para> -<programlisting>$ certutil -R -k ec -q nistb409 -g 512 -s "CN=John Smith,O=Example Corp,L=Mountain View,ST=California,C=US" -d sql:/home/my/sharednssdb -p 650-555-0123 -a -o cert.cer +<programlisting>$ certutil -R -k rsa -g 1024 -s "CN=John Smith,O=Example Corp,L=Mountain View,ST=California,C=US" -d sql:$HOME/nssdb -p 650-555-0123 -a -o cert.cer Generating key. This may take a few moments... - -Certificate request generated by Netscape -Phone: 650-555-0123 -Common Name: John Smith -Email: (not ed) -Organization: Example Corp -State: California -Country: US - ------BEGIN NEW CERTIFICATE REQUEST----- -MIIBIDCBywIBADBmMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEW -MBQGA1UEBxMNTW91bnRhaW4gVmlldzEVMBMGA1UEChMMRXhhbXBsZSBDb3JwMRMw -EQYDVQQDEwpKb2huIFNtaXRoMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAMVUpDOZ -KmHnOx7reP8Cc0Lk+fFWEuYIDX9W5K/BioQOKvEjXyQZhit9aThzBVMoSf1Y1S8J -CzdUbCg1+IbnXaECAwEAAaAAMA0GCSqGSIb3DQEBBQUAA0EAryqZvpYrUtQ486Ny -qmtyQNjIi1F8c1Z+TL4uFYlMg8z6LG/J/u1E5t1QqB5e9Q4+BhRbrQjRR1JZx3tB -1hP9Gg== ------END NEW CERTIFICATE REQUEST-----</programlisting> +</programlisting> <para><command>Creating a Certificate</command></para> <para> @@ -776,13 +745,16 @@ qmtyQNjIi1F8c1Z+TL4uFYlMg8z6LG/J/u1E5t1QqB5e9Q4+BhRbrQjRR1JZx3tB </para> <programlisting>$ certutil -S -k rsa|dsa|ec -n certname -s subject [-c issuer |-x] -t trustargs -d [sql:]directory [-m serial-number] [-v valid-months] [-w offset-months] [-p phone] [-1] [-2] [-3] [-4] [-5 keyword] [-6 keyword] [-7 emailAddress] [-8 dns-names] [--extAIA] [--extSIA] [--extCP] [--extPM] [--extPC] [--extIA] [--extSKID]</programlisting> <para> - The series of numbers and <option>--ext*</option> options set certificate extensions that can be added to the certificate when it is generated by the CA. + The series of numbers and <option>--ext*</option> options set certificate extensions that can be added to the certificate when it is generated by the CA. Interactive prompts will result. </para> <para> For example, this creates a self-signed certificate: </para> <programlisting>$ certutil -S -s "CN=Example CA" -n my-ca-cert -x -t "C,C,C" -1 -2 -5 -m 3650</programlisting> <para> +The interative prompts for key usage and whether any extensions are critical and responses have been ommitted for brevity. + </para> + <para> From there, new certificates can reference the self-signed certificate: </para> <programlisting>$ certutil -S -s "CN=My Server Cert" -n my-server-cert -c "my-ca-cert" -t "u,u,u" -1 -5 -6 -8 -m 730</programlisting> @@ -795,18 +767,7 @@ qmtyQNjIi1F8c1Z+TL4uFYlMg8z6LG/J/u1E5t1QqB5e9Q4+BhRbrQjRR1JZx3tB <para> For example: </para> -<programlisting>$ certutil -C -c "my-ca-cert" -i /home/certs/cert.req -o cert.cer -m 010 -v 12 -w 1 -d sql:/home/my/sharednssdb -1 nonRepudiation,dataEncipherment -5 sslClient -6 clientAuth -7 jsmith@example.com</programlisting> - - - <para><command>Generating Key Pairs</command></para> - <para> - Key pairs are generated automatically with a certificate request or certificate, but they can also be generated independently using the <option>-G</option> command option. - </para> -<programlisting>certutil -G -d [sql:]directory | -h tokenname -k key-type -g key-size [-y exponent-value] -q pqgfile|curve-name</programlisting> - <para> - For example: - </para> -<programlisting>$ certutil -G -h lunasa -k ec -g 256 -q sect193r2</programlisting> +<programlisting>$ certutil -C -c "my-ca-cert" -i /home/certs/cert.req -o cert.cer -m 010 -v 12 -w 1 -d sql:$HOME/nssdb -1 nonRepudiation,dataEncipherment -5 sslClient -6 clientAuth -7 jsmith@example.com</programlisting> <para><command>Listing Certificates</command></para> <para> @@ -824,30 +785,87 @@ Certificate Authority - Example Domain CT,C,C</programlist <para> Using additional arguments with <option>-L</option> can return and print the information for a single, specific certificate. For example, the <option>-n</option> argument passes the certificate name, while the <option>-a</option> argument prints the certificate in ASCII format: </para> -<programlisting>$ certutil -L -d sql:/home/my/sharednssdb -a -n "Certificate Authority - Example Domain" - +<programlisting> +$ certutil -L -d sql:$HOME/nssdb -a -n my-ca-cert -----BEGIN CERTIFICATE----- -MIIDmTCCAoGgAwIBAgIBATANBgkqhkiG9w0BAQUFADA5MRcwFQYDVQQKEw5FeGFt -cGxlIERvbWFpbjEeMBwGA1UEAxMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTEw -MDQyOTIxNTY1OFoXDTEyMDQxODIxNTY1OFowOTEXMBUGA1UEChMORXhhbXBsZSBE -b21haW4xHjAcBgNVBAMTFUNlcnRpZmljYXRlIEF1dGhvcml0eTCCASIwDQYJKoZI -hvcNAQEBBQADggEPADCCAQoCggEBAO/bqUli2KwqXFKmMMG93KN1SANzNTXA/Vlf -Tmrih3hQgjvR1ktIY9aG6cB7DSKWmtHp/+p4PUCMqL4ZrSGt901qxkePyZ2dYmM2 -RnelK+SEUIPiUtoZaDhNdiYsE/yuDE8vQWj0vHCVL0w72qFUcSQ/WZT7FCrnUIUI -udeWnoPSUn70gLhcj/lvxl7K9BHyD4Sq5CzktwYtFWLiiwV+ZY/Fl6JgbGaQyQB2 -bP4iRMfloGqsxGuB1evWVDF1haGpFDSPgMnEPSLg3/3dXn+HDJbZ29EU8/xKzQEb -3V0AHKbu80zGllLEt2Zx/WDIrgJEN9yMfgKFpcmL+BvIRsmh0VsCAwEAAaOBqzCB -qDAfBgNVHSMEGDAWgBQATgxHQyRUfKIZtdp55bZlFr+tFzAPBgNVHRMBAf8EBTAD -AQH/MA4GA1UdDwEB/wQEAwIBxjAdBgNVHQ4EFgQUAE4MR0MkVHyiGbXaeeW2ZRa/ -rRcwRQYIKwYBBQUHAQEEOTA3MDUGCCsGAQUFBzABhilodHRwOi8vbG9jYWxob3N0 -LmxvY2FsZG9tYWluOjkxODAvY2Evb2NzcDANBgkqhkiG9w0BAQUFAAOCAQEAi8Gk -L3XO43u7/TDOeEsWPmq+jZsDZ3GZ85Ajt3KROLWeKVZZZa2E2Hnsvf2uXbk5amKe -lRxdSeRH9g85pv4KY7Z8xZ71NrI3+K3uwmnqkc6t0hhYb1mw/gx8OAAoluQx3biX -JBDxjI73Cf7XUopplHBjjiwyGIJUO8BEZJ5L+TF4P38MJz1snLtzZpEAX5bl0U76 -bfu/tZFWBbE8YAWYtkCtMcalBPj6jn2WD3M01kGozW4mmbvsj1cRB9HnsGsqyHCu -U0ujlL1H/RWcjn607+CTeKH9jLMUqCIqPJNOa+kq/6F7NhNRRiuzASIbZc30BZ5a -nI7q5n1USM3eWQlVXw== ------END CERTIFICATE-----</programlisting> +MIIB1DCCAT2gAwIBAgICDkIwDQYJKoZIhvcNAQEFBQAwFTETMBEGA1UEAxMKRXhh +bXBsZSBDQTAeFw0xMzAzMTMxOTEwMjlaFw0xMzA2MTMxOTEwMjlaMBUxEzARBgNV +BAMTCkV4YW1wbGUgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJ4Kzqvz +JyBVgFqDXRYSyTBNw1DrxUU/3GvWA/ngjAwHEv0Cul/6sO/gsCvnABHiH6unns6x +XRzPORlC2WY3gkk7vmlsLvYpyecNazAi/NAwVnU/66HOsaoVFWE+gBQo99UrN2yk +0BiK/GMFlLm5dXQROgA9ZKKyFdI0LIXtf6SbAgMBAAGjMzAxMBEGCWCGSAGG+EIB +AQQEAwIHADAMBgNVHRMEBTADAQH/MA4GA1UdDwEB/wQEAwICBDANBgkqhkiG9w0B +AQUFAAOBgQA6chkzkACN281d1jKMrc+RHG2UMaQyxiteaLVZO+Ro1nnRUvseDf09 +XKYFwPMJjWCihVku6bw/ihZfuMHhxK22Nue6inNQ6eDu7WmrqL8z3iUrQwxs+WiF +ob2rb8XRVVJkzXdXxlk4uo3UtNvw8sAz7sWD71qxKaIHU5q49zijfg== +-----END CERTIFICATE----- +</programlisting> +<pa>For a humam-readable display</para> +<programlisting>$ certutil -L -d sql:$HOME/nssdb -n my-ca-cert +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 3650 (0xe42) + Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption + Issuer: "CN=Example CA" + Validity: + Not Before: Wed Mar 13 19:10:29 2013 + Not After : Thu Jun 13 19:10:29 2013 + Subject: "CN=Example CA" + Subject Public Key Info: + Public Key Algorithm: PKCS #1 RSA Encryption + RSA Public Key: + Modulus: + 9e:0a:ce:ab:f3:27:20:55:80:5a:83:5d:16:12:c9:30: + 4d:c3:50:eb:c5:45:3f:dc:6b:d6:03:f9:e0:8c:0c:07: + 12:fd:02:ba:5f:fa:b0:ef:e0:b0:2b:e7:00:11:e2:1f: + ab:a7:9e:ce:b1:5d:1c:cf:39:19:42:d9:66:37:82:49: + 3b:be:69:6c:2e:f6:29:c9:e7:0d:6b:30:22:fc:d0:30: + 56:75:3f:eb:a1:ce:b1:aa:15:15:61:3e:80:14:28:f7: + d5:2b:37:6c:a4:d0:18:8a:fc:63:05:94:b9:b9:75:74: + 11:3a:00:3d:64:a2:b2:15:d2:34:2c:85:ed:7f:a4:9b + Exponent: 65537 (0x10001) + Signed Extensions: + Name: Certificate Type + Data: none + + Name: Certificate Basic Constraints + Data: Is a CA with no maximum path length. + + Name: Certificate Key Usage + Critical: True + Usages: Certificate Signing + + Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption + Signature: + 3a:72:19:33:90:00:8d:db:cd:5d:d6:32:8c:ad:cf:91: + 1c:6d:94:31:a4:32:c6:2b:5e:68:b5:59:3b:e4:68:d6: + 79:d1:52:fb:1e:0d:fd:3d:5c:a6:05:c0:f3:09:8d:60: + a2:85:59:2e:e9:bc:3f:8a:16:5f:b8:c1:e1:c4:ad:b6: + 36:e7:ba:8a:73:50:e9:e0:ee:ed:69:ab:a8:bf:33:de: + 25:2b:43:0c:6c:f9:68:85:a1:bd:ab:6f:c5:d1:55:52: + 64:cd:77:57:c6:59:38:ba:8d:d4:b4:db:f0:f2:c0:33: + ee:c5:83:ef:5a:b1:29:a2:07:53:9a:b8:f7:38:a3:7e + Fingerprint (MD5): + 86:D8:A5:8B:8A:26:BE:9E:17:A8:7B:66:10:6B:27:80 + Fingerprint (SHA1): + 48:78:09:EF:C5:D4:0C:BD:D2:64:45:59:EB:03:13:15:F7:A9:D6:F7 + + Certificate Trust Flags: + SSL Flags: + Valid CA + Trusted CA + User + Email Flags: + Valid CA + Trusted CA + User + Object Signing Flags: + Valid CA + Trusted CA + User + +</programlisting> <para><command>Listing Keys</command></para> <para> @@ -856,7 +874,7 @@ nI7q5n1USM3eWQlVXw== <para> To list all keys in the database, use the <option>-K</option> command option and the (required) <option>-d</option> argument to give the path to the directory. </para> -<programlisting>$ certutil -K -d sql:/home/my/sharednssdb +<programlisting>$ certutil -K -d sql:$HOME/nssdb certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services " < 0> rsa 455a6673bde9375c2887ec8bf8016b3f9f35861d Thawte Freemail Member's Thawte Consulting (Pty) Ltd. ID < 1> rsa 40defeeb522ade11090eacebaaf1196a172127df Example Domain Administrator Cert @@ -1013,7 +1031,7 @@ some flexibility that allows applications to use their own, independent database requires more flexibility to provide a truly shared security database.</para> <para>In 2009, NSS introduced a new set of databases that are SQLite databases rather than -BerkleyDB. These new databases provide more accessibility and performance:</para> +BerkeleyDB. These new databases provide more accessibility and performance:</para> <itemizedlist> <listitem> <para> @@ -1027,7 +1045,7 @@ BerkleyDB. These new databases provide more accessibility and performance:</para </listitem> <listitem> <para> - pkcs11.txt, which is listing of all of the PKCS #11 modules contained in a new subdirectory in the security databases directory + pkcs11.txt, a listing of all of the PKCS #11 modules, contained in a new subdirectory in the security databases directory </para> </listitem> </itemizedlist> @@ -1110,7 +1128,7 @@ Using the SQLite databases must be manually specified by using the <command>sql: <!-- fill in your name first; keep the other names for reference --> <refsection id="authors"> <title>Authors</title> - <para>The NSS tools were written and maintained by developers with Netscape, Red Hat, and Sun.</para> + <para>The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</para> <para> Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey <dlackey@redhat.com>. </para> @@ -1119,9 +1137,7 @@ Using the SQLite databases must be manually specified by using the <command>sql: <!-- don't change --> <refsection id="license"> <title>LICENSE</title> - <para>Licensed under the Mozilla Public License, version 1.1, - and/or the GNU General Public License, version 2 or later, - and/or the GNU Lesser General Public License, version 2.1 or later. + <para>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/. </para> </refsection> |