path: root/doc/rst/legacy/index/index.rst
Diffstat (limited to 'doc/rst/legacy/index/index.rst')
-rw-r--r-- doc/rst/legacy/index/index.rst 6300
1 files changed, 3150 insertions, 3150 deletions
diff --git a/doc/rst/legacy/index/index.rst b/doc/rst/legacy/index/index.rst
index 97431db3c..c7a1946a7 100644
--- a/doc/rst/legacy/index/index.rst
+++ b/doc/rst/legacy/index/index.rst
@@ -1129,7 +1129,7 @@ Index
| 16 | :ref:`mozilla_projects_n | **NSS** |
| | ss_fips_mode_-_an_explanation` | |
+--------------------------------+--------------------------------+--------------------------------+
- | | | NSS has a "FIPS Mode" that can |
+ | | | NSS has a "FIPS Mode" that can |
| | | be enabled when NSS is |
| | | compiled in a specific way. |
| | | (Note: Mozilla does not |
@@ -1138,7 +1138,7 @@ Index
| | | attempts to provide an |
| | | informal explanation of what |
| | | it is, who would use it, and |
- | | | why.  |
+ | | | why. |
+--------------------------------+--------------------------------+--------------------------------+
| | | |
+--------------------------------+--------------------------------+--------------------------------+
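Review bot: the removed and added lines at the top of this hunk ("NSS has a "FIPS Mode" that can") read identically in the rendered diff, so the difference is presumably invisible whitespace (a trailing space or a non-ASCII space); the commit message should say which kind, so a reviewer can confirm that this 3150-line change is whitespace-only and carries no content edits. Separately, the cross-reference in this hunk's context is split across two cell lines (":ref:`mozilla_projects_n" / "ss_fips_mode_-_an_explanation`"), which the whitespace cleanup leaves as it was; the role only resolves if the cell is re-wrapped so the target name sits on one line.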
@@ -1876,7 +1876,7 @@ Index
| | | The NSS team has released |
| | | Network Security Services |
| | | (NSS) 3.19, which is a minor |
- | | | security release. |
+ | | | security release. |
+--------------------------------+--------------------------------+--------------------------------+
| | | |
+--------------------------------+--------------------------------+--------------------------------+
@@ -2695,7 +2695,7 @@ Index
| | | The NSS team has released |
| | | Network Security Services |
| | | (NSS) 3.44.4 on **19 May |
- | | | 2020**. This is  a security |
+ | | | 2020**. This is a security |
| | | patch release. |
+--------------------------------+--------------------------------+--------------------------------+
| | | |
@@ -2847,7 +2847,7 @@ Index
| | | The NSS team has released |
| | | Network Security Services |
| | | (NSS) 3.51.1 on **3 April |
- | | | 2020**. This is  a minor |
+ | | | 2020**. This is a minor |
| | | release focusing on functional |
| | | bug fixes and low-risk patches |
| | | only. |
@@ -2869,7 +2869,7 @@ Index
| | | The NSS team has released |
| | | Network Security Services |
| | | (NSS) 3.52.1 on **19 May |
- | | | 2020**. This is  a security |
+ | | | 2020**. This is a security |
| | | patch release. |
+--------------------------------+--------------------------------+--------------------------------+
| | | |
@@ -3151,7 +3151,7 @@ Index
| | | This is an example program |
| | | that demonstrates how to |
| | | compute the hash of a file and |
- | | | save it to another file.  This |
+ | | | save it to another file. This |
| | | program illustrates the use of |
| | | NSS message APIs. |
+--------------------------------+--------------------------------+--------------------------------+
@@ -3163,7 +3163,7 @@ Index
+--------------------------------+--------------------------------+--------------------------------+
| | | This example program |
| | | demonstrates how to initialize |
- | | | the NSS Database.  This |
+ | | | the NSS Database. This |
| | | program illustrates password |
| | | handling. |
+--------------------------------+--------------------------------+--------------------------------+
@@ -3176,7 +3176,7 @@ Index
+--------------------------------+--------------------------------+--------------------------------+
| | | This example program |
| | | demonstrates how to encrypt |
- | | | and MAC a file.  |
+ | | | and MAC a file. |
+--------------------------------+--------------------------------+--------------------------------+
| | | |
+--------------------------------+--------------------------------+--------------------------------+
@@ -3187,7 +3187,7 @@ Index
| | | This is an example program |
| | | that demonstrates how to do |
| | | key generation and transport |
- | | | between cooperating servers.  |
+ | | | between cooperating servers. |
| | | This program shows the |
| | | following: |
+--------------------------------+--------------------------------+--------------------------------+
@@ -3238,7 +3238,7 @@ Index
| | e_nss_sample_code_utililies_1` | |
+--------------------------------+--------------------------------+--------------------------------+
| | | This is a library of utilities |
- | | | used by many of the samples.  |
+ | | | used by many of the samples. |
| | | This code shows the following: |
+--------------------------------+--------------------------------+--------------------------------+
| | | |
@@ -3269,7 +3269,7 @@ Index
| | le2_-_initialize_nss_database` | Web Development** |
+--------------------------------+--------------------------------+--------------------------------+
| | | The NSS sample code below |
- | | | demonstrates how to initialize |
+ | | | demonstrates how to initialize |
| | | the NSS database. |
+--------------------------------+--------------------------------+--------------------------------+
| | | |
@@ -3300,7 +3300,7 @@ Index
| | | adapted from those found in |
| | | the sectool library used by |
| | | the NSS security tools and |
- | | | other NSS test applications.  |
+ | | | other NSS test applications. |
+--------------------------------+--------------------------------+--------------------------------+
| | | |
+--------------------------------+--------------------------------+--------------------------------+
@@ -3551,7 +3551,7 @@ Index
| | | biometric security devices, |
| | | and external certificate |
| | | stores. This article covers |
- | | | the two methods for installing |
+ | | | the two methods for installing |
| | | PKCS #11 modules into Firefox. |
+--------------------------------+--------------------------------+--------------------------------+
| | | |
@@ -3651,13 +3651,13 @@ Index
| | | Each project now lives in its |
| | | own separate space, they can |
| | | be found at: |
- | | |    https:/ |
+ | | | https:/ |
| | | /hg.mozilla.org/projects/nspr/ |
- | | |    https: |
+ | | | https: |
| | | //hg.mozilla.org/projects/nss/ |
- | | |    https: |
+ | | | https: |
| | | //hg.mozilla.org/projects/jss/ |
- | | |   |
+ | | | |
| | | https://hg.mo |
| | | zilla.org/projects/python-nss/ |
+--------------------------------+--------------------------------+--------------------------------+
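Review bot: stripping the leading spaces from the "https:/" lines only removes the unexpected-indentation complaint docutils raises for an indented line that follows "be found at:" without a blank line; it does not fix the real defect in this cell, which is that each URL is broken across two lines ("https:/" / "/hg.mozilla.org/projects/nspr/", and likewise for nss, jss and python-nss). When the cell lines are joined the rendered text contains a space inside each address, so the links are neither clickable nor correct when copied. Suggest widening the column or moving the four links out of the table so each URL sits on a single line.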
@@ -4282,13 +4282,13 @@ Index
| | | is a platform abstraction |
| | | library that provides a |
| | | cross-platform API to common |
- | | | OS services.  NSS uses NSPR |
+ | | | OS services. NSS uses NSPR |
| | | internally as the porting |
- | | | layer.  However, a small |
+ | | | layer. However, a small |
| | | number of NSPR functions are |
| | | required for using the |
| | | certificate verification and |
- | | | SSL functions in NSS.  These |
+ | | | SSL functions in NSS. These |
| | | NSPR functions are listed in |
| | | this section. |
+--------------------------------+--------------------------------+--------------------------------+
@@ -4397,84 +4397,84 @@ Index
| | eference_nss_tools_:_certutil` | |
+--------------------------------+--------------------------------+--------------------------------+
| | | Name |
- | | |    certutil — Manage keys and |
+ | | | certutil — Manage keys and |
| | | certificate in both NSS |
| | | databases and other NSS tokens |
| | | Synopsis |
- | | |    certutil [options] |
+ | | | certutil [options] |
| | | [[arguments]] |
| | | Description |
- | | |    The Certificate Database |
+ | | | The Certificate Database |
| | | Tool, certutil, is a |
| | | command-line utility |
- | | |    that can create and modify |
+ | | | that can create and modify |
| | | certificate and key databases. |
- | | |    It can specifically list, |
+ | | | It can specifically list, |
| | | generate, modify, or delete |
| | | certificates, create or |
- | | |    change the password, |
+ | | | change the password, |
| | | generate new public and |
| | | private key pairs, |
- | | |    display the contents of the |
+ | | | display the contents of the |
| | | key database, or delete key |
- | | | pairs within  the key |
+ | | | pairs within the key |
| | | database. |
- | | |    Certificate issuance, part |
+ | | | Certificate issuance, part |
| | | of the key and certificate |
| | | management process, requires |
| | | that |
- | | |    keys and certificates be |
+ | | | keys and certificates be |
| | | created in the key database. |
| | | This document discusses |
| | | certificate |
- | | |    and key database |
+ | | | and key database |
| | | management. For information on |
- | | | the  security module database |
+ | | | the security module database |
| | | management, |
- | | |    see the modutil manpage. |
+ | | | see the modutil manpage. |
| | | Options and Arguments |
- | | |    Running certutil always |
+ | | | Running certutil always |
| | | requires one and only one |
| | | command option to |
- | | |    specify the type of |
+ | | | specify the type of |
| | | certificate operation. Each |
| | | option may take arguments, |
- | | |    anywhere from none to |
+ | | | anywhere from none to |
| | | multiple arguments. The |
| | | command option -H will list |
- | | |    all the command options |
+ | | | all the command options |
| | | available and their relevant |
| | | arguments. |
- | | |    Command Options |
- | | |    -A |
- | | |           Add an existing |
+ | | | Command Options |
+ | | | -A |
+ | | | Add an existing |
| | | certificate to a certificate |
| | | database. |
- | | |           The certificate |
+ | | | The certificate |
| | | database should already exist; |
| | | if one is |
- | | |           not present, this |
+ | | | not present, this |
| | | command option will initialize |
| | | one by default. |
- | | |    -B |
- | | |           Run a series of |
+ | | | -B |
+ | | | Run a series of |
| | | commands from the specified |
| | | batch file. |
- | | |           This requires the -i |
+ | | | This requires the -i |
| | | argument. |
- | | |    -C |
- | | |           Create a new binary |
+ | | | -C |
+ | | | Create a new binary |
| | | certificate file from a binary |
- | | |           certificate request |
+ | | | certificate request |
| | | file. Use the -i argument to |
| | | specify |
- | | |           the certificate |
+ | | | the certificate |
| | | request file. If this argument |
| | | is not |
- | | |           used, certutil |
+ | | | used, certutil |
| | | prompts for a filename. |
- | | |    -D |
- | | |           Delete a certificate |
+ | | | -D |
+ | | | Delete a certificate |
| | | from the certificate database. |
+--------------------------------+--------------------------------+--------------------------------+
| | | |
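Review bot: this hunk flattens the inlined certutil manpage so that the option names ("-A", "-B", "-C", "-D") now sit at the same indentation as their descriptions ("Add an existing", "Run a series of"). Because the continuation lines were already at column 0, the old mixed indentation did not produce a definition list either, but after this change the option name and its description can no longer be told apart once the cell lines are joined ("-A Add an existing certificate to a certificate database. The certificate database should already exist; ..."). Suggest either separating each option with a blank line inside the cell or, better, keeping a one-sentence summary in the index and pointing at the certutil reference page instead of duplicating its text here.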
@@ -4560,7 +4560,7 @@ Index
+--------------------------------+--------------------------------+--------------------------------+
| | | This page lists release notes |
| | | for older versions of NSS. |
- | | | See :ref:`mozi |
+ | | | See :ref:`mozi |
| | | lla_projects_nss_nss_releases` |
| | | :ref:`mozi |
| | | lla_projects_nss_nss_releases` |
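Review bot: the cross-reference in this hunk is split across two cell lines (":ref:`mozi" / "lla_projects_nss_nss_releases`"), so the role will not resolve once the cell lines are joined, and the same broken reference is then repeated verbatim on the next two lines; the whitespace change leaves both problems in place. Suggest putting the reference on a single line and dropping the duplicate.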
@@ -4659,7 +4659,7 @@ Index
| | | and encrypted communications. |
| | | This chapter introduces some |
| | | of the basic SSL functions. |
- | | | `Chapter 2, "Getting Started |
+ | | | `Chapter 2, "Getting Started |
| | | With |
| | | SSL" <gtstd.html#1005439>`__ |
| | | illustrates their use in |
@@ -4710,974 +4710,974 @@ Index
| | a_projects_nss_tools_certutil` | |
+--------------------------------+--------------------------------+--------------------------------+
| | | Name |
- | | |    certutil — Manage keys and |
+ | | | certutil — Manage keys and |
| | | certificate in the NSS |
| | | database. |
| | | Synopsis |
- | | |    certutil [options] |
+ | | | certutil [options] |
| | | `arguments <arguments>`__ |
| | | Description |
- | | |    The Certificate Database |
+ | | | The Certificate Database |
| | | Tool, certutil, is a |
| | | command-line utility that |
- | | |    can create and modify |
+ | | | can create and modify |
| | | certificate and key database |
| | | files. It can also |
- | | |    list, generate, modify, or |
+ | | | list, generate, modify, or |
| | | delete certificates within the |
| | | database, create |
- | | |    or change the password, |
+ | | | or change the password, |
| | | generate new public and |
| | | private key pairs, display |
- | | |    the contents of the key |
+ | | | the contents of the key |
| | | database, or delete key pairs |
| | | within the key |
- | | |    database. |
- | | |    The key and certificate |
+ | | | database. |
+ | | | The key and certificate |
| | | management process generally |
| | | begins with creating |
- | | |    keys in the key database, |
+ | | | keys in the key database, |
| | | then generating and managing |
| | | certificates in the |
- | | |    certificate database. This |
+ | | | certificate database. This |
| | | document discusses certificate |
| | | and key database |
- | | |    management. For information |
+ | | | management. For information |
| | | security module database |
| | | management, see the |
- | | |    modutil manpages. |
+ | | | modutil manpages. |
| | | Options and Arguments |
- | | |    Running certutil always |
+ | | | Running certutil always |
| | | requires one (and only one) |
| | | option to specify the |
- | | |    type of certificate |
+ | | | type of certificate |
| | | operation. Each option may |
| | | take arguments, anywhere |
- | | |    from none to multiple |
+ | | | from none to multiple |
| | | arguments. Run the command |
| | | option and -H to see the |
- | | |    arguments available for |
+ | | | arguments available for |
| | | each command option. |
- | | |    Options |
- | | |    Options specify an action |
+ | | | Options |
+ | | | Options specify an action |
| | | and are uppercase. |
- | | |    -A |
- | | |            Add an existing |
+ | | | -A |
+ | | | Add an existing |
| | | certificate to a certificate |
| | | database. The |
- | | |            certificate |
+ | | | certificate |
| | | database should already exist; |
| | | if one is not present, |
- | | |            this option will |
+ | | | this option will |
| | | initialize one by default. |
- | | |    -B |
- | | |            Run a series of |
+ | | | -B |
+ | | | Run a series of |
| | | commands from the specified |
| | | batch file. This |
- | | |            requires the -i |
+ | | | requires the -i |
| | | argument. |
- | | |    -C |
- | | |            Create a new binary |
+ | | | -C |
+ | | | Create a new binary |
| | | certificate file from a binary |
| | | certificate |
- | | |            request file. Use |
+ | | | request file. Use |
| | | the -i argument to specify the |
| | | certificate |
- | | |            request file. If |
+ | | | request file. If |
| | | this argument is not used, |
| | | certutil prompts for a |
- | | |            filename. |
- | | |    -D |
- | | |            Delete a |
+ | | | filename. |
+ | | | -D |
+ | | | Delete a |
| | | certificate from the |
| | | certificate database. |
- | | |    -E |
- | | |            Add an email |
+ | | | -E |
+ | | | Add an email |
| | | certificate to the certificate |
| | | database. |
- | | |    -F |
- | | |            Delete a private |
+ | | | -F |
+ | | | Delete a private |
| | | key from a key database. |
| | | Specify the key to |
- | | |            delete with the -n |
+ | | | delete with the -n |
| | | argument. Specify the database |
| | | from which to |
- | | |            delete the key with |
+ | | | delete the key with |
| | | the -d argument. Use the -k |
| | | argument to |
- | | |            specify explicitly |
+ | | | specify explicitly |
| | | whether to delete a DSA, RSA, |
| | | or ECC key. If |
- | | |            you don't use the |
+ | | | you don't use the |
| | | -k argument, the option looks |
| | | for an RSA key |
- | | |            matching the |
+ | | | matching the |
| | | specified nickname. |
- | | |            When you delete |
+ | | | When you delete |
| | | keys, be sure to also remove |
| | | any certificates |
- | | |            associated with |
+ | | | associated with |
| | | those keys from the |
| | | certificate database, by using |
- | | |            -D. Some smart |
+ | | | -D. Some smart |
| | | cards (for example, the |
| | | Litronic card) do not let |
- | | |            you remove a public |
+ | | | you remove a public |
| | | key you have generated. In |
| | | such a case, only |
- | | |            the private key is |
+ | | | the private key is |
| | | deleted from the key pair. You |
| | | can display the |
- | | |            public key with the |
+ | | | public key with the |
| | | command certutil -K -h |
| | | tokenname. |
- | | |    -G |
- | | |            Generate a new |
+ | | | -G |
+ | | | Generate a new |
| | | public and private key pair |
| | | within a key database. |
- | | |            The key database |
+ | | | The key database |
| | | should already exist; if one |
| | | is not present, this |
- | | |            option will |
+ | | | option will |
| | | initialize one by default. |
| | | Some smart cards (for |
- | | |            example, the |
+ | | | example, the |
| | | Litronic card) can store only |
| | | one key pair. If you |
- | | |            create a new key |
+ | | | create a new key |
| | | pair for such a card, the |
| | | previous pair is |
- | | |            overwritten. |
- | | |    -H |
- | | |            Display a list of |
+ | | | overwritten. |
+ | | | -H |
+ | | | Display a list of |
| | | the options and arguments used |
| | | by the |
- | | |            Certificate |
+ | | | Certificate |
| | | Database Tool. |
- | | |    -K |
- | | |            List the key ID of |
+ | | | -K |
+ | | | List the key ID of |
| | | keys in the key database. A |
| | | key ID is the |
- | | |            modulus of the RSA |
+ | | | modulus of the RSA |
| | | key or the publicValue of the |
| | | DSA key. IDs are |
- | | |            displayed in |
+ | | | displayed in |
| | | hexadecimal ("0x" is not |
| | | shown). |
- | | |    -L |
- | | |            List all the |
+ | | | -L |
+ | | | List all the |
| | | certificates, or display |
| | | information about a named |
- | | |            certificate, in a |
+ | | | certificate, in a |
| | | certificate database. Use the |
| | | -h tokenname |
- | | |            argument to specify |
+ | | | argument to specify |
| | | the certificate database on a |
| | | particular |
- | | |            hardware or |
+ | | | hardware or |
| | | software token. |
- | | |    -M |
- | | |            Modify a |
+ | | | -M |
+ | | | Modify a |
| | | certificate's trust attributes |
| | | using the values of the -t |
- | | |            argument. |
- | | |    -N |
- | | |            Create new |
+ | | | argument. |
+ | | | -N |
+ | | | Create new |
| | | certificate and key databases. |
- | | |    -O |
- | | |            Print the |
+ | | | -O |
+ | | | Print the |
| | | certificate chain. |
- | | |    -R |
- | | |            Create a |
+ | | | -R |
+ | | | Create a |
| | | certificate request file that |
| | | can be submitted to a |
- | | |            Certificate |
+ | | | Certificate |
| | | Authority (CA) for processing |
| | | into a finished |
- | | |            certificate. Output |
+ | | | certificate. Output |
| | | defaults to standard out |
| | | unless you use -o |
- | | |            output-file |
+ | | | output-file |
| | | argument. Use the -a argument |
| | | to specify ASCII output. |
- | | |    -S |
- | | |            Create an |
+ | | | -S |
+ | | | Create an |
| | | individual certificate and add |
| | | it to a certificate |
- | | |            database. |
- | | |    -T |
- | | |            Reset the key |
+ | | | database. |
+ | | | -T |
+ | | | Reset the key |
| | | database or token. |
- | | |    -U |
- | | |            List all available |
+ | | | -U |
+ | | | List all available |
| | | modules or print a single |
| | | named module. |
- | | |    -V |
- | | |            Check the validity |
+ | | | -V |
+ | | | Check the validity |
| | | of a certificate and its |
| | | attributes. |
- | | |    -W |
- | | |            Change the password |
+ | | | -W |
+ | | | Change the password |
| | | to a key database. |
- | | |    --merge |
- | | |            Merge a source |
+ | | | --merge |
+ | | | Merge a source |
| | | database into the target |
| | | database. This is used to |
- | | |            merge legacy NSS |
+ | | | merge legacy NSS |
| | | databases (cert8.db and |
| | | key3.db) into the newer |
- | | |            SQLite databases |
+ | | | SQLite databases |
| | | (cert9.db and key4.db). |
- | | |    --upgrade-merge |
- | | |            Upgrade an old |
+ | | | --upgrade-merge |
+ | | | Upgrade an old |
| | | database and merge it into a |
| | | new database. This is |
- | | |            used to migrate |
+ | | | used to migrate |
| | | legacy NSS databases (cert8.db |
| | | and key3.db) into |
- | | |            the newer SQLite |
+ | | | the newer SQLite |
| | | databases (cert9.db and |
| | | key4.db). |
- | | |    Arguments |
- | | |    Option arguments modify an |
+ | | | Arguments |
+ | | | Option arguments modify an |
| | | action and are lowercase. |
- | | |    -a |
- | | |            Use ASCII format or |
+ | | | -a |
+ | | | Use ASCII format or |
| | | allow the use of ASCII format |
| | | for input or |
- | | |            output. This |
+ | | | output. This |
| | | formatting follows RFC 1113. |
| | | For certificate |
- | | |            requests, ASCII |
+ | | | requests, ASCII |
| | | output defaults to standard |
| | | output unless |
- | | |            redirected. |
- | | |    -b validity-time |
- | | |            Specify a time at |
+ | | | redirected. |
+ | | | -b validity-time |
+ | | | Specify a time at |
| | | which a certificate is |
| | | required to be valid. Use |
- | | |            when checking |
+ | | | when checking |
| | | certificate validity with the |
| | | -V option. The format |
- | | |            of the |
+ | | | of the |
| | | validity-time argument is |
| | | YYMMDDHHMMSS[+HHMM|-HHMM|Z], |
- | | |            which allows |
+ | | | which allows |
| | | offsets to be set relative to |
| | | the validity end time. |
- | | |            Specifying seconds |
+ | | | Specifying seconds |
| | | (SS) is optional. When |
| | | specifying an explicit |
- | | |            time, use a Z at |
+ | | | time, use a Z at |
| | | the end of the term, |
| | | YYMMDDHHMMSSZ, to close it. |
- | | |            When specifying an |
+ | | | When specifying an |
| | | offset time, use |
| | | YYMMDDHHMMSS+HHMM or |
- | | |            YYMMDDHHMMSS-HHMM |
+ | | | YYMMDDHHMMSS-HHMM |
| | | for adding or subtracting |
| | | time, respectively. |
- | | |            If this option is |
+ | | | If this option is |
| | | not used, the validity check |
| | | defaults to the |
- | | |            current system |
+ | | | current system |
| | | time. |
- | | |    -c issuer |
- | | |            Identify the |
+ | | | -c issuer |
+ | | | Identify the |
| | | certificate of the CA from |
| | | which a new certificate |
- | | |            will derive its |
+ | | | will derive its |
| | | authenticity. Use the exact |
| | | nickname or alias of |
- | | |            the CA certificate, |
+ | | | the CA certificate, |
| | | or use the CA's email address. |
| | | Bracket the |
- | | |            issuer string with |
+ | | | issuer string with |
| | | quotation marks if it contains |
| | | spaces. |
- | | |    -d [sql:]directory |
- | | |            Specify the |
+ | | | -d [sql:]directory |
+ | | | Specify the |
| | | database directory containing |
| | | the certificate and key |
- | | |            database files. |
- | | |            certutil supports |
+ | | | database files. |
+ | | | certutil supports |
| | | two types of databases: the |
| | | legacy security |
- | | |            databases |
+ | | | databases |
| | | (cert8.db, key3.db, and |
| | | secmod.db) and new SQLite |
- | | |            databases |
+ | | | databases |
| | | (cert9.db, key4.db, and |
| | | pkcs11.txt). If the prefix |
| | | sql: |
- | | |            is not used, then |
+ | | | is not used, then |
| | | the tool assumes that the |
| | | given databases are in |
- | | |            the old format. |
- | | |    -e |
- | | |            Check a |
+ | | | the old format. |
+ | | | -e |
+ | | | Check a |
| | | certificate's signature during |
| | | the process of validating a |
- | | |            certificate. |
- | | |    -f password-file |
- | | |            Specify a file that |
+ | | | certificate. |
+ | | | -f password-file |
+ | | | Specify a file that |
| | | will automatically supply the |
| | | password to |
- | | |            include in a |
+ | | | include in a |
| | | certificate or to access a |
| | | certificate database. This |
- | | |            is a plain-text |
+ | | | is a plain-text |
| | | file containing one password. |
| | | Be sure to prevent |
- | | |            unauthorized access |
+ | | | unauthorized access |
| | | to this file. |
- | | |    -g keysize |
- | | |            Set a key size to |
+ | | | -g keysize |
+ | | | Set a key size to |
| | | use when generating new public |
| | | and private key |
- | | |            pairs. The minimum |
+ | | | pairs. The minimum |
| | | is 512 bits and the maximum is |
| | | 8192 bits. The |
- | | |            default is 1024 |
+ | | | default is 1024 |
| | | bits. Any size between the |
| | | minimum and maximum is |
- | | |            allowed. |
- | | |    -h tokenname |
- | | |            Specify the name of |
+ | | | allowed. |
+ | | | -h tokenname |
+ | | | Specify the name of |
| | | a token to use or act on. |
| | | Unless specified |
- | | |            otherwise the |
+ | | | otherwise the |
| | | default token is an internal |
| | | slot (specifically, |
- | | |            internal slot 2). |
+ | | | internal slot 2). |
| | | This slot can also be |
| | | explicitly named with the |
- | | |            string "internal". |
+ | | | string "internal". |
| | | An internal slots is a virtual |
| | | slot maintained |
- | | |            in software, rather |
+ | | | in software, rather |
| | | than a hardware device. |
| | | Internal slot 2 is |
- | | |            used by key and |
+ | | | used by key and |
| | | certificate services. Internal |
| | | slot 1 is used by |
- | | |            cryptographic |
+ | | | cryptographic |
| | | services. |
- | | |    -i input_file |
- | | |            Pass an input file |
+ | | | -i input_file |
+ | | | Pass an input file |
| | | to the command. Depending on |
| | | the command |
- | | |            option, an input |
+ | | | option, an input |
| | | file can be a specific |
| | | certificate, a certificate |
- | | |            request file, or a |
+ | | | request file, or a |
| | | batch file of commands. |
- | | |    -k rsa|dsa|ec|all |
- | | |            Specify the type of |
+ | | | -k rsa|dsa|ec|all |
+ | | | Specify the type of |
| | | a key. The valid options are |
| | | RSA, DSA, ECC, or |
- | | |            all. The default |
+ | | | all. The default |
| | | value is rsa. Specifying the |
| | | type of key can |
- | | |            avoid mistakes |
+ | | | avoid mistakes |
| | | caused by duplicate nicknames. |
- | | |    -k key-type-or-id |
- | | |            Specify the type or |
+ | | | -k key-type-or-id |
+ | | | Specify the type or |
| | | specific ID of a key. Giving a |
| | | key type |
- | | |            generates a new key |
+ | | | generates a new key |
| | | pair; giving the ID of an |
| | | existing key reuses |
- | | |            that key pair |
+ | | | that key pair |
| | | (which is required to renew |
| | | certificates). |
- | | |    -l |
- | | |            Display detailed |
+ | | | -l |
+ | | | Display detailed |
| | | information when validating a |
| | | certificate with |
- | | |            the -V option. |
- | | |    -m serial-number |
- | | |            Assign a unique |
+ | | | the -V option. |
+ | | | -m serial-number |
+ | | | Assign a unique |
| | | serial number to a certificate |
| | | being created. This |
- | | |            operation should be |
+ | | | operation should be |
| | | performed by a CA. The default |
| | | serial number |
- | | |            is 0 (zero). Serial |
+ | | | is 0 (zero). Serial |
| | | numbers are limited to |
| | | integers. |
- | | |    -n nickname |
- | | |            Specify the |
+ | | | -n nickname |
+ | | | Specify the |
| | | nickname of a certificate or |
| | | key to list, create, add |
- | | |            to a database, |
+ | | | to a database, |
| | | modify, or validate. Bracket |
| | | the nickname string |
- | | |            with quotation |
+ | | | with quotation |
| | | marks if it contains spaces. |
- | | |    -o output-file |
- | | |            Specify the output |
+ | | | -o output-file |
+ | | | Specify the output |
| | | file name for new certificates |
| | | or binary |
- | | |            certificate |
+ | | | certificate |
| | | requests. Bracket the |
| | | output-file string with |
- | | |            quotation marks if |
+ | | | quotation marks if |
| | | it contains spaces. If this |
| | | argument is not |
- | | |            used the output |
+ | | | used the output |
| | | destination defaults to |
| | | standard output. |
- | | |    -P dbPrefix |
- | | |            Specify the prefix |
+ | | | -P dbPrefix |
+ | | | Specify the prefix |
| | | used on the certificate and |
| | | key database file. |
- | | |            This option is |
+ | | | This option is |
| | | provided as a special case. |
| | | Changing the names of |
- | | |            the certificate and |
+ | | | the certificate and |
| | | key databases is not |
| | | recommended. |
- | | |    -p phone |
- | | |            Specify a contact |
+ | | | -p phone |
+ | | | Specify a contact |
| | | telephone number to include in |
| | | new certificates |
- | | |            or certificate |
+ | | | or certificate |
| | | requests. Bracket this string |
| | | with quotation marks |
- | | |            if it contains |
+ | | | if it contains |
| | | spaces. |
- | | |    -q pqgfile |
- | | |            Read an alternate |
+ | | | -q pqgfile |
+ | | | Read an alternate |
| | | PQG value from the specified |
| | | file when |
- | | |            generating DSA key |
+ | | | generating DSA key |
| | | pairs. If this argument is not |
| | | used, certutil |
- | | |            generates its own |
+ | | | generates its own |
| | | PQG value. PQG files are |
| | | created with a separate |
- | | |            DSA utility. |
- | | |    -q curve-name |
- | | |            Set the elliptic |
+ | | | DSA utility. |
+ | | | -q curve-name |
+ | | | Set the elliptic |
| | | curve name to use when |
| | | generating ECC key pairs. |
- | | |            A complete list of |
+ | | | A complete list of |
| | | ECC curves is given in the |
| | | help (-H). |
- | | |    -r |
- | | |            Display a |
+ | | | -r |
+ | | | Display a |
| | | certificate's binary DER |
| | | encoding when listing |
- | | |            information about |
+ | | | information about |
| | | that certificate with the -L |
| | | option. |
- | | |    -s subject |
- | | |            Identify a |
+ | | | -s subject |
+ | | | Identify a |
| | | particular certificate owner |
| | | for new certificates or |
- | | |            certificate |
+ | | | certificate |
| | | requests. Bracket this string |
| | | with quotation marks if |
- | | |            it contains spaces. |
+ | | | it contains spaces. |
| | | The subject identification |
| | | format follows RFC |
- | | |            #1485. |
- | | |    -t trustargs |
- | | |            Specify the trust |
+ | | | #1485. |
+ | | | -t trustargs |
+ | | | Specify the trust |
| | | attributes to modify in an |
| | | existing certificate |
- | | |            or to apply to a |
+ | | | or to apply to a |
| | | certificate when creating it |
| | | or adding it to a |
- | | |            database. There are |
+ | | | database. There are |
| | | three available trust |
| | | categories for each |
- | | |            certificate, |
+ | | | certificate, |
| | | expressed in the order SSL, |
| | | email, object signing for |
- | | |            each trust setting. |
+ | | | each trust setting. |
| | | In each category position, use |
| | | none, any, or |
- | | |            all of the |
+ | | | all of the |
| | | attribute codes: |
- | | |               o p - Valid peer |
- | | |               o P - Trusted |
+ | | | o p - Valid peer |
+ | | | o P - Trusted |
| | | peer (implies p) |
- | | |               o c - Valid CA |
- | | |               o T - Trusted CA |
+ | | | o c - Valid CA |
+ | | | o T - Trusted CA |
| | | to issue client certificates |
| | | (implies c) |
- | | |               o C - Trusted CA |
+ | | | o C - Trusted CA |
| | | to issue server certificates |
| | | (SSL only) |
- | | |                 (implies c) |
- | | |               o u - |
+ | | | (implies c) |
+ | | | o u - |
| | | Certificate can be used for |
| | | authentication or signing |
- | | |               o w - Send |
+ | | | o w - Send |
| | | warning (use with other |
| | | attributes to include a |
- | | |                 warning when |
+ | | | warning when |
| | | the certificate is used in |
| | | that context) |
- | | |            The attribute codes |
+ | | | The attribute codes |
| | | for the categories are |
| | | separated by commas, |
- | | |            and the entire set |
+ | | | and the entire set |
| | | of attributes enclosed by |
| | | quotation marks. For |
- | | |            example: |
- | | |            -t "TCu,Cu,Tuw" |
- | | |            Use the -L option |
+ | | | example: |
+ | | | -t "TCu,Cu,Tuw" |
+ | | | Use the -L option |
| | | to see a list of the current |
| | | certificates and |
- | | |            trust attributes in |
+ | | | trust attributes in |
| | | a certificate database. |
- | | |    -u certusage |
- | | |            Specify a usage |
+ | | | -u certusage |
+ | | | Specify a usage |
| | | context to apply when |
| | | validating a certificate |
- | | |            with the -V option. |
- | | |            The contexts are |
+ | | | with the -V option. |
+ | | | The contexts are |
| | | the following: |
- | | |               o C (as an SSL |
+ | | | o C (as an SSL |
| | | client) |
- | | |               o V (as an SSL |
+ | | | o V (as an SSL |
| | | server) |
- | | |               o S (as an email |
+ | | | o S (as an email |
| | | signer) |
- | | |               o R (as an email |
+ | | | o R (as an email |
| | | recipient) |
- | | |               o O (as an OCSP |
+ | | | o O (as an OCSP |
| | | status responder) |
- | | |               o J (as an |
+ | | | o J (as an |
| | | object signer) |
- | | |    -v valid-months |
- | | |            Set the number of |
+ | | | -v valid-months |
+ | | | Set the number of |
| | | months a new certificate will |
| | | be valid. The |
- | | |            validity period |
+ | | | validity period |
| | | begins at the current system |
| | | time unless an offset |
- | | |            is added or |
+ | | | is added or |
| | | subtracted with the -w option. |
| | | If this argument is not |
- | | |            used, the default |
+ | | | used, the default |
| | | validity period is three |
| | | months. When this |
- | | |            argument is used, |
+ | | | argument is used, |
| | | the default three-month period |
| | | is automatically |
- | | |            added to any value |
+ | | | added to any value |
| | | given in the valid-month |
| | | argument. For example, |
- | | |            using this option |
+ | | | using this option |
| | | to set a value of 3 would |
| | | cause 3 to be added to |
- | | |            the three-month |
+ | | | the three-month |
| | | default, creating a validity |
| | | period of six months. |
- | | |            You can use |
+ | | | You can use |
| | | negative values to reduce the |
| | | default period. For |
- | | |            example, setting a |
+ | | | example, setting a |
| | | value of -2 would subtract 2 |
| | | from the default |
- | | |            and create a |
+ | | | and create a |
| | | validity period of one month. |
- | | |    -w offset-months |
- | | |            Set an offset from |
+ | | | -w offset-months |
+ | | | Set an offset from |
| | | the current system time, in |
| | | months, for the |
- | | |            beginning of a |
+ | | | beginning of a |
| | | certificate's validity period. |
| | | Use when creating |
- | | |            the certificate or |
+ | | | the certificate or |
| | | adding it to a database. |
| | | Express the offset in |
- | | |            integers, using a |
+ | | | integers, using a |
| | | minus sign (-) to indicate a |
| | | negative offset. If |
- | | |            this argument is |
+ | | | this argument is |
| | | not used, the validity period |
| | | begins at the |
- | | |            current system |
+ | | | current system |
| | | time. The length of the |
| | | validity period is set with |
- | | |            the -v argument. |
- | | |    -X |
- | | |            Force the key and |
+ | | | the -v argument. |
+ | | | -X |
+ | | | Force the key and |
| | | certificate database to open |
| | | in read-write mode. |
- | | |            This is used with |
+ | | | This is used with |
| | | the -U and -L command options. |
- | | |    -x |
- | | |            Use certutil to |
+ | | | -x |
+ | | | Use certutil to |
| | | generate the signature for a |
| | | certificate being |
- | | |            created or added to |
+ | | | created or added to |
| | | a database, rather than |
| | | obtaining a signature |
- | | |            from a separate CA. |
- | | |    -y exp |
- | | |            Set an alternate |
+ | | | from a separate CA. |
+ | | | -y exp |
+ | | | Set an alternate |
| | | exponent value to use in |
| | | generating a new RSA |
- | | |            public key for the |
+ | | | public key for the |
| | | database, instead of the |
| | | default value of |
- | | |            65537. The |
+ | | | 65537. The |
| | | available alternate values are |
| | | 3 and 17. |
- | | |    -z noise-file |
- | | |            Read a seed value |
+ | | | -z noise-file |
+ | | | Read a seed value |
| | | from the specified file to |
| | | generate a new |
- | | |            private and public |
+ | | | private and public |
| | | key pair. This argument makes |
| | | it possible to |
- | | |            use |
+ | | | use |
| | | hardware-generated seed values |
| | | or manually create a value |
| | | from |
- | | |            the keyboard. The |
+ | | | the keyboard. The |
| | | minimum file size is 20 bytes. |
- | | |    -0 SSO_password |
- | | |            Set a site security |
+ | | | -0 SSO_password |
+ | | | Set a site security |
| | | officer password on a token. |
- | | |    -1 \| --keyUsage |
+ | | | -1 \| --keyUsage |
| | | keyword,keyword |
- | | |            Set a Netscape |
+ | | | Set a Netscape |
| | | Certificate Type Extension in |
| | | the certificate. |
- | | |            There are several |
+ | | | There are several |
| | | available keywords: |
- | | |               o digital |
+ | | | o digital |
| | | signature |
- | | |               o nonRepudiation |
- | | |               |
- | | | o keyEncipherment |
- | | |               |
- | | | o dataEncipherment |
- | | |               o keyAgreement |
- | | |               o certSigning |
- | | |               o crlSigning |
- | | |               o critical |
- | | |    -2 |
- | | |            Add a basic |
+ | | | o nonRepudiation |
+ | | | |
+ | | | o keyEncipherment |
+ | | | |
+ | | | o dataEncipherment |
+ | | | o keyAgreement |
+ | | | o certSigning |
+ | | | o crlSigning |
+ | | | o critical |
+ | | | -2 |
+ | | | Add a basic |
| | | constraint extension to a |
| | | certificate that is being |
- | | |            created or added to |
+ | | | created or added to |
| | | a database. This extension |
| | | supports the |
- | | |            certificate chain |
+ | | | certificate chain |
| | | verification process. certutil |
| | | prompts for the |
- | | |            certificate |
+ | | | certificate |
| | | constraint extension to |
| | | select. |
- | | |            X.509 certificate |
+ | | | X.509 certificate |
| | | extensions are described in |
| | | RFC 5280. |
- | | |    -3 |
- | | |            Add an authority |
+ | | | -3 |
+ | | | Add an authority |
| | | key ID extension to a |
| | | certificate that is being |
- | | |            created or added to |
+ | | | created or added to |
| | | a database. This extension |
| | | supports the |
- | | |            identification of a |
+ | | | identification of a |
| | | particular certificate, from |
| | | among multiple |
- | | |            certificates |
+ | | | certificates |
| | | associated with one subject |
| | | name, as the correct |
- | | |            issuer of a |
+ | | | issuer of a |
| | | certificate. The Certificate |
| | | Database Tool will prompt |
- | | |            you to select the |
+ | | | you to select the |
| | | authority key ID extension. |
- | | |            X.509 certificate |
+ | | | X.509 certificate |
| | | extensions are described in |
| | | RFC 5280. |
- | | |    -4 |
- | | |            Add a CRL |
+ | | | -4 |
+ | | | Add a CRL |
| | | distribution point extension |
| | | to a certificate that is |
- | | |            being created or |
+ | | | being created or |
| | | added to a database. This |
| | | extension identifies |
- | | |            the URL of a |
+ | | | the URL of a |
| | | certificate's associated |
| | | certificate revocation list |
- | | |            (CRL). certutil |
+ | | | (CRL). certutil |
| | | prompts for the URL. |
- | | |            X.509 certificate |
+ | | | X.509 certificate |
| | | extensions are described in |
| | | RFC 5280. |
- | | |    -5 \| --nsCertType |
+ | | | -5 \| --nsCertType |
| | | keyword,keyword |
- | | |            Add a Netscape |
+ | | | Add a Netscape |
| | | certificate type extension to |
| | | a certificate that is |
- | | |            being created or |
+ | | | being created or |
| | | added to the database. There |
| | | are several |
- | | |            available keywords: |
- | | |               o sslClient |
- | | |               o sslServer |
- | | |               o smime |
- | | |               o objectSigning |
- | | |               o sslCA |
- | | |               o smimeCA |
- | | |               |
- | | | o objectSigningCA |
- | | |               o critical |
- | | |            X.509 certificate |
+ | | | available keywords: |
+ | | | o sslClient |
+ | | | o sslServer |
+ | | | o smime |
+ | | | o objectSigning |
+ | | | o sslCA |
+ | | | o smimeCA |
+ | | | |
+ | | | o objectSigningCA |
+ | | | o critical |
+ | | | X.509 certificate |
| | | extensions are described in |
| | | RFC 5280. |
- | | |    -6 \| --extKeyUsage |
+ | | | -6 \| --extKeyUsage |
| | | keyword,keyword |
- | | |            Add an extended key |
+ | | | Add an extended key |
| | | usage extension to a |
| | | certificate that is being |
- | | |            created or added to |
+ | | | created or added to |
| | | the database. Several keywords |
| | | are available: |
- | | |               o serverAuth |
- | | |               o clientAuth |
- | | |               o codeSigning |
- | | |               |
- | | | o emailProtection |
- | | |               o timeStamp |
- | | |               o ocspResponder |
- | | |               o stepUp |
- | | |               o critical |
- | | |            X.509 certificate |
+ | | | o serverAuth |
+ | | | o clientAuth |
+ | | | o codeSigning |
+ | | | |
+ | | | o emailProtection |
+ | | | o timeStamp |
+ | | | o ocspResponder |
+ | | | o stepUp |
+ | | | o critical |
+ | | | X.509 certificate |
| | | extensions are described in |
| | | RFC 5280. |
- | | |    -7 emailAddrs |
- | | |            Add a |
+ | | | -7 emailAddrs |
+ | | | Add a |
| | | comma-separated list of email |
| | | addresses to the subject |
- | | |            alternative name |
+ | | | alternative name |
| | | extension of a certificate or |
| | | certificate request |
- | | |            that is being |
+ | | | that is being |
| | | created or added to the |
| | | database. Subject |
- | | |            alternative name |
+ | | | alternative name |
| | | extensions are described in |
| | | Section 4.2.1.7 of |
- | | |            RFC 3280. |
- | | |    -8 dns-names |
- | | |            Add a |
+ | | | RFC 3280. |
+ | | | -8 dns-names |
+ | | | Add a |
| | | comma-separated list of DNS |
| | | names to the subject |
| | | alternative |
- | | |            name extension of a |
+ | | | name extension of a |
| | | certificate or certificate |
| | | request that is |
- | | |            being created or |
+ | | | being created or |
| | | added to the database. Subject |
| | | alternative name |
- | | |            extensions are |
+ | | | extensions are |
| | | described in Section 4.2.1.7 |
| | | of RFC 3280. |
- | | |    --extAIA |
- | | |            Add the Authority |
+ | | | --extAIA |
+ | | | Add the Authority |
| | | Information Access extension |
| | | to the certificate. |
- | | |            X.509 certificate |
+ | | | X.509 certificate |
| | | extensions are described in |
| | | RFC 5280. |
- | | |    --extSIA |
- | | |            Add the Subject |
+ | | | --extSIA |
+ | | | Add the Subject |
| | | Information Access extension |
| | | to the certificate. |
- | | |            X.509 certificate |
+ | | | X.509 certificate |
| | | extensions are described in |
| | | RFC 5280. |
- | | |    --extCP |
- | | |            Add the Certificate |
+ | | | --extCP |
+ | | | Add the Certificate |
| | | Policies extension to the |
| | | certificate. X.509 |
- | | |            certificate |
+ | | | certificate |
| | | extensions are described in |
| | | RFC 5280. |
- | | |    --extPM |
- | | |            Add the Policy |
+ | | | --extPM |
+ | | | Add the Policy |
| | | Mappings extension to the |
| | | certificate. X.509 |
- | | |            certificate |
+ | | | certificate |
| | | extensions are described in |
| | | RFC 5280. |
- | | |    --extPC |
- | | |            Add the Policy |
+ | | | --extPC |
+ | | | Add the Policy |
| | | Constraints extension to the |
| | | certificate. X.509 |
- | | |            certificate |
+ | | | certificate |
| | | extensions are described in |
| | | RFC 5280. |
- | | |    --extIA |
- | | |            Add the Inhibit Any |
+ | | | --extIA |
+ | | | Add the Inhibit Any |
| | | Policy Access extension to the |
| | | certificate. |
- | | |            X.509 certificate |
+ | | | X.509 certificate |
| | | extensions are described in |
| | | RFC 5280. |
- | | |    --extSKID |
- | | |            Add the Subject Key |
+ | | | --extSKID |
+ | | | Add the Subject Key |
| | | ID extension to the |
| | | certificate. X.509 |
- | | |            certificate |
+ | | | certificate |
| | | extensions are described in |
| | | RFC 5280. |
- | | |    --source-dir certdir |
- | | |            Identify the |
+ | | | --source-dir certdir |
+ | | | Identify the |
| | | certificate database directory |
| | | to upgrade. |
- | | |    --source-prefix certdir |
- | | |            Give the prefix of |
+ | | | --source-prefix certdir |
+ | | | Give the prefix of |
| | | the certificate and key |
| | | databases to upgrade. |
- | | |    --upgrade-id uniqueID |
- | | |            Give the unique ID |
+ | | | --upgrade-id uniqueID |
+ | | | Give the unique ID |
| | | of the database to upgrade. |
- | | |    --upgrade-token-name name |
- | | |            Set the name of the |
+ | | | --upgrade-token-name name |
+ | | | Set the name of the |
| | | token to use while it is being |
| | | upgraded. |
- | | |    -@ pwfile |
- | | |            Give the name of a |
+ | | | -@ pwfile |
+ | | | Give the name of a |
| | | password file to use for the |
| | | database being |
- | | |            upgraded. |
+ | | | upgraded. |
| | | Usage and Examples |
- | | |    Most of the command options |
+ | | | Most of the command options |
| | | in the examples listed here |
| | | have more |
- | | |    arguments available. The |
+ | | | arguments available. The |
| | | arguments included in these |
| | | examples are the most |
- | | |    common ones or are used to |
+ | | | common ones or are used to |
| | | illustrate a specific |
| | | scenario. Use the -H |
- | | |    option to show the complete |
+ | | | option to show the complete |
| | | list of arguments for each |
| | | command option. |
- | | |    Creating New Security |
+ | | | Creating New Security |
| | | Databases |
- | | |    Certificates, keys, and |
+ | | | Certificates, keys, and |
| | | security modules related to |
| | | managing certificates |
- | | |    are stored in three related |
+ | | | are stored in three related |
| | | databases: |
- | | |      o cert8.db or cert9.db |
- | | |      o key3.db or key4.db |
- | | |      o secmod.db or pkcs11.txt |
- | | |    These databases must be |
+ | | | o cert8.db or cert9.db |
+ | | | o key3.db or key4.db |
+ | | | o secmod.db or pkcs11.txt |
+ | | | These databases must be |
| | | created before certificates or |
| | | keys can be |
- | | |    generated. |
- | | |  certutil -N -d |
+ | | | generated. |
+ | | | certutil -N -d |
| | | [sql:]directory |
- | | |    Creating a Certificate |
+ | | | Creating a Certificate |
| | | Request |
- | | |    A certificate request |
+ | | | A certificate request |
| | | contains most or all of the |
| | | information that is used |
- | | |    to generate the final |
+ | | | to generate the final |
| | | certificate. This request is |
| | | submitted separately to |
- | | |    a certificate authority and |
+ | | | a certificate authority and |
| | | is then approved by some |
| | | mechanism |
- | | |    (automatically or by human |
+ | | | (automatically or by human |
| | | review). Once the request is |
| | | approved, then the |
- | | |    certificate is generated. |
- | | |  $ certutil -R -k |
+ | | | certificate is generated. |
+ | | | $ certutil -R -k |
| | | key-type-or-id [-q |
| | | pqgfile|curve-name] -g |
| | | key-size -s subject [-h |
| | | tokenname] -d [sql:]directory |
| | | [-p phone] [-o output-file] |
| | | [-a] |
- | | |    The -R command options |
+ | | | The -R command options |
| | | requires four arguments: |
- | | |      o -k to specify either |
+ | | | o -k to specify either |
| | | the key type to generate or, |
| | | when renewing a |
- | | |        certificate, the |
+ | | | certificate, the |
| | | existing key pair to use |
- | | |      o -g to set the keysize |
+ | | | o -g to set the keysize |
| | | of the key to generate |
- | | |      o -s to set the subject |
+ | | | o -s to set the subject |
| | | name of the certificate |
- | | |      o -d to give the security |
+ | | | o -d to give the security |
| | | database directory |
- | | |    The new certificate request |
+ | | | The new certificate request |
| | | can be output in ASCII format |
| | | (-a) or can be |
- | | |    written to a specified file |
+ | | | written to a specified file |
| | | (-o). |
- | | |    For example: |
- | | |  $ certutil -R -k ec -q |
+ | | | For example: |
+ | | | $ certutil -R -k ec -q |
| | | nistb409 -g 512 -s "CN=John |
| | | Smith,O=Example |
| | | Corp,L=Mountain |
| | | View,ST=California,C=US" -d |
| | | sql:/home/my/sharednssdb -p |
| | | 650-555-0123 -a -o cert.cer |
- | | |  Generating key.  This may |
+ | | | Generating key. This may |
| | | take a few moments... |
- | | |  Certificate request generated |
+ | | | Certificate request generated |
| | | by Netscape |
- | | |  Phone: 650-555-0123 |
- | | |  Common Name: John Smith |
- | | |  Email: (not ed) |
- | | |  Organization: Example Corp |
- | | |  State: California |
- | | |  Country: US |
- | | |  -----BEGIN NEW CERTIFICATE |
+ | | | Phone: 650-555-0123 |
+ | | | Common Name: John Smith |
+ | | | Email: (not ed) |
+ | | | Organization: Example Corp |
+ | | | State: California |
+ | | | Country: US |
+ | | | -----BEGIN NEW CERTIFICATE |
| | | REQUEST----- |
- | | |  MIIB |
+ | | | MIIB |
| | | IDCBywIBADBmMQswCQYDVQQGEwJVUz |
| | | ETMBEGA1UECBMKQ2FsaWZvcm5pYTEW |
- | | |  MBQG |
+ | | | MBQG |
| | | A1UEBxMNTW91bnRhaW4gVmlldzEVMB |
| | | MGA1UEChMMRXhhbXBsZSBDb3JwMRMw |
- | | |  EQYD |
+ | | | EQYD |
| | | VQQDEwpKb2huIFNtaXRoMFwwDQYJKo |
| | | ZIhvcNAQEBBQADSwAwSAJBAMVUpDOZ |
- | | |  KmHn |
+ | | | KmHn |
| | | Ox7reP8Cc0Lk+fFWEuYIDX9W5K/Bio |
| | | QOKvEjXyQZhit9aThzBVMoSf1Y1S8J |
- | | |  CzdU |
+ | | | CzdU |
| | | bCg1+IbnXaECAwEAAaAAMA0GCSqGSI |
| | | b3DQEBBQUAA0EAryqZvpYrUtQ486Ny |
- | | |  qmty |
+ | | | qmty |
| | | QNjIi1F8c1Z+TL4uFYlMg8z6LG/J/u |
| | | 1E5t1QqB5e9Q4+BhRbrQjRR1JZx3tB |
- | | |  1hP9Gg== |
- | | |  -----END NEW CERTIFICATE |
+ | | | 1hP9Gg== |
+ | | | -----END NEW CERTIFICATE |
| | | REQUEST----- |
- | | |    Creating a Certificate |
- | | |    A valid certificate must be |
+ | | | Creating a Certificate |
+ | | | A valid certificate must be |
| | | issued by a trusted CA. This |
| | | can be done by |
- | | |    specifying a CA certificate |
+ | | | specifying a CA certificate |
| | | (-c) that is stored in the |
| | | certificate |
- | | |    database. If a CA key pair |
+ | | | database. If a CA key pair |
| | | is not available, you can |
| | | create a self-signed |
- | | |    certificate using the -x |
+ | | | certificate using the -x |
| | | argument with the -S command |
| | | option. |
- | | |  $ certutil -S -k rsa|dsa|ec |
+ | | | $ certutil -S -k rsa|dsa|ec |
| | | -n certname -s subject [-c |
| | | issuer \|-x] -t trustargs -d |
| | | [sql:]directory [-m |
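Review bot: stripping the leading indentation in this hunk removes the only cue that separated option names from their descriptions in the transcribed man page, so from `-q pqgfile` onward each option name (`-q pqgfile`, `-r`, `-s subject`, `-t trustargs`, ...) and its description line (`Read an alternate`, `Display a`, ...) now sit at the same level, and the nested `o p - Valid peer` / `o P - Trusted` bullets under `-t trustargs` and the keyword lists under `-1`, `-5` and `-6` lose their nesting. Since these cells are already grid-table columns, the rendered table will read as one undifferentiated run of text; either keep a fixed indent for the description and bullet lines or move the option list out of the table into an RST definition list. Two smaller things in the same hunk: the `-q` option is documented twice with different arguments (`-q pqgfile` for DSA and `-q curve-name` for ECC), which is worth stating as one entry with both forms, and the sample output line `Email: (not ed)` looks truncated and should be checked against what certutil actually prints.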
@@ -5690,40 +5690,40 @@ Index
| | | [--extSIA] [--extCP] [--extPM] |
| | | [--extPC] [--extIA] |
| | | [--extSKID] |
- | | |    The series of numbers and |
+ | | | The series of numbers and |
| | | --ext\* options set |
| | | certificate extensions that |
- | | |    can be added to the |
+ | | | can be added to the |
| | | certificate when it is |
| | | generated by the CA. |
- | | |    For example, this creates a |
+ | | | For example, this creates a |
| | | self-signed certificate: |
- | | |  $ certutil -S -s "CN=Example |
+ | | | $ certutil -S -s "CN=Example |
| | | CA" -n my-ca-cert -x -t |
| | | "C,C,C" -1 -2 -5 -m 3650 |
- | | |    From there, new |
+ | | | From there, new |
| | | certificates can reference the |
| | | self-signed certificate: |
- | | |  $ certutil -S -s "CN=My |
+ | | | $ certutil -S -s "CN=My |
| | | Server Cert" -n my-server-cert |
| | | -c "my-ca-cert" -t "u,u,u" -1 |
| | | -5 -6 -8 -m 730 |
- | | |    Generating a Certificate |
+ | | | Generating a Certificate |
| | | from a Certificate Request |
- | | |    When a certificate request |
+ | | | When a certificate request |
| | | is created, a certificate can |
| | | be generated by |
- | | |    using the request and then |
+ | | | using the request and then |
| | | referencing a certificate |
| | | authority signing |
- | | |    certificate (the issuer |
+ | | | certificate (the issuer |
| | | specified in the -c argument). |
| | | The issuing |
- | | |    certificate must be in the |
+ | | | certificate must be in the |
| | | certificate database in the |
| | | specified |
- | | |    directory. |
- | | |  certutil -C -c issuer -i |
+ | | | directory. |
+ | | | certutil -C -c issuer -i |
| | | cert-request-file -o |
| | | output-file [-m serial-number] |
| | | [-v valid-months] [-w |
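Review bot: the two `-S` examples in this hunk pass `-m 3650` and `-m 730`, which read as validity periods in days, but the `-C` synopsis at the end of this same hunk documents `-m` as `[-m serial-number]` and the validity length is set with `-v valid-months`, so the examples either set an odd serial number or mean `-v` and should say so. Separately, flattening the two-space indent on the `$ certutil -S ...` lines makes the commands indistinguishable from the surrounding prose inside the table cell; the examples would be clearer in a literal block (`::`) outside the grid table.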
@@ -5732,8 +5732,8 @@ Index
| | | [-4] [-5 keyword] [-6 keyword] |
| | | [-7 emailAddress] [-8 |
| | | dns-names] |
- | | |    For example: |
- | | |  $ certutil -C -c "my-ca-cert" |
+ | | | For example: |
+ | | | $ certutil -C -c "my-ca-cert" |
| | | -i /home/certs/cert.req -o |
| | | cert.cer -m 010 -v 12 -w 1 -d |
| | | sql:/home/my/sharednssdb -1 |
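Review bot: the `-C` example command in this hunk is broken mid-token by the table cell width: the cell ends at `-1 |` and the continuation in the following hunk begins `onRepudiation,dataEncipherment`, so the rendered example loses the start of the `nonRepudiation` keyword list. Re-indenting the cell does not fix this; the example command (and the `-R`, `-S` and `-G` examples around it) should live in an RST literal block outside the grid table, where long lines are not wrapped inside a keyword.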
@@ -5741,330 +5741,330 @@ Index
| | | onRepudiation,dataEncipherment |
| | | -5 sslClient -6 clientAuth -7 |
| | | jsmith@example.com |
- | | |    Generating Key Pairs |
- | | |    Key pairs are generated |
+ | | | Generating Key Pairs |
+ | | | Key pairs are generated |
| | | automatically with a |
| | | certificate request or |
- | | |    certificate, but they can |
+ | | | certificate, but they can |
| | | also be generated |
| | | independently using the -G |
- | | |    command option. |
- | | |  certutil -G -d |
+ | | | command option. |
+ | | | certutil -G -d |
| | | [sql:]directory \| -h |
| | | tokenname -k key-type -g |
| | | key-size [-y exponent-value] |
| | | -q pqgfile|curve-name |
- | | |    For example: |
- | | |  $ certutil -G -h lunasa -k ec |
+ | | | For example: |
+ | | | $ certutil -G -h lunasa -k ec |
| | | -g 256 -q sect193r2 |
- | | |    Listing Certificates |
- | | |    The -L command option lists |
+ | | | Listing Certificates |
+ | | | The -L command option lists |
| | | all of the certificates listed |
| | | in the |
- | | |    certificate database. The |
+ | | | certificate database. The |
| | | path to the directory (-d) is |
| | | required. |
- | | |  $ certutil -L -d |
+ | | | $ certutil -L -d |
| | | sql:/home/my/sharednssdb |
- | | |  Certificate |
- | | | Nickname           |
- | | |                                |
+ | | | Certificate |
+ | | | Nickname |
+ | | | |
| | | Trust Attributes |
- | | |   |
- | | |                                |
- | | |                                |
+ | | | |
+ | | | |
+ | | | |
| | | SSL,S/MIME,JAR/XPI |
- | | |  CA Administrator of Instance |
+ | | | CA Administrator of Instance |
| | | pki-ca1's Example Domain |
- | | | ID     u,u,u |
- | | |  TPS Administrator's Example |
+ | | | ID u,u,u |
+ | | | TPS Administrator's Example |
| | | Domain |
- | | | ID                        |
+ | | | ID |
| | | u,u,u |
- | | |  Google Internet |
- | | | Authority      |
- | | |                                |
+ | | | Google Internet |
+ | | | Authority |
+ | | | |
| | | ,, |
- | | |  Certificate Authority - |
+ | | | Certificate Authority - |
| | | Example |
- | | | Domain                       |
+ | | | Domain |
| | | CT,C,C |
- | | |    Using additional arguments |
+ | | | Using additional arguments |
| | | with -L can return and print |
| | | the information |
- | | |    for a single, specific |
+ | | | for a single, specific |
| | | certificate. For example, the |
| | | -n argument passes |
- | | |    the certificate name, while |
+ | | | the certificate name, while |
| | | the -a argument prints the |
| | | certificate in |
- | | |    ASCII format: |
- | | |  $ certutil -L -d |
+ | | | ASCII format: |
+ | | | $ certutil -L -d |
| | | sql:/home/my/sharednssdb -a -n |
| | | "Certificate Authority - |
| | | Example Domain" |
- | | |  -----BEGIN CERTIFICATE----- |
- | | |  MIID |
+ | | | -----BEGIN CERTIFICATE----- |
+ | | | MIID |
| | | mTCCAoGgAwIBAgIBATANBgkqhkiG9w |
| | | 0BAQUFADA5MRcwFQYDVQQKEw5FeGFt |
- | | |  cGxl |
+ | | | cGxl |
| | | IERvbWFpbjEeMBwGA1UEAxMVQ2VydG |
| | | lmaWNhdGUgQXV0aG9yaXR5MB4XDTEw |
- | | |  MDQy |
+ | | | MDQy |
| | | OTIxNTY1OFoXDTEyMDQxODIxNTY1OF |
| | | owOTEXMBUGA1UEChMORXhhbXBsZSBE |
- | | |  b21h |
+ | | | b21h |
| | | aW4xHjAcBgNVBAMTFUNlcnRpZmljYX |
| | | RlIEF1dGhvcml0eTCCASIwDQYJKoZI |
- | | |  hvcN |
+ | | | hvcN |
| | | AQEBBQADggEPADCCAQoCggEBAO/bqU |
| | | li2KwqXFKmMMG93KN1SANzNTXA/Vlf |
- | | |  Tmri |
+ | | | Tmri |
| | | h3hQgjvR1ktIY9aG6cB7DSKWmtHp/+ |
| | | p4PUCMqL4ZrSGt901qxkePyZ2dYmM2 |
- | | |  Rnel |
+ | | | Rnel |
| | | K+SEUIPiUtoZaDhNdiYsE/yuDE8vQW |
| | | j0vHCVL0w72qFUcSQ/WZT7FCrnUIUI |
- | | |  udeW |
+ | | | udeW |
| | | noPSUn70gLhcj/lvxl7K9BHyD4Sq5C |
| | | zktwYtFWLiiwV+ZY/Fl6JgbGaQyQB2 |
- | | |  bP4i |
+ | | | bP4i |
| | | RMfloGqsxGuB1evWVDF1haGpFDSPgM |
| | | nEPSLg3/3dXn+HDJbZ29EU8/xKzQEb |
- | | |  3V0A |
+ | | | 3V0A |
| | | HKbu80zGllLEt2Zx/WDIrgJEN9yMfg |
| | | KFpcmL+BvIRsmh0VsCAwEAAaOBqzCB |
- | | |  qDAf |
+ | | | qDAf |
| | | BgNVHSMEGDAWgBQATgxHQyRUfKIZtd |
| | | p55bZlFr+tFzAPBgNVHRMBAf8EBTAD |
- | | |  AQH/ |
+ | | | AQH/ |
| | | MA4GA1UdDwEB/wQEAwIBxjAdBgNVHQ |
| | | 4EFgQUAE4MR0MkVHyiGbXaeeW2ZRa/ |
- | | |  rRcw |
+ | | | rRcw |
| | | RQYIKwYBBQUHAQEEOTA3MDUGCCsGAQ |
| | | UFBzABhilodHRwOi8vbG9jYWxob3N0 |
- | | |  Lmxv |
+ | | | Lmxv |
| | | Y2FsZG9tYWluOjkxODAvY2Evb2NzcD |
| | | ANBgkqhkiG9w0BAQUFAAOCAQEAi8Gk |
- | | |  L3XO |
+ | | | L3XO |
| | | 43u7/TDOeEsWPmq+jZsDZ3GZ85Ajt3 |
| | | KROLWeKVZZZa2E2Hnsvf2uXbk5amKe |
- | | |  lRxd |
+ | | | lRxd |
| | | SeRH9g85pv4KY7Z8xZ71NrI3+K3uwm |
| | | nqkc6t0hhYb1mw/gx8OAAoluQx3biX |
- | | |  JBDx |
+ | | | JBDx |
| | | jI73Cf7XUopplHBjjiwyGIJUO8BEZJ |
| | | 5L+TF4P38MJz1snLtzZpEAX5bl0U76 |
- | | |  bfu/ |
+ | | | bfu/ |
| | | tZFWBbE8YAWYtkCtMcalBPj6jn2WD3 |
| | | M01kGozW4mmbvsj1cRB9HnsGsqyHCu |
- | | |  U0uj |
+ | | | U0uj |
| | | lL1H/RWcjn607+CTeKH9jLMUqCIqPJ |
| | | NOa+kq/6F7NhNRRiuzASIbZc30BZ5a |
- | | |  nI7q5n1USM3eWQlVXw== |
- | | |  -----END CERTIFICATE----- |
- | | |    Listing Keys |
- | | |    Keys are the original |
+ | | | nI7q5n1USM3eWQlVXw== |
+ | | | -----END CERTIFICATE----- |
+ | | | Listing Keys |
+ | | | Keys are the original |
| | | material used to encrypt |
| | | certificate data. The keys |
- | | |    generated for certificates |
+ | | | generated for certificates |
| | | are stored separately, in the |
| | | key database. |
- | | |    To list all keys in the |
+ | | | To list all keys in the |
| | | database, use the -K command |
| | | option and the |
- | | |    (required) -d argument to |
+ | | | (required) -d argument to |
| | | give the path to the |
| | | directory. |
- | | |  $ certutil -K -d |
+ | | | $ certutil -K -d |
| | | sql:/home/my/sharednssdb |
- | | |  certutil: Checking token "NSS |
+ | | | certutil: Checking token "NSS |
| | | Certificate DB" in slot "NSS |
| | | User Private Key and |
| | | Certificate |
- | | | Services                  " |
- | | |  < 0> rsa      |
+ | | | Services " |
+ | | | < 0> rsa |
| | | 455a6673bde9 |
- | | | 375c2887ec8bf8016b3f9f35861d   |
+ | | | 375c2887ec8bf8016b3f9f35861d |
| | | Thawte Freemail Member's |
| | | Thawte Consulting (Pty) Ltd. |
| | | ID |
- | | |  < 1> rsa      |
+ | | | < 1> rsa |
| | | 40defeeb522a |
- | | | de11090eacebaaf1196a172127df   |
+ | | | de11090eacebaaf1196a172127df |
| | | Example Domain Administrator |
| | | Cert |
- | | |  < 2> rsa      |
+ | | | < 2> rsa |
| | | 1d0b06f44f6c |
- | | | 03842f7d4f4a1dc78b3bcd1b85a5   |
+ | | | 03842f7d4f4a1dc78b3bcd1b85a5 |
| | | John Smith user cert |
- | | |    There are ways to narrow |
+ | | | There are ways to narrow |
| | | the keys listed in the search |
| | | results: |
- | | |      o To return a specific |
+ | | | o To return a specific |
| | | key, use the -n name argument |
| | | with the name of |
- | | |        the key. |
- | | |      o If there are multiple |
+ | | | the key. |
+ | | | o If there are multiple |
| | | security devices loaded, then |
| | | the -h tokenname |
- | | |        argument can search a |
+ | | | argument can search a |
| | | specific token or all tokens. |
- | | |      o If there are multiple |
+ | | | o If there are multiple |
| | | key types available, then the |
| | | -k key-type |
- | | |        argument can search a |
+ | | | argument can search a |
| | | specific type of key, like |
| | | RSA, DSA, or ECC. |
- | | |    Listing Security Modules |
- | | |    The devices that can be |
+ | | | Listing Security Modules |
+ | | | The devices that can be |
| | | used to store certificates -- |
| | | both internal |
- | | |    databases and external |
+ | | | databases and external |
| | | devices like smart cards -- |
| | | are recognized and used |
- | | |    by loading security |
+ | | | by loading security |
| | | modules. The -U command option |
| | | lists all of the |
- | | |    security modules listed in |
+ | | | security modules listed in |
| | | the secmod.db database. The |
| | | path to the |
- | | |    directory (-d) is required. |
- | | |  $ certutil -U -d |
+ | | | directory (-d) is required. |
+ | | | $ certutil -U -d |
| | | sql:/home/my/sharednssdb |
- | | |      slot: NSS User Private |
+ | | | slot: NSS User Private |
| | | Key and Certificate Services |
- | | |     token: NSS Certificate DB |
- | | |      slot: NSS Internal |
+ | | | token: NSS Certificate DB |
+ | | | slot: NSS Internal |
| | | Cryptographic Services |
- | | |     token: NSS Generic Crypto |
+ | | | token: NSS Generic Crypto |
| | | Services |
- | | |    Adding Certificates to the |
+ | | | Adding Certificates to the |
| | | Database |
- | | |    Existing certificates or |
+ | | | Existing certificates or |
| | | certificate requests can be |
| | | added manually to the |
- | | |    certificate database, even |
+ | | | certificate database, even |
| | | if they were generated |
| | | elsewhere. This uses the |
- | | |    -A command option. |
- | | |  certutil -A -n certname -t |
+ | | | -A command option. |
+ | | | certutil -A -n certname -t |
| | | trustargs -d [sql:]directory |
| | | [-a] [-i input-file] |
- | | |    For example: |
- | | |  $ certutil -A -n "CN=My SSL |
+ | | | For example: |
+ | | | $ certutil -A -n "CN=My SSL |
| | | Certificate" -t "u,u,u" -d |
| | | sql:/home/my/sharednssdb -i |
| | | /home/example-certs/cert.cer |
- | | |    A related command option, |
+ | | | A related command option, |
| | | -E, is used specifically to |
| | | add email |
- | | |    certificates to the |
+ | | | certificates to the |
| | | certificate database. The -E |
| | | command has the same |
- | | |    arguments as the -A |
+ | | | arguments as the -A |
| | | command. The trust arguments |
| | | for certificates have the |
- | | |    format |
+ | | | format |
| | | SSL,S/MIME,Code-signing, so |
| | | the middle trust settings |
| | | relate most |
- | | |    to email certificates |
+ | | | to email certificates |
| | | (though the others can be |
| | | set). For example: |
- | | |  $ certutil -E -n "CN=John |
+ | | | $ certutil -E -n "CN=John |
| | | Smith Email Cert" -t ",Pu," -d |
| | | sql:/home/my/sharednssdb -i |
| | | /home/example-certs/email.cer |
- | | |    Deleting Certificates to |
+ | | | Deleting Certificates to |
| | | the Database |
- | | |    Certificates can be deleted |
+ | | | Certificates can be deleted |
| | | from a database using the -D |
| | | option. The only |
- | | |    required options are to |
+ | | | required options are to |
| | | give the security database |
| | | directory and to |
- | | |    identify the certificate |
+ | | | identify the certificate |
| | | nickname. |
- | | |  certutil -D -d |
+ | | | certutil -D -d |
| | | [sql:]directory -n "nickname" |
- | | |    For example: |
- | | |  $ certutil -D -d |
+ | | | For example: |
+ | | | $ certutil -D -d |
| | | sql:/home/my/sharednssdb -n |
| | | "my-ssl-cert" |
- | | |    Validating Certificates |
- | | |    A certificate contains an |
+ | | | Validating Certificates |
+ | | | A certificate contains an |
| | | expiration date in itself, and |
| | | expired |
- | | |    certificates are easily |
+ | | | certificates are easily |
| | | rejected. However, |
| | | certificates can also be |
- | | |    revoked before they hit |
+ | | | revoked before they hit |
| | | their expiration date. |
| | | Checking whether a |
- | | |    certificate has been |
+ | | | certificate has been |
| | | revoked requires validating |
| | | the certificate. |
- | | |    Validation can also be used |
+ | | | Validation can also be used |
| | | to ensure that the certificate |
| | | is only used |
- | | |    for the purposes it was |
+ | | | for the purposes it was |
| | | initially issued for. |
| | | Validation is carried out by |
- | | |    the -V command option. |
- | | |  certutil -V -n |
+ | | | the -V command option. |
+ | | | certutil -V -n |
| | | certificate-name [-b time] |
| | | [-e] [-u cert-usage] -d |
| | | [sql:]directory |
- | | |    For example, to validate an |
+ | | | For example, to validate an |
| | | email certificate: |
- | | |  $ certutil -V -n "John |
+ | | | $ certutil -V -n "John |
| | | Smith's Email Cert" -e -u S,R |
| | | -d sql:/home/my/sharednssdb |
- | | |    Modifying Certificate Trust |
+ | | | Modifying Certificate Trust |
| | | Settings |
- | | |    The trust settings (which |
+ | | | The trust settings (which |
| | | relate to the operations that |
| | | a certificate is |
- | | |    allowed to be used for) can |
+ | | | allowed to be used for) can |
| | | be changed after a certificate |
| | | is created or |
- | | |    added to the database. This |
+ | | | added to the database. This |
| | | is especially useful for CA |
| | | certificates, but |
- | | |    it can be performed for any |
+ | | | it can be performed for any |
| | | type of certificate. |
- | | |  certutil -M -n |
+ | | | certutil -M -n |
| | | certificate-name -t trust-args |
| | | -d [sql:]directory |
- | | |    For example: |
- | | |  $ certutil -M -n "My CA |
+ | | | For example: |
+ | | | $ certutil -M -n "My CA |
| | | Certificate" -d |
| | | sql:/home/my/sharednssdb -t |
| | | "CTu,CTu,CTu" |
- | | |    Printing the Certificate |
+ | | | Printing the Certificate |
| | | Chain |
- | | |    Certificates can be issued |
+ | | | Certificates can be issued |
| | | in chains because every |
| | | certificate authority |
- | | |    itself has a certificate; |
+ | | | itself has a certificate; |
| | | when a CA issues a |
| | | certificate, it essentially |
- | | |    stamps that certificate |
+ | | | stamps that certificate |
| | | with its own fingerprint. The |
| | | -O prints the full |
- | | |    chain of a certificate, |
+ | | | chain of a certificate, |
| | | going from the initial CA (the |
| | | root CA) through |
- | | |    ever intermediary CA to the |
+ | | | ever intermediary CA to the |
| | | actual certificate. For |
| | | example, for an email |
- | | |    certificate with two CAs in |
+ | | | certificate with two CAs in |
| | | the chain: |
- | | |  $ certutil -d |
+ | | | $ certutil -d |
| | | sql:/home/my/sharednssdb -O -n |
| | | "jsmith@example.com" |
- | | |  "Builtin Object Token:Thawte |
+ | | | "Builtin Object Token:Thawte |
| | | Personal Freemail CA" |
| | | [E=personal |
| | | -freemail@thawte.com,CN=Thawte |
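Review bot: trimming every leading space inside these grid-table cells discards the relative indentation that encoded the man page's structure, so the nested items become indistinguishable from body text. In this hunk the bullets `o To return a specific` / `o If there are multiple` and their continuation `the key.` were indented deeper than the paragraph "There are ways to narrow the keys listed in the search results:", and the command output `slot: NSS User Private` / `token: NSS Certificate DB` was indented under `$ certutil -U -d`; after the change all of them sit flush with the prose, and the same happens to the sub-headings ("Listing Security Modules", "Adding Certificates to the Database") that were set off by a three-space indent. Suggest stripping only the common three-space margin (so `o` items keep a two-space indent and continuation lines keep their extra indent) or, better, restructuring these cells as RST bullet lists and literal blocks, which renders correctly regardless of whitespace. Removing the trailing spaces on lines such as `de11090eacebaaf1196a172127df   ` is fine. While here, the heading "Deleting Certificates to the Database" should read "from the Database", and "ever intermediary CA" should read "every intermediate CA".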
@@ -6073,280 +6073,280 @@ Index
| | | Division,O=Thawte |
| | | Consulting,L=Cape |
| | | Town,ST=Western Cape,C=ZA] |
- | | |    "Thawte Personal Freemail |
+ | | | "Thawte Personal Freemail |
| | | Issuing CA - Thawte |
| | | Consulting" [CN=Thawte |
| | | Personal Freemail Issuing |
| | | CA,O=Thawte Consulting (Pty) |
| | | Ltd.,C=ZA] |
- | | |      "(null)" |
+ | | | "(null)" |
| | | [ |
| | | E=jsmith@example.com,CN=Thawte |
| | | Freemail Member] |
- | | |    Resetting a Token |
- | | |    The device which stores |
+ | | | Resetting a Token |
+ | | | The device which stores |
| | | certificates -- both external |
| | | hardware devices and |
- | | |    internal software databases |
+ | | | internal software databases |
| | | -- can be blanked and reused. |
| | | This operation |
- | | |    is performed on the device |
+ | | | is performed on the device |
| | | which stores the data, not |
| | | directly on the |
- | | |    security databases, so the |
+ | | | security databases, so the |
| | | location must be referenced |
| | | through the token |
- | | |    name (-h) as well as any |
+ | | | name (-h) as well as any |
| | | directory path. If there is no |
| | | external token |
- | | |    used, the default value is |
+ | | | used, the default value is |
| | | internal. |
- | | |  certutil -T -d |
+ | | | certutil -T -d |
| | | [sql:]directory -h token-name |
| | | -0 security-officer-password |
- | | |    Many networks have |
+ | | | Many networks have |
| | | dedicated personnel who handle |
| | | changes to security |
- | | |    tokens (the security |
+ | | | tokens (the security |
| | | officer). This person must |
| | | supply the password to |
- | | |    access the specified token. |
+ | | | access the specified token. |
| | | For example: |
- | | |  $ certutil -T -d |
+ | | | $ certutil -T -d |
| | | sql:/home/my/sharednssdb -h |
| | | nethsm -0 secret |
- | | |    Upgrading or Merging the |
+ | | | Upgrading or Merging the |
| | | Security Databases |
- | | |    Many networks or |
+ | | | Many networks or |
| | | applications may be using |
| | | older BerkeleyDB versions of |
- | | |    the certificate database |
+ | | | the certificate database |
| | | (cert8.db). Databases can be |
| | | upgraded to the new |
- | | |    SQLite version of the |
+ | | | SQLite version of the |
| | | database (cert9.db) using the |
| | | --upgrade-merge |
- | | |    command option or existing |
+ | | | command option or existing |
| | | databases can be merged with |
| | | the new cert9.db |
- | | |    databases using the |
+ | | | databases using the |
| | | ---merge command. |
- | | |    The --upgrade-merge command |
+ | | | The --upgrade-merge command |
| | | must give information about |
| | | the original |
- | | |    database and then use the |
+ | | | database and then use the |
| | | standard arguments (like -d) |
| | | to give the |
- | | |    information about the new |
+ | | | information about the new |
| | | databases. The command also |
| | | requires information |
- | | |    that the tool uses for the |
+ | | | that the tool uses for the |
| | | process to upgrade and write |
| | | over the original |
- | | |    database. |
- | | |  certutil --upgrade-merge -d |
+ | | | database. |
+ | | | certutil --upgrade-merge -d |
| | | [sql:]directory [-P dbprefix] |
| | | --source-dir directory |
| | | --source-prefix dbprefix |
| | | --upgrade-id id |
| | | --upgrade-token-name name [-@ |
| | | password-file] |
- | | |    For example: |
- | | |  $ certutil --upgrade-merge -d |
+ | | | For example: |
+ | | | $ certutil --upgrade-merge -d |
| | | sql:/home/my/sharednssdb |
| | | --source-dir |
| | | /opt/my-app/alias/ |
| | | --source-prefix serverapp- |
| | | --upgrade-id 1 |
| | | --upgrade-token-name internal |
- | | |    The --merge command only |
+ | | | The --merge command only |
| | | requires information about the |
| | | location of the |
- | | |    original database; since it |
+ | | | original database; since it |
| | | doesn't change the format of |
| | | the database, it |
- | | |    can write over information |
+ | | | can write over information |
| | | without performing interim |
| | | step. |
- | | |  certutil --merge -d |
+ | | | certutil --merge -d |
| | | [sql:]directory [-P dbprefix] |
| | | --source-dir directory |
| | | --source-prefix dbprefix [-@ |
| | | password-file] |
- | | |    For example: |
- | | |  $ certutil --merge -d |
+ | | | For example: |
+ | | | $ certutil --merge -d |
| | | sql:/home/my/sharednssdb |
| | | --source-dir |
| | | /opt/my-app/alias/ |
| | | --source-prefix serverapp- |
- | | |    Running certutil Commands |
+ | | | Running certutil Commands |
| | | from a Batch File |
- | | |    A series of commands can be |
+ | | | A series of commands can be |
| | | run sequentially from a text |
| | | file with the -B |
- | | |    command option. The only |
+ | | | command option. The only |
| | | argument for this specifies |
| | | the input file. |
- | | |  $ certutil -B -i |
+ | | | $ certutil -B -i |
| | | /path/to/batch-file |
| | | NSS Database Types |
- | | |    NSS originally used |
+ | | | NSS originally used |
| | | BerkeleyDB databases to store |
| | | security information. |
- | | |    The last versions of these |
+ | | | The last versions of these |
| | | legacy databases are: |
- | | |      o cert8.db for |
+ | | | o cert8.db for |
| | | certificates |
- | | |      o key3.db for keys |
- | | |      o secmod.db for PKCS #11 |
+ | | | o key3.db for keys |
+ | | | o secmod.db for PKCS #11 |
| | | module information |
- | | |    BerkeleyDB has performance |
+ | | | BerkeleyDB has performance |
| | | limitations, though, which |
| | | prevent it from |
- | | |    being easily used by |
+ | | | being easily used by |
| | | multiple applications |
| | | simultaneously. NSS has some |
- | | |    flexibility that allows |
+ | | | flexibility that allows |
| | | applications to use their own, |
| | | independent |
- | | |    database engine while |
+ | | | database engine while |
| | | keeping a shared database and |
| | | working around the |
- | | |    access issues. Still, NSS |
+ | | | access issues. Still, NSS |
| | | requires more flexibility to |
| | | provide a truly |
- | | |    shared security database. |
- | | |    In 2009, NSS introduced a |
+ | | | shared security database. |
+ | | | In 2009, NSS introduced a |
| | | new set of databases that are |
| | | SQLite databases |
- | | |    rather than BerkleyDB. |
+ | | | rather than BerkleyDB. |
| | | These new databases provide |
| | | more accessibility and |
- | | |    performance: |
- | | |      o cert9.db for |
+ | | | performance: |
+ | | | o cert9.db for |
| | | certificates |
- | | |      o key4.db for keys |
- | | |      o pkcs11.txt, which is |
+ | | | o key4.db for keys |
+ | | | o pkcs11.txt, which is |
| | | listing of all of the PKCS #11 |
| | | modules contained |
- | | |        in a new subdirectory |
+ | | | in a new subdirectory |
| | | in the security databases |
| | | directory |
- | | |    Because the SQLite |
+ | | | Because the SQLite |
| | | databases are designed to be |
| | | shared, these are the |
- | | |    shared database type. The |
+ | | | shared database type. The |
| | | shared database type is |
| | | preferred; the legacy |
- | | |    format is included for |
+ | | | format is included for |
| | | backward compatibility. |
- | | |    By default, the tools |
+ | | | By default, the tools |
| | | (certutil, pk12util, modutil) |
| | | assume that the given |
- | | |    security databases follow |
+ | | | security databases follow |
| | | the more common legacy type. |
| | | Using the SQLite |
- | | |    databases must be manually |
+ | | | databases must be manually |
| | | specified by using the sql: |
| | | prefix with the |
- | | |    given security directory. |
+ | | | given security directory. |
| | | For example: |
- | | |  $ certutil -L -d |
+ | | | $ certutil -L -d |
| | | sql:/home/my/sharednssdb |
- | | |    To set the shared database |
+ | | | To set the shared database |
| | | type as the default type for |
| | | the tools, set the |
- | | |    NSS_DEFAULT_DB_TYPE |
+ | | | NSS_DEFAULT_DB_TYPE |
| | | environment variable to sql: |
- | | |  export |
+ | | | export |
| | | NSS_DEFAULT_DB_TYPE="sql" |
- | | |    This line can be set added |
+ | | | This line can be set added |
| | | to the ~/.bashrc file to make |
| | | the change |
- | | |    permanent. |
- | | |    Most applications do not |
+ | | | permanent. |
+ | | | Most applications do not |
| | | use the shared database by |
| | | default, but they can |
- | | |    be configured to use them. |
+ | | | be configured to use them. |
| | | For example, this how-to |
| | | article covers how to |
- | | |    configure Firefox and |
+ | | | configure Firefox and |
| | | Thunderbird to use the new |
| | | shared NSS databases: |
- | | |      |
- | | | o https://wiki.m |
+ | | | |
+ | | | o https://wiki.m |
| | | ozilla.org/NSS_Shared_DB_Howto |
- | | |    For an engineering draft on |
+ | | | For an engineering draft on |
| | | the changes in the shared NSS |
| | | databases, see |
- | | |    the NSS project wiki: |
- | | |      |
- | | | o https:// |
+ | | | the NSS project wiki: |
+ | | | |
+ | | | o https:// |
| | | wiki.mozilla.org/NSS_Shared_DB |
| | | See Also |
- | | |    pk12util (1) |
- | | |    modutil (1) |
- | | |    certutil has arguments or |
+ | | | pk12util (1) |
+ | | | modutil (1) |
+ | | | certutil has arguments or |
| | | operations that use features |
| | | defined in several |
- | | |    IETF RFCs. |
- | | |      |
- | | | o `http://tools.ietf.org/htm |
+ | | | IETF RFCs. |
+ | | | |
+ | | | o `http://tools.ietf.org/htm |
| | | l/rfc5280 <https://datatracker |
| | | .ietf.org/doc/html/rfc5280>`__ |
- | | |      |
- | | | o `http://tools.ietf.org/htm |
+ | | | |
+ | | | o `http://tools.ietf.org/htm |
| | | l/rfc1113 <https://datatracker |
| | | .ietf.org/doc/html/rfc1113>`__ |
- | | |      |
- | | | o `http://tools.ietf.org/htm |
+ | | | |
+ | | | o `http://tools.ietf.org/htm |
| | | l/rfc1485 <https://datatracker |
| | | .ietf.org/doc/html/rfc1485>`__ |
- | | |    The NSS wiki has |
+ | | | The NSS wiki has |
| | | information on the new |
| | | database design and how to |
- | | |    configure applications to |
+ | | | configure applications to |
| | | use it. |
- | | |      |
- | | | o https://wiki.m |
+ | | | |
+ | | | o https://wiki.m |
| | | ozilla.org/NSS_Shared_DB_Howto |
- | | |      |
- | | | o https:// |
+ | | | |
+ | | | o https:// |
| | | wiki.mozilla.org/NSS_Shared_DB |
| | | Additional Resources |
- | | |    For information about NSS |
+ | | | For information about NSS |
| | | and other tools related to NSS |
| | | (like JSS), check |
- | | |    out the NSS project wiki at |
- | | |    |
+ | | | out the NSS project wiki at |
+ | | | |
| | | [1]\ `http://www.mozil |
| | | la.org/projects/security/pki/n |
| | | ss/ <https://www.mozilla.org/p |
| | | rojects/security/pki/nss/>`__. |
| | | The NSS site relates |
- | | |    directly to NSS code |
+ | | | directly to NSS code |
| | | changes and releases. |
- | | |    Mailing lists: |
+ | | | Mailing lists: |
| | | https://lists.mozill |
| | | a.org/listinfo/dev-tech-crypto |
- | | |    IRC: Freenode at |
+ | | | IRC: Freenode at |
| | | #dogtag-pki |
| | | Authors |
- | | |    The NSS tools were written |
+ | | | The NSS tools were written |
| | | and maintained by developers |
| | | with Netscape, Red |
- | | |    Hat, and Sun. |
- | | |    Authors: Elio Maldonado |
+ | | | Hat, and Sun. |
+ | | | Authors: Elio Maldonado |
| | | <emaldona@redhat.com>, Deon |
| | | Lackey |
- | | |    <dlackey@redhat.com>. |
+ | | | <dlackey@redhat.com>. |
| | | Copyright |
- | | |    (c) 2010, Red Hat, Inc. |
+ | | | (c) 2010, Red Hat, Inc. |
| | | Licensed under the GNU Public |
| | | License version 2. |
| | | References |
- | | |    Visible links |
- | | |    1. |
+ | | | Visible links |
+ | | | 1. |
| | | `http://www.mozi |
| | | lla.org/projects/security/pki/ |
| | | nss/ <https://www.mozilla.org/ |
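Review bot: the same flattening affects the lists in this hunk: `o cert8.db for`, `o key3.db for keys`, `o secmod.db for PKCS #11` and the continuation `in a new subdirectory` lose the indentation that marked them as list items under "The last versions of these legacy databases are:" and "These new databases provide more accessibility and performance:", and the `o https://wiki.m` link bullets now sit at the same level as the sentence that introduces them. Two textual fixes belong in the same pass, since the lines are already being rewritten: the changed line `This line can be set added` should read "This line can be added", and the context line `---merge command.` (three dashes) contradicts the synopsis `certutil --merge -d` a few lines later and should read `--merge`. Also "since it doesn't change the format of the database, it can write over information without performing interim step" is missing an article ("an interim step").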
@@ -6358,204 +6358,204 @@ Index
| | la_projects_nss_tools_cmsutil` | |
+--------------------------------+--------------------------------+--------------------------------+
| | | Name |
- | | |    cmsutil — Performs basic |
+ | | | cmsutil — Performs basic |
| | | cryptograpic operations, such |
| | | as encryption and |
- | | |    decryption, on |
+ | | | decryption, on |
| | | Cryptographic Message Syntax |
| | | (CMS) messages. |
| | | Synopsis |
- | | |    cmsutil [options] |
+ | | | cmsutil [options] |
| | | `arguments <arguments>`__ |
| | | Description |
- | | |    The cmsutil command-line |
+ | | | The cmsutil command-line |
| | | uses the S/MIME Toolkit to |
| | | perform basic |
- | | |    operations, such as |
+ | | | operations, such as |
| | | encryption and decryption, on |
| | | Cryptographic Message |
- | | |    Syntax (CMS) messages. |
- | | |    To run cmsutil, type the |
+ | | | Syntax (CMS) messages. |
+ | | | To run cmsutil, type the |
| | | command cmsutil option |
| | | [arguments] where option |
- | | |    and arguments are |
+ | | | and arguments are |
| | | combinations of the options |
| | | and arguments listed in the |
- | | |    following section. Each |
+ | | | following section. Each |
| | | command takes one option. Each |
| | | option may take |
- | | |    zero or more arguments. To |
+ | | | zero or more arguments. To |
| | | see a usage string, issue the |
| | | command without |
- | | |    options. |
+ | | | options. |
| | | Options and Arguments |
- | | |    Options |
- | | |    Options specify an action. |
+ | | | Options |
+ | | | Options specify an action. |
| | | Option arguments modify an |
| | | action. The options |
- | | |    and arguments for the |
+ | | | and arguments for the |
| | | cmsutil command are defined as |
| | | follows: |
- | | |    -D |
- | | |            Decode a message. |
- | | |    -C |
- | | |            Encrypt a message. |
- | | |    -E |
- | | |            Envelope a message. |
- | | |    -O |
- | | |            Create a |
+ | | | -D |
+ | | | Decode a message. |
+ | | | -C |
+ | | | Encrypt a message. |
+ | | | -E |
+ | | | Envelope a message. |
+ | | | -O |
+ | | | Create a |
| | | certificates-only message. |
- | | |    -S |
- | | |            Sign a message. |
- | | |    Arguments |
- | | |    Option arguments modify an |
+ | | | -S |
+ | | | Sign a message. |
+ | | | Arguments |
+ | | | Option arguments modify an |
| | | action and are lowercase. |
- | | |    -c content |
- | | |            Use this detached |
+ | | | -c content |
+ | | | Use this detached |
| | | content (decode only). |
- | | |    -d dbdir |
- | | |            Specify the |
+ | | | -d dbdir |
+ | | | Specify the |
| | | key/certificate database |
| | | directory (default is ".") |
- | | |    -e envfile |
- | | |            Specify a file |
+ | | | -e envfile |
+ | | | Specify a file |
| | | containing an enveloped |
| | | message for a set of |
- | | |            recipients to which |
+ | | | recipients to which |
| | | you would like to send an |
| | | encrypted message. |
- | | |            If this is the |
+ | | | If this is the |
| | | first encrypted message for |
| | | that set of recipients, |
- | | |            a new enveloped |
+ | | | a new enveloped |
| | | message will be created that |
| | | you can then use for |
- | | |            future messages |
+ | | | future messages |
| | | (encrypt only). |
- | | |    -G |
- | | |            Include a signing |
+ | | | -G |
+ | | | Include a signing |
| | | time attribute (sign only). |
- | | |    -h num |
- | | |            Generate email |
+ | | | -h num |
+ | | | Generate email |
| | | headers with info about CMS |
| | | message (decode only). |
- | | |    -i infile |
- | | |            Use infile as a |
+ | | | -i infile |
+ | | | Use infile as a |
| | | source of data (default is |
| | | stdin). |
- | | |    -N nickname |
- | | |            Specify nickname of |
+ | | | -N nickname |
+ | | | Specify nickname of |
| | | certificate to sign with (sign |
| | | only). |
- | | |    -n |
- | | |            Suppress output of |
+ | | | -n |
+ | | | Suppress output of |
| | | contents (decode only). |
- | | |    -o outfile |
- | | |            Use outfile as a |
+ | | | -o outfile |
+ | | | Use outfile as a |
| | | destination of data (default |
| | | is stdout). |
- | | |    -P |
- | | |            Include an S/MIME |
+ | | | -P |
+ | | | Include an S/MIME |
| | | capabilities attribute. |
- | | |    -p password |
- | | |            Use password as key |
+ | | | -p password |
+ | | | Use password as key |
| | | database password. |
- | | |    -r recipient1,recipient2, |
+ | | | -r recipient1,recipient2, |
| | | ... |
- | | |            Specify list of |
+ | | | Specify list of |
| | | recipients (email addresses) |
| | | for an encrypted or |
- | | |            enveloped message. |
+ | | | enveloped message. |
| | | For certificates-only message, |
| | | list of |
- | | |            certificates to |
+ | | | certificates to |
| | | send. |
- | | |    -T |
- | | |            Suppress content in |
+ | | | -T |
+ | | | Suppress content in |
| | | CMS message (sign only). |
- | | |    -u certusage |
- | | |            Set type of cert |
+ | | | -u certusage |
+ | | | Set type of cert |
| | | usage (default is |
| | | certUsageEmailSigner). |
- | | |    -Y ekprefnick |
- | | |            Specify an |
+ | | | -Y ekprefnick |
+ | | | Specify an |
| | | encryption key preference by |
| | | nickname. |
| | | Usage |
- | | |    Encrypt Example |
- | | |  cmsutil -C [-i infile] [-o |
+ | | | Encrypt Example |
+ | | | cmsutil -C [-i infile] [-o |
| | | outfile] [-d dbdir] [-p |
| | | password] -r |
| | | "recipient1,recipient2, . . ." |
| | | -e envfile |
- | | |    Decode Example |
- | | |  cmsutil -D [-i infile] [-o |
+ | | | Decode Example |
+ | | | cmsutil -D [-i infile] [-o |
| | | outfile] [-d dbdir] [-p |
| | | password] [-c content] [-n] |
| | | [-h num] |
- | | |    Envelope Example |
- | | |  cmsutil -E [-i infile] [-o |
+ | | | Envelope Example |
+ | | | cmsutil -E [-i infile] [-o |
| | | outfile] [-d dbdir] [-p |
| | | password] -r |
| | | "recipient1,recipient2, ..." |
- | | |    Certificate-only Example |
- | | |  cmsutil -O [-i infile] [-o |
+ | | | Certificate-only Example |
+ | | | cmsutil -O [-i infile] [-o |
| | | outfile] [-d dbdir] [-p |
| | | password] -r "cert1,cert2, . . |
| | | ." |
- | | |    Sign Message Example |
- | | |  cmsutil -S [-i infile] [-o |
+ | | | Sign Message Example |
+ | | | cmsutil -S [-i infile] [-o |
| | | outfile] [-d dbdir] [-p |
| | | password] -N nickname[-TGP] |
| | | [-Y ekprefnick] |
| | | See also |
- | | |    certutil(1) |
+ | | | certutil(1) |
| | | See Also |
| | | Additional Resources |
- | | |    NSS is maintained in |
+ | | | NSS is maintained in |
| | | conjunction with PKI and |
| | | security-related projects |
- | | |    through Mozilla dn Fedora. |
+ | | | through Mozilla dn Fedora. |
| | | The most closely-related |
| | | project is Dogtag PKI, |
- | | |    with a project wiki at |
+ | | | with a project wiki at |
| | | [1]\ http: |
| | | //pki.fedoraproject.org/wiki/. |
- | | |    For information |
+ | | | For information |
| | | specifically about NSS, the |
| | | NSS project wiki is located at |
- | | |    |
+ | | | |
| | | [2]\ `http://www.mozil |
| | | la.org/projects/security/pki/n |
| | | ss/ <https://www.mozilla.org/p |
| | | rojects/security/pki/nss/>`__. |
| | | The NSS site relates |
- | | |    directly to NSS code |
+ | | | directly to NSS code |
| | | changes and releases. |
- | | |    Mailing lists: |
+ | | | Mailing lists: |
| | | pki-devel@redhat.com and |
| | | pki-users@redhat.com |
- | | |    IRC: Freenode at |
+ | | | IRC: Freenode at |
| | | #dogtag-pki |
| | | Authors |
- | | |    The NSS tools were written |
+ | | | The NSS tools were written |
| | | and maintained by developers |
| | | with Netscape and |
- | | |    now with Red Hat. |
- | | |    Authors: Elio Maldonado |
+ | | | now with Red Hat. |
+ | | | Authors: Elio Maldonado |
| | | <emaldona@redhat.com>, Deon |
| | | Lackey |
- | | |    <dlackey@redhat.com>. |
+ | | | <dlackey@redhat.com>. |
| | | Copyright |
- | | |    (c) 2010, Red Hat, Inc. |
+ | | | (c) 2010, Red Hat, Inc. |
| | | Licensed under the GNU Public |
| | | License version 2. |
| | | References |
- | | |    Visible links |
- | | |    1. |
+ | | | Visible links |
+ | | | 1. |
| | | http |
| | | ://pki.fedoraproject.org/wiki/ |
- | | |    2. |
+ | | | 2. |
| | | `http://www.mozi |
| | | lla.org/projects/security/pki/ |
| | | nss/ <https://www.mozilla.org/ |
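Review bot: in the cmsutil option table the indentation was the only thing separating an option from its description: `   -D` followed by `           Decode a message.` becomes `-D` / `Decode a message.` at the same level, so a reader of the rendered cell cannot tell where one option ends and the next begins (the `-r recipient1,recipient2, ...` entry, whose description spans several lines, suffers most). Suggest keeping a relative indent for the description lines, or rewriting the options as an RST definition list or option list so the structure survives any future whitespace normalization. The changed line `through Mozilla dn Fedora.` carries a typo ("dn" for "and") that can be fixed here, as can the adjacent context line `cryptograpic operations` ("cryptographic"); the "See also" block that names only `certutil(1)` followed immediately by an empty "See Also" heading also looks like a duplicated heading worth collapsing while these cells are touched.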
@@ -6567,493 +6567,493 @@ Index
| | la_projects_nss_tools_crlutil` | |
+--------------------------------+--------------------------------+--------------------------------+
| | | Name |
- | | |    crlutil — List, generate, |
+ | | | crlutil — List, generate, |
| | | modify, or delete CRLs within |
| | | the NSS security |
- | | |    database file(s) and list, |
+ | | | database file(s) and list, |
| | | create, modify or delete |
| | | certificates entries |
- | | |    in a particular CRL. |
+ | | | in a particular CRL. |
| | | Synopsis |
- | | |    crlutil [options] |
+ | | | crlutil [options] |
| | | `arguments <arguments>`__ |
| | | Description |
- | | |    The Certificate Revocation |
+ | | | The Certificate Revocation |
| | | List (CRL) Management Tool, |
| | | crlutil, is a |
- | | |    command-line utility that |
+ | | | command-line utility that |
| | | can list, generate, modify, or |
| | | delete CRLs |
- | | |    within the NSS security |
+ | | | within the NSS security |
| | | database file(s) and list, |
| | | create, modify or |
- | | |    delete certificates entries |
+ | | | delete certificates entries |
| | | in a particular CRL. |
- | | |    The key and certificate |
+ | | | The key and certificate |
| | | management process generally |
| | | begins with creating |
- | | |    keys in the key database, |
+ | | | keys in the key database, |
| | | then generating and managing |
| | | certificates in the |
- | | |    certificate database(see |
+ | | | certificate database(see |
| | | certutil tool) and continues |
| | | with certificates |
- | | |    expiration or revocation. |
- | | |    This document discusses |
+ | | | expiration or revocation. |
+ | | | This document discusses |
| | | certificate revocation list |
| | | management. For |
- | | |    information on security |
+ | | | information on security |
| | | module database management, |
| | | see Using the Security |
- | | |    Module Database Tool. For |
+ | | | Module Database Tool. For |
| | | information on certificate and |
| | | key database |
- | | |    management, see Using the |
+ | | | management, see Using the |
| | | Certificate Database Tool. |
- | | |    To run the Certificate |
+ | | | To run the Certificate |
| | | Revocation List Management |
| | | Tool, type the command |
- | | |    crlutil option [arguments] |
- | | |    where options and arguments |
+ | | | crlutil option [arguments] |
+ | | | where options and arguments |
| | | are combinations of the |
| | | options and arguments |
- | | |    listed in the following |
+ | | | listed in the following |
| | | section. Each command takes |
| | | one option. Each |
- | | |    option may take zero or |
+ | | | option may take zero or |
| | | more arguments. To see a usage |
| | | string, issue the |
- | | |    command without options, or |
+ | | | command without options, or |
| | | with the -H option. |
| | | Options and Arguments |
- | | |    Options |
- | | |    Options specify an action. |
+ | | | Options |
+ | | | Options specify an action. |
| | | Option arguments modify an |
| | | action. The options |
- | | |    and arguments for the |
+ | | | and arguments for the |
| | | crlutil command are defined as |
| | | follows: |
- | | |    -G |
- | | |            Create new |
+ | | | -G |
+ | | | Create new |
| | | Certificate Revocation |
| | | List(CRL). |
- | | |    -D |
- | | |            Delete Certificate |
+ | | | -D |
+ | | | Delete Certificate |
| | | Revocation List from cert |
| | | database. |
- | | |    -I |
- | | |            Import a CRL to the |
+ | | | -I |
+ | | | Import a CRL to the |
| | | cert database |
- | | |    -E |
- | | |            Erase all CRLs of |
+ | | | -E |
+ | | | Erase all CRLs of |
| | | specified type from the cert |
| | | database |
- | | |    -L |
- | | |            List existing CRL |
+ | | | -L |
+ | | | List existing CRL |
| | | located in cert database file. |
- | | |    -M |
- | | |            Modify existing CRL |
+ | | | -M |
+ | | | Modify existing CRL |
| | | which can be located in cert |
| | | db or in |
- | | |            arbitrary file. If |
+ | | | arbitrary file. If |
| | | located in file it should be |
| | | encoded in ASN.1 |
- | | |            encode format. |
- | | |    -G |
- | | |    Arguments |
- | | |    Option arguments modify an |
+ | | | encode format. |
+ | | | -G |
+ | | | Arguments |
+ | | | Option arguments modify an |
| | | action and are lowercase. |
- | | |    -B |
- | | |            Bypass CA signature |
+ | | | -B |
+ | | | Bypass CA signature |
| | | checks. |
- | | |    -P dbprefix |
- | | |            Specify the prefix |
+ | | | -P dbprefix |
+ | | | Specify the prefix |
| | | used on the NSS security |
| | | database files (for |
- | | |            example, |
+ | | | example, |
| | | my_cert8.db and my_key3.db). |
| | | This option is provided as a |
- | | |            special case. |
+ | | | special case. |
| | | Changing the names of the |
| | | certificate and key |
- | | |            databases is not |
+ | | | databases is not |
| | | recommended. |
- | | |    -a |
- | | |            Use ASCII format or |
+ | | | -a |
+ | | | Use ASCII format or |
| | | allow the use of ASCII format |
| | | for input and |
- | | |            output. This |
+ | | | output. This |
| | | formatting follows RFC #1113. |
- | | |    -c crl-gen-file |
- | | |            Specify script file |
+ | | | -c crl-gen-file |
+ | | | Specify script file |
| | | that will be used to control |
| | | crl |
- | | |            |
+ | | | |
| | | generation/modification. See |
| | | crl-cript-file format below. |
| | | If |
- | | |            options -M|-G is |
+ | | | options -M|-G is |
| | | used and -c crl-script-file is |
| | | not specified, |
- | | |            crlutil will read |
+ | | | crlutil will read |
| | | script data from standard |
| | | input. |
- | | |    -d directory |
- | | |            Specify the |
+ | | | -d directory |
+ | | | Specify the |
| | | database directory containing |
| | | the certificate and key |
- | | |            database files. On |
+ | | | database files. On |
| | | Unix the Certificate Database |
| | | Tool defaults to |
- | | |            $HOME/.netscape |
+ | | | $HOME/.netscape |
| | | (that is, ~/.netscape). On |
| | | Windows NT the default |
- | | |            is the current |
+ | | | is the current |
| | | directory. |
- | | |            The NSS database |
+ | | | The NSS database |
| | | files must reside in the same |
| | | directory. |
- | | |    -i crl-import-file |
- | | |            Specify the file |
+ | | | -i crl-import-file |
+ | | | Specify the file |
| | | which contains the CRL to |
| | | import |
- | | |    -f password-file |
- | | |            Specify a file that |
+ | | | -f password-file |
+ | | | Specify a file that |
| | | will automatically supply the |
| | | password to |
- | | |            include in a |
+ | | | include in a |
| | | certificate or to access a |
| | | certificate database. This |
- | | |            is a plain-text |
+ | | | is a plain-text |
| | | file containing one password. |
| | | Be sure to prevent |
- | | |            unauthorized access |
+ | | | unauthorized access |
| | | to this file. |
- | | |    -l algorithm-name |
- | | |            Specify a specific |
+ | | | -l algorithm-name |
+ | | | Specify a specific |
| | | signature algorithm. List of |
| | | possible |
- | | |            algorithms: MD2 \| |
+ | | | algorithms: MD2 \| |
| | | MD4 \| MD5 \| SHA1 \| SHA256 |
| | | \| SHA384 \| SHA512 |
- | | |    -n nickname |
- | | |            Specify the |
+ | | | -n nickname |
+ | | | Specify the |
| | | nickname of a certificate or |
| | | key to list, create, add |
- | | |            to a database, |
+ | | | to a database, |
| | | modify, or validate. Bracket |
| | | the nickname string |
- | | |            with quotation |
+ | | | with quotation |
| | | marks if it contains spaces. |
- | | |    -o output-file |
- | | |            Specify the output |
+ | | | -o output-file |
+ | | | Specify the output |
| | | file name for new CRL. Bracket |
| | | the output-file |
- | | |            string with |
+ | | | string with |
| | | quotation marks if it contains |
| | | spaces. If this |
- | | |            argument is not |
+ | | | argument is not |
| | | used the output destination |
| | | defaults to standard |
- | | |            output. |
- | | |    -t crl-type |
- | | |            Specify type of |
+ | | | output. |
+ | | | -t crl-type |
+ | | | Specify type of |
| | | CRL. possible types are: 0 - |
| | | SEC_KRL_TYPE, 1 - |
- | | |            SEC_CRL_TYPE. This |
+ | | | SEC_CRL_TYPE. This |
| | | option is obsolete |
- | | |    -u url |
- | | |            Specify the url. |
+ | | | -u url |
+ | | | Specify the url. |
| | | CRL Generation script syntax |
- | | |    CRL generation script file |
+ | | | CRL generation script file |
| | | has the following syntax: |
- | | |    \* Line with comments |
+ | | | \* Line with comments |
| | | should have # as a first |
| | | symbol of a line |
- | | |    \* Set "this update" or |
+ | | | \* Set "this update" or |
| | | "next update" CRL fields: |
- | | |    update=YYYYMMDDhhmmssZ |
+ | | | update=YYYYMMDDhhmmssZ |
| | | nextupdate=YYYYMMDDhhmmssZ |
- | | |    Field "next update" is |
+ | | | Field "next update" is |
| | | optional. Time should be in |
| | | GeneralizedTime format |
- | | |    (YYYYMMDDhhmmssZ). For |
+ | | | (YYYYMMDDhhmmssZ). For |
| | | example: 20050204153000Z |
- | | |    \* Add an extension to a |
+ | | | \* Add an extension to a |
| | | CRL or a crl certificate |
| | | entry: |
- | | |    addext extension-name |
+ | | | addext extension-name |
| | | critical/non-critical |
| | | [arg1[arg2 ...]] |
- | | |    Where: |
- | | |    extension-name: string |
+ | | | Where: |
+ | | | extension-name: string |
| | | value of a name of known |
| | | extensions. |
- | | |    critical/non-critical: is 1 |
+ | | | critical/non-critical: is 1 |
| | | when extension is critical and |
| | | 0 otherwise. |
- | | |    arg1, arg2: specific to |
+ | | | arg1, arg2: specific to |
| | | extension type extension |
| | | parameters |
- | | |    addext uses the range that |
+ | | | addext uses the range that |
| | | was set earlier by addcert and |
| | | will install an |
- | | |    extension to every cert |
+ | | | extension to every cert |
| | | entries within the range. |
- | | |    \* Add certificate |
+ | | | \* Add certificate |
| | | entries(s) to CRL: |
- | | |    addcert range date |
- | | |    range: two integer values |
+ | | | addcert range date |
+ | | | range: two integer values |
| | | separated by dash: range of |
| | | certificates that |
- | | |    will be added by this |
+ | | | will be added by this |
| | | command. dash is used as a |
| | | delimiter. Only one cert |
- | | |    will be added if there is |
+ | | | will be added if there is |
| | | no delimiter. date: revocation |
| | | date of a cert. |
- | | |    Date should be represented |
+ | | | Date should be represented |
| | | in GeneralizedTime format |
| | | (YYYYMMDDhhmmssZ). |
- | | |    \* Remove certificate |
+ | | | \* Remove certificate |
| | | entry(s) from CRL |
- | | |    rmcert range |
- | | |    Where: |
- | | |    range: two integer values |
+ | | | rmcert range |
+ | | | Where: |
+ | | | range: two integer values |
| | | separated by dash: range of |
| | | certificates that |
- | | |    will be added by this |
+ | | | will be added by this |
| | | command. dash is used as a |
| | | delimiter. Only one cert |
- | | |    will be added if there is |
+ | | | will be added if there is |
| | | no delimiter. |
- | | |    \* Change range of |
+ | | | \* Change range of |
| | | certificate entry(s) in CRL |
- | | |    range new-range |
- | | |    Where: |
- | | |    new-range: two integer |
+ | | | range new-range |
+ | | | Where: |
+ | | | new-range: two integer |
| | | values separated by dash: |
| | | range of certificates |
- | | |    that will be added by this |
+ | | | that will be added by this |
| | | command. dash is used as a |
| | | delimiter. Only one |
- | | |    cert will be added if there |
+ | | | cert will be added if there |
| | | is no delimiter. |
- | | |    Implemented Extensions |
- | | |    The extensions defined for |
+ | | | Implemented Extensions |
+ | | | The extensions defined for |
| | | CRL provide methods for |
| | | associating additional |
- | | |    attributes with CRLs of |
+ | | | attributes with CRLs of |
| | | theirs entries. For more |
| | | information see RFC #3280 |
- | | |    \* Add The Authority Key |
+ | | | \* Add The Authority Key |
| | | Identifier extension: |
- | | |    The authority key |
+ | | | The authority key |
| | | identifier extension provides |
| | | a means of identifying the |
- | | |    public key corresponding to |
+ | | | public key corresponding to |
| | | the private key used to sign a |
| | | CRL. |
- | | |    authKeyId critical [key-id |
+ | | | authKeyId critical [key-id |
| | | \| dn cert-serial] |
- | | |    Where: |
- | | |    authKeyIdent: identifies |
+ | | | Where: |
+ | | | authKeyIdent: identifies |
| | | the name of an extension |
| | | critical: value of 1 of |
- | | |    0. Should be set to 1 if |
+ | | | 0. Should be set to 1 if |
| | | this extension is critical or |
| | | 0 otherwise. |
- | | |    key-id: key identifier |
+ | | | key-id: key identifier |
| | | represented in octet string. |
| | | dn:: is a CA |
- | | |    distinguished name |
+ | | | distinguished name |
| | | cert-serial: authority |
| | | certificate serial number. |
- | | |    \* Add Issuer Alternative |
+ | | | \* Add Issuer Alternative |
| | | Name extension: |
- | | |    The issuer alternative |
+ | | | The issuer alternative |
| | | names extension allows |
| | | additional identities to be |
- | | |    associated with the issuer |
+ | | | associated with the issuer |
| | | of the CRL. Defined options |
| | | include an rfc822 |
- | | |    name (electronic mail |
+ | | | name (electronic mail |
| | | address), a DNS name, an IP |
| | | address, and a URI. |
- | | |    issuerAltNames non-critical |
+ | | | issuerAltNames non-critical |
| | | name-list |
- | | |    Where: |
- | | |    subjAltNames: identifies |
+ | | | Where: |
+ | | | subjAltNames: identifies |
| | | the name of an extension |
| | | should be set to 0 since |
- | | |    this is non-critical |
+ | | | this is non-critical |
| | | extension name-list: comma |
| | | separated list of names |
- | | |    \* Add CRL Number |
+ | | | \* Add CRL Number |
| | | extension: |
- | | |    The CRL number is a |
+ | | | The CRL number is a |
| | | non-critical CRL extension |
| | | which conveys a |
- | | |    monotonically increasing |
+ | | | monotonically increasing |
| | | sequence number for a given |
| | | CRL scope and CRL |
- | | |    issuer. This extension |
+ | | | issuer. This extension |
| | | allows users to easily |
| | | determine when a particular |
- | | |    CRL supersedes another CRL |
- | | |    crlNumber non-critical |
+ | | | CRL supersedes another CRL |
+ | | | crlNumber non-critical |
| | | number |
- | | |    Where: |
- | | |    crlNumber: identifies the |
+ | | | Where: |
+ | | | crlNumber: identifies the |
| | | name of an extension critical: |
| | | should be set to |
- | | |    0 since this is |
+ | | | 0 since this is |
| | | non-critical extension number: |
| | | value of long which |
- | | |    identifies the sequential |
+ | | | identifies the sequential |
| | | number of a CRL. |
- | | |    \* Add Revocation Reason |
+ | | | \* Add Revocation Reason |
| | | Code extension: |
- | | |    The reasonCode is a |
+ | | | The reasonCode is a |
| | | non-critical CRL entry |
| | | extension that identifies the |
- | | |    reason for the certificate |
+ | | | reason for the certificate |
| | | revocation. |
- | | |    reasonCode non-critical |
+ | | | reasonCode non-critical |
| | | code |
- | | |    Where: |
- | | |    reasonCode: identifies the |
+ | | | Where: |
+ | | | reasonCode: identifies the |
| | | name of an extension |
| | | non-critical: should be |
- | | |    set to 0 since this is |
+ | | | set to 0 since this is |
| | | non-critical extension code: |
| | | the following codes |
- | | |    are available: |
- | | |    unspecified (0), |
+ | | | are available: |
+ | | | unspecified (0), |
| | | keyCompromise (1), |
| | | cACompromise (2), |
| | | affiliationChanged |
- | | |    (3), superseded (4), |
+ | | | (3), superseded (4), |
| | | cessationOfOperation (5), |
| | | certificateHold (6), |
- | | |    removeFromCRL (8), |
+ | | | removeFromCRL (8), |
| | | privilegeWithdrawn (9), |
| | | aACompromise (10) |
- | | |    \* Add Invalidity Date |
+ | | | \* Add Invalidity Date |
| | | extension: |
- | | |    The invalidity date is a |
+ | | | The invalidity date is a |
| | | non-critical CRL entry |
| | | extension that provides |
- | | |    the date on which it is |
+ | | | the date on which it is |
| | | known or suspected that the |
| | | private key was |
- | | |    compromised or that the |
+ | | | compromised or that the |
| | | certificate otherwise became |
| | | invalid. |
- | | |    invalidityDate non-critical |
+ | | | invalidityDate non-critical |
| | | date |
- | | |    Where: |
- | | |    crlNumber: identifies the |
+ | | | Where: |
+ | | | crlNumber: identifies the |
| | | name of an extension |
| | | non-critical: should be set |
- | | |    to 0 since this is |
+ | | | to 0 since this is |
| | | non-critical extension date: |
| | | invalidity date of a cert. |
- | | |    Date should be represented |
+ | | | Date should be represented |
| | | in GeneralizedTime format |
| | | (YYYYMMDDhhmmssZ). |
| | | Usage |
- | | |    The Certificate Revocation |
+ | | | The Certificate Revocation |
| | | List Management Tool's |
| | | capabilities are grouped |
- | | |    as follows, using these |
+ | | | as follows, using these |
| | | combinations of options and |
| | | arguments. Options and |
- | | |    arguments in square |
+ | | | arguments in square |
| | | brackets are optional, those |
| | | without square brackets |
- | | |    are required. |
- | | |    See "Implemented |
+ | | | are required. |
+ | | | See "Implemented |
| | | extensions" for more |
| | | information regarding |
| | | extensions and |
- | | |    their parameters. |
- | | |    \* Creating or modifying a |
+ | | | their parameters. |
+ | | | \* Creating or modifying a |
| | | CRL: |
- | | |  crlutil -G|-M -c crl-gen-file |
+ | | | crlutil -G|-M -c crl-gen-file |
| | | -n nickname [-i crl] [-u url] |
| | | [-d keydir] [-P dbprefix] [-l |
| | | alg] [-a] [-B] |
- | | |    \* Listing all CRls or a |
+ | | | \* Listing all CRls or a |
| | | named CRL: |
- | | |          crlutil -L [-n |
+ | | | crlutil -L [-n |
| | | crl-name] [-d krydir] |
- | | |    \* Deleting CRL from db: |
- | | |          crlutil -D -n |
+ | | | \* Deleting CRL from db: |
+ | | | crlutil -D -n |
| | | nickname [-d keydir] [-P |
| | | dbprefix] |
- | | |    \* Erasing CRLs from db: |
- | | |          crlutil -E [-d |
+ | | | \* Erasing CRLs from db: |
+ | | | crlutil -E [-d |
| | | keydir] [-P dbprefix] |
- | | |    \* Deleting CRL from db: |
- | | |            crlutil -D -n |
+ | | | \* Deleting CRL from db: |
+ | | | crlutil -D -n |
| | | nickname [-d keydir] [-P |
| | | dbprefix] |
- | | |    \* Erasing CRLs from db: |
- | | |            crlutil -E [-d |
+ | | | \* Erasing CRLs from db: |
+ | | | crlutil -E [-d |
| | | keydir] [-P dbprefix] |
- | | |    \* Import CRL from file: |
- | | |            crlutil -I -i crl |
+ | | | \* Import CRL from file: |
+ | | | crlutil -I -i crl |
| | | [-t crlType] [-u url] [-d |
| | | keydir] [-P dbprefix] [-B] |
| | | See also |
- | | |    certutil(1) |
+ | | | certutil(1) |
| | | See Also |
| | | Additional Resources |
- | | |    NSS is maintained in |
+ | | | NSS is maintained in |
| | | conjunction with PKI and |
| | | security-related projects |
- | | |    through Mozilla dn Fedora. |
+ | | | through Mozilla dn Fedora. |
| | | The most closely-related |
| | | project is Dogtag PKI, |
- | | |    with a project wiki at |
+ | | | with a project wiki at |
| | | [1]\ http: |
| | | //pki.fedoraproject.org/wiki/. |
- | | |    For information |
+ | | | For information |
| | | specifically about NSS, the |
| | | NSS project wiki is located at |
- | | |    |
+ | | | |
| | | [2]\ `http://www.mozil |
| | | la.org/projects/security/pki/n |
| | | ss/ <https://www.mozilla.org/p |
| | | rojects/security/pki/nss/>`__. |
| | | The NSS site relates |
- | | |    directly to NSS code |
+ | | | directly to NSS code |
| | | changes and releases. |
- | | |    Mailing lists: |
+ | | | Mailing lists: |
| | | pki-devel@redhat.com and |
| | | pki-users@redhat.com |
- | | |    IRC: Freenode at |
+ | | | IRC: Freenode at |
| | | #dogtag-pki |
| | | Authors |
- | | |    The NSS tools were written |
+ | | | The NSS tools were written |
| | | and maintained by developers |
| | | with Netscape and |
- | | |    now with Red Hat. |
- | | |    Authors: Elio Maldonado |
+ | | | now with Red Hat. |
+ | | | Authors: Elio Maldonado |
| | | <emaldona@redhat.com>, Deon |
| | | Lackey |
- | | |    <dlackey@redhat.com>. |
+ | | | <dlackey@redhat.com>. |
| | | Copyright |
- | | |    (c) 2010, Red Hat, Inc. |
+ | | | (c) 2010, Red Hat, Inc. |
| | | Licensed under the GNU Public |
| | | License version 2. |
| | | References |
- | | |    Visible links |
- | | |    1. |
+ | | | Visible links |
+ | | | 1. |
| | | http |
| | | ://pki.fedoraproject.org/wiki/ |
- | | |    2. |
+ | | | 2. |
| | | `http://www.mozi |
| | | lla.org/projects/security/pki/ |
| | | nss/ <https://www.mozilla.org/ |
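Review bot: stripping the leading whitespace inside these cells (for example `-    | | |    -G` / `-    | | |            Create new` becoming `+ | | | -G` / `+ | | | Create new`) removes the only cue that separated each crlutil option name from its description, so every option from `-G` through `-u url`, and likewise the `Where:` blocks under the extension entries, will now be parsed as one run-on paragraph by docutils, which treats grid-table cell contents as ordinary body text. The pre-change markup was not valid nesting either: the wrapped continuation lines (`| | | Certificate Revocation |`, `| | | Revocation List from cert |`) already sat at the cell's base indentation, so the old indented lines would have produced block quotes and "unexpected indentation" warnings rather than a definition list. Rather than a plain whitespace strip, suggest rebuilding each option as an explicit definition-list item (term line, blank line, consistently indented description) so the option/description structure survives; the same consideration applies to the modutil hunk that follows, where the `o With the ...` sub-items under `-nocertdb` lose their nesting in the same way. Also visible in this hunk and worth a follow-up since only whitespace is touched here: a stray second `-G` line immediately before `Arguments`, the typos `crl-cript-file`, `krydir`, `CRls` and `Mozilla dn Fedora`, the `rmcert` and range-change descriptions saying certificates "will be added" although they remove or renumber entries, `subjAltNames` named in the `Where:` block of the issuerAltNames extension, `crlNumber` named in the `Where:` block of the invalidityDate extension, and the "Deleting CRL from db" / "Erasing CRLs from db" usage entries appearing twice.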
@@ -7065,670 +7065,670 @@ Index
| | la_projects_nss_tools_modutil` | |
+--------------------------------+--------------------------------+--------------------------------+
| | | Name |
- | | |    modutil — Manage PKCS #11 |
+ | | | modutil — Manage PKCS #11 |
| | | module information within the |
| | | security module |
- | | |    database. |
+ | | | database. |
| | | Synopsis |
- | | |    modutil [options] |
+ | | | modutil [options] |
| | | `arguments <arguments>`__ |
| | | Description |
- | | |    The Security Module |
+ | | | The Security Module |
| | | Database Tool, modutil, is a |
| | | command-line utility for |
- | | |    managing PKCS #11 module |
+ | | | managing PKCS #11 module |
| | | information both within |
| | | secmod.db files and |
- | | |    within hardware tokens. |
+ | | | within hardware tokens. |
| | | modutil can add and delete |
| | | PKCS #11 modules, |
- | | |    change passwords on |
+ | | | change passwords on |
| | | security databases, set |
| | | defaults, list module |
- | | |    contents, enable or disable |
+ | | | contents, enable or disable |
| | | slots, enable or disable FIPS |
| | | 140-2 |
- | | |    compliance, and assign |
+ | | | compliance, and assign |
| | | default providers for |
| | | cryptographic operations. |
- | | |    This tool can also create |
+ | | | This tool can also create |
| | | certificate, key, and module |
| | | security database |
- | | |    files. |
- | | |    The tasks associated with |
+ | | | files. |
+ | | | The tasks associated with |
| | | security module database |
| | | management are part of |
- | | |    a process that typically |
+ | | | a process that typically |
| | | also involves managing key |
| | | databases and |
- | | |    certificate databases. |
+ | | | certificate databases. |
| | | Options |
- | | |    Running modutil always |
+ | | | Running modutil always |
| | | requires one (and only one) |
| | | option to specify the |
- | | |    type of module operation. |
+ | | | type of module operation. |
| | | Each option may take |
| | | arguments, anywhere from |
- | | |    none to multiple arguments. |
- | | |    Options |
- | | |    -add modulename |
- | | |            Add the named PKCS |
+ | | | none to multiple arguments. |
+ | | | Options |
+ | | | -add modulename |
+ | | | Add the named PKCS |
| | | #11 module to the database. |
| | | Use this option |
- | | |            with the -libfile, |
+ | | | with the -libfile, |
| | | -ciphers, and -mechanisms |
| | | arguments. |
- | | |    -changepw tokenname |
- | | |            Change the password |
+ | | | -changepw tokenname |
+ | | | Change the password |
| | | on the named token. If the |
| | | token has not been |
- | | |            initialized, this |
+ | | | initialized, this |
| | | option initializes the |
| | | password. Use this option |
- | | |            with the -pwfile |
+ | | | with the -pwfile |
| | | and -newpwfile arguments. A |
| | | password is |
- | | |            equivalent to a |
+ | | | equivalent to a |
| | | personal identification number |
| | | (PIN). |
- | | |    -chkfips |
- | | |            Verify whether the |
+ | | | -chkfips |
+ | | | Verify whether the |
| | | module is in the given FIPS |
| | | mode. true means to |
- | | |            verify that the |
+ | | | verify that the |
| | | module is in FIPS mode, while |
| | | false means to |
- | | |            verify that the |
+ | | | verify that the |
| | | module is not in FIPS mode. |
- | | |    -create |
- | | |            Create new |
+ | | | -create |
+ | | | Create new |
| | | certificate, key, and module |
| | | databases. Use the -dbdir |
- | | |            directory argument |
+ | | | directory argument |
| | | to specify a directory. If any |
| | | of these |
- | | |            databases already |
+ | | | databases already |
| | | exist in a specified |
| | | directory, modutil returns |
- | | |            an error message. |
- | | |    -default modulename |
- | | |            Specify the |
+ | | | an error message. |
+ | | | -default modulename |
+ | | | Specify the |
| | | security mechanisms for which |
| | | the named module will be |
- | | |            a default provider. |
+ | | | a default provider. |
| | | The security mechanisms are |
| | | specified with the |
- | | |            -mechanisms |
+ | | | -mechanisms |
| | | argument. |
- | | |    -delete modulename |
- | | |            Delete the named |
+ | | | -delete modulename |
+ | | | Delete the named |
| | | module. The default NSS PKCS |
| | | #11 module cannot be |
- | | |            deleted. |
- | | |    -disable modulename |
- | | |            Disable all slots |
+ | | | deleted. |
+ | | | -disable modulename |
+ | | | Disable all slots |
| | | on the named module. Use the |
| | | -slot argument to |
- | | |            disable a specific |
+ | | | disable a specific |
| | | slot. |
- | | |    -enable modulename |
- | | |            Enable all slots on |
+ | | | -enable modulename |
+ | | | Enable all slots on |
| | | the named module. Use the |
| | | -slot argument to |
- | | |            enable a specific |
+ | | | enable a specific |
| | | slot. |
- | | |    -fips [true \| false] |
- | | |            Enable (true) or |
+ | | | -fips [true \| false] |
+ | | | Enable (true) or |
| | | disable (false) FIPS 140-2 |
| | | compliance for the |
- | | |            default NSS module. |
- | | |    -force |
- | | |            Disable modutil's |
+ | | | default NSS module. |
+ | | | -force |
+ | | | Disable modutil's |
| | | interactive prompts so it can |
| | | be run from a |
- | | |            script. Use this |
+ | | | script. Use this |
| | | option only after manually |
| | | testing each planned |
- | | |            operation to check |
+ | | | operation to check |
| | | for warnings and to ensure |
| | | that bypassing the |
- | | |            prompts will cause |
+ | | | prompts will cause |
| | | no security lapses or loss of |
| | | database |
- | | |            integrity. |
- | | |    -jar JAR-file |
- | | |            Add a new PKCS #11 |
+ | | | integrity. |
+ | | | -jar JAR-file |
+ | | | Add a new PKCS #11 |
| | | module to the database using |
| | | the named JAR |
- | | |            file. Use this |
+ | | | file. Use this |
| | | command with the -installdir |
| | | and -tempdir |
- | | |            arguments. The JAR |
+ | | | arguments. The JAR |
| | | file uses the NSS PKCS #11 JAR |
| | | format to |
- | | |            identify all the |
+ | | | identify all the |
| | | files to be installed, the |
| | | module's name, the |
- | | |            mechanism flags, |
+ | | | mechanism flags, |
| | | and the cipher flags, as well |
| | | as any files to be |
- | | |            installed on the |
+ | | | installed on the |
| | | target machine, including the |
| | | PKCS #11 module |
- | | |            library file and |
+ | | | library file and |
| | | other files such as |
| | | documentation. This is |
- | | |            covered in the JAR |
+ | | | covered in the JAR |
| | | installation file section in |
| | | the man page, |
- | | |            which details the |
+ | | | which details the |
| | | special script needed to |
| | | perform an installation |
- | | |            through a server or |
+ | | | through a server or |
| | | with modutil. |
- | | |    -list [modulename] |
- | | |            Display basic |
+ | | | -list [modulename] |
+ | | | Display basic |
| | | information about the contents |
| | | of the secmod.db |
- | | |            file. Specifying a |
+ | | | file. Specifying a |
| | | modulename displays detailed |
| | | information about |
- | | |            a particular module |
+ | | | a particular module |
| | | and its slots and tokens. |
- | | |    -rawadd |
- | | |            Add the module spec |
+ | | | -rawadd |
+ | | | Add the module spec |
| | | string to the secmod.db |
| | | database. |
- | | |    -rawlist |
- | | |            Display the module |
+ | | | -rawlist |
+ | | | Display the module |
| | | specs for a specified module |
| | | or for all |
- | | |            loadable modules. |
- | | |    -undefault modulename |
- | | |            Specify the |
+ | | | loadable modules. |
+ | | | -undefault modulename |
+ | | | Specify the |
| | | security mechanisms for which |
| | | the named module will |
- | | |            not be a default |
+ | | | not be a default |
| | | provider. The security |
| | | mechanisms are specified |
- | | |            with the |
+ | | | with the |
| | | -mechanisms argument. |
- | | |    Arguments |
- | | |    MODULE |
- | | |            Give the security |
+ | | | Arguments |
+ | | | MODULE |
+ | | | Give the security |
| | | module to access. |
- | | |    MODULESPEC |
- | | |            Give the security |
+ | | | MODULESPEC |
+ | | | Give the security |
| | | module spec to load into the |
| | | security database. |
- | | |    -ciphers cipher-enable-list |
- | | |            Enable specific |
+ | | | -ciphers cipher-enable-list |
+ | | | Enable specific |
| | | ciphers in a module that is |
| | | being added to the |
- | | |            database. The |
+ | | | database. The |
| | | cipher-enable-list is a |
| | | colon-delimited list of |
- | | |            cipher names. |
+ | | | cipher names. |
| | | Enclose this list in quotation |
| | | marks if it contains |
- | | |            spaces. |
- | | |    -dbdir [sql:]directory |
- | | |            Specify the |
+ | | | spaces. |
+ | | | -dbdir [sql:]directory |
+ | | | Specify the |
| | | database directory in which to |
| | | access or create |
- | | |            security module |
+ | | | security module |
| | | database files. |
- | | |            modutil supports |
+ | | | modutil supports |
| | | two types of databases: the |
| | | legacy security |
- | | |            databases |
+ | | | databases |
| | | (cert8.db, key3.db, and |
| | | secmod.db) and new SQLite |
- | | |            databases |
+ | | | databases |
| | | (cert9.db, key4.db, and |
| | | pkcs11.txt). If the prefix |
| | | sql: |
- | | |            is not used, then |
+ | | | is not used, then |
| | | the tool assumes that the |
| | | given databases are in |
- | | |            the old format. |
- | | |    --dbprefix prefix |
- | | |            Specify the prefix |
+ | | | the old format. |
+ | | | --dbprefix prefix |
+ | | | Specify the prefix |
| | | used on the database files, |
| | | such as my\_ for |
- | | |            my_cert8.db. This |
+ | | | my_cert8.db. This |
| | | option is provided as a |
| | | special case. Changing |
- | | |            the names of the |
+ | | | the names of the |
| | | certificate and key databases |
| | | is not recommended. |
- | | |    -installdir |
+ | | | -installdir |
| | | root-installation-directory |
- | | |            Specify the root |
+ | | | Specify the root |
| | | installation directory |
| | | relative to which files |
- | | |            will be installed |
+ | | | will be installed |
| | | by the -jar option. This |
| | | directory should be one |
- | | |            below which it is |
+ | | | below which it is |
| | | appropriate to store dynamic |
| | | library files, such |
- | | |            as a server's root |
+ | | | as a server's root |
| | | directory. |
- | | |    -libfile library-file |
- | | |            Specify a path to a |
+ | | | -libfile library-file |
+ | | | Specify a path to a |
| | | library file containing the |
| | | implementation of |
- | | |            the PKCS #11 |
+ | | | the PKCS #11 |
| | | interface module that is being |
| | | added to the database. |
- | | |    -mechanisms mechanism-list |
- | | |            Specify the |
+ | | | -mechanisms mechanism-list |
+ | | | Specify the |
| | | security mechanisms for which |
| | | a particular module will |
- | | |            be flagged as a |
+ | | | be flagged as a |
| | | default provider. The |
| | | mechanism-list is a |
- | | |            colon-delimited |
+ | | | colon-delimited |
| | | list of mechanism names. |
| | | Enclose this list in |
- | | |            quotation marks if |
+ | | | quotation marks if |
| | | it contains spaces. |
- | | |            The module becomes |
+ | | | The module becomes |
| | | a default provider for the |
| | | listed mechanisms |
- | | |            when those |
+ | | | when those |
| | | mechanisms are enabled. If |
| | | more than one module claims |
- | | |            to be a particular |
+ | | | to be a particular |
| | | mechanism's default provider, |
| | | that mechanism's |
- | | |            default provider is |
+ | | | default provider is |
| | | undefined. |
- | | |            modutil supports |
+ | | | modutil supports |
| | | several mechanisms: RSA, DSA, |
| | | RC2, RC4, RC5, AES, |
- | | |            DES, DH, SHA1, |
+ | | | DES, DH, SHA1, |
| | | SHA256, SHA512, SSL, TLS, MD5, |
| | | MD2, RANDOM (for |
- | | |            random number |
+ | | | random number |
| | | generation), and FRIENDLY |
| | | (meaning certificates are |
- | | |            publicly readable). |
- | | |    -newpwfile |
+ | | | publicly readable). |
+ | | | -newpwfile |
| | | new-password-file |
- | | |            Specify a text file |
+ | | | Specify a text file |
| | | containing a token's new or |
| | | replacement |
- | | |            password so that a |
+ | | | password so that a |
| | | password can be entered |
| | | automatically with the |
- | | |            -changepw option. |
- | | |    -nocertdb |
- | | |            Do not open the |
+ | | | -changepw option. |
+ | | | -nocertdb |
+ | | | Do not open the |
| | | certificate or key databases. |
| | | This has several |
- | | |            effects: |
- | | |               o With the |
+ | | | effects: |
+ | | | o With the |
| | | -create command, only a module |
| | | security file is |
- | | |                 created; |
+ | | | created; |
| | | certificate and key databases |
| | | are not created. |
- | | |               o With the -jar |
+ | | | o With the -jar |
| | | command, signatures on the JAR |
| | | file are not |
- | | |                 checked. |
- | | |               o With the |
+ | | | checked. |
+ | | | o With the |
| | | -changepw command, the |
| | | password on the NSS internal |
- | | |                 module cannot |
+ | | | module cannot |
| | | be set or changed, since this |
| | | password is |
- | | |                 stored in the |
+ | | | stored in the |
| | | key database. |
- | | |    -pwfile old-password-file |
- | | |            Specify a text file |
+ | | | -pwfile old-password-file |
+ | | | Specify a text file |
| | | containing a token's existing |
| | | password so that |
- | | |            a password can be |
+ | | | a password can be |
| | | entered automatically when the |
| | | -changepw option |
- | | |            is used to change |
+ | | | is used to change |
| | | passwords. |
- | | |    -secmod secmodname |
- | | |            Give the name of |
+ | | | -secmod secmodname |
+ | | | Give the name of |
| | | the security module database |
| | | (like secmod.db) to |
- | | |            load. |
- | | |    -slot slotname |
- | | |            Specify a |
+ | | | load. |
+ | | | -slot slotname |
+ | | | Specify a |
| | | particular slot to be enabled |
| | | or disabled with the |
- | | |            -enable or -disable |
+ | | | -enable or -disable |
| | | options. |
- | | |    -string CONFIG_STRING |
- | | |            Pass a |
+ | | | -string CONFIG_STRING |
+ | | | Pass a |
| | | configuration string for the |
| | | module being added to the |
- | | |            database. |
- | | |    -tempdir |
+ | | | database. |
+ | | | -tempdir |
| | | temporary-directory |
- | | |            Give a directory |
+ | | | Give a directory |
| | | location where temporary files |
| | | are created during |
- | | |            the installation by |
+ | | | the installation by |
| | | the -jar option. If no |
| | | temporary directory is |
- | | |            specified, the |
+ | | | specified, the |
| | | current directory is used. |
| | | Usage and Examples |
- | | |    Creating Database Files |
- | | |    Before any operations can |
+ | | | Creating Database Files |
+ | | | Before any operations can |
| | | be performed, there must be a |
| | | set of security |
- | | |    databases available. |
+ | | | databases available. |
| | | modutil can be used to create |
| | | these files. The only |
- | | |    required argument is the |
+ | | | required argument is the |
| | | database that where the |
| | | databases will be |
- | | |    located. |
- | | |  modutil -create -dbdir |
+ | | | located. |
+ | | | modutil -create -dbdir |
| | | [sql:]directory |
- | | |    Adding a Cryptographic |
+ | | | Adding a Cryptographic |
| | | Module |
- | | |    Adding a PKCS #11 module |
+ | | | Adding a PKCS #11 module |
| | | means submitting a supporting |
| | | library file, |
- | | |    enabling its ciphers, and |
+ | | | enabling its ciphers, and |
| | | setting default provider |
| | | status for various |
- | | |    security mechanisms. This |
+ | | | security mechanisms. This |
| | | can be done by supplying all |
| | | of the information |
- | | |    through modutil directly or |
+ | | | through modutil directly or |
| | | by running a JAR file and |
| | | install script. For |
- | | |    the most basic case, simply |
+ | | | the most basic case, simply |
| | | upload the library: |
- | | |  modutil -add modulename |
+ | | | modutil -add modulename |
| | | -libfile library-file |
| | | [-ciphers cipher-enable-list] |
| | | [-mechanisms mechanism-list] |
- | | |    For example: |
- | | |  modutil -dbdir |
+ | | | For example: |
+ | | | modutil -dbdir |
| | | sql:/home/my/sharednssdb -add |
| | | "Example PKCS #11 Module" |
| | | -libfile "/tmp/crypto.so" |
| | | -mechanisms RSA:DSA:RC2:RANDOM |
- | | |  Using database directory ... |
- | | |  Module "Example PKCS #11 |
+ | | | Using database directory ... |
+ | | | Module "Example PKCS #11 |
| | | Module" added to database. |
- | | |    Installing a Cryptographic |
+ | | | Installing a Cryptographic |
| | | Module from a JAR File |
- | | |    PKCS #11 modules can also |
+ | | | PKCS #11 modules can also |
| | | be loaded using a JAR file, |
| | | which contains all |
- | | |    of the required libraries |
+ | | | of the required libraries |
| | | and an installation script |
| | | that describes how to |
- | | |    install the module. The JAR |
+ | | | install the module. The JAR |
| | | install script is described in |
| | | more detail in |
- | | |    [1]the section called “JAR |
+ | | | [1]the section called “JAR |
| | | Installation File Format”. |
- | | |    The JAR installation script |
+ | | | The JAR installation script |
| | | defines the setup information |
| | | for each |
- | | |    platform that the module |
+ | | | platform that the module |
| | | can be installed on. For |
| | | example: |
- | | |  Platforms { |
- | | |     Linux:5.4.08:x86 { |
- | | |        ModuleName { "Example |
+ | | | Platforms { |
+ | | | Linux:5.4.08:x86 { |
+ | | | ModuleName { "Example |
| | | PKCS #11 Module" } |
- | | |        ModuleFile { crypto.so |
+ | | | ModuleFile { crypto.so |
| | | } |
- | | |        |
+ | | | |
| | | DefaultMechanismFlags{0x0000} |
- | | |        |
+ | | | |
| | | CipherEnableFlags{0x0000} |
- | | |        Files { |
- | | |           crypto.so { |
- | | |              Path{ |
+ | | | Files { |
+ | | | crypto.so { |
+ | | | Path{ |
| | | /tmp/crypto.so } |
- | | |           } |
- | | |           setup.sh { |
- | | |              Executable |
- | | |              Path{ |
+ | | | } |
+ | | | setup.sh { |
+ | | | Executable |
+ | | | Path{ |
| | | /tmp/setup.sh } |
- | | |           } |
- | | |        } |
- | | |     } |
- | | |     Linux:6.0.0:x86 { |
- | | |        EquivalentPlatform { |
+ | | | } |
+ | | | } |
+ | | | } |
+ | | | Linux:6.0.0:x86 { |
+ | | | EquivalentPlatform { |
| | | Linux:5.4.08:x86 } |
- | | |     } |
- | | |  } |
- | | |    Both the install script and |
+ | | | } |
+ | | | } |
+ | | | Both the install script and |
| | | the required libraries must be |
| | | bundled in a |
- | | |    JAR file, which is |
+ | | | JAR file, which is |
| | | specified with the -jar |
| | | argument. |
- | | |  modutil -dbdir |
+ | | | modutil -dbdir |
| | | sql:/home/mt |
| | | "jar-install-filey/sharednssdb |
| | | -jar install.jar -installdir |
| | | sql:/home/my/sharednssdb |
- | | |  This installation JAR file |
+ | | | This installation JAR file |
| | | was signed by: |
- | | |  ---------------- |
+ | | | ---------------- |
| | | ------------------------------ |
- | | |  **SUBJECT NAME*\* |
- | | |  C=US, ST=California, |
+ | | | **SUBJECT NAME*\* |
+ | | | C=US, ST=California, |
| | | L=Mountain View, |
| | | CN=Cryptorific Inc., |
| | | OU=Digital ID |
- | | |  Class 3 - Netscape Object |
+ | | | Class 3 - Netscape Object |
| | | Signing, |
| | | OU="w |
| | | ww.verisign.com/repository/CPS |
- | | |  Incorp. by Ref.,LIAB.LTD(c)9 |
+ | | | Incorp. by Ref.,LIAB.LTD(c)9 |
| | | 6", OU=www.verisign.com/CPS |
| | | Incorp.by Ref |
- | | |  . LIABILITY LTD.(c)97 |
+ | | | . LIABILITY LTD.(c)97 |
| | | VeriSign, OU=VeriSign Object |
| | | Signing CA - Class 3 |
- | | |  Organization, OU="VeriSign, |
+ | | | Organization, OU="VeriSign, |
| | | Inc.", O=VeriSign Trust |
| | | Network \**ISSUER |
- | | |  NAME**, |
+ | | | NAME**, |
| | | OU=www.verisign.com/CPS |
| | | Incorp.by Ref. LIABILITY |
| | | LTD.(c)97 |
- | | |  VeriSign, OU=VeriSign Object |
+ | | | VeriSign, OU=VeriSign Object |
| | | Signing CA - Class 3 |
| | | Organization, |
- | | |  OU="VeriSign, Inc.", |
+ | | | OU="VeriSign, Inc.", |
| | | O=VeriSign Trust Network |
- | | |  ---------------- |
+ | | | ---------------- |
| | | ------------------------------ |
- | | |  Do you wish to continue this |
+ | | | Do you wish to continue this |
| | | installation? (y/n) y |
- | | |  Using installer script |
+ | | | Using installer script |
| | | "installer_script" |
- | | |  Successfully parsed |
+ | | | Successfully parsed |
| | | installation script |
- | | |  Current platform is |
+ | | | Current platform is |
| | | Linux:5.4.08:x86 |
- | | |  Using installation parameters |
+ | | | Using installation parameters |
| | | for platform Linux:5.4.08:x86 |
- | | |  Installed file crypto.so to |
+ | | | Installed file crypto.so to |
| | | /tmp/crypto.so |
- | | |  Installed file setup.sh to |
+ | | | Installed file setup.sh to |
| | | ./pk11inst.dir/setup.sh |
- | | |  Executing |
+ | | | Executing |
| | | "./pk11inst.dir/setup.sh"... |
- | | |  "./pk11inst.dir/setup.sh" |
+ | | | "./pk11inst.dir/setup.sh" |
| | | executed successfully |
- | | |  Installed module "Example |
+ | | | Installed module "Example |
| | | PKCS #11 Module" into module |
| | | database |
- | | |  Installation completed |
+ | | | Installation completed |
| | | successfully |
- | | |    Adding Module Spec |
- | | |    Each module has information |
+ | | | Adding Module Spec |
+ | | | Each module has information |
| | | stored in the security |
| | | database about its |
- | | |    configuration and |
+ | | | configuration and |
| | | parameters. These can be added |
| | | or edited using the |
- | | |    -rawadd command. For the |
+ | | | -rawadd command. For the |
| | | current settings or to see the |
| | | format of the |
- | | |    module spec in the |
+ | | | module spec in the |
| | | database, use the -rawlist |
| | | option. |
- | | |  modutil -rawadd modulespec |
- | | |    Deleting a Module |
- | | |    A specific PKCS #11 module |
+ | | | modutil -rawadd modulespec |
+ | | | Deleting a Module |
+ | | | A specific PKCS #11 module |
| | | can be deleted from the |
| | | secmod.db database: |
- | | |  modutil -delete modulename |
+ | | | modutil -delete modulename |
| | | -dbdir [sql:]directory |
- | | |    Displaying Module |
+ | | | Displaying Module |
| | | Information |
- | | |    The secmod.db database |
+ | | | The secmod.db database |
| | | contains information about the |
| | | PKCS #11 modules |
- | | |    that are available to an |
+ | | | that are available to an |
| | | application or server to use. |
| | | The list of all |
- | | |    modules, information about |
+ | | | modules, information about |
| | | specific modules, and database |
| | | configuration |
- | | |    specs for modules can all |
+ | | | specs for modules can all |
| | | be viewed. |
- | | |    To simply get a list of |
+ | | | To simply get a list of |
| | | modules in the database, use |
| | | the -list command. |
- | | |  modutil -list [modulename] |
+ | | | modutil -list [modulename] |
| | | -dbdir [sql:]directory |
- | | |    Listing the modules shows |
+ | | | Listing the modules shows |
| | | the module name, their status, |
| | | and other |
- | | |    associated security |
+ | | | associated security |
| | | databases for certificates and |
| | | keys. For example: |
- | | |  modutil -list -dbdir |
+ | | | modutil -list -dbdir |
| | | sql:/home/my/sharednssdb |
- | | |  Listing of PKCS #11 Modules |
- | | |  ----------------------------- |
+ | | | Listing of PKCS #11 Modules |
+ | | | ----------------------------- |
| | | ------------------------------ |
- | | |    1. NSS Internal PKCS #11 |
+ | | | 1. NSS Internal PKCS #11 |
| | | Module |
- | | |           slots: 2 slots |
+ | | | slots: 2 slots |
| | | attached |
- | | |          status: loaded |
- | | |           slot: NSS Internal |
+ | | | status: loaded |
+ | | | slot: NSS Internal |
| | | Cryptographic Services |
- | | |          token: NSS Generic |
+ | | | token: NSS Generic |
| | | Crypto Services |
- | | |           slot: NSS User |
+ | | | slot: NSS User |
| | | Private Key and Certificate |
| | | Services |
- | | |          token: NSS |
+ | | | token: NSS |
| | | Certificate DB |
- | | |  ----------------------------- |
+ | | | ----------------------------- |
| | | ------------------------------ |
- | | |    Passing a specific module |
+ | | | Passing a specific module |
| | | name with the -list returns |
| | | details information |
- | | |    about the module itself, |
+ | | | about the module itself, |
| | | like supported cipher |
| | | mechanisms, version |
- | | |    numbers, serial numbers, |
+ | | | numbers, serial numbers, |
| | | and other information about |
| | | the module and the |
- | | |    token it is loaded on. For |
+ | | | token it is loaded on. For |
| | | example: |
- | | |   modutil -list "NSS Internal |
+ | | | modutil -list "NSS Internal |
| | | PKCS #11 Module" -dbdir |
| | | sql:/home/my/sharednssdb |
- | | |  ----------------------------- |
+ | | | ----------------------------- |
| | | ------------------------------ |
- | | |  Name: NSS Internal PKCS #11 |
+ | | | Name: NSS Internal PKCS #11 |
| | | Module |
- | | |  Library file: \**Internal |
+ | | | Library file: \**Internal |
| | | ONLY module*\* |
- | | |  Manufacturer: Mozilla |
+ | | | Manufacturer: Mozilla |
| | | Foundation |
- | | |  Description: NSS Internal |
+ | | | Description: NSS Internal |
| | | Crypto Services |
- | | |  PKCS #11 Version 2.20 |
- | | |  Library Version: 3.11 |
- | | |  Cipher Enable Flags: None |
- | | |  Default Mechanism Flags: |
+ | | | PKCS #11 Version 2.20 |
+ | | | Library Version: 3.11 |
+ | | | Cipher Enable Flags: None |
+ | | | Default Mechanism Flags: |
| | | RSA:RC2:RC4:D |
| | | ES:DH:SHA1:MD5:MD2:SSL:TLS:AES |
- | | |    Slot: NSS Internal |
+ | | | Slot: NSS Internal |
| | | Cryptographic Services |
- | | |    Slot Mechanism Flags: |
+ | | | Slot Mechanism Flags: |
| | | RSA:RC2:RC4:D |
| | | ES:DH:SHA1:MD5:MD2:SSL:TLS:AES |
- | | |    Manufacturer: Mozilla |
+ | | | Manufacturer: Mozilla |
| | | Foundation |
- | | |    Type: Software |
- | | |    Version Number: 3.11 |
- | | |    Firmware Version: 0.0 |
- | | |    Status: Enabled |
- | | |    Token Name: NSS Generic |
+ | | | Type: Software |
+ | | | Version Number: 3.11 |
+ | | | Firmware Version: 0.0 |
+ | | | Status: Enabled |
+ | | | Token Name: NSS Generic |
| | | Crypto Services |
- | | |    Token Manufacturer: Mozilla |
+ | | | Token Manufacturer: Mozilla |
| | | Foundation |
- | | |    Token Model: NSS 3 |
- | | |    Token Serial Number: |
+ | | | Token Model: NSS 3 |
+ | | | Token Serial Number: |
| | | 0000000000000000 |
- | | |    Token Version: 4.0 |
- | | |    Token Firmware Version: 0.0 |
- | | |    Access: Write Protected |
- | | |    Login Type: Public (no |
+ | | | Token Version: 4.0 |
+ | | | Token Firmware Version: 0.0 |
+ | | | Access: Write Protected |
+ | | | Login Type: Public (no |
| | | login required) |
- | | |    User Pin: NOT Initialized |
- | | |    Slot: NSS User Private Key |
+ | | | User Pin: NOT Initialized |
+ | | | Slot: NSS User Private Key |
| | | and Certificate Services |
- | | |    Slot Mechanism Flags: None |
- | | |    Manufacturer: Mozilla |
+ | | | Slot Mechanism Flags: None |
+ | | | Manufacturer: Mozilla |
| | | Foundation |
- | | |    Type: Software |
- | | |    Version Number: 3.11 |
- | | |    Firmware Version: 0.0 |
- | | |    Status: Enabled |
- | | |    Token Name: NSS Certificate |
+ | | | Type: Software |
+ | | | Version Number: 3.11 |
+ | | | Firmware Version: 0.0 |
+ | | | Status: Enabled |
+ | | | Token Name: NSS Certificate |
| | | DB |
- | | |    Token Manufacturer: Mozilla |
+ | | | Token Manufacturer: Mozilla |
| | | Foundation |
- | | |    Token Model: NSS 3 |
- | | |    Token Serial Number: |
+ | | | Token Model: NSS 3 |
+ | | | Token Serial Number: |
| | | 0000000000000000 |
- | | |    Token Version: 8.3 |
- | | |    Token Firmware Version: 0.0 |
- | | |    Access: NOT Write Protected |
- | | |    Login Type: Login required |
- | | |    User Pin: Initialized |
- | | |    A related command, -rawlist |
+ | | | Token Version: 8.3 |
+ | | | Token Firmware Version: 0.0 |
+ | | | Access: NOT Write Protected |
+ | | | Login Type: Login required |
+ | | | User Pin: Initialized |
+ | | | A related command, -rawlist |
| | | returns information about the |
| | | database |
- | | |    configuration for the |
+ | | | configuration for the |
| | | modules. (This information can |
| | | be edited by loading |
- | | |    new specs using the -rawadd |
+ | | | new specs using the -rawadd |
| | | command.) |
- | | |   modutil -rawlist -dbdir |
+ | | | modutil -rawlist -dbdir |
| | | sql:/home/my/sharednssdb |
- | | |   name="NSS Internal PKCS #11 |
+ | | | name="NSS Internal PKCS #11 |
| | | Module" |
| | | parameters="configdir=. |
| | | certPrefix= keyPrefix= |
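Review bot: stripping leading whitespace in this hunk destroys the structure of the preformatted man-page text held in these table cells, so the normalisation should be limited to trailing whitespace (or the cells should become literal blocks) rather than removing indentation. In the `-` lines the indentation is what separates the `o` bullet items under the `-nocertdb` description from the surrounding prose, separates option headings such as `-pwfile old-password-file` from their explanations, and separates section headings such as `Creating Database Files` from body text and from the `modutil ...` command lines that follow them. Worst hit is the JAR install-script example: after the `+` lines, `Platforms {`, `Linux:5.4.08:x86 {`, `Files {`, `crypto.so {`, `setup.sh {` and all six closing braces sit at the same column, so a reader can no longer tell which `}` closes which block, and the `modutil -list` output loses the column alignment of `slots:`/`status:` and `slot:`/`token:`. While this region is being rewritten line by line, the unchanged example `modutil -dbdir sql:/home/mt "jar-install-filey/sharednssdb -jar install.jar -installdir sql:/home/my/sharednssdb` has the placeholder `"jar-install-file` spliced into the middle of the database path and an unbalanced quote; it is pre-existing, but this would be the moment to fix it to `-dbdir sql:/home/my/sharednssdb`, matching the path used in the other examples in this cell.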
@@ -7739,675 +7739,675 @@ Index
| | | slotParams={0x00000001=[ |
| | | slotFlags=RSA,RC4,RC2,DES,DH,S |
| | | HA1,MD5,MD2,SSL,TLS,AES,RANDOM |
- | | | askpw=any timeout=30 ] }  |
+ | | | askpw=any timeout=30 ] } |
| | | Flags=internal,critical" |
- | | |    Setting a Default Provider |
+ | | | Setting a Default Provider |
| | | for Security Mechanisms |
- | | |    Multiple security modules |
+ | | | Multiple security modules |
| | | may provide support for the |
| | | same security |
- | | |    mechanisms. It is possible |
+ | | | mechanisms. It is possible |
| | | to set a specific security |
| | | module as the |
- | | |    default provider for a |
+ | | | default provider for a |
| | | specific security mechanism |
| | | (or, conversely, to |
- | | |    prohibit a provider from |
+ | | | prohibit a provider from |
| | | supplying those mechanisms). |
- | | |  modutil -default modulename |
+ | | | modutil -default modulename |
| | | -mechanisms mechanism-list |
- | | |    To set a module as the |
+ | | | To set a module as the |
| | | default provider for |
| | | mechanisms, use the -default |
- | | |    command with a |
+ | | | command with a |
| | | colon-separated list of |
| | | mechanisms. The available |
- | | |    mechanisms depend on the |
+ | | | mechanisms depend on the |
| | | module; NSS supplies almost |
| | | all common |
- | | |    mechanisms. For example: |
- | | |  modutil -default "NSS |
+ | | | mechanisms. For example: |
+ | | | modutil -default "NSS |
| | | Internal PKCS #11 Module" |
| | | -dbdir -mechanisms RSA:DSA:RC2 |
- | | |  Using database directory |
+ | | | Using database directory |
| | | c:\databases... |
- | | |  Successfully changed |
+ | | | Successfully changed |
| | | defaults. |
- | | |    Clearing the default |
+ | | | Clearing the default |
| | | provider has the same format: |
- | | |  modutil -undefault "NSS |
+ | | | modutil -undefault "NSS |
| | | Internal PKCS #11 Module" |
| | | -dbdir -mechanisms MD2:MD5 |
- | | |    Enabling and Disabling |
+ | | | Enabling and Disabling |
| | | Modules and Slots |
- | | |    Modules, and specific slots |
+ | | | Modules, and specific slots |
| | | on modules, can be selectively |
| | | enabled or |
- | | |    disabled using modutil. |
+ | | | disabled using modutil. |
| | | Both commands have the same |
| | | format: |
- | | |  modutil -enable|-disable |
+ | | | modutil -enable|-disable |
| | | modulename [-slot slotname] |
- | | |    For example: |
- | | |  modutil -enable "NSS Internal |
+ | | | For example: |
+ | | | modutil -enable "NSS Internal |
| | | PKCS #11 Module" -slot "NSS |
| | | Internal Cryptographic |
| | | Servi |
- | | | ces                            |
+ | | | ces |
| | | " -dbdir . |
- | | |  Slot "NSS Internal |
+ | | | Slot "NSS Internal |
| | | Cryptographic |
| | | Servi |
- | | | ces                            |
+ | | | ces |
| | | " enabled. |
- | | |    Be sure that the |
+ | | | Be sure that the |
| | | appropriate amount of trailing |
| | | whitespace is after the |
- | | |    slot name. Some slot names |
+ | | | slot name. Some slot names |
| | | have a significant amount of |
| | | whitespace that |
- | | |    must be included, or the |
+ | | | must be included, or the |
| | | operation will fail. |
- | | |    Enabling and Verifying FIPS |
+ | | | Enabling and Verifying FIPS |
| | | Compliance |
- | | |    The NSS modules can have |
+ | | | The NSS modules can have |
| | | FIPS 140-2 compliance enabled |
| | | or disabled using |
- | | |    modutil with the -fips |
+ | | | modutil with the -fips |
| | | option. For example: |
- | | |  modutil -fips true -dbdir |
+ | | | modutil -fips true -dbdir |
| | | sql:/home/my/sharednssdb/ |
- | | |  FIPS mode enabled. |
- | | |    To verify that status of |
+ | | | FIPS mode enabled. |
+ | | | To verify that status of |
| | | FIPS mode, run the -chkfips |
| | | command with either a |
- | | |    true or false flag (it |
+ | | | true or false flag (it |
| | | doesn't matter which). The |
| | | tool returns the current |
- | | |    FIPS setting. |
- | | |  modutil -chkfips false -dbdir |
+ | | | FIPS setting. |
+ | | | modutil -chkfips false -dbdir |
| | | sql:/home/my/sharednssdb/ |
- | | |  FIPS mode enabled. |
- | | |    Changing the Password on a |
+ | | | FIPS mode enabled. |
+ | | | Changing the Password on a |
| | | Token |
- | | |    Initializing or changing a |
+ | | | Initializing or changing a |
| | | token's password: |
- | | |  modutil -changepw tokenname |
+ | | | modutil -changepw tokenname |
| | | [-pwfile old-password-file] |
| | | [-newpwfile new-password-file] |
- | | |  modutil -dbdir |
+ | | | modutil -dbdir |
| | | sql:/home/my/sharednssdb |
| | | -changepw "NSS Certificate DB" |
- | | |  Enter old password: |
- | | |  Incorrect password, try |
+ | | | Enter old password: |
+ | | | Incorrect password, try |
| | | again... |
- | | |  Enter old password: |
- | | |  Enter new password: |
- | | |  Re-enter new password: |
- | | |  Token "Communicator |
+ | | | Enter old password: |
+ | | | Enter new password: |
+ | | | Re-enter new password: |
+ | | | Token "Communicator |
| | | Certificate DB" password |
| | | changed successfully. |
| | | JAR Installation File Format |
- | | |    When a JAR file is run by a |
+ | | | When a JAR file is run by a |
| | | server, by modutil, or by any |
| | | program that |
- | | |    does not interpret |
+ | | | does not interpret |
| | | JavaScript, a special |
| | | information file must be |
| | | included |
- | | |    to install the libraries. |
+ | | | to install the libraries. |
| | | There are several things to |
| | | keep in mind with |
- | | |    this file: |
- | | |      o It must be declared in |
+ | | | this file: |
+ | | | o It must be declared in |
| | | the JAR archive's manifest |
| | | file. |
- | | |      o The script can have any |
+ | | | o The script can have any |
| | | name. |
- | | |      o The metainfo tag for |
+ | | | o The metainfo tag for |
| | | this is Pkcs11_install_script. |
| | | To declare |
- | | |        meta-information in the |
+ | | | meta-information in the |
| | | manifest file, put it in a |
| | | file that is passed |
- | | |        to signtool. |
- | | |    Sample Script |
- | | |    For example, the PKCS #11 |
+ | | | to signtool. |
+ | | | Sample Script |
+ | | | For example, the PKCS #11 |
| | | installer script could be in |
| | | the file |
- | | |    pk11install. If so, the |
+ | | | pk11install. If so, the |
| | | metainfo file for signtool |
| | | includes a line such as |
- | | |    this: |
- | | |  + Pkcs11_install_script: |
+ | | | this: |
+ | | | + Pkcs11_install_script: |
| | | pk11install |
- | | |    The script must define the |
+ | | | The script must define the |
| | | platform and version number, |
| | | the module name |
- | | |    and file, and any optional |
+ | | | and file, and any optional |
| | | information like supported |
| | | ciphers and |
- | | |    mechanisms. Multiple |
+ | | | mechanisms. Multiple |
| | | platforms can be defined in a |
| | | single install file. |
- | | |  ForwardCompatible { |
+ | | | ForwardCompatible { |
| | | IRIX:6.2:mips |
| | | SUNOS:5.5.1:sparc } |
- | | |  Platforms { |
- | | |     WINNT::x86 { |
- | | |        ModuleName { "Example |
+ | | | Platforms { |
+ | | | WINNT::x86 { |
+ | | | ModuleName { "Example |
| | | Module" } |
- | | |        ModuleFile { |
+ | | | ModuleFile { |
| | | win32/fort32.dll } |
- | | |        |
+ | | | |
| | | DefaultMechanismFlags{0x0001} |
- | | |        |
+ | | | |
| | | DefaultCipherFlags{0x0001} |
- | | |        Files { |
- | | |           win32/setup.exe { |
- | | |              Executable |
- | | |              RelativePath { |
+ | | | Files { |
+ | | | win32/setup.exe { |
+ | | | Executable |
+ | | | RelativePath { |
| | | %temp%/setup.exe } |
- | | |           } |
- | | |           win32/setup.hlp { |
- | | |              RelativePath { |
+ | | | } |
+ | | | win32/setup.hlp { |
+ | | | RelativePath { |
| | | %temp%/setup.hlp } |
- | | |           } |
- | | |           win32/setup.cab { |
- | | |              RelativePath { |
+ | | | } |
+ | | | win32/setup.cab { |
+ | | | RelativePath { |
| | | %temp%/setup.cab } |
- | | |           } |
- | | |        } |
- | | |     } |
- | | |     WIN95::x86 { |
- | | |        EquivalentPlatform |
+ | | | } |
+ | | | } |
+ | | | } |
+ | | | WIN95::x86 { |
+ | | | EquivalentPlatform |
| | | {WINNT::x86} |
- | | |     } |
- | | |     SUNOS:5.5.1:sparc { |
- | | |        ModuleName { "Example |
+ | | | } |
+ | | | SUNOS:5.5.1:sparc { |
+ | | | ModuleName { "Example |
| | | UNIX Module" } |
- | | |        ModuleFile { |
+ | | | ModuleFile { |
| | | unix/fort.so } |
- | | |        |
+ | | | |
| | | DefaultMechanismFlags{0x0001} |
- | | |        |
+ | | | |
| | | CipherEnableFlags{0x0001} |
- | | |        Files { |
- | | |           unix/fort.so { |
- | | |              |
+ | | | Files { |
+ | | | unix/fort.so { |
+ | | | |
| | | Re |
| | | lativePath{%root%/lib/fort.so} |
- | | |              |
+ | | | |
| | | AbsolutePath{/u |
| | | sr/local/netscape/lib/fort.so} |
- | | |              |
+ | | | |
| | | FilePermissions{555} |
- | | |           } |
- | | |           xplat/instr.html { |
- | | |              |
+ | | | } |
+ | | | xplat/instr.html { |
+ | | | |
| | | Relat |
| | | ivePath{%root%/docs/inst.html} |
- | | |              |
+ | | | |
| | | AbsolutePath{/usr/ |
| | | local/netscape/docs/inst.html} |
- | | |              |
+ | | | |
| | | FilePermissions{555} |
- | | |           } |
- | | |        } |
- | | |     } |
- | | |     IRIX:6.2:mips { |
- | | |        EquivalentPlatform { |
+ | | | } |
+ | | | } |
+ | | | } |
+ | | | IRIX:6.2:mips { |
+ | | | EquivalentPlatform { |
| | | SUNOS:5.5.1:sparc } |
- | | |     } |
- | | |  } |
- | | |    Script Grammar |
- | | |    The script is basic Java, |
+ | | | } |
+ | | | } |
+ | | | Script Grammar |
+ | | | The script is basic Java, |
| | | allowing lists, key-value |
| | | pairs, strings, and |
- | | |    combinations of all of |
+ | | | combinations of all of |
| | | them. |
- | | |  --> valuelist |
- | | |  valuelist --> value valuelist |
- | | |                 <null> |
- | | |  value ---> key_value_pair |
- | | |              string |
- | | |  key_value_pair --> key { |
+ | | | --> valuelist |
+ | | | valuelist --> value valuelist |
+ | | | <null> |
+ | | | value ---> key_value_pair |
+ | | | string |
+ | | | key_value_pair --> key { |
| | | valuelist } |
- | | |  key --> string |
- | | |  string --> simple_string |
- | | |              "complex_string" |
- | | |  simple_string --> [^ |
+ | | | key --> string |
+ | | | string --> simple_string |
+ | | | "complex_string" |
+ | | | simple_string --> [^ |
| | | \\t\n\""{""}"]+ |
- | | |  complex_string --> |
+ | | | complex_string --> |
| | | ([^\"\\\r\n]|(\\\")|(\\\\))+ |
- | | |    Quotes and backslashes must |
+ | | | Quotes and backslashes must |
| | | be escaped with a backslash. A |
| | | complex string |
- | | |    must not include newlines |
+ | | | must not include newlines |
| | | or carriage returns.Outside of |
| | | complex strings, |
- | | |    all white space (for |
+ | | | all white space (for |
| | | example, spaces, tabs, and |
| | | carriage returns) is |
- | | |    considered equal and is |
+ | | | considered equal and is |
| | | used only to delimit tokens. |
- | | |    Keys |
- | | |    The Java install file uses |
+ | | | Keys |
+ | | | The Java install file uses |
| | | keys to define the platform |
| | | and module |
- | | |    information. |
- | | |    ForwardCompatible gives a |
+ | | | information. |
+ | | | ForwardCompatible gives a |
| | | list of platforms that are |
| | | forward compatible. |
- | | |    If the current platform |
+ | | | If the current platform |
| | | cannot be found in the list of |
| | | supported |
- | | |    platforms, then the |
+ | | | platforms, then the |
| | | ForwardCompatible list is |
| | | checked for any platforms |
- | | |    that have the same OS and |
+ | | | that have the same OS and |
| | | architecture in an earlier |
| | | version. If one is |
- | | |    found, its attributes are |
+ | | | found, its attributes are |
| | | used for the current platform. |
- | | |    Platforms (required) Gives |
+ | | | Platforms (required) Gives |
| | | a list of platforms. Each |
| | | entry in the list is |
- | | |    itself a key-value pair: |
+ | | | itself a key-value pair: |
| | | the key is the name of the |
| | | platform and the value |
- | | |    list contains various |
+ | | | list contains various |
| | | attributes of the platform. |
| | | The platform string is |
- | | |    in the format system |
+ | | | in the format system |
| | | name:OS release:architecture. |
| | | The installer obtains |
- | | |    these values from NSPR. OS |
+ | | | these values from NSPR. OS |
| | | release is an empty string on |
| | | non-Unix |
- | | |    operating systems. NSPR |
+ | | | operating systems. NSPR |
| | | supports these platforms: |
- | | |      o AIX (rs6000) |
- | | |      o BSDI (x86) |
- | | |      o FREEBSD (x86) |
- | | |      o HPUX (hppa1.1) |
- | | |      o IRIX (mips) |
- | | |      o LINUX (ppc, alpha, x86) |
- | | |      o MacOS (PowerPC) |
- | | |      o NCR (x86) |
- | | |      o NEC (mips) |
- | | |      o OS2 (x86) |
- | | |      o OSF (alpha) |
- | | |      o ReliantUNIX (mips) |
- | | |      o SCO (x86) |
- | | |      o SOLARIS (sparc) |
- | | |      o SONY (mips) |
- | | |      o SUNOS (sparc) |
- | | |      o UnixWare (x86) |
- | | |      o WIN16 (x86) |
- | | |      o WIN95 (x86) |
- | | |      o WINNT (x86) |
- | | |    For example: |
- | | |  IRIX:6.2:mips |
- | | |  SUNOS:5.5.1:sparc |
- | | |  Linux:2.0.32:x86 |
- | | |  WIN95::x86 |
- | | |    The module information is |
+ | | | o AIX (rs6000) |
+ | | | o BSDI (x86) |
+ | | | o FREEBSD (x86) |
+ | | | o HPUX (hppa1.1) |
+ | | | o IRIX (mips) |
+ | | | o LINUX (ppc, alpha, x86) |
+ | | | o MacOS (PowerPC) |
+ | | | o NCR (x86) |
+ | | | o NEC (mips) |
+ | | | o OS2 (x86) |
+ | | | o OSF (alpha) |
+ | | | o ReliantUNIX (mips) |
+ | | | o SCO (x86) |
+ | | | o SOLARIS (sparc) |
+ | | | o SONY (mips) |
+ | | | o SUNOS (sparc) |
+ | | | o UnixWare (x86) |
+ | | | o WIN16 (x86) |
+ | | | o WIN95 (x86) |
+ | | | o WINNT (x86) |
+ | | | For example: |
+ | | | IRIX:6.2:mips |
+ | | | SUNOS:5.5.1:sparc |
+ | | | Linux:2.0.32:x86 |
+ | | | WIN95::x86 |
+ | | | The module information is |
| | | defined independently for each |
| | | platform in the |
- | | |    ModuleName, ModuleFile, and |
+ | | | ModuleName, ModuleFile, and |
| | | Files attributes. These |
| | | attributes must be |
- | | |    given unless an |
+ | | | given unless an |
| | | EquivalentPlatform attribute |
| | | is specified. |
- | | |    Per-Platform Keys |
- | | |    Per-platform keys have |
+ | | | Per-Platform Keys |
+ | | | Per-platform keys have |
| | | meaning only within the value |
| | | list of an entry in |
- | | |    the Platforms list. |
- | | |    ModuleName (required) gives |
+ | | | the Platforms list. |
+ | | | ModuleName (required) gives |
| | | the common name for the |
| | | module. This name is |
- | | |    used to reference the |
+ | | | used to reference the |
| | | module by servers and by the |
| | | modutil tool. |
- | | |    ModuleFile (required) names |
+ | | | ModuleFile (required) names |
| | | the PKCS #11 module file for |
| | | this platform. |
- | | |    The name is given as the |
+ | | | The name is given as the |
| | | relative path of the file |
| | | within the JAR archive. |
- | | |    Files (required) lists the |
+ | | | Files (required) lists the |
| | | files that need to be |
| | | installed for this |
- | | |    module. Each entry in the |
+ | | | module. Each entry in the |
| | | file list is a key-value pair. |
| | | The key is the |
- | | |    path of the file in the JAR |
+ | | | path of the file in the JAR |
| | | archive, and the value list |
| | | contains |
- | | |    attributes of the file. At |
+ | | | attributes of the file. At |
| | | least RelativePath or |
| | | AbsolutePath must be |
- | | |    specified for each file. |
- | | |    DefaultMechanismFlags |
+ | | | specified for each file. |
+ | | | DefaultMechanismFlags |
| | | specifies mechanisms for which |
| | | this module is the |
- | | |    default provider; this is |
+ | | | default provider; this is |
| | | equivalent to the -mechanism |
| | | option with the |
- | | |    -add command. This |
+ | | | -add command. This |
| | | key-value pair is a bitstring |
| | | specified in hexadecimal |
- | | |    (0x) format. It is |
+ | | | (0x) format. It is |
| | | constructed as a bitwise OR. |
| | | If the |
- | | |    DefaultMechanismFlags entry |
+ | | | DefaultMechanismFlags entry |
| | | is omitted, the value defaults |
| | | to 0x0. |
- | | |  RSA:                   |
+ | | | RSA: |
| | | 0x00000001 |
- | | |  DSA:                   |
+ | | | DSA: |
| | | 0x00000002 |
- | | |  RC2:                   |
+ | | | RC2: |
| | | 0x00000004 |
- | | |  RC4:                   |
+ | | | RC4: |
| | | 0x00000008 |
- | | |  DES:                   |
+ | | | DES: |
| | | 0x00000010 |
- | | |  DH:                    |
+ | | | DH: |
| | | 0x00000020 |
- | | |  FORTEZZA:              |
+ | | | FORTEZZA: |
| | | 0x00000040 |
- | | |  RC5:                   |
+ | | | RC5: |
| | | 0x00000080 |
- | | |  SHA1:                  |
+ | | | SHA1: |
| | | 0x00000100 |
- | | |  MD5:                   |
+ | | | MD5: |
| | | 0x00000200 |
- | | |  MD2:                   |
+ | | | MD2: |
| | | 0x00000400 |
- | | |  RANDOM:                |
+ | | | RANDOM: |
| | | 0x08000000 |
- | | |  FRIENDLY:              |
+ | | | FRIENDLY: |
| | | 0x10000000 |
- | | |  OWN_PW_DEFAULTS:       |
+ | | | OWN_PW_DEFAULTS: |
| | | 0x20000000 |
- | | |  DISABLE:               |
+ | | | DISABLE: |
| | | 0x40000000 |
- | | |    CipherEnableFlags specifies |
+ | | | CipherEnableFlags specifies |
| | | ciphers that this module |
| | | provides that NSS |
- | | |    does not provide (so that |
+ | | | does not provide (so that |
| | | the module enables those |
| | | ciphers for NSS). This |
- | | |    is equivalent to the |
+ | | | is equivalent to the |
| | | -cipher argument with the -add |
| | | command. This key is a |
- | | |    bitstring specified in |
+ | | | bitstring specified in |
| | | hexadecimal (0x) format. It is |
| | | constructed as a |
- | | |    bitwise OR. If the |
+ | | | bitwise OR. If the |
| | | CipherEnableFlags entry is |
| | | omitted, the value defaults |
- | | |    to 0x0. |
- | | |    EquivalentPlatform |
+ | | | to 0x0. |
+ | | | EquivalentPlatform |
| | | specifies that the attributes |
| | | of the named platform |
- | | |    should also be used for the |
+ | | | should also be used for the |
| | | current platform. This makes |
| | | it easier when |
- | | |    more than one platform uses |
+ | | | more than one platform uses |
| | | the same settings. |
- | | |    Per-File Keys |
- | | |    Some keys have meaning only |
+ | | | Per-File Keys |
+ | | | Some keys have meaning only |
| | | within the value list of an |
| | | entry in a Files |
- | | |    list. |
- | | |    Each file requires a path |
+ | | | list. |
+ | | | Each file requires a path |
| | | key the identifies where the |
| | | file is. Either |
- | | |    RelativePath or |
+ | | | RelativePath or |
| | | AbsolutePath must be |
| | | specified. If both are |
| | | specified, the |
- | | |    relative path is tried |
+ | | | relative path is tried |
| | | first, and the absolute path |
| | | is used only if no |
- | | |    relative root directory is |
+ | | | relative root directory is |
| | | provided by the installer |
| | | program. |
- | | |    RelativePath specifies the |
+ | | | RelativePath specifies the |
| | | destination directory of the |
| | | file, relative to |
- | | |    some directory decided at |
+ | | | some directory decided at |
| | | install time. Two variables |
| | | can be used in the |
- | | |    relative path: %root% and |
+ | | | relative path: %root% and |
| | | %temp%. %root% is replaced at |
| | | run time with the |
- | | |    directory relative to which |
+ | | | directory relative to which |
| | | files should be installed; for |
| | | example, it may |
- | | |    be the server's root |
+ | | | be the server's root |
| | | directory. The %temp% |
| | | directory is created at the |
- | | |    beginning of the |
+ | | | beginning of the |
| | | installation and destroyed at |
| | | the end. The purpose of |
- | | |    %temp% is to hold |
+ | | | %temp% is to hold |
| | | executable files (such as |
| | | setup programs) or files that |
- | | |    are used by these programs. |
+ | | | are used by these programs. |
| | | Files destined for the |
| | | temporary directory are |
- | | |    guaranteed to be in place |
+ | | | guaranteed to be in place |
| | | before any executable file is |
| | | run; they are not |
- | | |    deleted until all |
+ | | | deleted until all |
| | | executable files have |
| | | finished. |
- | | |    AbsolutePath specifies the |
+ | | | AbsolutePath specifies the |
| | | destination directory of the |
| | | file as an |
- | | |    absolute path. |
- | | |    Executable specifies that |
+ | | | absolute path. |
+ | | | Executable specifies that |
| | | the file is to be executed |
| | | during the course of |
- | | |    the installation. |
+ | | | the installation. |
| | | Typically, this string is used |
| | | for a setup program |
- | | |    provided by a module |
+ | | | provided by a module |
| | | vendor, such as a |
| | | self-extracting setup |
| | | executable. |
- | | |    More than one file can be |
+ | | | More than one file can be |
| | | specified as executable, in |
| | | which case the files |
- | | |    are run in the order in |
+ | | | are run in the order in |
| | | which they are specified in |
| | | the script file. |
- | | |    FilePermissions sets |
+ | | | FilePermissions sets |
| | | permissions on any referenced |
| | | files in a string of |
- | | |    octal digits, according to |
+ | | | octal digits, according to |
| | | the standard Unix format. This |
| | | string is a |
- | | |    bitwise OR. |
- | | |  user read:                |
+ | | | bitwise OR. |
+ | | | user read: |
| | | 0400 |
- | | |  user write:               |
+ | | | user write: |
| | | 0200 |
- | | |  user execute:             |
+ | | | user execute: |
| | | 0100 |
- | | |  group read:               |
+ | | | group read: |
| | | 0040 |
- | | |  group write:              |
+ | | | group write: |
| | | 0020 |
- | | |  group execute:            |
+ | | | group execute: |
| | | 0010 |
- | | |  other read:               |
+ | | | other read: |
| | | 0004 |
- | | |  other write:              |
+ | | | other write: |
| | | 0002 |
- | | |  other execute:       0001 |
- | | |    Some platforms may not |
+ | | | other execute: 0001 |
+ | | | Some platforms may not |
| | | understand these permissions. |
| | | They are applied only |
- | | |    insofar as they make sense |
+ | | | insofar as they make sense |
| | | for the current platform. If |
| | | this attribute is |
- | | |    omitted, a default of 777 |
+ | | | omitted, a default of 777 |
| | | is assumed. |
| | | NSS Database Types |
- | | |    NSS originally used |
+ | | | NSS originally used |
| | | BerkeleyDB databases to store |
| | | security information. |
- | | |    The last versions of these |
+ | | | The last versions of these |
| | | legacy databases are: |
- | | |      o cert8.db for |
+ | | | o cert8.db for |
| | | certificates |
- | | |      o key3.db for keys |
- | | |      o secmod.db for PKCS #11 |
+ | | | o key3.db for keys |
+ | | | o secmod.db for PKCS #11 |
| | | module information |
- | | |    BerkeleyDB has performance |
+ | | | BerkeleyDB has performance |
| | | limitations, though, which |
| | | prevent it from |
- | | |    being easily used by |
+ | | | being easily used by |
| | | multiple applications |
| | | simultaneously. NSS has some |
- | | |    flexibility that allows |
+ | | | flexibility that allows |
| | | applications to use their own, |
| | | independent |
- | | |    database engine while |
+ | | | database engine while |
| | | keeping a shared database and |
| | | working around the |
- | | |    access issues. Still, NSS |
+ | | | access issues. Still, NSS |
| | | requires more flexibility to |
| | | provide a truly |
- | | |    shared security database. |
- | | |    In 2009, NSS introduced a |
+ | | | shared security database. |
+ | | | In 2009, NSS introduced a |
| | | new set of databases that are |
| | | SQLite databases |
- | | |    rather than BerkleyDB. |
+ | | | rather than BerkleyDB. |
| | | These new databases provide |
| | | more accessibility and |
- | | |    performance: |
- | | |      o cert9.db for |
+ | | | performance: |
+ | | | o cert9.db for |
| | | certificates |
- | | |      o key4.db for keys |
- | | |      o pkcs11.txt, which is |
+ | | | o key4.db for keys |
+ | | | o pkcs11.txt, which is |
| | | listing of all of the PKCS #11 |
| | | modules contained |
- | | |        in a new subdirectory |
+ | | | in a new subdirectory |
| | | in the security databases |
| | | directory |
- | | |    Because the SQLite |
+ | | | Because the SQLite |
| | | databases are designed to be |
| | | shared, these are the |
- | | |    shared database type. The |
+ | | | shared database type. The |
| | | shared database type is |
| | | preferred; the legacy |
- | | |    format is included for |
+ | | | format is included for |
| | | backward compatibility. |
- | | |    By default, the tools |
+ | | | By default, the tools |
| | | (certutil, pk12util, modutil) |
| | | assume that the given |
- | | |    security databases follow |
+ | | | security databases follow |
| | | the more common legacy type. |
| | | Using the SQLite |
- | | |    databases must be manually |
+ | | | databases must be manually |
| | | specified by using the sql: |
| | | prefix with the |
- | | |    given security directory. |
+ | | | given security directory. |
| | | For example: |
- | | |  modutil -create -dbdir |
+ | | | modutil -create -dbdir |
| | | sql:/home/my/sharednssdb |
- | | |    To set the shared database |
+ | | | To set the shared database |
| | | type as the default type for |
| | | the tools, set the |
- | | |    NSS_DEFAULT_DB_TYPE |
+ | | | NSS_DEFAULT_DB_TYPE |
| | | environment variable to sql: |
- | | |  export |
+ | | | export |
| | | NSS_DEFAULT_DB_TYPE="sql" |
- | | |    This line can be set added |
+ | | | This line can be set added |
| | | to the ~/.bashrc file to make |
| | | the change |
- | | |    permanent. |
- | | |    Most applications do not |
+ | | | permanent. |
+ | | | Most applications do not |
| | | use the shared database by |
| | | default, but they can |
- | | |    be configured to use them. |
+ | | | be configured to use them. |
| | | For example, this how-to |
| | | article covers how to |
- | | |    configure Firefox and |
+ | | | configure Firefox and |
| | | Thunderbird to use the new |
| | | shared NSS databases: |
- | | |      |
- | | | o https://wiki.m |
+ | | | |
+ | | | o https://wiki.m |
| | | ozilla.org/NSS_Shared_DB_Howto |
- | | |    For an engineering draft on |
+ | | | For an engineering draft on |
| | | the changes in the shared NSS |
| | | databases, see |
- | | |    the NSS project wiki: |
- | | |      |
- | | | o https:// |
+ | | | the NSS project wiki: |
+ | | | |
+ | | | o https:// |
| | | wiki.mozilla.org/NSS_Shared_DB |
| | | See Also |
- | | |    certutil (1) |
- | | |    pk12util (1) |
- | | |    signtool (1) |
- | | |    The NSS wiki has |
+ | | | certutil (1) |
+ | | | pk12util (1) |
+ | | | signtool (1) |
+ | | | The NSS wiki has |
| | | information on the new |
| | | database design and how to |
- | | |    configure applications to |
+ | | | configure applications to |
| | | use it. |
- | | |      |
- | | | o https://wiki.m |
+ | | | |
+ | | | o https://wiki.m |
| | | ozilla.org/NSS_Shared_DB_Howto |
- | | |      |
- | | | o https:// |
+ | | | |
+ | | | o https:// |
| | | wiki.mozilla.org/NSS_Shared_DB |
| | | Additional Resources |
- | | |    For information about NSS |
+ | | | For information about NSS |
| | | and other tools related to NSS |
| | | (like JSS), check |
- | | |    out the NSS project wiki at |
- | | |    |
+ | | | out the NSS project wiki at |
+ | | | |
| | | [2]\ `http://www.mozil |
| | | la.org/projects/security/pki/n |
| | | ss/ <https://www.mozilla.org/p |
| | | rojects/security/pki/nss/>`__. |
| | | The NSS site relates |
- | | |    directly to NSS code |
+ | | | directly to NSS code |
| | | changes and releases. |
- | | |    Mailing lists: |
+ | | | Mailing lists: |
| | | https://lists.mozill |
| | | a.org/listinfo/dev-tech-crypto |
- | | |    IRC: Freenode at |
+ | | | IRC: Freenode at |
| | | #dogtag-pki |
| | | Authors |
- | | |    The NSS tools were written |
+ | | | The NSS tools were written |
| | | and maintained by developers |
| | | with Netscape, Red |
- | | |    Hat, and Sun. |
- | | |    Authors: Elio Maldonado |
+ | | | Hat, and Sun. |
+ | | | Authors: Elio Maldonado |
| | | <emaldona@redhat.com>, Deon |
| | | Lackey |
- | | |    <dlackey@redhat.com>. |
+ | | | <dlackey@redhat.com>. |
| | | Copyright |
- | | |    (c) 2010, Red Hat, Inc. |
+ | | | (c) 2010, Red Hat, Inc. |
| | | Licensed under the GNU Public |
| | | License version 2. |
| | | References |
- | | |    Visible links |
- | | |    1. JAR Installation File |
+ | | | Visible links |
+ | | | 1. JAR Installation File |
| | | Format |
- | | |     |
+ | | | |
| | | ``file:///tmp/xmlto.6gGxS0/ |
| | | modutil.pro...r-install-file`` |
- | | |    2. |
+ | | | 2. |
| | | https://www.mozilla. |
| | | org/projects/security/pki/nss/ |
+--------------------------------+--------------------------------+--------------------------------+
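Review bot: stripping the leading spaces inside these grid-table cells (every `-`/`+` pair from `used to reference the` down to `2.`) removes the only visual cue that separated the man page's headings and key names from body text, so `Per-File Keys`, `NSS Database Types`, `See Also` and the `RSA:` through `DISABLE:` flag table now read as continuation lines of the preceding paragraph; a follow-up could mark the headings up (for example `**Per-File Keys**`) and keep each flag with its value on one cell line (`RSA: 0x00000001`) so the table survives the reflow. Three content points in the same region that this whitespace change leaves as they were: `key the identifies where the` should read `key that identifies where the`; the `References` cell still carries a leftover build path (`file:///tmp/xmlto.6gGxS0/...`) that was never a usable link; and the sentence that a missing `FilePermissions` attribute defaults to `777` deserves an explicit caveat, since that default leaves installed module files world-writable, so the doc should recommend setting the attribute to a restrictive value in every installer script.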
@@ -8453,7 +8453,7 @@ Index
| | | perform basic operations, such |
| | | as encryption and decryption, |
| | | on `Cryptographic Message |
- | | | Syntax (CMS) <http://ww |
+ | | | Syntax (CMS) <http://ww |
| | | w.ietf.org/rfc/rfc2630.txt>`__ |
| | | messages. |
+--------------------------------+--------------------------------+--------------------------------+
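Review bot: only trailing whitespace changes on the `Syntax (CMS) <http://ww` line, but since this cell is being touched it is worth fixing the link target at the same time: it points at `http://www.ietf.org/rfc/rfc2630.txt` over plain http, whereas the other targets in this index (the `https://wiki.mozilla.org/NSS_Shared_DB` and `https://www.mozilla.org/projects/security/pki/nss/` links above) already use https.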
@@ -8576,242 +8576,242 @@ Index
| | a_projects_nss_tools_pk12util` | |
+--------------------------------+--------------------------------+--------------------------------+
| | | Name |
- | | |    pk12util — Export and |
+ | | | pk12util — Export and |
| | | import keys and certificate to |
| | | or from a PKCS #12 |
- | | |    file and the NSS database |
+ | | | file and the NSS database |
| | | Synopsis |
- | | |    pk12util [-i p12File [-h |
+ | | | pk12util [-i p12File [-h |
| | | tokenname] [-v] |
| | | [common-options] ] [ -l |
| | | p12File |
- | | |    [-h tokenname] [-r] |
+ | | | [-h tokenname] [-r] |
| | | [common-options] ] [ -o |
| | | p12File -n certname [-c |
- | | |    keyCipher] [-C certCipher] |
+ | | | keyCipher] [-C certCipher] |
| | | [-m|--key_len keyLen] |
| | | [-n|--cert_key_len |
- | | |    certKeyLen] |
+ | | | certKeyLen] |
| | | [common-options] ] [ |
| | | common-options are: [-d |
| | | [sql:]directory] |
- | | |    [-P dbprefix] [-k |
+ | | | [-P dbprefix] [-k |
| | | slotPasswordFile|-K |
| | | slotPassword] [-w |
- | | |    p12filePasswordFile|-W |
+ | | | p12filePasswordFile|-W |
| | | p12filePassword] ] |
| | | Description |
- | | |    The PKCS #12 utility, |
+ | | | The PKCS #12 utility, |
| | | pk12util, enables sharing |
| | | certificates among any |
- | | |    server that supports |
+ | | | server that supports |
| | | PKCS#12. The tool can import |
| | | certificates and keys |
- | | |    from PKCS#12 files into |
+ | | | from PKCS#12 files into |
| | | security databases, export |
| | | certificates, and list |
- | | |    certificates and keys. |
+ | | | certificates and keys. |
| | | Options and Arguments |
- | | |    Options |
- | | |    -i p12file |
- | | |            Import keys and |
+ | | | Options |
+ | | | -i p12file |
+ | | | Import keys and |
| | | certificates from a PKCS#12 |
| | | file into a security |
- | | |            database. |
- | | |    -l p12file |
- | | |            List the keys and |
+ | | | database. |
+ | | | -l p12file |
+ | | | List the keys and |
| | | certificates in PKCS#12 file. |
- | | |    -o p12file |
- | | |            Export keys and |
+ | | | -o p12file |
+ | | | Export keys and |
| | | certificates from the security |
| | | database to a |
- | | |            PKCS#12 file. |
- | | |    Arguments |
- | | |    -n certname |
- | | |            Specify the |
+ | | | PKCS#12 file. |
+ | | | Arguments |
+ | | | -n certname |
+ | | | Specify the |
| | | nickname of the cert and |
| | | private key to export. |
- | | |    -d [sql:]directory |
- | | |            Specify the |
+ | | | -d [sql:]directory |
+ | | | Specify the |
| | | database directory into which |
| | | to import to or export |
- | | |            from certificates |
+ | | | from certificates |
| | | and keys. |
- | | |            pk12util supports |
+ | | | pk12util supports |
| | | two types of databases: the |
| | | legacy security |
- | | |            databases |
+ | | | databases |
| | | (cert8.db, key3.db, and |
| | | secmod.db) and new SQLite |
- | | |            databases |
+ | | | databases |
| | | (cert9.db, key4.db, and |
| | | pkcs11.txt). If the prefix |
| | | sql: |
- | | |            is not used, then |
+ | | | is not used, then |
| | | the tool assumes that the |
| | | given databases are in |
- | | |            the old format. |
- | | |    -P prefix |
- | | |            Specify the prefix |
+ | | | the old format. |
+ | | | -P prefix |
+ | | | Specify the prefix |
| | | used on the certificate and |
| | | key databases. This |
- | | |            option is provided |
+ | | | option is provided |
| | | as a special case. Changing |
| | | the names of the |
- | | |            certificate and key |
+ | | | certificate and key |
| | | databases is not recommended. |
- | | |    -h tokenname |
- | | |            Specify the name of |
+ | | | -h tokenname |
+ | | | Specify the name of |
| | | the token to import into or |
| | | export from. |
- | | |    -v |
- | | |            Enable debug |
+ | | | -v |
+ | | | Enable debug |
| | | logging when importing. |
- | | |    -k slotPasswordFile |
- | | |            Specify the text |
+ | | | -k slotPasswordFile |
+ | | | Specify the text |
| | | file containing the slot's |
| | | password. |
- | | |    -K slotPassword |
- | | |            Specify the slot's |
+ | | | -K slotPassword |
+ | | | Specify the slot's |
| | | password. |
- | | |    -w p12filePasswordFile |
- | | |            Specify the text |
+ | | | -w p12filePasswordFile |
+ | | | Specify the text |
| | | file containing the pkcs #12 |
| | | file password. |
- | | |    -W p12filePassword |
- | | |            Specify the pkcs |
+ | | | -W p12filePassword |
+ | | | Specify the pkcs |
| | | #12 file password. |
- | | |    -c keyCipher |
- | | |            Specify the key |
+ | | | -c keyCipher |
+ | | | Specify the key |
| | | encryption algorithm. |
- | | |    -C certCipher |
- | | |            Specify the key |
+ | | | -C certCipher |
+ | | | Specify the key |
| | | cert (overall package) |
| | | encryption algorithm. |
- | | |    -m \| --key-len keyLength |
- | | |            Specify the desired |
+ | | | -m \| --key-len keyLength |
+ | | | Specify the desired |
| | | length of the symmetric key to |
| | | be used to |
- | | |            encrypt the private |
+ | | | encrypt the private |
| | | key. |
- | | |    -n \| --cert-key-len |
+ | | | -n \| --cert-key-len |
| | | certKeyLength |
- | | |            Specify the desired |
+ | | | Specify the desired |
| | | length of the symmetric key to |
| | | be used to |
- | | |            encrypt the |
+ | | | encrypt the |
| | | certificates and other |
| | | meta-data. |
- | | |    -r |
- | | |            Dumps all of the |
+ | | | -r |
+ | | | Dumps all of the |
| | | data in raw (binary) form. |
| | | This must be saved as |
- | | |            a DER file. The |
+ | | | a DER file. The |
| | | default is to return |
| | | information in a pretty-print |
- | | |            ASCII format, which |
+ | | | ASCII format, which |
| | | displays the information about |
| | | the |
- | | |            certificates and |
+ | | | certificates and |
| | | public keys in the p12 file. |
| | | Return Codes |
- | | |      o 0 - No error |
- | | |      o 1 - User Cancelled |
- | | |      o 2 - Usage error |
- | | |      o 6 - NLS init error |
- | | |      o 8 - Certificate DB open |
+ | | | o 0 - No error |
+ | | | o 1 - User Cancelled |
+ | | | o 2 - Usage error |
+ | | | o 6 - NLS init error |
+ | | | o 8 - Certificate DB open |
| | | error |
- | | |      o 9 - Key DB open error |
- | | |      o 10 - File |
+ | | | o 9 - Key DB open error |
+ | | | o 10 - File |
| | | initialization error |
- | | |      o 11 - Unicode conversion |
+ | | | o 11 - Unicode conversion |
| | | error |
- | | |      o 12 - Temporary file |
+ | | | o 12 - Temporary file |
| | | creation error |
- | | |      o 13 - PKCS11 get slot |
+ | | | o 13 - PKCS11 get slot |
| | | error |
- | | |      o 14 - PKCS12 decoder |
+ | | | o 14 - PKCS12 decoder |
| | | start error |
- | | |      o 15 - error read from |
+ | | | o 15 - error read from |
| | | import file |
- | | |      o 16 - pkcs12 decode |
+ | | | o 16 - pkcs12 decode |
| | | error |
- | | |      o 17 - pkcs12 decoder |
+ | | | o 17 - pkcs12 decoder |
| | | verify error |
- | | |      o 18 - pkcs12 decoder |
+ | | | o 18 - pkcs12 decoder |
| | | validate bags error |
- | | |      o 19 - pkcs12 decoder |
+ | | | o 19 - pkcs12 decoder |
| | | import bags error |
- | | |      o 20 - key db conversion |
+ | | | o 20 - key db conversion |
| | | version 3 to version 2 error |
- | | |      o 21 - cert db conversion |
+ | | | o 21 - cert db conversion |
| | | version 7 to version 5 error |
- | | |      o 22 - cert and key dbs |
+ | | | o 22 - cert and key dbs |
| | | patch error |
- | | |      o 23 - get default cert |
+ | | | o 23 - get default cert |
| | | db error |
- | | |      o 24 - find cert by |
+ | | | o 24 - find cert by |
| | | nickname error |
- | | |      o 25 - create export |
+ | | | o 25 - create export |
| | | context error |
- | | |      o 26 - PKCS12 add |
+ | | | o 26 - PKCS12 add |
| | | password itegrity error |
- | | |      o 27 - cert and key Safes |
+ | | | o 27 - cert and key Safes |
| | | creation error |
- | | |      o 28 - PKCS12 add cert |
+ | | | o 28 - PKCS12 add cert |
| | | and key error |
- | | |      o 29 - PKCS12 encode |
+ | | | o 29 - PKCS12 encode |
| | | error |
| | | Examples |
- | | |    Importing Keys and |
+ | | | Importing Keys and |
| | | Certificates |
- | | |    The most basic usage of |
+ | | | The most basic usage of |
| | | pk12util for importing a |
| | | certificate or key is the |
- | | |    PKCS#12 input file (-i) and |
+ | | | PKCS#12 input file (-i) and |
| | | some way to specify the |
| | | security database |
- | | |    being accessed (either -d |
+ | | | being accessed (either -d |
| | | for a directory or -h for a |
| | | token). |
- | | |  pk12util -i p12File [-h |
+ | | | pk12util -i p12File [-h |
| | | tokenname] [-v] [-d |
| | | [sql:]directory] [-P dbprefix] |
| | | [-k slotPasswordFile|-K |
| | | slotPassword] [-w |
| | | p12filePasswordFile|-W |
| | | p12filePassword] |
- | | |    For example: |
- | | |  # pk12util -i |
+ | | | For example: |
+ | | | # pk12util -i |
| | | /tmp/cert-files/users.p12 -d |
| | | sql:/home/my/sharednssdb |
- | | |  Enter a password which will |
+ | | | Enter a password which will |
| | | be used to encrypt your keys. |
- | | |  The password should be at |
+ | | | The password should be at |
| | | least 8 characters long, |
- | | |  and should contain at least |
+ | | | and should contain at least |
| | | one non-alphabetic character. |
- | | |  Enter new password: |
- | | |  Re-enter password: |
- | | |  Enter password for PKCS12 |
+ | | | Enter new password: |
+ | | | Re-enter password: |
+ | | | Enter password for PKCS12 |
| | | file: |
- | | |  pk12util: PKCS12 IMPORT |
+ | | | pk12util: PKCS12 IMPORT |
| | | SUCCESSFUL |
- | | |    Exporting Keys and |
+ | | | Exporting Keys and |
| | | Certificates |
- | | |    Using the pk12util command |
+ | | | Using the pk12util command |
| | | to export certificates and |
| | | keys requires both |
- | | |    the name of the certificate |
+ | | | the name of the certificate |
| | | to extract from the database |
| | | (-n) and the |
- | | |    PKCS#12-formatted output |
+ | | | PKCS#12-formatted output |
| | | file to write to. There are |
| | | optional parameters |
- | | |    that can be used to encrypt |
+ | | | that can be used to encrypt |
| | | the file to protect the |
| | | certificate material. |
- | | |  pk12util -o p12File -n |
+ | | | pk12util -o p12File -n |
| | | certname [-c keyCipher] [-C |
| | | certCipher] [-m|--key_len |
| | | keyLen] [-n|--cert_key_len |
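Review bot: once the indentation is removed, each option name and its description collapse into a single paragraph inside the cell, so `-l p12file` runs straight into `List the keys and` and `-v` into `Enable debug`; an RST definition list or bold option names would keep the `Options` and `Arguments` sections readable. Two visible inconsistencies the change leaves as they are and that should be corrected in the same file: the `Synopsis` spells the long options `--key_len` and `--cert_key_len` while the `Options` section has `--key-len` and `--cert-key-len`, and `-n` is listed both for `certname` and for `--cert_key_len`, which should be checked against the tool's actual option letters. Also worth one sentence next to `-K slotPassword` and `-W p12filePassword`: a password given as a command-line argument is visible in process listings and shell history, so the `-k slotPasswordFile` and `-w p12filePasswordFile` forms are the ones the page should recommend, with the file kept readable only by the invoking user.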
@@ -8821,352 +8821,352 @@ Index
| | | slotPassword] [-w |
| | | p12filePasswordFile|-W |
| | | p12filePassword] |
- | | |    For example: |
- | | |  # pk12util -o certs.p12 -n |
+ | | | For example: |
+ | | | # pk12util -o certs.p12 -n |
| | | Server-Cert -d |
| | | sql:/home/my/sharednssdb |
- | | |  Enter password for PKCS12 |
+ | | | Enter password for PKCS12 |
| | | file: |
- | | |  Re-enter password: |
- | | |    Listing Keys and |
+ | | | Re-enter password: |
+ | | | Listing Keys and |
| | | Certificates |
- | | |    The information in a .p12 |
+ | | | The information in a .p12 |
| | | file are not human-readable. |
| | | The certificates |
- | | |    and keys in the file can be |
+ | | | and keys in the file can be |
| | | printed (listed) in a |
| | | human-readable |
- | | |    pretty-print format that |
+ | | | pretty-print format that |
| | | shows information for every |
| | | certificate and any |
- | | |    public keys in the .p12 |
+ | | | public keys in the .p12 |
| | | file. |
- | | |  pk12util -l p12File [-h |
+ | | | pk12util -l p12File [-h |
| | | tokenname] [-r] [-d |
| | | [sql:]directory] [-P dbprefix] |
| | | [-k slotPasswordFile|-K |
| | | slotPassword] [-w |
| | | p12filePasswordFile|-W |
| | | p12filePassword] |
- | | |    For example, this prints |
+ | | | For example, this prints |
| | | the default ASCII output: |
- | | |  # pk12util -l certs.p12 |
- | | |  Enter password for PKCS12 |
+ | | | # pk12util -l certs.p12 |
+ | | | Enter password for PKCS12 |
| | | file: |
- | | |  Key(shrouded): |
- | | |      Friendly Name: Thawte |
+ | | | Key(shrouded): |
+ | | | Friendly Name: Thawte |
| | | Freemail Member's Thawte |
| | | Consulting (Pty) Ltd. ID |
- | | |      Encryption algorithm: |
+ | | | Encryption algorithm: |
| | | PKCS #12 V2 PBE With SHA-1 And |
| | | 3KEY Triple DES-CBC |
- | | |          Parameters: |
- | | |              Salt: |
- | | |                  |
+ | | | Parameters: |
+ | | | Salt: |
+ | | | |
| | | 45:2e:6a:a0:03:4d |
| | | :7b:a1:63:3c:15:ea:67:37:62:1f |
- | | |              Iteration Count: |
+ | | | Iteration Count: |
| | | 1 (0x1) |
- | | |  Certificate: |
- | | |      Data: |
- | | |          Version: 3 (0x2) |
- | | |          Serial Number: 13 |
+ | | | Certificate: |
+ | | | Data: |
+ | | | Version: 3 (0x2) |
+ | | | Serial Number: 13 |
| | | (0xd) |
- | | |          Signature Algorithm: |
+ | | | Signature Algorithm: |
| | | PKCS #1 SHA-1 With RSA |
| | | Encryption |
- | | |          Issuer: |
+ | | | Issuer: |
| | | "E=personal |
| | | -freemail@thawte.com,CN=Thawte |
| | | Personal Freemail C |
- | | |              |
+ | | | |
| | | A,OU=Certification Services |
| | | Division,O=Thawte |
| | | Consulting,L=Cape T |
- | | |              own,ST=Western |
+ | | | own,ST=Western |
| | | Cape,C=ZA" |
- | | |  .... |
- | | |    Alternatively, the -r |
+ | | | .... |
+ | | | Alternatively, the -r |
| | | prints the certificates and |
| | | then exports them into |
- | | |    separate DER binary files. |
+ | | | separate DER binary files. |
| | | This allows the certificates |
| | | to be fed to |
- | | |    another application that |
+ | | | another application that |
| | | supports .p12 files. Each |
| | | certificate is written |
- | | |    to a sequentially-number |
+ | | | to a sequentially-number |
| | | file, beginning with |
| | | file0001.der and continuing |
- | | |    through file000N.der, |
+ | | | through file000N.der, |
| | | incrementing the number for |
| | | every certificate: |
- | | |  # pk12util -l test.p12 -r |
- | | |  Enter password for PKCS12 |
+ | | | # pk12util -l test.p12 -r |
+ | | | Enter password for PKCS12 |
| | | file: |
- | | |  Key(shrouded): |
- | | |      Friendly Name: Thawte |
+ | | | Key(shrouded): |
+ | | | Friendly Name: Thawte |
| | | Freemail Member's Thawte |
| | | Consulting (Pty) Ltd. ID |
- | | |      Encryption algorithm: |
+ | | | Encryption algorithm: |
| | | PKCS #12 V2 PBE With SHA-1 And |
| | | 3KEY Triple DES-CBC |
- | | |          Parameters: |
- | | |              Salt: |
- | | |                  |
+ | | | Parameters: |
+ | | | Salt: |
+ | | | |
| | | 45:2e:6a:a0:03:4d |
| | | :7b:a1:63:3c:15:ea:67:37:62:1f |
- | | |              Iteration Count: |
+ | | | Iteration Count: |
| | | 1 (0x1) |
- | | |  Certificate    Friendly Name: |
+ | | | Certificate Friendly Name: |
| | | Thawte Personal Freemail |
| | | Issuing CA - Thawte Consulting |
- | | |  Certificate    Friendly Name: |
+ | | | Certificate Friendly Name: |
| | | Thawte Freemail Member's |
| | | Thawte Consulting (Pty) Ltd. |
| | | ID |
| | | Password Encryption |
- | | |    PKCS#12 provides for not |
+ | | | PKCS#12 provides for not |
| | | only the protection of the |
| | | private keys but also |
- | | |    the certificate and |
+ | | | the certificate and |
| | | meta-data associated with the |
| | | keys. Password-based |
- | | |    encryption is used to |
+ | | | encryption is used to |
| | | protect private keys on export |
| | | to a PKCS#12 file |
- | | |    and, optionally, the entire |
+ | | | and, optionally, the entire |
| | | package. If no algorithm is |
| | | specified, the |
- | | |    tool defaults to using |
+ | | | tool defaults to using |
| | | PKCS12 V2 PBE with SHA1 and |
| | | 3KEY Triple DES-cbc for |
- | | |    private key encryption. |
+ | | | private key encryption. |
| | | PKCS12 V2 PBE with SHA1 and 40 |
| | | Bit RC4 is the |
- | | |    default for the overall |
+ | | | default for the overall |
| | | package encryption when not in |
| | | FIPS mode. When in |
- | | |    FIPS mode, there is no |
+ | | | FIPS mode, there is no |
| | | package encryption. |
- | | |    The private key is always |
+ | | | The private key is always |
| | | protected with strong |
| | | encryption by default. |
- | | |    Several types of ciphers |
+ | | | Several types of ciphers |
| | | are supported. |
- | | |    Symmetric CBC ciphers for |
+ | | | Symmetric CBC ciphers for |
| | | PKCS#5 V2 |
- | | |            DES_CBC |
- | | |               o RC2-CBC |
- | | |               o RC5-CBCPad |
- | | |               o DES-EDE3-CBC |
+ | | | DES_CBC |
+ | | | o RC2-CBC |
+ | | | o RC5-CBCPad |
+ | | | o DES-EDE3-CBC |
| | | (the default for key |
| | | encryption) |
- | | |               o AES-128-CBC |
- | | |               o AES-192-CBC |
- | | |               o AES-256-CBC |
- | | |               |
- | | | o CAMELLIA-128-CBC |
- | | |               |
- | | | o CAMELLIA-192-CBC |
- | | |               |
- | | | o CAMELLIA-256-CBC |
- | | |    PKCS#12 PBE ciphers |
- | | |            PKCS #12 PBE with |
+ | | | o AES-128-CBC |
+ | | | o AES-192-CBC |
+ | | | o AES-256-CBC |
+ | | | |
+ | | | o CAMELLIA-128-CBC |
+ | | | |
+ | | | o CAMELLIA-192-CBC |
+ | | | |
+ | | | o CAMELLIA-256-CBC |
+ | | | PKCS#12 PBE ciphers |
+ | | | PKCS #12 PBE with |
| | | Sha1 and 128 Bit RC4 |
- | | |               o PKCS #12 PBE |
+ | | | o PKCS #12 PBE |
| | | with Sha1 and 40 Bit RC4 |
- | | |               o PKCS #12 PBE |
+ | | | o PKCS #12 PBE |
| | | with Sha1 and Triple DES CBC |
- | | |               o PKCS #12 PBE |
+ | | | o PKCS #12 PBE |
| | | with Sha1 and 128 Bit RC2 CBC |
- | | |               o PKCS #12 PBE |
+ | | | o PKCS #12 PBE |
| | | with Sha1 and 40 Bit RC2 CBC |
- | | |               o PKCS12 V2 PBE |
+ | | | o PKCS12 V2 PBE |
| | | with SHA1 and 128 Bit RC4 |
- | | |               o PKCS12 V2 PBE |
+ | | | o PKCS12 V2 PBE |
| | | with SHA1 and 40 Bit RC4 (the |
| | | default for |
- | | |                 non-FIPS mode) |
- | | |               o PKCS12 V2 PBE |
+ | | | non-FIPS mode) |
+ | | | o PKCS12 V2 PBE |
| | | with SHA1 and 3KEY Triple |
| | | DES-cbc |
- | | |               o PKCS12 V2 PBE |
+ | | | o PKCS12 V2 PBE |
| | | with SHA1 and 2KEY Triple |
| | | DES-cbc |
- | | |               o PKCS12 V2 PBE |
+ | | | o PKCS12 V2 PBE |
| | | with SHA1 and 128 Bit RC2 CBC |
- | | |               o PKCS12 V2 PBE |
+ | | | o PKCS12 V2 PBE |
| | | with SHA1 and 40 Bit RC2 CBC |
- | | |    PKCS#5 PBE ciphers |
- | | |            PKCS #5 Password |
+ | | | PKCS#5 PBE ciphers |
+ | | | PKCS #5 Password |
| | | Based Encryption with MD2 and |
| | | DES CBC |
- | | |               o PKCS #5 |
+ | | | o PKCS #5 |
| | | Password Based Encryption with |
| | | MD5 and DES CBC |
- | | |               o PKCS #5 |
+ | | | o PKCS #5 |
| | | Password Based Encryption with |
| | | SHA1 and DES CBC |
- | | |    With PKCS#12, the crypto |
+ | | | With PKCS#12, the crypto |
| | | provider may be the soft token |
| | | module or an |
- | | |    external hardware module. |
+ | | | external hardware module. |
| | | If the cryptographic module |
| | | does not support the |
- | | |    requested algorithm, then |
+ | | | requested algorithm, then |
| | | the next best fit will be |
| | | selected (usually the |
- | | |    default). If no suitable |
+ | | | default). If no suitable |
| | | replacement for the desired |
| | | algorithm can be |
- | | |    found, the tool returns the |
+ | | | found, the tool returns the |
| | | error no security module can |
| | | perform the |
- | | |    requested operation. |
+ | | | requested operation. |
| | | NSS Database Types |
- | | |    NSS originally used |
+ | | | NSS originally used |
| | | BerkeleyDB databases to store |
| | | security information. |
- | | |    The last versions of these |
+ | | | The last versions of these |
| | | legacy databases are: |
- | | |      o cert8.db for |
+ | | | o cert8.db for |
| | | certificates |
- | | |      o key3.db for keys |
- | | |      o secmod.db for PKCS #11 |
+ | | | o key3.db for keys |
+ | | | o secmod.db for PKCS #11 |
| | | module information |
- | | |    BerkeleyDB has performance |
+ | | | BerkeleyDB has performance |
| | | limitations, though, which |
| | | prevent it from |
- | | |    being easily used by |
+ | | | being easily used by |
| | | multiple applications |
| | | simultaneously. NSS has some |
- | | |    flexibility that allows |
+ | | | flexibility that allows |
| | | applications to use their own, |
| | | independent |
- | | |    database engine while |
+ | | | database engine while |
| | | keeping a shared database and |
| | | working around the |
- | | |    access issues. Still, NSS |
+ | | | access issues. Still, NSS |
| | | requires more flexibility to |
| | | provide a truly |
- | | |    shared security database. |
- | | |    In 2009, NSS introduced a |
+ | | | shared security database. |
+ | | | In 2009, NSS introduced a |
| | | new set of databases that are |
| | | SQLite databases |
- | | |    rather than BerkleyDB. |
+ | | | rather than BerkleyDB. |
| | | These new databases provide |
| | | more accessibility and |
- | | |    performance: |
- | | |      o cert9.db for |
+ | | | performance: |
+ | | | o cert9.db for |
| | | certificates |
- | | |      o key4.db for keys |
- | | |      o pkcs11.txt, which is |
+ | | | o key4.db for keys |
+ | | | o pkcs11.txt, which is |
| | | listing of all of the PKCS #11 |
| | | modules contained |
- | | |        in a new subdirectory |
+ | | | in a new subdirectory |
| | | in the security databases |
| | | directory |
- | | |    Because the SQLite |
+ | | | Because the SQLite |
| | | databases are designed to be |
| | | shared, these are the |
- | | |    shared database type. The |
+ | | | shared database type. The |
| | | shared database type is |
| | | preferred; the legacy |
- | | |    format is included for |
+ | | | format is included for |
| | | backward compatibility. |
- | | |    By default, the tools |
+ | | | By default, the tools |
| | | (certutil, pk12util, modutil) |
| | | assume that the given |
- | | |    security databases follow |
+ | | | security databases follow |
| | | the more common legacy type. |
| | | Using the SQLite |
- | | |    databases must be manually |
+ | | | databases must be manually |
| | | specified by using the sql: |
| | | prefix with the |
- | | |    given security directory. |
+ | | | given security directory. |
| | | For example: |
- | | |  # pk12util -i |
+ | | | # pk12util -i |
| | | /tmp/cert-files/users.p12 -d |
| | | sql:/home/my/sharednssdb |
- | | |    To set the shared database |
+ | | | To set the shared database |
| | | type as the default type for |
| | | the tools, set the |
- | | |    NSS_DEFAULT_DB_TYPE |
+ | | | NSS_DEFAULT_DB_TYPE |
| | | environment variable to sql: |
- | | |  export |
+ | | | export |
| | | NSS_DEFAULT_DB_TYPE="sql" |
- | | |    This line can be set added |
+ | | | This line can be set added |
| | | to the ~/.bashrc file to make |
| | | the change |
- | | |    permanent. |
- | | |    Most applications do not |
+ | | | permanent. |
+ | | | Most applications do not |
| | | use the shared database by |
| | | default, but they can |
- | | |    be configured to use them. |
+ | | | be configured to use them. |
| | | For example, this how-to |
| | | article covers how to |
- | | |    configure Firefox and |
+ | | | configure Firefox and |
| | | Thunderbird to use the new |
| | | shared NSS databases: |
- | | |      |
- | | | o https://wiki.m |
+ | | | |
+ | | | o https://wiki.m |
| | | ozilla.org/NSS_Shared_DB_Howto |
- | | |    For an engineering draft on |
+ | | | For an engineering draft on |
| | | the changes in the shared NSS |
| | | databases, see |
- | | |    the NSS project wiki: |
- | | |      |
- | | | o https:// |
+ | | | the NSS project wiki: |
+ | | | |
+ | | | o https:// |
| | | wiki.mozilla.org/NSS_Shared_DB |
| | | See Also |
- | | |    certutil (1) |
- | | |    modutil (1) |
- | | |    The NSS wiki has |
+ | | | certutil (1) |
+ | | | modutil (1) |
+ | | | The NSS wiki has |
| | | information on the new |
| | | database design and how to |
- | | |    configure applications to |
+ | | | configure applications to |
| | | use it. |
- | | |      |
- | | | o https://wiki.m |
+ | | | |
+ | | | o https://wiki.m |
| | | ozilla.org/NSS_Shared_DB_Howto |
- | | |      |
- | | | o https:// |
+ | | | |
+ | | | o https:// |
| | | wiki.mozilla.org/NSS_Shared_DB |
| | | Additional Resources |
- | | |    For information about NSS |
+ | | | For information about NSS |
| | | and other tools related to NSS |
| | | (like JSS), check |
- | | |    out the NSS project wiki at |
- | | |    |
+ | | | out the NSS project wiki at |
+ | | | |
| | | [1]\ `http://www.mozil |
| | | la.org/projects/security/pki/n |
| | | ss/ <https://www.mozilla.org/p |
| | | rojects/security/pki/nss/>`__. |
| | | The NSS site relates |
- | | |    directly to NSS code |
+ | | | directly to NSS code |
| | | changes and releases. |
- | | |    Mailing lists: |
+ | | | Mailing lists: |
| | | https://lists.mozill |
| | | a.org/listinfo/dev-tech-crypto |
- | | |    IRC: Freenode at |
+ | | | IRC: Freenode at |
| | | #dogtag-pki |
| | | Authors |
- | | |    The NSS tools were written |
+ | | | The NSS tools were written |
| | | and maintained by developers |
| | | with Netscape, Red |
- | | |    Hat, and Sun. |
- | | |    Authors: Elio Maldonado |
+ | | | Hat, and Sun. |
+ | | | Authors: Elio Maldonado |
| | | <emaldona@redhat.com>, Deon |
| | | Lackey |
- | | |    <dlackey@redhat.com>. |
+ | | | <dlackey@redhat.com>. |
| | | Copyright |
- | | |    (c) 2010, Red Hat, Inc. |
+ | | | (c) 2010, Red Hat, Inc. |
| | | Licensed under the GNU Public |
| | | License version 2. |
| | | References |
- | | |    Visible links |
- | | |    1. |
+ | | | Visible links |
+ | | | 1. |
| | | `http://www.mozi |
| | | lla.org/projects/security/pki/ |
| | | nss/ <https://www.mozilla.org/ |
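Review bot: this hunk is whitespace-only, but the leading indentation it removes was the only thing that set the nested `o` bullet lists (the PKCS#12 and PKCS#5 PBE cipher lists, the cert8.db/key3.db/secmod.db and cert9.db/key4.db/pkcs11.txt lists) and the `# pk12util -i ...` and `export NSS_DEFAULT_DB_TYPE="sql"` command lines apart from the surrounding prose inside the grid-table cell; docutils re-parses each cell as reStructuredText, so flattening the indentation changes what it produces (indented runs were parsed as block quotes or definition-list bodies, now everything is one paragraph). Please confirm the table still builds without "Unexpected indentation" warnings and that the flattened rendering is intended rather than an editor side effect. Since these lines are being rewritten anyway, two typos carried through unchanged could be fixed in the same pass: `rather than BerkleyDB.` should read BerkeleyDB, and `This line can be set added` should read "This line can be added".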
@@ -9178,1239 +9178,1239 @@ Index
| | a_projects_nss_tools_signtool` | |
+--------------------------------+--------------------------------+--------------------------------+
| | | Name |
- | | |    signtool — Digitally sign |
+ | | | signtool — Digitally sign |
| | | objects and files. |
| | | Synopsis |
- | | |    signtool [-k keyName] |
+ | | | signtool [-k keyName] |
| | | `-h <-h>`__ `-H <-H>`__ |
| | | `-l <-l>`__ `-L <-L>`__ |
| | | `-M <-M>`__ `-v <-v>`__ |
| | | `-w <-w>`__ |
- | | |    `-G |
+ | | | `-G |
| | | nickname <-G_nickname>`__ `-s |
| | | size <--keysize>`__ `-b |
| | | basename <-b_basename>`__ [[-c |
| | | Compression |
- | | |    Level] ] [[-d cert-dir] ] |
+ | | | Level] ] [[-d cert-dir] ] |
| | | [[-i installer script] ] [[-m |
| | | metafile] ] [[-x |
- | | |    name] ] [[-f filename] ] |
+ | | | name] ] [[-f filename] ] |
| | | [[-t|--token tokenname] ] [[-e |
| | | extension] ] [[-o] |
- | | |    ] [[-z] ] [[-X] ] |
+ | | | ] [[-z] ] [[-X] ] |
| | | [[--outfile] ] [[--verbose |
| | | value] ] [[--norecurse] ] |
- | | |    [[--leavearc] ] [[-j |
+ | | | [[--leavearc] ] [[-j |
| | | directory] ] [[-Z jarfile] ] |
| | | [[-O] ] [[-p password] ] |
- | | |    [directory-tree] [archive] |
+ | | | [directory-tree] [archive] |
| | | Description |
- | | |    The Signing Tool, signtool, |
+ | | | The Signing Tool, signtool, |
| | | creates digital signatures and |
| | | uses a Java |
- | | |    Archive (JAR) file to |
+ | | | Archive (JAR) file to |
| | | associate the signatures with |
| | | files in a directory. |
- | | |    Electronic software |
+ | | | Electronic software |
| | | distribution over any network |
| | | involves potential |
- | | |    security problems. To help |
+ | | | security problems. To help |
| | | address some of these |
| | | problems, you can |
- | | |    associate digital |
+ | | | associate digital |
| | | signatures with the files in a |
| | | JAR archive. Digital |
- | | |    signatures allow |
+ | | | signatures allow |
| | | SSL-enabled clients to perform |
| | | two important operations: |
- | | |    \* Confirm the identity of |
+ | | | \* Confirm the identity of |
| | | the individual, company, or |
| | | other entity whose |
- | | |    digital signature is |
+ | | | digital signature is |
| | | associated with the files |
- | | |    \* Check whether the files |
+ | | | \* Check whether the files |
| | | have been tampered with since |
| | | being signed |
- | | |    If you have a signing |
+ | | | If you have a signing |
| | | certificate, you can use |
| | | Netscape Signing Tool to |
- | | |    digitally sign files and |
+ | | | digitally sign files and |
| | | package them as a JAR file. An |
| | | object-signing |
- | | |    certificate is a special |
+ | | | certificate is a special |
| | | kind of certificate that |
| | | allows you to associate |
- | | |    your digital signature with |
+ | | | your digital signature with |
| | | one or more files. |
- | | |    An individual file can |
+ | | | An individual file can |
| | | potentially be signed with |
| | | multiple digital |
- | | |    signatures. For example, a |
+ | | | signatures. For example, a |
| | | commercial software developer |
| | | might sign the |
- | | |    files that constitute a |
+ | | | files that constitute a |
| | | software product to prove that |
| | | the files are |
- | | |    indeed from a particular |
+ | | | indeed from a particular |
| | | company. A network |
| | | administrator manager might |
- | | |    sign the same files with an |
+ | | | sign the same files with an |
| | | additional digital signature |
| | | based on a |
- | | |    company-generated |
+ | | | company-generated |
| | | certificate to indicate that |
| | | the product is approved for |
- | | |    use within the company. |
- | | |    The significance of a |
+ | | | use within the company. |
+ | | | The significance of a |
| | | digital signature is |
| | | comparable to the significance |
- | | |    of a handwritten signature. |
+ | | | of a handwritten signature. |
| | | Once you have signed a file, |
| | | it is difficult |
- | | |    to claim later that you |
+ | | | to claim later that you |
| | | didn't sign it. In some |
| | | situations, a digital |
- | | |    signature may be considered |
+ | | | signature may be considered |
| | | as legally binding as a |
| | | handwritten signature. |
- | | |    Therefore, you should take |
+ | | | Therefore, you should take |
| | | great care to ensure that you |
| | | can stand behind |
- | | |    any file you sign and |
+ | | | any file you sign and |
| | | distribute. |
- | | |    For example, if you are a |
+ | | | For example, if you are a |
| | | software developer, you should |
| | | test your code to |
- | | |    make sure it is virus-free |
+ | | | make sure it is virus-free |
| | | before signing it. Similarly, |
| | | if you are a |
- | | |    network administrator, you |
+ | | | network administrator, you |
| | | should make sure, before |
| | | signing any code, that |
- | | |    it comes from a reliable |
+ | | | it comes from a reliable |
| | | source and will run correctly |
| | | with the software |
- | | |    installed on the machines |
+ | | | installed on the machines |
| | | to which you are distributing |
| | | it. |
- | | |    Before you can use Netscape |
+ | | | Before you can use Netscape |
| | | Signing Tool to sign files, |
| | | you must have an |
- | | |    object-signing certificate, |
+ | | | object-signing certificate, |
| | | which is a special certificate |
| | | whose |
- | | |    associated private key is |
+ | | | associated private key is |
| | | used to create digital |
| | | signatures. For testing |
- | | |    purposes only, you can |
+ | | | purposes only, you can |
| | | create an object-signing |
| | | certificate with Netscape |
- | | |    Signing Tool 1.3. When |
+ | | | Signing Tool 1.3. When |
| | | testing is finished and you |
| | | are ready to |
- | | |    disitribute your software, |
+ | | | disitribute your software, |
| | | you should obtain an |
| | | object-signing certificate |
- | | |    from one of two kinds of |
+ | | | from one of two kinds of |
| | | sources: |
- | | |    \* An independent |
+ | | | \* An independent |
| | | certificate authority (CA) |
| | | that authenticates your |
- | | |    identity and charges you a |
+ | | | identity and charges you a |
| | | fee. You typically get a |
| | | certificate from an |
- | | |    independent CA if you want |
+ | | | independent CA if you want |
| | | to sign software that will be |
| | | distributed over |
- | | |    the Internet. |
- | | |    \* CA server software |
+ | | | the Internet. |
+ | | | \* CA server software |
| | | running on your corporate |
| | | intranet or extranet. |
- | | |    Netscape Certificate |
+ | | | Netscape Certificate |
| | | Management System provides a |
| | | complete management |
- | | |    solution for creating, |
+ | | | solution for creating, |
| | | deploying, and managing |
| | | certificates, including CAs |
- | | |    that issue object-signing |
+ | | | that issue object-signing |
| | | certificates. |
- | | |    You must also have a |
+ | | | You must also have a |
| | | certificate for the CA that |
| | | issues your signing |
- | | |    certificate before you can |
+ | | | certificate before you can |
| | | sign files. If the certificate |
| | | authority's |
- | | |    certificate isn't already |
+ | | | certificate isn't already |
| | | installed in your copy of |
| | | Communicator, you |
- | | |    typically install it by |
+ | | | typically install it by |
| | | clicking the appropriate link |
| | | on the certificate |
- | | |    authority's web site, for |
+ | | | authority's web site, for |
| | | example on the page from which |
| | | you initiated |
- | | |    enrollment for your signing |
+ | | | enrollment for your signing |
| | | certificate. This is the case |
| | | for some test |
- | | |    certificates, as well as |
+ | | | certificates, as well as |
| | | certificates issued by |
| | | Netscape Certificate |
- | | |    Management System: you must |
+ | | | Management System: you must |
| | | download the CA certificate in |
| | | addition to |
- | | |    obtaining your own signing |
+ | | | obtaining your own signing |
| | | certificate. CA certificates |
| | | for several |
- | | |    certificate authorities are |
+ | | | certificate authorities are |
| | | preinstalled in the |
| | | Communicator certificate |
- | | |    database. |
- | | |    When you receive an |
+ | | | database. |
+ | | | When you receive an |
| | | object-signing certificate for |
| | | your own use, it is |
- | | |    automatically installed in |
+ | | | automatically installed in |
| | | your copy of the Communicator |
| | | client software. |
- | | |    Communicator supports the |
+ | | | Communicator supports the |
| | | public-key cryptography |
| | | standard known as PKCS |
- | | |    #12, which governs key |
+ | | | #12, which governs key |
| | | portability. You can, for |
| | | example, move an |
- | | |    object-signing certificate |
+ | | | object-signing certificate |
| | | and its associated private key |
| | | from one |
- | | |    computer to another on a |
+ | | | computer to another on a |
| | | credit-card-sized device |
| | | called a smart card. |
| | | Options |
- | | |    -b basename |
- | | |            Specifies the base |
+ | | | -b basename |
+ | | | Specifies the base |
| | | filename for the .rsa and .sf |
| | | files in the |
- | | |            META-INF directory |
+ | | | META-INF directory |
| | | to conform with the JAR |
| | | format. For example, -b |
- | | |            signatures causes |
+ | | | signatures causes |
| | | the files to be named |
| | | signatures.rsa and |
- | | |            signatures.sf. The |
+ | | | signatures.sf. The |
| | | default is signtool. |
- | | |    -c# |
- | | |            Specifies the |
+ | | | -c# |
+ | | | Specifies the |
| | | compression level for the -J |
| | | or -Z option. The |
- | | |            symbol # represents |
+ | | | symbol # represents |
| | | a number from 0 to 9, where 0 |
| | | means no |
- | | |            compression and 9 |
+ | | | compression and 9 |
| | | means maximum compression. The |
| | | higher the level |
- | | |            of compression, the |
+ | | | of compression, the |
| | | smaller the output but the |
| | | longer the |
- | | |            operation takes. If |
+ | | | operation takes. If |
| | | the -c# option is not used |
| | | with either the -J |
- | | |            or the -Z option, |
+ | | | or the -Z option, |
| | | the default compression value |
| | | used by both the |
- | | |            -J and -Z options |
+ | | | -J and -Z options |
| | | is 6. |
- | | |    -d certdir |
- | | |            Specifies your |
+ | | | -d certdir |
+ | | | Specifies your |
| | | certificate database |
| | | directory; that is, the |
- | | |            directory in which |
+ | | | directory in which |
| | | you placed your key3.db and |
| | | cert7.db files. To |
- | | |            specify the current |
+ | | | specify the current |
| | | directory, use "-d." |
| | | (including the period). |
- | | |            The Unix version of |
+ | | | The Unix version of |
| | | signtool assumes ~/.netscape |
| | | unless told |
- | | |            otherwise. The NT |
+ | | | otherwise. The NT |
| | | version of signtool always |
| | | requires the use of |
- | | |            the -d option to |
+ | | | the -d option to |
| | | specify where the database |
| | | files are located. |
- | | |    -e extension |
- | | |            Tells signtool to |
+ | | | -e extension |
+ | | | Tells signtool to |
| | | sign only files with the given |
| | | extension; for |
- | | |            example, use |
+ | | | example, use |
| | | -e".class" to sign only Java |
| | | class files. Note that |
- | | |            with Netscape |
+ | | | with Netscape |
| | | Signing Tool version 1.1 and |
| | | later this option can |
- | | |            appear multiple |
+ | | | appear multiple |
| | | times on one command line, |
| | | making it possible to |
- | | |            specify multiple |
+ | | | specify multiple |
| | | file types or classes to |
| | | include. |
- | | |    -f commandfile |
- | | |            Specifies a text |
+ | | | -f commandfile |
+ | | | Specifies a text |
| | | file containing Netscape |
| | | Signing Tool options and |
- | | |            arguments in |
+ | | | arguments in |
| | | keyword=value format. All |
| | | options and arguments can |
- | | |            be expressed |
+ | | | be expressed |
| | | through this file. For more |
| | | information about the |
- | | |            syntax used with |
+ | | | syntax used with |
| | | this file, see "Tips and |
| | | Techniques". |
- | | |    -i scriptname |
- | | |            Specifies the name |
+ | | | -i scriptname |
+ | | | Specifies the name |
| | | of an installer script for |
| | | SmartUpdate. This |
- | | |            script installs |
+ | | | script installs |
| | | files from the JAR archive in |
| | | the local system |
- | | |            after SmartUpdate |
+ | | | after SmartUpdate |
| | | has validated the digital |
| | | signature. For more |
- | | |            details, see the |
+ | | | details, see the |
| | | description of -m that |
| | | follows. The -i option |
- | | |            provides a |
+ | | | provides a |
| | | straightforward way to provide |
| | | this information if you |
- | | |            don't need to |
+ | | | don't need to |
| | | specify any metadata other |
| | | than an installer script. |
- | | |    -j directory |
- | | |            Specifies a special |
+ | | | -j directory |
+ | | | Specifies a special |
| | | JavaScript directory. This |
| | | option causes the |
- | | |            specified directory |
+ | | | specified directory |
| | | to be signed and tags its |
| | | entries as inline |
- | | |            JavaScript. This |
+ | | | JavaScript. This |
| | | special type of entry does not |
| | | have to appear in |
- | | |            the JAR file |
+ | | | the JAR file |
| | | itself. Instead, it is located |
| | | in the HTML page |
- | | |            containing the |
+ | | | containing the |
| | | inline scripts. When you use |
| | | signtool -v, these |
- | | |            entries are |
+ | | | entries are |
| | | displayed with the string NOT |
| | | PRESENT. |
- | | |    -k key ... directory |
- | | |            Specifies the |
+ | | | -k key ... directory |
+ | | | Specifies the |
| | | nickname (key) of the |
| | | certificate you want to sign |
- | | |            with and signs the |
+ | | | with and signs the |
| | | files in the specified |
| | | directory. The directory |
- | | |            to sign is always |
+ | | | to sign is always |
| | | specified as the last |
| | | command-line argument. |
- | | |            Thus, it is |
+ | | | Thus, it is |
| | | possible to write signtool -k |
| | | MyCert -d . signdir You |
- | | |            may have trouble if |
+ | | | may have trouble if |
| | | the nickname contains a single |
| | | quotation mark. |
- | | |            To avoid problems, |
+ | | | To avoid problems, |
| | | escape the quotation mark |
| | | using the escape |
- | | |            conventions for |
+ | | | conventions for |
| | | your platform. It's also |
| | | possible to use the -k |
- | | |            option without |
+ | | | option without |
| | | signing any files or |
| | | specifying a directory. For |
- | | |            example, you can |
+ | | | example, you can |
| | | use it with the -l option to |
| | | get detailed |
- | | |            information about a |
+ | | | information about a |
| | | particular signing |
| | | certificate. |
- | | |    -G nickname |
- | | |            Generates a new |
+ | | | -G nickname |
+ | | | Generates a new |
| | | private-public key pair and |
| | | corresponding |
- | | |            object-signing |
+ | | | object-signing |
| | | certificate with the given |
| | | nickname. The newly |
- | | |            generated keys and |
+ | | | generated keys and |
| | | certificate are installed into |
| | | the key and |
- | | |            certificate |
+ | | | certificate |
| | | databases in the directory |
| | | specified by the -d option. |
- | | |            With the NT version |
+ | | | With the NT version |
| | | of Netscape Signing Tool, you |
| | | must use the -d |
- | | |            option with the -G |
+ | | | option with the -G |
| | | option. With the Unix version |
| | | of Netscape |
- | | |            Signing Tool, |
+ | | | Signing Tool, |
| | | omitting the -d option causes |
| | | the tool to install |
- | | |            the keys and |
+ | | | the keys and |
| | | certificate in the |
| | | Communicator key and |
| | | certificate |
- | | |            databases. If you |
+ | | | databases. If you |
| | | are installing the keys and |
| | | certificate in the |
- | | |            Communicator |
+ | | | Communicator |
| | | databases, you must exit |
| | | Communicator before using |
- | | |            this option; |
+ | | | this option; |
| | | otherwise, you risk corrupting |
| | | the databases. In all |
- | | |            cases, the |
+ | | | cases, the |
| | | certificate is also output to |
| | | a file named x509.cacert, |
- | | |            which has the |
+ | | | which has the |
| | | MIME-type |
| | | application/x-x509-ca-cert. |
| | | Unlike |
- | | |            certificates |
+ | | | certificates |
| | | normally used to sign finished |
| | | code to be distributed |
- | | |            over a network, a |
+ | | | over a network, a |
| | | test certificate created with |
| | | -G is not signed |
- | | |            by a recognized |
+ | | | by a recognized |
| | | certificate authority. |
| | | Instead, it is self-signed. |
- | | |            In addition, a |
+ | | | In addition, a |
| | | single test signing |
| | | certificate functions as both |
- | | |            an object-signing |
+ | | | an object-signing |
| | | certificate and a CA. When you |
| | | are using it to |
- | | |            sign objects, it |
+ | | | sign objects, it |
| | | behaves like an object-signing |
| | | certificate. When |
- | | |            it is imported into |
+ | | | it is imported into |
| | | browser software such as |
| | | Communicator, it |
- | | |            behaves like an |
+ | | | behaves like an |
| | | object-signing CA and cannot |
| | | be used to sign |
- | | |            objects. The -G |
+ | | | objects. The -G |
| | | option is available in |
| | | Netscape Signing Tool 1.0 |
- | | |            and later versions |
+ | | | and later versions |
| | | only. By default, it produces |
| | | only RSA |
- | | |            certificates with |
+ | | | certificates with |
| | | 1024-byte keys in the internal |
| | | token. However, |
- | | |            you can use the -s |
+ | | | you can use the -s |
| | | option specify the required |
| | | key size and the -t |
- | | |            option to specify |
+ | | | option to specify |
| | | the token. For more |
| | | information about the use of |
- | | |            the -G option, see |
+ | | | the -G option, see |
| | | "Generating Test |
| | | Object-Signing |
- | | |            |
+ | | | |
| | | Certificates""Generating Test |
| | | Object-Signing Certificates" |
| | | on page |
- | | |            1241. |
- | | |    -l |
- | | |            Lists signing |
+ | | | 1241. |
+ | | | -l |
+ | | | Lists signing |
| | | certificates, including |
| | | issuing CAs. If any of your |
- | | |            certificates are |
+ | | | certificates are |
| | | expired or invalid, the list |
| | | will so specify. |
- | | |            This option can be |
+ | | | This option can be |
| | | used with the -k option to |
| | | list detailed |
- | | |            information about a |
+ | | | information about a |
| | | particular signing |
| | | certificate. The -l option |
- | | |            is available in |
+ | | | is available in |
| | | Netscape Signing Tool 1.0 and |
| | | later versions only. |
- | | |    -J |
- | | |            Signs a directory |
+ | | | -J |
+ | | | Signs a directory |
| | | of HTML files containing |
| | | JavaScript and creates |
- | | |            as many archive |
+ | | | as many archive |
| | | files as are specified in the |
| | | HTML tags. Even if |
- | | |            signtool creates |
+ | | | signtool creates |
| | | more than one archive file, |
| | | you need to supply |
- | | |            the key database |
+ | | | the key database |
| | | password only once. The -J |
| | | option is available |
- | | |            only in Netscape |
+ | | | only in Netscape |
| | | Signing Tool 1.0 and later |
| | | versions. The -J |
- | | |            option cannot be |
+ | | | option cannot be |
| | | used at the same time as the |
| | | -Z option. If the |
- | | |            -c# option is not |
+ | | | -c# option is not |
| | | used with the -J option, the |
| | | default compression |
- | | |            value is 6. Note |
+ | | | value is 6. Note |
| | | that versions 1.1 and later of |
| | | Netscape Signing |
- | | |            Tool correctly |
+ | | | Tool correctly |
| | | recognizes the CODEBASE |
| | | attribute, allows paths to |
- | | |            be expressed for |
+ | | | be expressed for |
| | | the CLASS and SRC attributes |
| | | instead of filenames |
- | | |            only, processes |
+ | | | only, processes |
| | | LINK tags and parses HTML |
| | | correctly, and offers |
- | | |            clearer error |
+ | | | clearer error |
| | | messages. |
- | | |    -L |
- | | |            Lists the |
+ | | | -L |
+ | | | Lists the |
| | | certificates in your database. |
| | | An asterisk appears to |
- | | |            the left of the |
+ | | | the left of the |
| | | nickname for any certificate |
| | | that can be used to |
- | | |            sign objects with |
+ | | | sign objects with |
| | | signtool. |
- | | |    --leavearc |
- | | |            Retains the |
+ | | | --leavearc |
+ | | | Retains the |
| | | temporary .arc (archive) |
| | | directories that the -J |
- | | |            option creates. |
+ | | | option creates. |
| | | These directories are |
| | | automatically erased by |
- | | |            default. Retaining |
+ | | | default. Retaining |
| | | the temporary directories can |
| | | be an aid to |
- | | |            debugging. |
- | | |    -m metafile |
- | | |            Specifies the name |
+ | | | debugging. |
+ | | | -m metafile |
+ | | | Specifies the name |
| | | of a metadata control file. |
| | | Metadata is signed |
- | | |            information |
+ | | | information |
| | | attached either to the JAR |
| | | archive itself or to files |
- | | |            within the archive. |
+ | | | within the archive. |
| | | This metadata can be any ASCII |
| | | string, but is |
- | | |            used mainly for |
+ | | | used mainly for |
| | | specifying an installer |
| | | script. The metadata file |
- | | |            contains one entry |
+ | | | contains one entry |
| | | per line, each with three |
| | | fields: field #1: |
- | | |            file specification, |
+ | | | file specification, |
| | | or + if you want to specify |
| | | global metadata |
- | | |            (that is, metadata |
+ | | | (that is, metadata |
| | | about the JAR archive itself |
| | | or all entries in |
- | | |            the archive) field |
+ | | | the archive) field |
| | | #2: the name of the data you |
| | | are specifying; |
- | | |            for example: |
+ | | | for example: |
| | | Install-Script field #3: data |
| | | corresponding to the |
- | | |            name in field #2 |
+ | | | name in field #2 |
| | | For example, the -i option |
| | | uses the equivalent of |
- | | |            this line: + |
+ | | | this line: + |
| | | Install-Script: script.js This |
| | | example associates a |
- | | |            MIME type with a |
+ | | | MIME type with a |
| | | file: movie.qt MIME-Type: |
| | | video/quicktime For |
- | | |            information about |
+ | | | information about |
| | | the way installer script |
| | | information appears in |
- | | |            the manifest file |
+ | | | the manifest file |
| | | for a JAR archive, see The JAR |
| | | Format on |
- | | |            Netscape DevEdge. |
- | | |    -M |
- | | |            Lists the PKCS #11 |
+ | | | Netscape DevEdge. |
+ | | | -M |
+ | | | Lists the PKCS #11 |
| | | modules available to signtool, |
| | | including smart |
- | | |            cards. The -M |
+ | | | cards. The -M |
| | | option is available in |
| | | Netscape Signing Tool 1.0 and |
- | | |            later versions |
+ | | | later versions |
| | | only. For information on using |
| | | Netscape Signing |
- | | |            Tool with smart |
+ | | | Tool with smart |
| | | cards, see "Using Netscape |
| | | Signing Tool with Smart |
- | | |            Cards". For |
+ | | | Cards". For |
| | | information on using the -M |
| | | option to verify |
- | | |            FIPS-140-1 |
+ | | | FIPS-140-1 |
| | | validated mode, see "Netscape |
| | | Signing Tool and |
- | | |            FIPS-140-1". |
- | | |    --norecurse |
- | | |            Blocks recursion |
+ | | | FIPS-140-1". |
+ | | | --norecurse |
+ | | | Blocks recursion |
| | | into subdirectories when |
| | | signing a directory's |
- | | |            contents or when |
+ | | | contents or when |
| | | parsing HTML. |
- | | |    -o |
- | | |            Optimizes the |
+ | | | -o |
+ | | | Optimizes the |
| | | archive for size. Use this |
| | | only if you are signing |
- | | |            very large archives |
+ | | | very large archives |
| | | containing hundreds of files. |
| | | This option |
- | | |            makes the manifest |
+ | | | makes the manifest |
| | | files (required by the JAR |
| | | format) considerably |
- | | |            smaller, but they |
+ | | | smaller, but they |
| | | contain slightly less |
| | | information. |
- | | |    --outfile outputfile |
- | | |            Specifies a file to |
+ | | | --outfile outputfile |
+ | | | Specifies a file to |
| | | receive redirected output from |
| | | Netscape |
- | | |            Signing Tool. |
- | | |    -p password |
- | | |            Specifies a |
+ | | | Signing Tool. |
+ | | | -p password |
+ | | | Specifies a |
| | | password for the private-key |
| | | database. Note that the |
- | | |            password entered on |
+ | | | password entered on |
| | | the command line is displayed |
| | | as plain text. |
- | | |    -s keysize |
- | | |            Specifies the size |
+ | | | -s keysize |
+ | | | Specifies the size |
| | | of the key for generated |
| | | certificate. Use the |
- | | |            -M option to find |
+ | | | -M option to find |
| | | out what tokens are available. |
| | | The -s option can |
- | | |            be used with the -G |
+ | | | be used with the -G |
| | | option only. |
- | | |    -t token |
- | | |            Specifies which |
+ | | | -t token |
+ | | | Specifies which |
| | | available token should |
| | | generate the key and |
- | | |            receive the |
+ | | | receive the |
| | | certificate. Use the -M option |
| | | to find out what tokens |
- | | |            are available. The |
+ | | | are available. The |
| | | -t option can be used with the |
| | | -G option only. |
- | | |    -v archive |
- | | |            Displays the |
+ | | | -v archive |
+ | | | Displays the |
| | | contents of an archive and |
| | | verifies the cryptographic |
- | | |            integrity of the |
+ | | | integrity of the |
| | | digital signatures it contains |
| | | and the files with |
- | | |            which they are |
+ | | | which they are |
| | | associated. This includes |
| | | checking that the |
- | | |            certificate for the |
+ | | | certificate for the |
| | | issuer of the object-signing |
| | | certificate is |
- | | |            listed in the |
+ | | | listed in the |
| | | certificate database, that the |
| | | CA's digital |
- | | |            signature on the |
+ | | | signature on the |
| | | object-signing certificate is |
| | | valid, that the |
- | | |            relevant |
+ | | | relevant |
| | | certificates have not expired, |
| | | and so on. |
- | | |    --verbosity value |
- | | |            Sets the quantity |
+ | | | --verbosity value |
+ | | | Sets the quantity |
| | | of information Netscape |
| | | Signing Tool generates |
- | | |            in operation. A |
+ | | | in operation. A |
| | | value of 0 (zero) is the |
| | | default and gives full |
- | | |            information. A |
+ | | | information. A |
| | | value of -1 suppresses most |
| | | messages, but not error |
- | | |            messages. |
- | | |    -w archive |
- | | |            Displays the names |
+ | | | messages. |
+ | | | -w archive |
+ | | | Displays the names |
| | | of signers of any files in the |
| | | archive. |
- | | |    -x directory |
- | | |            Excludes the |
+ | | | -x directory |
+ | | | Excludes the |
| | | specified directory from |
| | | signing. Note that with |
- | | |            Netscape Signing |
+ | | | Netscape Signing |
| | | Tool version 1.1 and later |
| | | this option can appear |
- | | |            multiple times on |
+ | | | multiple times on |
| | | one command line, making it |
| | | possible to specify |
- | | |            several particular |
+ | | | several particular |
| | | directories to exclude. |
- | | |    -z |
- | | |            Tells signtool not |
+ | | | -z |
+ | | | Tells signtool not |
| | | to store the signing time in |
| | | the digital |
- | | |            signature. This |
+ | | | signature. This |
| | | option is useful if you want |
| | | the expiration date |
- | | |            of the signature |
+ | | | of the signature |
| | | checked against the current |
| | | date and time rather |
- | | |            than the time the |
+ | | | than the time the |
| | | files were signed. |
- | | |    -Z jarfile |
- | | |            Creates a JAR file |
+ | | | -Z jarfile |
+ | | | Creates a JAR file |
| | | with the specified name. You |
| | | must specify this |
- | | |            option if you want |
+ | | | option if you want |
| | | signtool to create the JAR |
| | | file; it does not do |
- | | |            so automatically. |
+ | | | so automatically. |
| | | If you don't specify -Z, you |
| | | must use an |
- | | |            external ZIP tool |
+ | | | external ZIP tool |
| | | to create the JAR file. The -Z |
| | | option cannot be |
- | | |            used at the same |
+ | | | used at the same |
| | | time as the -J option. If the |
| | | -c# option is not |
- | | |            used with the -Z |
+ | | | used with the -Z |
| | | option, the default |
| | | compression value is 6. |
| | | The Command File Format |
- | | |    Entries in a Netscape |
+ | | | Entries in a Netscape |
| | | Signing Tool command file have |
| | | this general format: |
- | | |    keyword=value Everything |
+ | | | keyword=value Everything |
| | | before the = sign on a single |
| | | line is a keyword, |
- | | |    and everything from the = |
+ | | | and everything from the = |
| | | sign to the end of line is a |
| | | value. The value |
- | | |    may include = signs; only |
+ | | | may include = signs; only |
| | | the first = sign on a line is |
| | | interpreted. Blank |
- | | |    lines are ignored, but |
+ | | | lines are ignored, but |
| | | white space on a line with |
| | | keywords and values is |
- | | |    assumed to be part of the |
+ | | | assumed to be part of the |
| | | keyword (if it comes before |
| | | the equal sign) or |
- | | |    part of the value (if it |
+ | | | part of the value (if it |
| | | comes after the first equal |
| | | sign). Keywords are |
- | | |    case insensitive, values |
+ | | | case insensitive, values |
| | | are generally case sensitive. |
| | | Since the = sign |
- | | |    and newline delimit the |
+ | | | and newline delimit the |
| | | value, it should not be |
| | | quoted. |
- | | |    Subsection |
- | | |    basename |
- | | |            Same as -b option. |
- | | |    compression |
- | | |            Same as -c option. |
- | | |    certdir |
- | | |            Same as -d option. |
- | | |    extension |
- | | |            Same as -e option. |
- | | |    generate |
- | | |            Same as -G option. |
- | | |    installscript |
- | | |            Same as -i option. |
- | | |    javascriptdir |
- | | |            Same as -j option. |
- | | |    htmldir |
- | | |            Same as -J option. |
- | | |    certname |
- | | |            Nickname of |
+ | | | Subsection |
+ | | | basename |
+ | | | Same as -b option. |
+ | | | compression |
+ | | | Same as -c option. |
+ | | | certdir |
+ | | | Same as -d option. |
+ | | | extension |
+ | | | Same as -e option. |
+ | | | generate |
+ | | | Same as -G option. |
+ | | | installscript |
+ | | | Same as -i option. |
+ | | | javascriptdir |
+ | | | Same as -j option. |
+ | | | htmldir |
+ | | | Same as -J option. |
+ | | | certname |
+ | | | Nickname of |
| | | certificate, as with -k and -l |
| | | -k options. |
- | | |    signdir |
- | | |            The directory to be |
+ | | | signdir |
+ | | | The directory to be |
| | | signed, as with -k option. |
- | | |    list |
- | | |            Same as -l option. |
+ | | | list |
+ | | | Same as -l option. |
| | | Value is ignored, but = sign |
| | | must be present. |
- | | |    listall |
- | | |            Same as -L option. |
+ | | | listall |
+ | | | Same as -L option. |
| | | Value is ignored, but = sign |
| | | must be present. |
- | | |    metafile |
- | | |            Same as -m option. |
- | | |    modules |
- | | |            Same as -M option. |
+ | | | metafile |
+ | | | Same as -m option. |
+ | | | modules |
+ | | | Same as -M option. |
| | | Value is ignored, but = sign |
| | | must be present. |
- | | |    optimize |
- | | |            Same as -o option. |
+ | | | optimize |
+ | | | Same as -o option. |
| | | Value is ignored, but = sign |
| | | must be present. |
- | | |    password |
- | | |            Same as -p option. |
- | | |    keysize |
- | | |            Same as -s option. |
- | | |    token |
- | | |            Same as -t option. |
- | | |    verify |
- | | |            Same as -v option. |
- | | |    who |
- | | |            Same as -w option. |
- | | |    exclude |
- | | |            Same as -x option. |
- | | |    notime |
- | | |            Same as -z option. |
+ | | | password |
+ | | | Same as -p option. |
+ | | | keysize |
+ | | | Same as -s option. |
+ | | | token |
+ | | | Same as -t option. |
+ | | | verify |
+ | | | Same as -v option. |
+ | | | who |
+ | | | Same as -w option. |
+ | | | exclude |
+ | | | Same as -x option. |
+ | | | notime |
+ | | | Same as -z option. |
| | | value is ignored, but = sign |
| | | must be present. |
- | | |    jarfile |
- | | |            Same as -Z option. |
- | | |    outfile |
- | | |            Name of a file to |
+ | | | jarfile |
+ | | | Same as -Z option. |
+ | | | outfile |
+ | | | Name of a file to |
| | | which output and error |
| | | messages will be |
- | | |            redirected. This |
+ | | | redirected. This |
| | | option has no command-line |
| | | equivalent. |
| | | Extended Examples |
- | | |    The following example will |
+ | | | The following example will |
| | | do this and that |
- | | |    Listing Available Signing |
+ | | | Listing Available Signing |
| | | Certificates |
- | | |    You use the -L option to |
+ | | | You use the -L option to |
| | | list the nicknames for all |
| | | available certificates |
- | | |    and check which ones are |
+ | | | and check which ones are |
| | | signing certificates. |
- | | |  signtool -L |
- | | |  using certificate directory: |
+ | | | signtool -L |
+ | | | using certificate directory: |
| | | /u/jsmith/.netscape |
- | | |  S Certificates |
- | | |  - ------------ |
- | | |    BBN Certificate Services CA |
+ | | | S Certificates |
+ | | | - ------------ |
+ | | | BBN Certificate Services CA |
| | | Root 1 |
- | | |    IBM World Registry CA |
- | | |    VeriSign Class 1 CA - |
+ | | | IBM World Registry CA |
+ | | | VeriSign Class 1 CA - |
| | | Individual Subscriber - |
| | | VeriSign, Inc. |
- | | |    GTE CyberTrust Root CA |
- | | |    Uptime Group Plc. Class 4 |
+ | | | GTE CyberTrust Root CA |
+ | | | Uptime Group Plc. Class 4 |
| | | CA |
- | | |  \* Verisign Object Signing |
+ | | | \* Verisign Object Signing |
| | | Cert |
- | | |    Integrion CA |
- | | |    GTE CyberTrust Secure |
+ | | | Integrion CA |
+ | | | GTE CyberTrust Secure |
| | | Server CA |
- | | |    AT&T Directory Services |
- | | |  \* test object signing cert |
- | | |    Uptime Group Plc. Class 1 |
+ | | | AT&T Directory Services |
+ | | | \* test object signing cert |
+ | | | Uptime Group Plc. Class 1 |
| | | CA |
- | | |    VeriSign Class 1 Primary CA |
- | | |  - ------------ |
- | | |  Certificates that can be used |
+ | | | VeriSign Class 1 Primary CA |
+ | | | - ------------ |
+ | | | Certificates that can be used |
| | | to sign objects have \*'s to |
| | | their left. |
- | | |    Two signing certificates |
+ | | | Two signing certificates |
| | | are displayed: Verisign Object |
| | | Signing Cert and |
- | | |    test object signing cert. |
- | | |    You use the -l option to |
+ | | | test object signing cert. |
+ | | | You use the -l option to |
| | | get a list of signing |
| | | certificates only, |
- | | |    including the signing CA |
+ | | | including the signing CA |
| | | for each. |
- | | |  signtool -l |
- | | |  using certificate directory: |
+ | | | signtool -l |
+ | | | using certificate directory: |
| | | /u/jsmith/.netscape |
- | | |  Object signing certificates |
- | | |  --------- |
+ | | | Object signing certificates |
+ | | | --------- |
| | | ------------------------------ |
- | | |  Verisign Object Signing Cert |
- | | |      Issued by: VeriSign, Inc. |
+ | | | Verisign Object Signing Cert |
+ | | | Issued by: VeriSign, Inc. |
| | | - Verisign, Inc. |
- | | |      Expires: Tue May 19, 1998 |
- | | |  test object signing cert |
- | | |      Issued by: test object |
+ | | | Expires: Tue May 19, 1998 |
+ | | | test object signing cert |
+ | | | Issued by: test object |
| | | signing cert (Signtool 1.0 |
| | | Testing |
- | | |  Certificate (960187691)) |
- | | |      Expires: Sun May 17, 1998 |
- | | |  --------- |
+ | | | Certificate (960187691)) |
+ | | | Expires: Sun May 17, 1998 |
+ | | | --------- |
| | | ------------------------------ |
- | | |    For a list including CAs, |
+ | | | For a list including CAs, |
| | | use the -L option. |
- | | |    Signing a File |
- | | |    1. Create an empty |
+ | | | Signing a File |
+ | | | 1. Create an empty |
| | | directory. |
- | | |  mkdir signdir |
- | | |    2. Put some file into it. |
- | | |  echo boo > signdir/test.f |
- | | |    3. Specify the name of your |
+ | | | mkdir signdir |
+ | | | 2. Put some file into it. |
+ | | | echo boo > signdir/test.f |
+ | | | 3. Specify the name of your |
| | | object-signing certificate and |
| | | sign the |
- | | |    directory. |
- | | |  signtool -k MySignCert -Z |
+ | | | directory. |
+ | | | signtool -k MySignCert -Z |
| | | testjar.jar signdir |
- | | |  using key "MySignCert" |
- | | |  using certificate directory: |
+ | | | using key "MySignCert" |
+ | | | using certificate directory: |
| | | /u/jsmith/.netscape |
- | | |  Generating |
+ | | | Generating |
| | | signdir/META-INF/manifest.mf |
| | | file.. |
- | | |  --> test.f |
- | | |  adding signdir/test.f to |
+ | | | --> test.f |
+ | | | adding signdir/test.f to |
| | | testjar.jar |
- | | |  Generating signtool.sf file.. |
- | | |  Enter Password or Pin for |
+ | | | Generating signtool.sf file.. |
+ | | | Enter Password or Pin for |
| | | "Communicator Certificate DB": |
- | | |  adding |
+ | | | adding |
| | | signdir/META-INF/manifest.mf |
| | | to testjar.jar |
- | | |  adding |
+ | | | adding |
| | | signdir/META-INF/signtool.sf |
| | | to testjar.jar |
- | | |  adding |
+ | | | adding |
| | | signdir/META-INF/signtool.rsa |
| | | to testjar.jar |
- | | |  tree "signdir" signed |
+ | | | tree "signdir" signed |
| | | successfully |
- | | |    4. Test the archive you |
+ | | | 4. Test the archive you |
| | | just created. |
- | | |  signtool -v testjar.jar |
- | | |  using certificate directory: |
+ | | | signtool -v testjar.jar |
+ | | | using certificate directory: |
| | | /u/jsmith/.netscape |
- | | |  archive "testjar.jar" has |
+ | | | archive "testjar.jar" has |
| | | passed crypto verification. |
- | | |             status   path |
- | | |       ------------   |
+ | | | status path |
+ | | | ------------ |
| | | ------------------- |
- | | |           verified   test.f |
- | | |    Using Netscape Signing Tool |
+ | | | verified test.f |
+ | | | Using Netscape Signing Tool |
| | | with a ZIP Utility |
- | | |    To use Netscape Signing |
+ | | | To use Netscape Signing |
| | | Tool with a ZIP utility, you |
| | | must have the utility |
- | | |    in your path environment |
+ | | | in your path environment |
| | | variable. You should use the |
| | | zip.exe utility |
- | | |    rather than pkzip.exe, |
+ | | | rather than pkzip.exe, |
| | | which cannot handle long |
| | | filenames. You can use a |
- | | |    ZIP utility instead of the |
+ | | | ZIP utility instead of the |
| | | -Z option to package a signed |
| | | archive into a |
- | | |    JAR file after you have |
+ | | | JAR file after you have |
| | | signed it: |
- | | |  cd signdir |
- | | |    zip -r ../myjar.jar \* |
- | | |    adding: META-INF/ (stored |
+ | | | cd signdir |
+ | | | zip -r ../myjar.jar \* |
+ | | | adding: META-INF/ (stored |
| | | 0%) |
- | | |    adding: |
+ | | | adding: |
| | | META-INF/manifest.mf (deflated |
| | | 15%) |
- | | |    adding: |
+ | | | adding: |
| | | META-INF/signtool.sf (deflated |
| | | 28%) |
- | | |    adding: |
+ | | | adding: |
| | | META-INF/signtool.rsa (stored |
| | | 0%) |
- | | |    adding: text.txt (stored |
+ | | | adding: text.txt (stored |
| | | 0%) |
- | | |    Generating the Keys and |
+ | | | Generating the Keys and |
| | | Certificate |
- | | |    The signtool option -G |
+ | | | The signtool option -G |
| | | generates a new public-private |
| | | key pair and |
- | | |    certificate. It takes the |
+ | | | certificate. It takes the |
| | | nickname of the new |
| | | certificate as an argument. |
- | | |    The newly generated keys |
+ | | | The newly generated keys |
| | | and certificate are installed |
| | | into the key and |
- | | |    certificate databases in |
+ | | | certificate databases in |
| | | the directory specified by the |
| | | -d option. With |
- | | |    the NT version of Netscape |
+ | | | the NT version of Netscape |
| | | Signing Tool, you must use the |
| | | -d option with |
- | | |    the -G option. With the |
+ | | | the -G option. With the |
| | | Unix version of Netscape |
| | | Signing Tool, omitting |
- | | |    the -d option causes the |
+ | | | the -d option causes the |
| | | tool to install the keys and |
| | | certificate in the |
- | | |    Communicator key and |
+ | | | Communicator key and |
| | | certificate databases. In all |
| | | cases, the certificate |
- | | |    is also output to a file |
+ | | | is also output to a file |
| | | named x509.cacert, which has |
| | | the MIME-type |
- | | |    application/x-x509-ca-cert. |
- | | |    Certificates contain |
+ | | | application/x-x509-ca-cert. |
+ | | | Certificates contain |
| | | standard information about the |
| | | entity they identify, |
- | | |    such as the common name and |
+ | | | such as the common name and |
| | | organization name. Netscape |
| | | Signing Tool |
- | | |    prompts you for this |
+ | | | prompts you for this |
| | | information when you run the |
| | | command with the -G |
- | | |    option. However, all of the |
+ | | | option. However, all of the |
| | | requested fields are optional |
| | | for test |
- | | |    certificates. If you do not |
+ | | | certificates. If you do not |
| | | enter a common name, the tool |
| | | provides a |
- | | |    default name. In the |
+ | | | default name. In the |
| | | following example, the user |
| | | input is in boldface: |
- | | |  signtool -G MyTestCert |
- | | |  using certificate directory: |
+ | | | signtool -G MyTestCert |
+ | | | using certificate directory: |
| | | /u/someuser/.netscape |
- | | |  Enter certificate |
+ | | | Enter certificate |
| | | information. All fields are |
| | | optional. Acceptable |
- | | |  characters are numbers, |
+ | | | characters are numbers, |
| | | letters, spaces, and |
| | | apostrophes. |
- | | |  certificate common name: Test |
+ | | | certificate common name: Test |
| | | Object Signing Certificate |
- | | |  organization: Netscape |
+ | | | organization: Netscape |
| | | Communications Corp. |
- | | |  organization unit: Server |
+ | | | organization unit: Server |
| | | Products Division |
- | | |  state or province: California |
- | | |  country (must be exactly 2 |
+ | | | state or province: California |
+ | | | country (must be exactly 2 |
| | | characters): US |
- | | |  username: someuser |
- | | |  email address: |
+ | | | username: someuser |
+ | | | email address: |
| | | someuser@netscape.com |
- | | |  Enter Password or Pin for |
+ | | | Enter Password or Pin for |
| | | "Communicator Certificate DB": |
| | | [Password will not echo] |
- | | |  generated public/private key |
+ | | | generated public/private key |
| | | pair |
- | | |  certificate request generated |
- | | |  certificate has been signed |
- | | |  certificate "MyTestCert" |
+ | | | certificate request generated |
+ | | | certificate has been signed |
+ | | | certificate "MyTestCert" |
| | | added to database |
- | | |  Exported certificate to |
+ | | | Exported certificate to |
| | | x509.raw and x509.cacert. |
- | | |    The certificate information |
+ | | | The certificate information |
| | | is read from standard input. |
| | | Therefore, the |
- | | |    information can be read |
+ | | | information can be read |
| | | from a file using the |
| | | redirection operator (<) in |
- | | |    some operating systems. To |
+ | | | some operating systems. To |
| | | create a file for this |
| | | purpose, enter each of |
- | | |    the seven input fields, in |
+ | | | the seven input fields, in |
| | | order, on a separate line. |
| | | Make sure there is a |
- | | |    newline character at the |
+ | | | newline character at the |
| | | end of the last line. Then run |
| | | signtool with |
- | | |    standard input redirected |
+ | | | standard input redirected |
| | | from your file as follows: |
- | | |  signtool -G MyTestCert |
+ | | | signtool -G MyTestCert |
| | | inputfile |
- | | |    The prompts show up on the |
+ | | | The prompts show up on the |
| | | screen, but the responses will |
| | | be automatically |
- | | |    read from the file. The |
+ | | | read from the file. The |
| | | password will still be read |
| | | from the console |
- | | |    unless you use the -p |
+ | | | unless you use the -p |
| | | option to give the password on |
| | | the command line. |
- | | |    Using the -M Option to List |
+ | | | Using the -M Option to List |
| | | Smart Cards |
- | | |    You can use the -M option |
+ | | | You can use the -M option |
| | | to list the PKCS #11 modules, |
| | | including smart |
- | | |    cards, that are available |
+ | | | cards, that are available |
| | | to signtool: |
- | | |  signtool -d |
+ | | | signtool -d |
| | | "c:\netscape\users\jsmith" -M |
- | | |  using certificate directory: |
+ | | | using certificate directory: |
| | | c:\netscape\users\username |
- | | |  Listing of PKCS11 modules |
- | | |  ----------------- |
+ | | | Listing of PKCS11 modules |
+ | | | ----------------- |
| | | ------------------------------ |
- | | |          1. Netscape Internal |
+ | | | 1. Netscape Internal |
| | | PKCS #11 Module |
- | | |                            |
+ | | | |
| | | (this module is internally |
| | | loaded) |
- | | |                            |
+ | | | |
| | | slots: 2 slots attached |
- | | |                            |
+ | | | |
| | | status: loaded |
- | | |            slot: Communicator |
+ | | | slot: Communicator |
| | | Internal Cryptographic |
| | | Services Version 4.0 |
- | | |           token: Communicator |
+ | | | token: Communicator |
| | | Generic Crypto Svcs |
- | | |            slot: Communicator |
+ | | | slot: Communicator |
| | | User Private Key and |
| | | Certificate Services |
- | | |           token: Communicator |
+ | | | token: Communicator |
| | | Certificate DB |
- | | |          2. CryptOS |
- | | |                            |
+ | | | 2. CryptOS |
+ | | | |
| | | (this is an external module) |
- | | |   DLL name: core32 |
- | | |           slots: 1 slots |
+ | | | DLL name: core32 |
+ | | | slots: 1 slots |
| | | attached |
- | | |          status: loaded |
- | | |            slot: Litronic 210 |
- | | |           token: |
- | | |          |
+ | | | status: loaded |
+ | | | slot: Litronic 210 |
+ | | | token: |
+ | | | |
| | | ----------------- |
| | | ------------------------------ |
- | | |    Using Netscape Signing Tool |
+ | | | Using Netscape Signing Tool |
| | | and a Smart Card to Sign Files |
- | | |    The signtool command |
+ | | | The signtool command |
| | | normally takes an argument of |
| | | the -k option to |
- | | |    specify a signing |
+ | | | specify a signing |
| | | certificate. To sign with a |
| | | smart card, you supply only |
- | | |    the fully qualified name of |
+ | | | the fully qualified name of |
| | | the certificate. |
- | | |    To see fully qualified |
+ | | | To see fully qualified |
| | | certificate names when you run |
| | | Communicator, click |
- | | |    the Security button in |
+ | | | the Security button in |
| | | Navigator, then click Yours |
| | | under Certificates in |
- | | |    the left frame. Fully |
+ | | | the left frame. Fully |
| | | qualified names are of the |
| | | format smart |
- | | |    card:certificate, for |
+ | | | card:certificate, for |
| | | example "MyCard:My Signing |
| | | Cert". You use this name |
- | | |    with the -k argument as |
+ | | | with the -k argument as |
| | | follows: |
- | | |  signtool -k "MyCard:My |
+ | | | signtool -k "MyCard:My |
| | | Signing Cert" directory |
- | | |    Verifying FIPS Mode |
- | | |    Use the -M option to verify |
+ | | | Verifying FIPS Mode |
+ | | | Use the -M option to verify |
| | | that you are using the |
| | | FIPS-140-1 module. |
- | | |  signtool -d |
+ | | | signtool -d |
| | | "c:\netscape\users\jsmith" -M |
- | | |  using certificate directory: |
+ | | | using certificate directory: |
| | | c:\netscape\users\jsmith |
- | | |  Listing of PKCS11 modules |
- | | |  ----------------- |
+ | | | Listing of PKCS11 modules |
+ | | | ----------------- |
| | | ------------------------------ |
- | | |    1. Netscape Internal PKCS |
+ | | | 1. Netscape Internal PKCS |
| | | #11 Module |
- | | |            (this module is |
+ | | | (this module is |
| | | internally loaded) |
- | | |            slots: 2 slots |
+ | | | slots: 2 slots |
| | | attached |
- | | |            status: loaded |
- | | |      slot: Communicator |
+ | | | status: loaded |
+ | | | slot: Communicator |
| | | Internal Cryptographic |
| | | Services Version 4.0 |
- | | |     token: Communicator |
+ | | | token: Communicator |
| | | Generic Crypto Svcs |
- | | |      slot: Communicator User |
+ | | | slot: Communicator User |
| | | Private Key and Certificate |
| | | Services |
- | | |     token: Communicator |
+ | | | token: Communicator |
| | | Certificate DB |
- | | |  ----------------- |
+ | | | ----------------- |
| | | ------------------------------ |
- | | |    This Unix example shows |
+ | | | This Unix example shows |
| | | that Netscape Signing Tool is |
| | | using a FIPS-140-1 |
- | | |    module: |
- | | |  signtool -d |
+ | | | module: |
+ | | | signtool -d |
| | | "c:\netscape\users\jsmith" -M |
- | | |  using certificate directory: |
+ | | | using certificate directory: |
| | | c:\netscape\users\jsmith |
- | | |  Enter Password or Pin for |
+ | | | Enter Password or Pin for |
| | | "Communicator Certificate DB": |
| | | [password will not echo] |
- | | |  Listing of PKCS11 modules |
- | | |  ----------------- |
+ | | | Listing of PKCS11 modules |
+ | | | ----------------- |
| | | ------------------------------ |
- | | |  1. Netscape Internal FIPS |
+ | | | 1. Netscape Internal FIPS |
| | | PKCS #11 Module |
- | | |  (this module is internally |
+ | | | (this module is internally |
| | | loaded) |
- | | |  slots: 1 slots attached |
- | | |  status: loaded |
- | | |  slot: Netscape Internal |
+ | | | slots: 1 slots attached |
+ | | | status: loaded |
+ | | | slot: Netscape Internal |
| | | FIPS-140-1 Cryptographic |
| | | Services |
- | | |  token: Communicator |
+ | | | token: Communicator |
| | | Certificate DB |
- | | |  ----------------- |
+ | | | ----------------- |
| | | ------------------------------ |
| | | See Also |
- | | |    signver (1) |
- | | |    The NSS wiki has |
+ | | | signver (1) |
+ | | | The NSS wiki has |
| | | information on the new |
| | | database design and how to |
- | | |    configure applications to |
+ | | | configure applications to |
| | | use it. |
- | | |      |
- | | | o https://wiki.m |
+ | | | |
+ | | | o https://wiki.m |
| | | ozilla.org/NSS_Shared_DB_Howto |
- | | |      |
- | | | o https:// |
+ | | | |
+ | | | o https:// |
| | | wiki.mozilla.org/NSS_Shared_DB |
| | | Additional Resources |
- | | |    For information about NSS |
+ | | | For information about NSS |
| | | and other tools related to NSS |
| | | (like JSS), check |
- | | |    out the NSS project wiki at |
- | | |    |
+ | | | out the NSS project wiki at |
+ | | | |
| | | [1]\ `http://www.mozil |
| | | la.org/projects/security/pki/n |
| | | ss/ <https://www.mozilla.org/p |
| | | rojects/security/pki/nss/>`__. |
| | | The NSS site relates |
- | | |    directly to NSS code |
+ | | | directly to NSS code |
| | | changes and releases. |
- | | |    Mailing lists: |
+ | | | Mailing lists: |
| | | https://lists.mozill |
| | | a.org/listinfo/dev-tech-crypto |
- | | |    IRC: Freenode at |
+ | | | IRC: Freenode at |
| | | #dogtag-pki |
| | | Authors |
- | | |    The NSS tools were written |
+ | | | The NSS tools were written |
| | | and maintained by developers |
| | | with Netscape, Red |
- | | |    Hat, and Sun. |
- | | |    Authors: Elio Maldonado |
+ | | | Hat, and Sun. |
+ | | | Authors: Elio Maldonado |
| | | <emaldona@redhat.com>, Deon |
| | | Lackey |
- | | |    <dlackey@redhat.com>. |
+ | | | <dlackey@redhat.com>. |
| | | Copyright |
- | | |    (c) 2010, Red Hat, Inc. |
+ | | | (c) 2010, Red Hat, Inc. |
| | | Licensed under the GNU Public |
| | | License version 2. |
| | | References |
- | | |    Visible links |
- | | |    1. |
+ | | | Visible links |
+ | | | 1. |
| | | `http://www.mozi |
| | | lla.org/projects/security/pki/ |
| | | nss/ <https://www.mozilla.org/ |
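Review bot: collapsing the leading indentation inside the table cells is not a whitespace-neutral change for reStructuredText, and this hunk does it throughout the signtool options and examples: an entry such as `-M` followed by the indented `Lists the PKCS #11` line was a definition-list term with its definition, and once the indentation is removed (`+ | | | -M` / `+ | | | Lists the PKCS #11`) the option name and its description run together into one paragraph, so every option in the list, the `--norecurse`, `-o`, `--outfile`, `-p` entries and the `basename` ... `Same as -b option.` keyword list under `Subsection`, loses its structure when rendered. The same indentation carried the column alignment of the sample output cells (`status   path` / `verified   test.f`, and the numbered `1. Netscape Internal PKCS #11 Module` listing with its `slot:` and `token:` lines), which now flatten to single lines. Suggest limiting this cleanup to trailing whitespace on those lines, or rendering the page before and after and confirming the option lists and sample output still come out the same. While touching these cells: the redirected-input example `signtool -G MyTestCert inputfile` has lost the `<` that the preceding paragraph says it uses; that is pre-existing, but it is worth restoring in the same pass.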
@@ -10422,241 +10422,241 @@ Index
| | la_projects_nss_tools_signver` | |
+--------------------------------+--------------------------------+--------------------------------+
| | | Name |
- | | |    signver — Verify a detached |
+ | | | signver — Verify a detached |
| | | PKCS#7 signature for a file. |
| | | Synopsis |
- | | |    signtool -A \| -V -d |
+ | | | signtool -A \| -V -d |
| | | directory [-a] [-i input_file] |
| | | [-o output_file] [-s |
- | | |    signature_file] [-v] |
+ | | | signature_file] [-v] |
| | | Description |
- | | |    The Signature Verification |
+ | | | The Signature Verification |
| | | Tool, signver, is a simple |
| | | command-line utility |
- | | |    that unpacks a |
+ | | | that unpacks a |
| | | base-64-encoded PKCS#7 signed |
| | | object and verifies the |
- | | |    digital signature using |
+ | | | digital signature using |
| | | standard cryptographic |
| | | techniques. The Signature |
- | | |    Verification Tool can also |
+ | | | Verification Tool can also |
| | | display the contents of the |
| | | signed object. |
| | | Options |
- | | |    -A |
- | | |            Displays all of the |
+ | | | -A |
+ | | | Displays all of the |
| | | information in the PKCS#7 |
| | | signature. |
- | | |    -V |
- | | |            Verifies the |
+ | | | -V |
+ | | | Verifies the |
| | | digital signature. |
- | | |    -d [sql:]directory |
- | | |            Specify the |
+ | | | -d [sql:]directory |
+ | | | Specify the |
| | | database directory which |
| | | contains the certificates and |
- | | |            keys. |
- | | |            signver supports |
+ | | | keys. |
+ | | | signver supports |
| | | two types of databases: the |
| | | legacy security |
- | | |            databases |
+ | | | databases |
| | | (cert8.db, key3.db, and |
| | | secmod.db) and new SQLite |
- | | |            databases |
+ | | | databases |
| | | (cert9.db, key4.db, and |
| | | pkcs11.txt). If the prefix |
| | | sql: |
- | | |            is not used, then |
+ | | | is not used, then |
| | | the tool assumes that the |
| | | given databases are in |
- | | |            the old format. |
- | | |    -a |
- | | |            Sets that the given |
+ | | | the old format. |
+ | | | -a |
+ | | | Sets that the given |
| | | signature file is in ASCII |
| | | format. |
- | | |    -i input_file |
- | | |            Gives the input |
+ | | | -i input_file |
+ | | | Gives the input |
| | | file for the object with |
| | | signed data. |
- | | |    -o output_file |
- | | |            Gives the output |
+ | | | -o output_file |
+ | | | Gives the output |
| | | file to which to write the |
| | | results. |
- | | |    -s signature_file |
- | | |            Gives the input |
+ | | | -s signature_file |
+ | | | Gives the input |
| | | file for the digital |
| | | signature. |
- | | |    -v |
- | | |            Enables verbose |
+ | | | -v |
+ | | | Enables verbose |
| | | output. |
| | | Extended Examples |
- | | |   Verifying a Signature |
- | | |    The -V option verifies that |
+ | | | Verifying a Signature |
+ | | | The -V option verifies that |
| | | the signature in a given |
| | | signature file is |
- | | |    valid when used to sign the |
+ | | | valid when used to sign the |
| | | given object (from the input |
| | | file). |
- | | |  signver -V -s signature_file |
+ | | | signver -V -s signature_file |
| | | -i signed_file -d |
| | | sql:/home/my/sharednssdb |
- | | |  signatureValid=yes |
- | | |   Printing Signature Data |
- | | |    The -A option prints all of |
+ | | | signatureValid=yes |
+ | | | Printing Signature Data |
+ | | | The -A option prints all of |
| | | the information contained in a |
| | | signature file. |
- | | |    Using the -o option prints |
+ | | | Using the -o option prints |
| | | the signature file information |
| | | to the given |
- | | |    output file rather than |
+ | | | output file rather than |
| | | stdout. |
- | | |  signver -A -s signature_file |
+ | | | signver -A -s signature_file |
| | | -o output_file |
| | | NSS Database Types |
- | | |    NSS originally used |
+ | | | NSS originally used |
| | | BerkeleyDB databases to store |
| | | security information. |
- | | |    The last versions of these |
+ | | | The last versions of these |
| | | legacy databases are: |
- | | |      o cert8.db for |
+ | | | o cert8.db for |
| | | certificates |
- | | |      o key3.db for keys |
- | | |      o secmod.db for PKCS #11 |
+ | | | o key3.db for keys |
+ | | | o secmod.db for PKCS #11 |
| | | module information |
- | | |    BerkeleyDB has performance |
+ | | | BerkeleyDB has performance |
| | | limitations, though, which |
| | | prevent it from |
- | | |    being easily used by |
+ | | | being easily used by |
| | | multiple applications |
| | | simultaneously. NSS has some |
- | | |    flexibility that allows |
+ | | | flexibility that allows |
| | | applications to use their own, |
| | | independent |
- | | |    database engine while |
+ | | | database engine while |
| | | keeping a shared database and |
| | | working around the |
- | | |    access issues. Still, NSS |
+ | | | access issues. Still, NSS |
| | | requires more flexibility to |
| | | provide a truly |
- | | |    shared security database. |
- | | |    In 2009, NSS introduced a |
+ | | | shared security database. |
+ | | | In 2009, NSS introduced a |
| | | new set of databases that are |
| | | SQLite databases |
- | | |    rather than BerkleyDB. |
+ | | | rather than BerkleyDB. |
| | | These new databases provide |
| | | more accessibility and |
- | | |    performance: |
- | | |      o cert9.db for |
+ | | | performance: |
+ | | | o cert9.db for |
| | | certificates |
- | | |      o key4.db for keys |
- | | |      o pkcs11.txt, which is |
+ | | | o key4.db for keys |
+ | | | o pkcs11.txt, which is |
| | | listing of all of the PKCS #11 |
| | | modules contained |
- | | |        in a new subdirectory |
+ | | | in a new subdirectory |
| | | in the security databases |
| | | directory |
- | | |    Because the SQLite |
+ | | | Because the SQLite |
| | | databases are designed to be |
| | | shared, these are the |
- | | |    shared database type. The |
+ | | | shared database type. The |
| | | shared database type is |
| | | preferred; the legacy |
- | | |    format is included for |
+ | | | format is included for |
| | | backward compatibility. |
- | | |    By default, the tools |
+ | | | By default, the tools |
| | | (certutil, pk12util, modutil) |
| | | assume that the given |
- | | |    security databases follow |
+ | | | security databases follow |
| | | the more common legacy type. |
| | | Using the SQLite |
- | | |    databases must be manually |
+ | | | databases must be manually |
| | | specified by using the sql: |
| | | prefix with the |
- | | |    given security directory. |
+ | | | given security directory. |
| | | For example: |
- | | |  # signver -A -s signature -d |
+ | | | # signver -A -s signature -d |
| | | sql:/home/my/sharednssdb |
- | | |    To set the shared database |
+ | | | To set the shared database |
| | | type as the default type for |
| | | the tools, set the |
- | | |    NSS_DEFAULT_DB_TYPE |
+ | | | NSS_DEFAULT_DB_TYPE |
| | | environment variable to sql: |
- | | |  export |
+ | | | export |
| | | NSS_DEFAULT_DB_TYPE="sql" |
- | | |    This line can be set added |
+ | | | This line can be set added |
| | | to the ~/.bashrc file to make |
| | | the change |
- | | |    permanent. |
- | | |    Most applications do not |
+ | | | permanent. |
+ | | | Most applications do not |
| | | use the shared database by |
| | | default, but they can |
- | | |    be configured to use them. |
+ | | | be configured to use them. |
| | | For example, this how-to |
| | | article covers how to |
- | | |    configure Firefox and |
+ | | | configure Firefox and |
| | | Thunderbird to use the new |
| | | shared NSS databases: |
- | | |      |
- | | | o https://wiki.m |
+ | | | |
+ | | | o https://wiki.m |
| | | ozilla.org/NSS_Shared_DB_Howto |
- | | |    For an engineering draft on |
+ | | | For an engineering draft on |
| | | the changes in the shared NSS |
| | | databases, see |
- | | |    the NSS project wiki: |
- | | |      |
- | | | o https:// |
+ | | | the NSS project wiki: |
+ | | | |
+ | | | o https:// |
| | | wiki.mozilla.org/NSS_Shared_DB |
| | | See Also |
- | | |    signtool (1) |
- | | |    The NSS wiki has |
+ | | | signtool (1) |
+ | | | The NSS wiki has |
| | | information on the new |
| | | database design and how to |
- | | |    configure applications to |
+ | | | configure applications to |
| | | use it. |
- | | |      o Setting up the shared |
+ | | | o Setting up the shared |
| | | NSS database |
- | | |        |
+ | | | |
| | | https://wiki.m |
| | | ozilla.org/NSS_Shared_DB_Howto |
- | | |      o Engineering and |
+ | | | o Engineering and |
| | | technical information about |
| | | the shared NSS database |
- | | |        |
+ | | | |
| | | https:// |
| | | wiki.mozilla.org/NSS_Shared_DB |
| | | Additional Resources |
- | | |    For information about NSS |
+ | | | For information about NSS |
| | | and other tools related to NSS |
| | | (like JSS), check |
- | | |    out the NSS project wiki at |
- | | |    |
+ | | | out the NSS project wiki at |
+ | | | |
| | | [1]\ `http://www.mozil |
| | | la.org/projects/security/pki/n |
| | | ss/ <https://www.mozilla.org/p |
| | | rojects/security/pki/nss/>`__. |
| | | The NSS site relates |
- | | |    directly to NSS code |
+ | | | directly to NSS code |
| | | changes and releases. |
- | | |    Mailing lists: |
+ | | | Mailing lists: |
| | | https://lists.mozill |
| | | a.org/listinfo/dev-tech-crypto |
- | | |    IRC: Freenode at |
+ | | | IRC: Freenode at |
| | | #dogtag-pki |
| | | Authors |
- | | |    The NSS tools were written |
+ | | | The NSS tools were written |
| | | and maintained by developers |
| | | with Netscape, Red |
- | | |    Hat, and Sun. |
- | | |    Authors: Elio Maldonado |
+ | | | Hat, and Sun. |
+ | | | Authors: Elio Maldonado |
| | | <emaldona@redhat.com>, Deon |
| | | Lackey |
- | | |    <dlackey@redhat.com>. |
+ | | | <dlackey@redhat.com>. |
| | | Copyright |
- | | |    (c) 2010, Red Hat, Inc. |
+ | | | (c) 2010, Red Hat, Inc. |
| | | Licensed under the GNU Public |
| | | License version 2. |
| | | References |
- | | |    Visible links |
- | | |    1. |
+ | | | Visible links |
+ | | | 1. |
| | | `http://www.mozi |
| | | lla.org/projects/security/pki/ |
| | | nss/ <https://www.mozilla.org/ |
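Review bot: the whitespace stripping in this hunk is not cosmetic inside these grid-table cells, because leading indentation is what reStructuredText uses for structure. The option entries (`-A` followed by `Displays all of the`, `-V` followed by `Verifies the`, `-d [sql:]directory` followed by `Specify the`) only parse as an option list when the description is indented relative to the option; flush, they collapse into one run-on paragraph. The same happens to the example commands and their output, which lose their one-space offset and merge into the surrounding prose: `signver -V -s signature_file` / `signatureValid=yes`, `# signver -A -s signature -d sql:/home/my/sharednssdb`, and `export` / `NSS_DEFAULT_DB_TYPE="sql"`. Suggest either keeping the indentation or, better, turning these man-page excerpts into literal blocks (`::`) inside the cell so the layout survives any later reflow. Pre-existing errors on lines this hunk rewrites that are worth fixing in the same change: the Synopsis says `signtool -A \| -V -d directory` on a page whose Name line is `signver`, so it should be `signver`; "BerkleyDB" vs "BerkeleyDB" a few lines earlier; "pkcs11.txt, which is listing of" needs "a listing"; "This line can be set added to the ~/.bashrc" should be "can be added"; and the "o" bullets are plain text to docutils, so use "-" or "*" if a list is intended.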
@@ -10668,883 +10668,883 @@ Index
| | lla_projects_nss_tools_ssltap` | |
+--------------------------------+--------------------------------+--------------------------------+
| | | Name |
- | | |    ssltap — Tap into SSL |
+ | | | ssltap — Tap into SSL |
| | | connections and display the |
| | | data going by |
| | | Synopsis |
- | | |    libssltap [-vhfsxl] [-p |
+ | | | libssltap [-vhfsxl] [-p |
| | | port] [hostname:port] |
| | | Description |
- | | |    The SSL Debugging Tool |
+ | | | The SSL Debugging Tool |
| | | ssltap is an SSL-aware |
| | | command-line proxy. It |
- | | |    watches TCP connections and |
+ | | | watches TCP connections and |
| | | displays the data going by. If |
| | | a connection is |
- | | |    SSL, the data display |
+ | | | SSL, the data display |
| | | includes interpreted SSL |
| | | records and handshaking |
| | | Options |
- | | |    -v |
- | | |            Print a version |
+ | | | -v |
+ | | | Print a version |
| | | string for the tool. |
- | | |    -h |
- | | |            Turn on hex/ASCII |
+ | | | -h |
+ | | | Turn on hex/ASCII |
| | | printing. Instead of |
| | | outputting raw data, the |
- | | |            command interprets |
+ | | | command interprets |
| | | each record as a numbered line |
| | | of hex values, |
- | | |            followed by the |
+ | | | followed by the |
| | | same data as ASCII characters. |
| | | The two parts are |
- | | |            separated by a |
+ | | | separated by a |
| | | vertical bar. Nonprinting |
| | | characters are replaced |
- | | |            by dots. |
- | | |    -f |
- | | |            Turn on fancy |
+ | | | by dots. |
+ | | | -f |
+ | | | Turn on fancy |
| | | printing. Output is printed in |
| | | colored HTML. Data |
- | | |            sent from the |
+ | | | sent from the |
| | | client to the server is in |
| | | blue; the server's reply |
- | | |            is in red. When |
+ | | | is in red. When |
| | | used with looping mode, the |
| | | different connections |
- | | |            are separated with |
+ | | | are separated with |
| | | horizontal lines. You can use |
| | | this option to |
- | | |            upload the output |
+ | | | upload the output |
| | | into a browser. |
- | | |    -s |
- | | |            Turn on SSL parsing |
+ | | | -s |
+ | | | Turn on SSL parsing |
| | | and decoding. The tool does |
| | | not automatically |
- | | |            detect SSL |
+ | | | detect SSL |
| | | sessions. If you are |
| | | intercepting an SSL |
| | | connection, |
- | | |            use this option so |
+ | | | use this option so |
| | | that the tool can detect and |
| | | decode SSL |
- | | |            structures. |
- | | |            If the tool detects |
+ | | | structures. |
+ | | | If the tool detects |
| | | a certificate chain, it saves |
| | | the DER-encoded |
- | | |            certificates into |
+ | | | certificates into |
| | | files in the current |
| | | directory. The files are |
- | | |            named cert.0x, |
+ | | | named cert.0x, |
| | | where x is the sequence number |
| | | of the certificate. |
- | | |            If the -s option is |
+ | | | If the -s option is |
| | | used with -h, two separate |
| | | parts are printed |
- | | |            for each record: |
+ | | | for each record: |
| | | the plain hex/ASCII output, |
| | | and the parsed SSL |
- | | |            output. |
- | | |    -x |
- | | |            Turn on hex/ASCII |
+ | | | output. |
+ | | | -x |
+ | | | Turn on hex/ASCII |
| | | printing of undecoded data |
| | | inside parsed SSL |
- | | |            records. Used only |
+ | | | records. Used only |
| | | with the -s option. This |
| | | option uses the same |
- | | |            output format as |
+ | | | output format as |
| | | the -h option. |
- | | |    -l prefix |
- | | |            Turn on looping; |
+ | | | -l prefix |
+ | | | Turn on looping; |
| | | that is, continue to accept |
| | | connections rather |
- | | |            than stopping after |
+ | | | than stopping after |
| | | the first connection is |
| | | complete. |
- | | |    -p port |
- | | |            Change the default |
+ | | | -p port |
+ | | | Change the default |
| | | rendezvous port (1924) to |
| | | another port. |
- | | |            The following are |
+ | | | The following are |
| | | well-known port numbers: |
- | | |            \* HTTP 80 |
- | | |            \* HTTPS 443 |
- | | |            \* SMTP 25 |
- | | |            \* FTP 21 |
- | | |            \* IMAP 143 |
- | | |            \* IMAPS 993 (IMAP |
+ | | | \* HTTP 80 |
+ | | | \* HTTPS 443 |
+ | | | \* SMTP 25 |
+ | | | \* FTP 21 |
+ | | | \* IMAP 143 |
+ | | | \* IMAPS 993 (IMAP |
| | | over SSL) |
- | | |            \* NNTP 119 |
- | | |            \* NNTPS 563 (NNTP |
+ | | | \* NNTP 119 |
+ | | | \* NNTPS 563 (NNTP |
| | | over SSL) |
| | | Usage and Examples |
- | | |    You can use the SSL |
+ | | | You can use the SSL |
| | | Debugging Tool to intercept |
| | | any connection |
- | | |    information. Although you |
+ | | | information. Although you |
| | | can run the tool at its most |
| | | basic by issuing |
- | | |    the ssltap command with no |
+ | | | the ssltap command with no |
| | | options other than |
| | | hostname:port, the |
- | | |    information you get in this |
+ | | | information you get in this |
| | | way is not very useful. For |
| | | example, assume |
- | | |    your development machine is |
+ | | | your development machine is |
| | | called intercept. The simplest |
| | | way to use the |
- | | |    debugging tool is to |
+ | | | debugging tool is to |
| | | execute the following command |
| | | from a command shell: |
- | | |  $ ssltap www.netscape.com |
- | | |    The program waits for an |
+ | | | $ ssltap www.netscape.com |
+ | | | The program waits for an |
| | | incoming connection on the |
| | | default port 1924. In |
- | | |    your browser window, enter |
+ | | | your browser window, enter |
| | | the URL http://intercept:1924. |
| | | The browser |
- | | |    retrieves the requested |
+ | | | retrieves the requested |
| | | page from the server at |
| | | www.netscape.com, but the |
- | | |    page is intercepted and |
+ | | | page is intercepted and |
| | | passed on to the browser by |
| | | the debugging tool on |
- | | |    intercept. On its way to |
+ | | | intercept. On its way to |
| | | the browser, the data is |
| | | printed to the command |
- | | |    shell from which you issued |
+ | | | shell from which you issued |
| | | the command. Data sent from |
| | | the client to the |
- | | |    server is surrounded by the |
+ | | | server is surrounded by the |
| | | following symbols: --> [ data |
| | | ] Data sent from |
- | | |    the server to the client is |
+ | | | the server to the client is |
| | | surrounded by the following |
| | | symbols: "left |
- | | |    arrow"-- [ data ] The raw |
+ | | | arrow"-- [ data ] The raw |
| | | data stream is sent to |
| | | standard output and is |
- | | |    not interpreted in any way. |
+ | | | not interpreted in any way. |
| | | This can result in peculiar |
| | | effects, such as |
- | | |    sounds, flashes, and even |
+ | | | sounds, flashes, and even |
| | | crashes of the command shell |
| | | window. To output a |
- | | |    basic, printable |
+ | | | basic, printable |
| | | interpretation of the data, |
| | | use the -h option, or, if you |
- | | |    are looking at an SSL |
+ | | | are looking at an SSL |
| | | connection, the -s option. You |
| | | will notice that the |
- | | |    page you retrieved looks |
+ | | | page you retrieved looks |
| | | incomplete in the browser. |
| | | This is because, by |
- | | |    default, the tool closes |
+ | | | default, the tool closes |
| | | down after the first |
| | | connection is complete, so |
- | | |    the browser is not able to |
+ | | | the browser is not able to |
| | | load images. To make the tool |
| | | continue to |
- | | |    accept connections, switch |
+ | | | accept connections, switch |
| | | on looping mode with the -l |
| | | option. The |
- | | |    following examples show the |
+ | | | following examples show the |
| | | output from commonly used |
| | | combinations of |
- | | |    options. |
- | | |    Example 1 |
- | | |  $ ssltap.exe -sx -p 444 |
+ | | | options. |
+ | | | Example 1 |
+ | | | $ ssltap.exe -sx -p 444 |
| | | interzone.mcom.com:443 > |
| | | sx.txt |
- | | |    Output |
- | | |  Connected to |
+ | | | Output |
+ | | | Connected to |
| | | interzone.mcom.com:443 |
- | | |  -->; [ |
- | | |  alloclen = 66 bytes |
- | | |     [ssl2]  ClientHelloV2 { |
- | | |              version = {0x03, |
+ | | | -->; [ |
+ | | | alloclen = 66 bytes |
+ | | | [ssl2] ClientHelloV2 { |
+ | | | version = {0x03, |
| | | 0x00} |
- | | |              |
+ | | | |
| | | cipher-specs-length = 39 |
| | | (0x27) |
- | | |              sid-length = 0 |
+ | | | sid-length = 0 |
| | | (0x00) |
- | | |              challenge-length |
+ | | | challenge-length |
| | | = 16 (0x10) |
- | | |              cipher-suites = { |
- | | |                  (0x010080) |
+ | | | cipher-suites = { |
+ | | | (0x010080) |
| | | SSL2/RSA/RC4-128/MD5 |
- | | |                    (0x020080) |
+ | | | (0x020080) |
| | | SSL2/RSA/RC4-40/MD5 |
- | | |                    (0x030080) |
+ | | | (0x030080) |
| | | SSL2/RSA/RC2CBC128/MD5 |
- | | |                    (0x040080) |
+ | | | (0x040080) |
| | | SSL2/RSA/RC2CBC40/MD5 |
- | | |                    (0x060040) |
+ | | | (0x060040) |
| | | SSL2/RSA/DES64CBC/MD5 |
- | | |                    (0x0700c0) |
+ | | | (0x0700c0) |
| | | SSL2/RSA/3DES192EDE-CBC/MD5 |
- | | |                    (0x000004) |
+ | | | (0x000004) |
| | | SSL3/RSA/RC4-128/MD5 |
- | | |                    (0x00ffe0) |
+ | | | (0x00ffe0) |
| | | SS |
| | | L3/RSA-FIPS/3DES192EDE-CBC/SHA |
- | | |                    (0x00000a) |
+ | | | (0x00000a) |
| | | SSL3/RSA/3DES192EDE-CBC/SHA |
- | | |                    (0x00ffe1) |
+ | | | (0x00ffe1) |
| | | SSL3/RSA-FIPS/DES64CBC/SHA |
- | | |                    (0x000009) |
+ | | | (0x000009) |
| | | SSL3/RSA/DES64CBC/SHA |
- | | |                    (0x000003) |
+ | | | (0x000003) |
| | | SSL3/RSA/RC4-40/MD5 |
- | | |                    (0x000006) |
+ | | | (0x000006) |
| | | SSL3/RSA/RC2CBC40/MD5 |
- | | |                    } |
- | | |              session-id = { } |
- | | |              challenge = { |
+ | | | } |
+ | | | session-id = { } |
+ | | | challenge = { |
| | | 0xec5d 0x8edb 0x37c9 0xb5c9 |
| | | 0x7b70 0x8fe9 0xd1d3 |
- | | |  0x2592 } |
- | | |  } |
- | | |  ] |
- | | |  <-- [ |
- | | |  SSLRecord { |
- | | |     0: 16 03 00 03  |
- | | | e5     |
- | | |                                |
+ | | | 0x2592 } |
+ | | | } |
+ | | | ] |
+ | | | <-- [ |
+ | | | SSLRecord { |
+ | | | 0: 16 03 00 03 |
+ | | | e5 |
+ | | | |
| | | \|..... |
- | | |     type    = 22 (handshake) |
- | | |     version = { 3,0 } |
- | | |     length  = 997 (0x3e5) |
- | | |     handshake { |
- | | |     0: 02 00 00 |
- | | | 46        |
- | | |                                |
+ | | | type = 22 (handshake) |
+ | | | version = { 3,0 } |
+ | | | length = 997 (0x3e5) |
+ | | | handshake { |
+ | | | 0: 02 00 00 |
+ | | | 46 |
+ | | | |
| | | \|...F |
- | | |        type = 2 (server_hello) |
- | | |        length = 70 (0x000046) |
- | | |              ServerHello { |
- | | |              server_version = |
+ | | | type = 2 (server_hello) |
+ | | | length = 70 (0x000046) |
+ | | | ServerHello { |
+ | | | server_version = |
| | | {3, 0} |
- | | |              random = {...} |
- | | |     0: 77 8c 6e 26  6c 0c ec |
- | | | c0  d9 58 4f 47  d3 2d 01 45  |
+ | | | random = {...} |
+ | | | 0: 77 8c 6e 26 6c 0c ec |
+ | | | c0 d9 58 4f 47 d3 2d 01 45 |
| | | \| |
- | | |  wn&l.ì..XOG.-.E |
- | | |     10: 5c 17 75 43  a7 4c 88 |
- | | | c7  88 64 3c 50  41 48 4f 7f  |
+ | | | wn&l.ì..XOG.-.E |
+ | | | 10: 5c 17 75 43 a7 4c 88 |
+ | | | c7 88 64 3c 50 41 48 4f 7f |
| | | \| |
- | | |  \.uC§L.Ç.d<PAHO. |
- | | |                    session ID |
+ | | | \.uC§L.Ç.d<PAHO. |
+ | | | session ID |
| | | = { |
- | | |                    length = 32 |
- | | |                  contents = |
+ | | | length = 32 |
+ | | | contents = |
| | | {..} |
- | | |     0: 14 11 07 a8  2a 31 91 |
- | | | 29  11 94 40 37  57 10 a7 32  |
+ | | | 0: 14 11 07 a8 2a 31 91 |
+ | | | 29 11 94 40 37 57 10 a7 32 |
| | | \| ...¨*1.)..@7W.§2 |
- | | |     10: 56 6f 52 62  fe 3d b3 |
- | | | 65  b1 e4 13 0f  52 a3 c8 f6  |
+ | | | 10: 56 6f 52 62 fe 3d b3 |
+ | | | 65 b1 e4 13 0f 52 a3 c8 f6 |
| | | \| VoRbþ=³e±...R£È. |
- | | |           } |
- | | |                 cipher_suite = |
+ | | | } |
+ | | | cipher_suite = |
| | | (0x0003) SSL3/RSA/RC4-40/MD5 |
- | | |           } |
- | | |     0: 0b 00 02 |
- | | | c5        |
- | | |                                |
+ | | | } |
+ | | | 0: 0b 00 02 |
+ | | | c5 |
+ | | | |
| | | \|...Å |
- | | |        type = 11 (certificate) |
- | | |        length = 709 (0x0002c5) |
- | | |              CertificateChain |
+ | | | type = 11 (certificate) |
+ | | | length = 709 (0x0002c5) |
+ | | | CertificateChain |
| | | { |
- | | |              chainlength = 706 |
+ | | | chainlength = 706 |
| | | (0x02c2) |
- | | |                 Certificate { |
- | | |              size = 703 |
+ | | | Certificate { |
+ | | | size = 703 |
| | | (0x02bf) |
- | | |                 data = { saved |
+ | | | data = { saved |
| | | in file 'cert.001' } |
- | | |              } |
- | | |           } |
- | | |     0: 0c 00 00 |
- | | | ca        |
- | | |                                |
+ | | | } |
+ | | | } |
+ | | | 0: 0c 00 00 |
+ | | | ca |
+ | | | |
| | | \|.... |
- | | |           type = 12 |
+ | | | type = 12 |
| | | (server_key_exchange) |
- | | |           length = 202 |
+ | | | length = 202 |
| | | (0x0000ca) |
- | | |     0: 0e 00 00 |
- | | | 00        |
- | | |                                |
+ | | | 0: 0e 00 00 |
+ | | | 00 |
+ | | | |
| | | \|.... |
- | | |           type = 14 |
+ | | | type = 14 |
| | | (server_hello_done) |
- | | |           length = 0 |
+ | | | length = 0 |
| | | (0x000000) |
- | | |     } |
- | | |  } |
- | | |  ] |
- | | |  --> [ |
- | | |  SSLRecord { |
- | | |     0: 16 03 00 00  |
- | | | 44     |
- | | |                                |
+ | | | } |
+ | | | } |
+ | | | ] |
+ | | | --> [ |
+ | | | SSLRecord { |
+ | | | 0: 16 03 00 00 |
+ | | | 44 |
+ | | | |
| | | \|....D |
- | | |     type    = 22 (handshake) |
- | | |     version = { 3,0 } |
- | | |     length  = 68 (0x44) |
- | | |     handshake { |
- | | |     0: 10 00 00 |
- | | | 40        |
- | | |                                |
+ | | | type = 22 (handshake) |
+ | | | version = { 3,0 } |
+ | | | length = 68 (0x44) |
+ | | | handshake { |
+ | | | 0: 10 00 00 |
+ | | | 40 |
+ | | | |
| | | \|...@ |
- | | |     type = 16 |
+ | | | type = 16 |
| | | (client_key_exchange) |
- | | |     length = 64 (0x000040) |
- | | |           ClientKeyExchange { |
- | | |              message = {...} |
- | | |           } |
- | | |     } |
- | | |  } |
- | | |  ] |
- | | |  --> [ |
- | | |  SSLRecord { |
- | | |     0: 14 03 00 00  |
- | | | 01     |
- | | |                                |
+ | | | length = 64 (0x000040) |
+ | | | ClientKeyExchange { |
+ | | | message = {...} |
+ | | | } |
+ | | | } |
+ | | | } |
+ | | | ] |
+ | | | --> [ |
+ | | | SSLRecord { |
+ | | | 0: 14 03 00 00 |
+ | | | 01 |
+ | | | |
| | | \|..... |
- | | |     type    = 20 |
+ | | | type = 20 |
| | | (change_cipher_spec) |
- | | |     version = { 3,0 } |
- | | |     length  = 1 (0x1) |
- | | |     0: |
- | | | 01                 |
- | | |                                |
+ | | | version = { 3,0 } |
+ | | | length = 1 (0x1) |
+ | | | 0: |
+ | | | 01 |
+ | | | |
| | | \|. |
- | | |  } |
- | | |  SSLRecord { |
- | | |     0: 16 03 00 00  |
- | | | 38     |
- | | |                                |
+ | | | } |
+ | | | SSLRecord { |
+ | | | 0: 16 03 00 00 |
+ | | | 38 |
+ | | | |
| | | \|....8 |
- | | |     type    = 22 (handshake) |
- | | |     version = { 3,0 } |
- | | |     length  = 56 (0x38) |
- | | |                 < encrypted > |
- | | |  } |
- | | |  ] |
- | | |  <-- [ |
- | | |  SSLRecord { |
- | | |     0: 14 03 00 00  |
- | | | 01     |
- | | |                                |
+ | | | type = 22 (handshake) |
+ | | | version = { 3,0 } |
+ | | | length = 56 (0x38) |
+ | | | < encrypted > |
+ | | | } |
+ | | | ] |
+ | | | <-- [ |
+ | | | SSLRecord { |
+ | | | 0: 14 03 00 00 |
+ | | | 01 |
+ | | | |
| | | \|..... |
- | | |     type    = 20 |
+ | | | type = 20 |
| | | (change_cipher_spec) |
- | | |     version = { 3,0 } |
- | | |     length  = 1 (0x1) |
- | | |     0: |
- | | | 01                 |
- | | |                                |
+ | | | version = { 3,0 } |
+ | | | length = 1 (0x1) |
+ | | | 0: |
+ | | | 01 |
+ | | | |
| | | \|. |
- | | |  } |
- | | |  ] |
- | | |  <-- [ |
- | | |  SSLRecord { |
- | | |     0: 16 03 00 00  |
- | | | 38     |
- | | |                                |
+ | | | } |
+ | | | ] |
+ | | | <-- [ |
+ | | | SSLRecord { |
+ | | | 0: 16 03 00 00 |
+ | | | 38 |
+ | | | |
| | | \|....8 |
- | | |     type    = 22 (handshake) |
- | | |     version = { 3,0 } |
- | | |     length  = 56 (0x38) |
- | | |                    < encrypted |
+ | | | type = 22 (handshake) |
+ | | | version = { 3,0 } |
+ | | | length = 56 (0x38) |
+ | | | < encrypted |
| | | > |
- | | |  } |
- | | |  ] |
- | | |  --> [ |
- | | |  SSLRecord { |
- | | |     0: 17 03 00 01  |
- | | | 1f     |
- | | |                                |
+ | | | } |
+ | | | ] |
+ | | | --> [ |
+ | | | SSLRecord { |
+ | | | 0: 17 03 00 01 |
+ | | | 1f |
+ | | | |
| | | \|..... |
- | | |     type    = 23 |
+ | | | type = 23 |
| | | (application_data) |
- | | |     version = { 3,0 } |
- | | |     length  = 287 (0x11f) |
- | | |                 < encrypted > |
- | | |  } |
- | | |  ] |
- | | |  <-- [ |
- | | |  SSLRecord { |
- | | |     0: 17 03 00 00  |
- | | | a0     |
- | | |                                |
+ | | | version = { 3,0 } |
+ | | | length = 287 (0x11f) |
+ | | | < encrypted > |
+ | | | } |
+ | | | ] |
+ | | | <-- [ |
+ | | | SSLRecord { |
+ | | | 0: 17 03 00 00 |
+ | | | a0 |
+ | | | |
| | | \|.... |
- | | |     type    = 23 |
+ | | | type = 23 |
| | | (application_data) |
- | | |     version = { 3,0 } |
- | | |     length  = 160 (0xa0) |
- | | |                 < encrypted > |
- | | |  } |
- | | |  ] |
- | | |  <-- [ |
- | | |  SSLRecord { |
- | | |  0: 17 03 00 00  |
- | | | df     |
- | | |                                |
+ | | | version = { 3,0 } |
+ | | | length = 160 (0xa0) |
+ | | | < encrypted > |
+ | | | } |
+ | | | ] |
+ | | | <-- [ |
+ | | | SSLRecord { |
+ | | | 0: 17 03 00 00 |
+ | | | df |
+ | | | |
| | | \|....ß |
- | | |     type    = 23 |
+ | | | type = 23 |
| | | (application_data) |
- | | |     version = { 3,0 } |
- | | |     length  = 223 (0xdf) |
- | | |                 < encrypted > |
- | | |  } |
- | | |  SSLRecord { |
- | | |     0: 15 03 00 00  |
- | | | 12     |
- | | |                                |
+ | | | version = { 3,0 } |
+ | | | length = 223 (0xdf) |
+ | | | < encrypted > |
+ | | | } |
+ | | | SSLRecord { |
+ | | | 0: 15 03 00 00 |
+ | | | 12 |
+ | | | |
| | | \|..... |
- | | |     type    = 21 (alert) |
- | | |     version = { 3,0 } |
- | | |     length  = 18 (0x12) |
- | | |                 < encrypted > |
- | | |  } |
- | | |  ] |
- | | |  Server socket closed. |
- | | |    Example 2 |
- | | |    The -s option turns on SSL |
+ | | | type = 21 (alert) |
+ | | | version = { 3,0 } |
+ | | | length = 18 (0x12) |
+ | | | < encrypted > |
+ | | | } |
+ | | | ] |
+ | | | Server socket closed. |
+ | | | Example 2 |
+ | | | The -s option turns on SSL |
| | | parsing. Because the -x option |
| | | is not used in |
- | | |    this example, undecoded |
+ | | | this example, undecoded |
| | | values are output as raw data. |
| | | The output is |
- | | |    routed to a text file. |
- | | |  $ ssltap -s  -p 444 |
+ | | | routed to a text file. |
+ | | | $ ssltap -s -p 444 |
| | | interzone.mcom.com:443 > s.txt |
- | | |    Output |
- | | |  Connected to |
+ | | | Output |
+ | | | Connected to |
| | | interzone.mcom.com:443 |
- | | |  --> [ |
- | | |  alloclen = 63 bytes |
- | | |     [ssl2]  ClientHelloV2 { |
- | | |              version = {0x03, |
+ | | | --> [ |
+ | | | alloclen = 63 bytes |
+ | | | [ssl2] ClientHelloV2 { |
+ | | | version = {0x03, |
| | | 0x00} |
- | | |              |
+ | | | |
| | | cipher-specs-length = 36 |
| | | (0x24) |
- | | |              sid-length = 0 |
+ | | | sid-length = 0 |
| | | (0x00) |
- | | |              challenge-length |
+ | | | challenge-length |
| | | = 16 (0x10) |
- | | |              cipher-suites = { |
- | | |                    (0x010080) |
+ | | | cipher-suites = { |
+ | | | (0x010080) |
| | | SSL2/RSA/RC4-128/MD5 |
- | | |                    (0x020080) |
+ | | | (0x020080) |
| | | SSL2/RSA/RC4-40/MD5 |
- | | |                    (0x030080) |
+ | | | (0x030080) |
| | | SSL2/RSA/RC2CBC128/MD5 |
- | | |                    (0x060040) |
+ | | | (0x060040) |
| | | SSL2/RSA/DES64CBC/MD5 |
- | | |                    (0x0700c0) |
+ | | | (0x0700c0) |
| | | SSL2/RSA/3DES192EDE-CBC/MD5 |
- | | |                    (0x000004) |
+ | | | (0x000004) |
| | | SSL3/RSA/RC4-128/MD5 |
- | | |                    (0x00ffe0) |
+ | | | (0x00ffe0) |
| | | SS |
| | | L3/RSA-FIPS/3DES192EDE-CBC/SHA |
- | | |                    (0x00000a) |
+ | | | (0x00000a) |
| | | SSL3/RSA/3DES192EDE-CBC/SHA |
- | | |                    (0x00ffe1) |
+ | | | (0x00ffe1) |
| | | SSL3/RSA-FIPS/DES64CBC/SHA |
- | | |                    (0x000009) |
+ | | | (0x000009) |
| | | SSL3/RSA/DES64CBC/SHA |
- | | |                    (0x000003) |
+ | | | (0x000003) |
| | | SSL3/RSA/RC4-40/MD5 |
- | | |                    } |
- | | |                 session-id = { |
+ | | | } |
+ | | | session-id = { |
| | | } |
- | | |              challenge = { |
+ | | | challenge = { |
| | | 0x713c 0x9338 0x30e1 0xf8d6 |
| | | 0xb934 0x7351 0x200c |
- | | |  0x3fd0 } |
- | | |  ] |
- | | |  >-- [ |
- | | |  SSLRecord { |
- | | |     type    = 22 (handshake) |
- | | |     version = { 3,0 } |
- | | |     length  = 997 (0x3e5) |
- | | |     handshake { |
- | | |           type = 2 |
+ | | | 0x3fd0 } |
+ | | | ] |
+ | | | >-- [ |
+ | | | SSLRecord { |
+ | | | type = 22 (handshake) |
+ | | | version = { 3,0 } |
+ | | | length = 997 (0x3e5) |
+ | | | handshake { |
+ | | | type = 2 |
| | | (server_hello) |
- | | |           length = 70 |
+ | | | length = 70 |
| | | (0x000046) |
- | | |              ServerHello { |
- | | |              server_version = |
+ | | | ServerHello { |
+ | | | server_version = |
| | | {3, 0} |
- | | |              random = {...} |
- | | |              session ID = { |
- | | |                 length = 32 |
- | | |                 contents = |
+ | | | random = {...} |
+ | | | session ID = { |
+ | | | length = 32 |
+ | | | contents = |
| | | {..} |
- | | |                 } |
- | | |                 cipher_suite = |
+ | | | } |
+ | | | cipher_suite = |
| | | (0x0003) SSL3/RSA/RC4-40/MD5 |
- | | |              } |
- | | |           type = 11 |
+ | | | } |
+ | | | type = 11 |
| | | (certificate) |
- | | |           length = 709 |
+ | | | length = 709 |
| | | (0x0002c5) |
- | | |              CertificateChain |
+ | | | CertificateChain |
| | | { |
- | | |                 chainlength = |
+ | | | chainlength = |
| | | 706 (0x02c2) |
- | | |                 Certificate { |
- | | |                    size = 703 |
+ | | | Certificate { |
+ | | | size = 703 |
| | | (0x02bf) |
- | | |                    data = { |
+ | | | data = { |
| | | saved in file 'cert.001' } |
- | | |                 } |
- | | |              } |
- | | |           type = 12 |
+ | | | } |
+ | | | } |
+ | | | type = 12 |
| | | (server_key_exchange) |
- | | |           length = 202 |
+ | | | length = 202 |
| | | (0x0000ca) |
- | | |           type = 14 |
+ | | | type = 14 |
| | | (server_hello_done) |
- | | |           length = 0 |
+ | | | length = 0 |
| | | (0x000000) |
- | | |     } |
- | | |  } |
- | | |  ] |
- | | |  --> [ |
- | | |  SSLRecord { |
- | | |     type    = 22 (handshake) |
- | | |     version = { 3,0 } |
- | | |     length  = 68 (0x44) |
- | | |     handshake { |
- | | |           type = 16 |
+ | | | } |
+ | | | } |
+ | | | ] |
+ | | | --> [ |
+ | | | SSLRecord { |
+ | | | type = 22 (handshake) |
+ | | | version = { 3,0 } |
+ | | | length = 68 (0x44) |
+ | | | handshake { |
+ | | | type = 16 |
| | | (client_key_exchange) |
- | | |           length = 64 |
+ | | | length = 64 |
| | | (0x000040) |
- | | |              ClientKeyExchange |
+ | | | ClientKeyExchange |
| | | { |
- | | |                 message = |
+ | | | message = |
| | | {...} |
- | | |              } |
- | | |     } |
- | | |  } |
- | | |  ] |
- | | |  --> [ |
- | | |  SSLRecord { |
- | | |     type    = 20 |
+ | | | } |
+ | | | } |
+ | | | } |
+ | | | ] |
+ | | | --> [ |
+ | | | SSLRecord { |
+ | | | type = 20 |
| | | (change_cipher_spec) |
- | | |     version = { 3,0 } |
- | | |     length  = 1 (0x1) |
- | | |  } |
- | | |  SSLRecord { |
- | | |     type    = 22 (handshake) |
- | | |     version = { 3,0 } |
- | | |     length  = 56 (0x38) |
- | | |                 > encrypted > |
- | | |  } |
- | | |  ] |
- | | |  >-- [ |
- | | |  SSLRecord { |
- | | |     type    = 20 |
+ | | | version = { 3,0 } |
+ | | | length = 1 (0x1) |
+ | | | } |
+ | | | SSLRecord { |
+ | | | type = 22 (handshake) |
+ | | | version = { 3,0 } |
+ | | | length = 56 (0x38) |
+ | | | > encrypted > |
+ | | | } |
+ | | | ] |
+ | | | >-- [ |
+ | | | SSLRecord { |
+ | | | type = 20 |
| | | (change_cipher_spec) |
- | | |     version = { 3,0 } |
- | | |     length  = 1 (0x1) |
- | | |  } |
- | | |  ] |
- | | |  >-- [ |
- | | |  SSLRecord { |
- | | |     type    = 22 (handshake) |
- | | |     version = { 3,0 } |
- | | |     length  = 56 (0x38) |
- | | |                 > encrypted > |
- | | |  } |
- | | |  ] |
- | | |  --> [ |
- | | |  SSLRecord { |
- | | |     type    = 23 |
+ | | | version = { 3,0 } |
+ | | | length = 1 (0x1) |
+ | | | } |
+ | | | ] |
+ | | | >-- [ |
+ | | | SSLRecord { |
+ | | | type = 22 (handshake) |
+ | | | version = { 3,0 } |
+ | | | length = 56 (0x38) |
+ | | | > encrypted > |
+ | | | } |
+ | | | ] |
+ | | | --> [ |
+ | | | SSLRecord { |
+ | | | type = 23 |
| | | (application_data) |
- | | |     version = { 3,0 } |
- | | |     length  = 287 (0x11f) |
- | | |                 > encrypted > |
- | | |  } |
- | | |  ] |
- | | |  [ |
- | | |  SSLRecord { |
- | | |     type    = 23 |
+ | | | version = { 3,0 } |
+ | | | length = 287 (0x11f) |
+ | | | > encrypted > |
+ | | | } |
+ | | | ] |
+ | | | [ |
+ | | | SSLRecord { |
+ | | | type = 23 |
| | | (application_data) |
- | | |     version = { 3,0 } |
- | | |     length  = 160 (0xa0) |
- | | |                 > encrypted > |
- | | |  } |
- | | |  ] |
- | | |  >-- [ |
- | | |  SSLRecord { |
- | | |     type    = 23 |
+ | | | version = { 3,0 } |
+ | | | length = 160 (0xa0) |
+ | | | > encrypted > |
+ | | | } |
+ | | | ] |
+ | | | >-- [ |
+ | | | SSLRecord { |
+ | | | type = 23 |
| | | (application_data) |
- | | |     version = { 3,0 } |
- | | |     length  = 223 (0xdf) |
- | | |                 > encrypted > |
- | | |  } |
- | | |  SSLRecord { |
- | | |     type    = 21 (alert) |
- | | |     version = { 3,0 } |
- | | |     length  = 18 (0x12) |
- | | |                 > encrypted > |
- | | |  } |
- | | |  ] |
- | | |  Server socket closed. |
- | | |    Example 3 |
- | | |    In this example, the -h |
+ | | | version = { 3,0 } |
+ | | | length = 223 (0xdf) |
+ | | | > encrypted > |
+ | | | } |
+ | | | SSLRecord { |
+ | | | type = 21 (alert) |
+ | | | version = { 3,0 } |
+ | | | length = 18 (0x12) |
+ | | | > encrypted > |
+ | | | } |
+ | | | ] |
+ | | | Server socket closed. |
+ | | | Example 3 |
+ | | | In this example, the -h |
| | | option turns hex/ASCII format. |
| | | There is no SSL |
- | | |    parsing or decoding. The |
+ | | | parsing or decoding. The |
| | | output is routed to a text |
| | | file. |
- | | |  $ ssltap -h  -p 444 |
+ | | | $ ssltap -h -p 444 |
| | | interzone.mcom.com:443 > h.txt |
- | | |    Output |
- | | |  Connected to |
+ | | | Output |
+ | | | Connected to |
| | | interzone.mcom.com:443 |
- | | |  --> [ |
- | | |     0: 80 40 01 03  00 00 27 |
- | | | 00  00 00 10 01  00 80 02 00  |
+ | | | --> [ |
+ | | | 0: 80 40 01 03 00 00 27 |
+ | | | 00 00 00 10 01 00 80 02 00 |
| | | \| .@....'......... |
- | | |     10: 80 03 00 80  04 00 80 |
- | | | 06  00 40 07 00  c0 00 00 04  |
+ | | | 10: 80 03 00 80 04 00 80 |
+ | | | 06 00 40 07 00 c0 00 00 04 |
| | | \| .........@...... |
- | | |     20: 00 ff e0 00  00 0a 00 |
- | | | ff  e1 00 00 09  00 00 03 00  |
+ | | | 20: 00 ff e0 00 00 0a 00 |
+ | | | ff e1 00 00 09 00 00 03 00 |
| | | \| ........á....... |
- | | |     30: 00 06 9b fe  5b 56 96 |
- | | | 49  1f 9f ca dd  d5 ba b9 52  |
+ | | | 30: 00 06 9b fe 5b 56 96 |
+ | | | 49 1f 9f ca dd d5 ba b9 52 |
| | | \| ..þ[V.I.\xd9 ...º¹R |
- | | |     40: 6f |
- | | | 2d              |
- | | |                                |
+ | | | 40: 6f |
+ | | | 2d |
+ | | | |
| | | \|o- |
- | | |  ] |
- | | |  <-- [ |
- | | |     0: 16 03 00 03  e5 02 00 |
- | | | 00  46 03 00 7f  e5 0d 1b 1d  |
+ | | | ] |
+ | | | <-- [ |
+ | | | 0: 16 03 00 03 e5 02 00 |
+ | | | 00 46 03 00 7f e5 0d 1b 1d |
| | | \| ........F....... |
- | | |     10: 68 7f 3a 79  60 d5 17 |
- | | | 3c  1d 9c 96 b3  88 d2 69 3b  |
+ | | | 10: 68 7f 3a 79 60 d5 17 |
+ | | | 3c 1d 9c 96 b3 88 d2 69 3b |
| | | \| h.:y`..<..³.Òi; |
- | | |     20: 78 e2 4b 8b  a6 52 12 |
- | | | 4b  46 e8 c2 20  14 11 89 05  |
+ | | | 20: 78 e2 4b 8b a6 52 12 |
+ | | | 4b 46 e8 c2 20 14 11 89 05 |
| | | \| x.K.¦R.KFè. ... |
- | | |     30: 4d 52 91 fd  93 e0 51 |
- | | | 48  91 90 08 96  c1 b6 76 77  |
+ | | | 30: 4d 52 91 fd 93 e0 51 |
+ | | | 48 91 90 08 96 c1 b6 76 77 |
| | | \| MR.ý..QH.....¶vw |
- | | |     40: 2a f4 00 08  a1 06 61 |
- | | | a2  64 1f 2e 9b  00 03 00 0b  |
+ | | | 40: 2a f4 00 08 a1 06 61 |
+ | | | a2 64 1f 2e 9b 00 03 00 0b |
| | | \| \*ô..¡.a¢d...... |
- | | |     50: 00 02 c5 00  02 c2 00 |
- | | | 02  bf 30 82 02  bb 30 82 02  |
+ | | | 50: 00 02 c5 00 02 c2 00 |
+ | | | 02 bf 30 82 02 bb 30 82 02 |
| | | \| ..Å......0...0.. |
- | | |     60: 24 a0 03 02  01 02 02 |
- | | | 02  01 36 30 0d  06 09 2a 86  |
+ | | | 60: 24 a0 03 02 01 02 02 |
+ | | | 02 01 36 30 0d 06 09 2a 86 |
| | | \| $ .......60...*. |
- | | |     70: 48 86 f7 0d  01 01 04 |
- | | | 05  00 30 77 31  0b 30 09 06  |
+ | | | 70: 48 86 f7 0d 01 01 04 |
+ | | | 05 00 30 77 31 0b 30 09 06 |
| | | \| H.÷......0w1.0.. |
- | | |     80: 03 55 04 06  13 02 55 |
- | | | 53  31 2c 30 2a  06 03 55 04  |
+ | | | 80: 03 55 04 06 13 02 55 |
+ | | | 53 31 2c 30 2a 06 03 55 04 |
| | | \| .U....US1,0*..U. |
- | | |     90: 0a 13 23 4e  65 74 73 |
- | | | 63  61 70 65 20  43 6f 6d 6d  |
+ | | | 90: 0a 13 23 4e 65 74 73 |
+ | | | 63 61 70 65 20 43 6f 6d 6d |
| | | \| ..#Netscape Comm |
- | | |     a0: 75 6e 69 63  61 74 69 |
- | | | 6f  6e 73 20 43  6f 72 70 6f  |
+ | | | a0: 75 6e 69 63 61 74 69 |
+ | | | 6f 6e 73 20 43 6f 72 70 6f |
| | | \| unications Corpo |
- | | |     b0: 72 61 74 69  6f 6e 31 |
- | | | 11  30 0f 06 03  55 04 0b 13  |
+ | | | b0: 72 61 74 69 6f 6e 31 |
+ | | | 11 30 0f 06 03 55 04 0b 13 |
| | | \| ration1.0...U... |
- | | |     c0: 08 48 61 72  64 63 6f |
- | | | 72  65 31 27 30  25 06 03 55  |
+ | | | c0: 08 48 61 72 64 63 6f |
+ | | | 72 65 31 27 30 25 06 03 55 |
| | | \| .Hardcore1'0%..U |
- | | |     d0: 04 03 13 1e  48 61 72 |
- | | | 64  63 6f 72 65  20 43 65 72  |
+ | | | d0: 04 03 13 1e 48 61 72 |
+ | | | 64 63 6f 72 65 20 43 65 72 |
| | | \| ....Hardcore Cer |
- | | |     e0: 74 69 66 69  63 61 74 |
- | | | 65  20 53 65 72  76 65 72 20  |
+ | | | e0: 74 69 66 69 63 61 74 |
+ | | | 65 20 53 65 72 76 65 72 20 |
| | | \| tificate Server |
- | | |     f0: 49 49 30 1e  17 0d 39 |
- | | | 38  30 35 31 36  30 31 30 33  |
+ | | | f0: 49 49 30 1e 17 0d 39 |
+ | | | 38 30 35 31 36 30 31 30 33 |
| | | \| II0...9805160103 |
- | | |  <additional data lines> |
- | | |  ] |
- | | |  <additional records in same |
+ | | | <additional data lines> |
+ | | | ] |
+ | | | <additional records in same |
| | | format> |
- | | |  Server socket closed. |
- | | |    Example 4 |
- | | |    In this example, the -s |
+ | | | Server socket closed. |
+ | | | Example 4 |
+ | | | In this example, the -s |
| | | option turns on SSL parsing, |
| | | and the -h option |
- | | |    turns on hex/ASCII format. |
+ | | | turns on hex/ASCII format. |
| | | Both formats are shown for |
| | | each record. The |
- | | |    output is routed to a text |
+ | | | output is routed to a text |
| | | file. |
- | | |  $ ssltap -hs -p 444 |
+ | | | $ ssltap -hs -p 444 |
| | | interzone.mcom.com:443 > |
| | | hs.txt |
- | | |    Output |
- | | |  Connected to |
+ | | | Output |
+ | | | Connected to |
| | | interzone.mcom.com:443 |
- | | |  --> [ |
- | | |     0: 80 3d 01 03  00 00 24 |
- | | | 00  00 00 10 01  00 80 02 00  |
+ | | | --> [ |
+ | | | 0: 80 3d 01 03 00 00 24 |
+ | | | 00 00 00 10 01 00 80 02 00 |
| | | \| .=....$......... |
- | | |     10: 80 03 00 80  04 00 80 |
- | | | 06  00 40 07 00  c0 00 00 04  |
+ | | | 10: 80 03 00 80 04 00 80 |
+ | | | 06 00 40 07 00 c0 00 00 04 |
| | | \| .........@...... |
- | | |     20: 00 ff e0 00  00 0a 00 |
- | | | ff  e1 00 00 09  00 00 03 03  |
+ | | | 20: 00 ff e0 00 00 0a 00 |
+ | | | ff e1 00 00 09 00 00 03 03 |
| | | \| ........á....... |
- | | |     30: 55 e6 e4 99  79 c7 d7 |
- | | | 2c  86 78 96 5d  b5 cf e9     |
+ | | | 30: 55 e6 e4 99 79 c7 d7 |
+ | | | 2c 86 78 96 5d b5 cf e9 |
| | | \|U..yÇ\xb0 ,.x.]µÏé |
- | | |  alloclen = 63 bytes |
- | | |     [ssl2]  ClientHelloV2 { |
- | | |              version = {0x03, |
+ | | | alloclen = 63 bytes |
+ | | | [ssl2] ClientHelloV2 { |
+ | | | version = {0x03, |
| | | 0x00} |
- | | |              |
+ | | | |
| | | cipher-specs-length = 36 |
| | | (0x24) |
- | | |              sid-length = 0 |
+ | | | sid-length = 0 |
| | | (0x00) |
- | | |              challenge-length |
+ | | | challenge-length |
| | | = 16 (0x10) |
- | | |              cipher-suites = { |
- | | |                    (0x010080) |
+ | | | cipher-suites = { |
+ | | | (0x010080) |
| | | SSL2/RSA/RC4-128/MD5 |
- | | |                    (0x020080) |
+ | | | (0x020080) |
| | | SSL2/RSA/RC4-40/MD5 |
- | | |                    (0x030080) |
+ | | | (0x030080) |
| | | SSL2/RSA/RC2CBC128/MD5 |
- | | |                    (0x040080) |
+ | | | (0x040080) |
| | | SSL2/RSA/RC2CBC40/MD5 |
- | | |                    (0x060040) |
+ | | | (0x060040) |
| | | SSL2/RSA/DES64CBC/MD5 |
- | | |                    (0x0700c0) |
+ | | | (0x0700c0) |
| | | SSL2/RSA/3DES192EDE-CBC/MD5 |
- | | |                    (0x000004) |
+ | | | (0x000004) |
| | | SSL3/RSA/RC4-128/MD5 |
- | | |                    (0x00ffe0) |
+ | | | (0x00ffe0) |
| | | SS |
| | | L3/RSA-FIPS/3DES192EDE-CBC/SHA |
- | | |                    (0x00000a) |
+ | | | (0x00000a) |
| | | SSL3/RSA/3DES192EDE-CBC/SHA |
- | | |                    (0x00ffe1) |
+ | | | (0x00ffe1) |
| | | SSL3/RSA-FIPS/DES64CBC/SHA |
- | | |                    (0x000009) |
+ | | | (0x000009) |
| | | SSL3/RSA/DES64CBC/SHA |
- | | |                    (0x000003) |
+ | | | (0x000003) |
| | | SSL3/RSA/RC4-40/MD5 |
- | | |                    } |
- | | |              session-id = { } |
- | | |              challenge = { |
+ | | | } |
+ | | | session-id = { } |
+ | | | challenge = { |
| | | 0x0355 0xe6e4 0x9979 0xc7d7 |
| | | 0x2c86 0x7896 0x5db |
- | | |  0xcfe9 } |
- | | |  } |
- | | |  ] |
- | | |  <additional records in same |
+ | | | 0xcfe9 } |
+ | | | } |
+ | | | ] |
+ | | | <additional records in same |
| | | formats> |
- | | |  Server socket closed. |
+ | | | Server socket closed. |
| | | Usage Tips |
- | | |    When SSL restarts a |
+ | | | When SSL restarts a |
| | | previous session, it makes use |
| | | of cached information |
- | | |    to do a partial handshake. |
+ | | | to do a partial handshake. |
| | | If you wish to capture a full |
| | | SSL handshake, |
- | | |    restart the browser to |
+ | | | restart the browser to |
| | | clear the session id cache. |
- | | |    If you run the tool on a |
+ | | | If you run the tool on a |
| | | machine other than the SSL |
| | | server to which you |
- | | |    are trying to connect, the |
+ | | | are trying to connect, the |
| | | browser will complain that the |
| | | host name you |
- | | |    are trying to connect to is |
+ | | | are trying to connect to is |
| | | different from the |
| | | certificate. If you are |
- | | |    using the default BadCert |
+ | | | using the default BadCert |
| | | callback, you can still |
| | | connect through a |
- | | |    dialog. If you are not |
+ | | | dialog. If you are not |
| | | using the default BadCert |
| | | callback, the one you |
- | | |    supply must allow for this |
+ | | | supply must allow for this |
| | | possibility. |
| | | See Also |
- | | |    The NSS Security Tools are |
+ | | | The NSS Security Tools are |
| | | also documented at |
- | | |    |
+ | | | |
| | | [1]\ `http://www.mozil |
| | | la.org/projects/security/pki/n |
| | | ss/ <https://www.mozilla.org/p |
| | | rojects/security/pki/nss/>`__. |
| | | Additional Resources |
- | | |    NSS is maintained in |
+ | | | NSS is maintained in |
| | | conjunction with PKI and |
| | | security-related projects |
- | | |    through Mozilla dn Fedora. |
+ | | | through Mozilla dn Fedora. |
| | | The most closely-related |
| | | project is Dogtag PKI, |
- | | |    with a project wiki at |
+ | | | with a project wiki at |
| | | [2]\ http: |
| | | //pki.fedoraproject.org/wiki/. |
- | | |    For information |
+ | | | For information |
| | | specifically about NSS, the |
| | | NSS project wiki is located at |
- | | |    |
+ | | | |
| | | [3]\ `http://www.mozil |
| | | la.org/projects/security/pki/n |
| | | ss/ <https://www.mozilla.org/p |
| | | rojects/security/pki/nss/>`__. |
| | | The NSS site relates |
- | | |    directly to NSS code |
+ | | | directly to NSS code |
| | | changes and releases. |
- | | |    Mailing lists: |
+ | | | Mailing lists: |
| | | pki-devel@redhat.com and |
| | | pki-users@redhat.com |
- | | |    IRC: Freenode at |
+ | | | IRC: Freenode at |
| | | #dogtag-pki |
| | | Authors |
- | | |    The NSS tools were written |
+ | | | The NSS tools were written |
| | | and maintained by developers |
| | | with Netscape and |
- | | |    now with Red Hat and Sun. |
- | | |    Authors: Elio Maldonado |
+ | | | now with Red Hat and Sun. |
+ | | | Authors: Elio Maldonado |
| | | <emaldona@redhat.com>, Deon |
| | | Lackey |
- | | |    <dlackey@redhat.com>. |
+ | | | <dlackey@redhat.com>. |
| | | Copyright |
- | | |    (c) 2010, Red Hat, Inc. |
+ | | | (c) 2010, Red Hat, Inc. |
| | | Licensed under the GNU Public |
| | | License version 2. |
| | | References |
- | | |    Visible links |
- | | |    1. |
+ | | | Visible links |
+ | | | 1. |
| | | `http://www.mozilla.org/p |
| | | rojects/secu.../pki/nss/tools |
| | | <https://www.mozilla.org/proje |
| | | cts/security/pki/nss/tools>`__ |
- | | |    2. |
+ | | | 2. |
| | | http |
| | | ://pki.fedoraproject.org/wiki/ |
- | | |    3. |
+ | | | 3. |
| | | `http://www.mozi |
| | | lla.org/projects/security/pki/ |
| | | nss/ <https://www.mozilla.org/ |
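Review bot: The whitespace sweep in this hunk is applied to cells that hold verbatim ssltap output, and it destroys formatting that carries meaning there: the nesting indent of the parsed records (`SSLRecord {` / `handshake {` / `ServerHello {` and their closing braces all collapse to column 0) and the double space that separates 4-byte groups in the `-h` hex dumps (`0: 80 40 01 03  00 00 27` becomes `0: 80 40 01 03 00 00 27`). Because these lines sit inside grid-table cells rather than a `::` literal block, the rendered page already reflows them, so the change is cosmetic today, but it makes the original tool output unrecoverable from the source. Suggest excluding cells that quote tool output from the automated trailing/leading-space cleanup, or first moving those samples into literal blocks so the indentation is preserved intentionally. While these lines are being touched, the pre-existing typos they carry could be fixed in the same pass instead of being re-emitted unchanged: `the -h option turns hex/ASCII format` (missing "on") and `through Mozilla dn Fedora` ("and").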
@@ -11556,164 +11556,164 @@ Index
| | a_projects_nss_tools_vfychain` | |
+--------------------------------+--------------------------------+--------------------------------+
| | | Name |
- | | |    vfychain — vfychain |
+ | | | vfychain — vfychain |
| | | [options] [revocation options] |
| | | certfile [[options] |
- | | |    certfile] ... |
+ | | | certfile] ... |
| | | Synopsis |
- | | |    vfychain |
+ | | | vfychain |
| | | Description |
- | | |    The verification Tool, |
+ | | | The verification Tool, |
| | | vfychain, verifies certificate |
| | | chains. modutil can |
- | | |    add and delete PKCS #11 |
+ | | | add and delete PKCS #11 |
| | | modules, change passwords on |
| | | security databases, |
- | | |    set defaults, list module |
+ | | | set defaults, list module |
| | | contents, enable or disable |
| | | slots, enable or |
- | | |    disable FIPS 140-2 |
+ | | | disable FIPS 140-2 |
| | | compliance, and assign default |
| | | providers for |
- | | |    cryptographic operations. |
+ | | | cryptographic operations. |
| | | This tool can also create |
| | | certificate, key, and |
- | | |    module security database |
+ | | | module security database |
| | | files. |
- | | |    The tasks associated with |
+ | | | The tasks associated with |
| | | security module database |
| | | management are part of |
- | | |    a process that typically |
+ | | | a process that typically |
| | | also involves managing key |
| | | databases and |
- | | |    certificate databases. |
+ | | | certificate databases. |
| | | Options |
- | | |    -a |
- | | |            the following |
+ | | | -a |
+ | | | the following |
| | | certfile is base64 encoded |
- | | |    -b YYMMDDHHMMZ |
- | | |            Validate date |
+ | | | -b YYMMDDHHMMZ |
+ | | | Validate date |
| | | (default: now) |
- | | |    -d directory |
- | | |            database directory |
- | | |    -f |
- | | |            Enable cert |
+ | | | -d directory |
+ | | | database directory |
+ | | | -f |
+ | | | Enable cert |
| | | fetching from AIA URL |
- | | |    -o oid |
- | | |            Set policy OID for |
+ | | | -o oid |
+ | | | Set policy OID for |
| | | cert validation(Format |
| | | OID.1.2.3) |
- | | |    -p |
- | | |            Use PKIX Library to |
+ | | | -p |
+ | | | Use PKIX Library to |
| | | validate certificate by |
| | | calling: |
- | | |            \* |
+ | | | \* |
| | | CERT_VerifyCertificate if |
| | | specified once, |
- | | |            \* |
+ | | | \* |
| | | CERT_PKIXVerifyCert if |
| | | specified twice and more. |
- | | |    -r |
- | | |            Following certfile |
+ | | | -r |
+ | | | Following certfile |
| | | is raw binary DER (default) |
- | | |    -t |
- | | |            Following cert is |
+ | | | -t |
+ | | | Following cert is |
| | | explicitly trusted (overrides |
| | | db trust) |
- | | |    -u usage |
- | | |            0=SSL client, 1=SSL |
+ | | | -u usage |
+ | | | 0=SSL client, 1=SSL |
| | | server, 2=SSL StepUp, 3=SSL |
| | | CA, 4=Email |
- | | |            signer, 5=Email |
+ | | | signer, 5=Email |
| | | recipient, 6=Object signer, |
- | | |            |
+ | | | |
| | | 9=ProtectedObjectSigner, |
| | | 10=OCSP responder, 11=Any CA |
- | | |    -v |
- | | |            Verbose mode. |
+ | | | -v |
+ | | | Verbose mode. |
| | | Prints root cert |
| | | subject(double the argument |
| | | for |
- | | |            whole root cert |
+ | | | whole root cert |
| | | info) |
- | | |    -w password |
- | | |            Database password |
- | | |    -W pwfile |
- | | |            Password file |
- | | |            Revocation options |
+ | | | -w password |
+ | | | Database password |
+ | | | -W pwfile |
+ | | | Password file |
+ | | | Revocation options |
| | | for PKIX API (invoked with -pp |
| | | options) is a |
- | | |            collection of the |
+ | | | collection of the |
| | | following flags: [-g type [-h |
| | | flags] [-m type |
- | | |            [-s flags]] ...] |
+ | | | [-s flags]] ...] |
| | | ... |
- | | |            Where: |
- | | |    -g test-type |
- | | |            Sets status |
+ | | | Where: |
+ | | | -g test-type |
+ | | | Sets status |
| | | checking test type. Possible |
| | | values are "leaf" or |
- | | |            "chain" |
- | | |    -g test type |
- | | |            Sets status |
+ | | | "chain" |
+ | | | -g test type |
+ | | | Sets status |
| | | checking test type. Possible |
| | | values are "leaf" or |
- | | |            "chain". |
- | | |    -h test flags |
- | | |            Sets revocation |
+ | | | "chain". |
+ | | | -h test flags |
+ | | | Sets revocation |
| | | flags for the test type it |
| | | follows. Possible |
- | | |            flags: |
+ | | | flags: |
| | | "testLocalInfoFirst" and |
| | | "requireFreshInfo". |
- | | |    -m method type |
- | | |            Sets method type |
+ | | | -m method type |
+ | | | Sets method type |
| | | for the test type it follows. |
| | | Possible types are |
- | | |            "crl" and "ocsp". |
- | | |    -s method flags |
- | | |            Sets revocation |
+ | | | "crl" and "ocsp". |
+ | | | -s method flags |
+ | | | Sets revocation |
| | | flags for the method it |
| | | follows. Possible types |
- | | |            are "doNotUse", |
+ | | | are "doNotUse", |
| | | "forbidFetching", |
| | | "ignoreDefaultSrc", |
- | | |            "requireInfo" and |
+ | | | "requireInfo" and |
| | | "failIfNoInfo". |
| | | Additional Resources |
- | | |    For information about NSS |
+ | | | For information about NSS |
| | | and other tools related to NSS |
| | | (like JSS), check |
- | | |    out the NSS project wiki at |
- | | |    |
+ | | | out the NSS project wiki at |
+ | | | |
| | | [1]\ `http://www.mozil |
| | | la.org/projects/security/pki/n |
| | | ss/ <https://www.mozilla.org/p |
| | | rojects/security/pki/nss/>`__. |
| | | The NSS site relates |
- | | |    directly to NSS code |
+ | | | directly to NSS code |
| | | changes and releases. |
- | | |    Mailing lists: |
+ | | | Mailing lists: |
| | | https://lists.mozill |
| | | a.org/listinfo/dev-tech-crypto |
- | | |    IRC: Freenode at |
+ | | | IRC: Freenode at |
| | | #dogtag-pki |
| | | Authors |
- | | |    The NSS tools were written |
+ | | | The NSS tools were written |
| | | and maintained by developers |
| | | with Netscape, Red |
- | | |    Hat, and Sun. |
- | | |    Authors: Elio Maldonado |
+ | | | Hat, and Sun. |
+ | | | Authors: Elio Maldonado |
| | | <emaldona@redhat.com>, Deon |
| | | Lackey |
- | | |    <dlackey@redhat.com>. |
+ | | | <dlackey@redhat.com>. |
| | | Copyright |
- | | |    (c) 2010, Red Hat, Inc. |
+ | | | (c) 2010, Red Hat, Inc. |
| | | Licensed under the GNU Public |
| | | License version 2. |
| | | References |
- | | |    Visible links |
- | | |    1. |
+ | | | Visible links |
+ | | | 1. |
| | | `http://www.mozi |
| | | lla.org/projects/security/pki/ |
| | | nss/ <https://www.mozilla.org/ |
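Review bot: The indent stripping in this hunk flattens the vfychain option list, so an option line such as `-a` and its description `the following certfile is base64 encoded` now sit at the same column and read as one run of text in the source; if the intent is a pure whitespace normalisation, the definition-list shape of the Options section should be kept (or converted to a proper RST definition list) rather than removed. Two content problems in the lines being rewritten here also deserve a fix in the same change rather than a verbatim re-emit: the Description paragraph under vfychain describes modutil (`modutil can add and delete PKCS #11 modules, change passwords on security databases ...`), which is a copy-paste from the modutil page, and `-g test-type` / `-g test type` appear twice with the same text, so one of the entries should be dropped.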