diff options
Diffstat (limited to 'doc/rst/legacy/reference/nss_tools__colon__certutil/index.rst')
| -rw-r--r-- | doc/rst/legacy/reference/nss_tools__colon__certutil/index.rst | 1356 |
1 files changed, 678 insertions, 678 deletions
diff --git a/doc/rst/legacy/reference/nss_tools__colon__certutil/index.rst b/doc/rst/legacy/reference/nss_tools__colon__certutil/index.rst index 0c1535b73..134cce4e3 100644 --- a/doc/rst/legacy/reference/nss_tools__colon__certutil/index.rst +++ b/doc/rst/legacy/reference/nss_tools__colon__certutil/index.rst @@ -6,519 +6,519 @@ NSS tools : certutil .. container:: | Name - | certutil — Manage keys and certificate in both NSS databases and other NSS tokens + | certutil — Manage keys and certificate in both NSS databases and other NSS tokens | Synopsis - | certutil [options] [[arguments]] + | certutil [options] [[arguments]] | Description - | The Certificate Database Tool, certutil, is a command-line utility - | that can create and modify certificate and key databases. - | It can specifically list, generate, modify, or delete certificates, create or - | change the password, generate new public and private key pairs, - | display the contents of the key database, or delete key pairs within the key database. - | Certificate issuance, part of the key and certificate management process, requires that - | keys and certificates be created in the key database. This document discusses certificate - | and key database management. For information on the security module database management, - | see the modutil manpage. + | The Certificate Database Tool, certutil, is a command-line utility + | that can create and modify certificate and key databases. + | It can specifically list, generate, modify, or delete certificates, create or + | change the password, generate new public and private key pairs, + | display the contents of the key database, or delete key pairs within the key database. + | Certificate issuance, part of the key and certificate management process, requires that + | keys and certificates be created in the key database. This document discusses certificate + | and key database management. For information on the security module database management, + | see the modutil manpage. | Options and Arguments - | Running certutil always requires one and only one command option to - | specify the type of certificate operation. Each option may take arguments, - | anywhere from none to multiple arguments. The command option -H will list - | all the command options available and their relevant arguments. - | Command Options - | -A - | Add an existing certificate to a certificate database. - | The certificate database should already exist; if one is - | not present, this command option will initialize one by default. - | -B - | Run a series of commands from the specified batch file. - | This requires the -i argument. - | -C - | Create a new binary certificate file from a binary - | certificate request file. Use the -i argument to specify - | the certificate request file. If this argument is not - | used, certutil prompts for a filename. - | -D - | Delete a certificate from the certificate database. - - | --rename - | Change the database nickname of a certificate. + | Running certutil always requires one and only one command option to + | specify the type of certificate operation. Each option may take arguments, + | anywhere from none to multiple arguments. The command option -H will list + | all the command options available and their relevant arguments. + | Command Options + | -A + | Add an existing certificate to a certificate database. + | The certificate database should already exist; if one is + | not present, this command option will initialize one by default. + | -B + | Run a series of commands from the specified batch file. + | This requires the -i argument. + | -C + | Create a new binary certificate file from a binary + | certificate request file. Use the -i argument to specify + | the certificate request file. If this argument is not + | used, certutil prompts for a filename. + | -D + | Delete a certificate from the certificate database. + + | --rename + | Change the database nickname of a certificate. | - | -E - | Add an email certificate to the certificate database. - | -F - | Delete a private key from a key database. Specify the - | key to delete with the -n argument. Specify the database - | from which to delete the key with the -d argument. Use - | the -k argument to specify explicitly whether to delete - | a DSA, RSA, or ECC key. If you don't use the -k - | argument, the option looks for an RSA key matching the - | specified nickname. - | When you delete keys, be sure to also remove any - | certificates associated with those keys from the - | certificate database, by using -D. Some smart cards (for - | example, the Litronic card) do not let you remove a - | public key you have generated. In such a case, only the - | private key is deleted from the key pair. You can - | display the public key with the command certutil -K -h - | tokenname. - | -G - | Generate a new public and private key pair within a key - | database. The key database should already exist; if one - | is not present, this option will initialize one by - | default. Some smart cards (for example, the Litronic - | card) can store only one key pair. If you create a new - | key pair for such a card, the previous pair is - | overwritten. - | -H - | Display a list of the options and arguments used by the - | Certificate Database Tool. - | -K - | List the key ID of keys in the key database. A key ID is - | the modulus of the RSA key or the publicValue of the DSA - | key. IDs are displayed in hexadecimal ("0x" is not - | shown). - | -L - | List all the certificates, or display information about - | a named certificate, in a certificate database. Use the - | -h tokenname argument to specify the certificate - | database on a particular hardware or software token. - | -M - | Modify a certificate's trust attributes using the values - | of the -t argument. - | -N - | Create new certificate and key databases. - | -O - | Print the certificate chain. - | -R - | Create a certificate request file that can be submitted - | to a Certificate Authority (CA) for processing into a - | finished certificate. Output defaults to standard out - | unless you use -o output-file argument. Use the -a - | argument to specify ASCII output. - | -S - | Create an individual certificate and add it to a - | certificate database. - | -T - | Reset the key database or token. - | -U - | List all available modules or print a single named - | module. - | -V - | Check the validity of a certificate and its attributes. - | -W - | Change the password to a key database. - | --merge - | Merge two databases into one. - | --upgrade-merge - | Upgrade an old database and merge it into a new - | database. This is used to migrate legacy NSS databases - | (cert8.db and key3.db) into the newer SQLite databases - | (cert9.db and key4.db). - | Arguments - | Arguments modify a command option and are usually lower case, numbers, or symbols. - | -a - | Use ASCII format or allow the use of ASCII format for - | input or output. This formatting follows RFC 1113. For - | certificate requests, ASCII output defaults to standard - | output unless redirected. - | -b validity-time - | Specify a time at which a certificate is required to be - | valid. Use when checking certificate validity with the - | -V option. The format of the validity-time argument is - | YYMMDDHHMMSS[+HHMM|-HHMM|Z], which allows offsets to be - | set relative to the validity end time. Specifying - | seconds (SS) is optional. When specifying an explicit - | time, use a Z at the end of the term, YYMMDDHHMMSSZ, to - | close it. When specifying an offset time, use - | YYMMDDHHMMSS+HHMM or YYMMDDHHMMSS-HHMM for adding or - | subtracting time, respectively. - | If this option is not used, the validity check defaults - | to the current system time. - | -c issuer - | Identify the certificate of the CA from which a new - | certificate will derive its authenticity. Use the exact - | nickname or alias of the CA certificate, or use the CA's - | email address. Bracket the issuer string with quotation - | marks if it contains spaces. - | -d [prefix]directory - | Specify the database directory containing the - | certificate and key database files. - | certutil supports two types of databases: the legacy - | security databases (cert8.db, key3.db, and secmod.db) - | and new SQLite databases (cert9.db, key4.db, and - | pkcs11.txt). - - NSS recognizes the following prefixes: - - · sql: requests the newer database - - · dbm: requests the legacy database - - | If no prefix is specified the default type is retrieved from NSS_DEFAULT_DB_TYPE. If + | -E + | Add an email certificate to the certificate database. + | -F + | Delete a private key from a key database. Specify the + | key to delete with the -n argument. Specify the database + | from which to delete the key with the -d argument. Use + | the -k argument to specify explicitly whether to delete + | a DSA, RSA, or ECC key. If you don't use the -k + | argument, the option looks for an RSA key matching the + | specified nickname. + | When you delete keys, be sure to also remove any + | certificates associated with those keys from the + | certificate database, by using -D. Some smart cards (for + | example, the Litronic card) do not let you remove a + | public key you have generated. In such a case, only the + | private key is deleted from the key pair. You can + | display the public key with the command certutil -K -h + | tokenname. + | -G + | Generate a new public and private key pair within a key + | database. The key database should already exist; if one + | is not present, this option will initialize one by + | default. Some smart cards (for example, the Litronic + | card) can store only one key pair. If you create a new + | key pair for such a card, the previous pair is + | overwritten. + | -H + | Display a list of the options and arguments used by the + | Certificate Database Tool. + | -K + | List the key ID of keys in the key database. A key ID is + | the modulus of the RSA key or the publicValue of the DSA + | key. IDs are displayed in hexadecimal ("0x" is not + | shown). + | -L + | List all the certificates, or display information about + | a named certificate, in a certificate database. Use the + | -h tokenname argument to specify the certificate + | database on a particular hardware or software token. + | -M + | Modify a certificate's trust attributes using the values + | of the -t argument. + | -N + | Create new certificate and key databases. + | -O + | Print the certificate chain. + | -R + | Create a certificate request file that can be submitted + | to a Certificate Authority (CA) for processing into a + | finished certificate. Output defaults to standard out + | unless you use -o output-file argument. Use the -a + | argument to specify ASCII output. + | -S + | Create an individual certificate and add it to a + | certificate database. + | -T + | Reset the key database or token. + | -U + | List all available modules or print a single named + | module. + | -V + | Check the validity of a certificate and its attributes. + | -W + | Change the password to a key database. + | --merge + | Merge two databases into one. + | --upgrade-merge + | Upgrade an old database and merge it into a new + | database. This is used to migrate legacy NSS databases + | (cert8.db and key3.db) into the newer SQLite databases + | (cert9.db and key4.db). + | Arguments + | Arguments modify a command option and are usually lower case, numbers, or symbols. + | -a + | Use ASCII format or allow the use of ASCII format for + | input or output. This formatting follows RFC 1113. For + | certificate requests, ASCII output defaults to standard + | output unless redirected. + | -b validity-time + | Specify a time at which a certificate is required to be + | valid. Use when checking certificate validity with the + | -V option. The format of the validity-time argument is + | YYMMDDHHMMSS[+HHMM|-HHMM|Z], which allows offsets to be + | set relative to the validity end time. Specifying + | seconds (SS) is optional. When specifying an explicit + | time, use a Z at the end of the term, YYMMDDHHMMSSZ, to + | close it. When specifying an offset time, use + | YYMMDDHHMMSS+HHMM or YYMMDDHHMMSS-HHMM for adding or + | subtracting time, respectively. + | If this option is not used, the validity check defaults + | to the current system time. + | -c issuer + | Identify the certificate of the CA from which a new + | certificate will derive its authenticity. Use the exact + | nickname or alias of the CA certificate, or use the CA's + | email address. Bracket the issuer string with quotation + | marks if it contains spaces. + | -d [prefix]directory + | Specify the database directory containing the + | certificate and key database files. + | certutil supports two types of databases: the legacy + | security databases (cert8.db, key3.db, and secmod.db) + | and new SQLite databases (cert9.db, key4.db, and + | pkcs11.txt). + + NSS recognizes the following prefixes: + + · sql: requests the newer database + + · dbm: requests the legacy database + + | If no prefix is specified the default type is retrieved from NSS_DEFAULT_DB_TYPE. If NSS_DEFAULT_DB_TYPE is not set - | then dbm: is the default. + | then dbm: is the default. - | --dump-ext-val OID - | For single cert, print binary DER encoding of extension OID. - | -e - | Check a certificate's signature during the process of - | validating a certificate. + | --dump-ext-val OID + | For single cert, print binary DER encoding of extension OID. + | -e + | Check a certificate's signature during the process of + | validating a certificate. - | --email email-address - | Specify the email address of a certificate to list. Used with the -L command option. + | --email email-address + | Specify the email address of a certificate to list. Used with the -L command option. - | --extGeneric OID:critical-flag:filename[,OID:critical-flag:filename]... - | Add one or multiple extensions that certutil cannot encode yet, by loading their + | --extGeneric OID:critical-flag:filename[,OID:critical-flag:filename]... + | Add one or multiple extensions that certutil cannot encode yet, by loading their encodings from external files. - · OID (example): 1.2.3.4 + · OID (example): 1.2.3.4 - · critical-flag: critical or not-critical + · critical-flag: critical or not-critical - · filename: full path to a file containing an encoded extension + · filename: full path to a file containing an encoded extension | - | -f password-file - | Specify a file that will automatically supply the - | password to include in a certificate or to access a - | certificate database. This is a plain-text file - | containing one password. Be sure to prevent unauthorized - | access to this file. - | -g keysize - | Set a key size to use when generating new public and - | private key pairs. The minimum is 512 bits and the - | maximum is 16384 bits. The default is 2048 bits. Any size - | between the minimum and maximum is allowed. - | -h tokenname - | Specify the name of a token to use or act on. Unless - | specified otherwise the default token is an internal - | slot. - | -i input_file - | Pass an input file to the command. Depending on the - | command option, an input file can be a specific - | certificate, a certificate request file, or a batch file - | of commands. - | -k rsa|dsa|ec|all - | Specify the type of a key. The valid options are RSA, - | DSA, ECC, or all. The default value is rsa. Specifying - | the type of key can avoid mistakes caused by duplicate - | nicknames. - | -k key-type-or-id - | Specify the type or specific ID of a key. - - | The valid key type options are rsa, dsa, ec, or all. The default value is rsa. + | -f password-file + | Specify a file that will automatically supply the + | password to include in a certificate or to access a + | certificate database. This is a plain-text file + | containing one password. Be sure to prevent unauthorized + | access to this file. + | -g keysize + | Set a key size to use when generating new public and + | private key pairs. The minimum is 512 bits and the + | maximum is 16384 bits. The default is 2048 bits. Any size + | between the minimum and maximum is allowed. + | -h tokenname + | Specify the name of a token to use or act on. Unless + | specified otherwise the default token is an internal + | slot. + | -i input_file + | Pass an input file to the command. Depending on the + | command option, an input file can be a specific + | certificate, a certificate request file, or a batch file + | of commands. + | -k rsa|dsa|ec|all + | Specify the type of a key. The valid options are RSA, + | DSA, ECC, or all. The default value is rsa. Specifying + | the type of key can avoid mistakes caused by duplicate + | nicknames. + | -k key-type-or-id + | Specify the type or specific ID of a key. + + | The valid key type options are rsa, dsa, ec, or all. The default value is rsa. Specifying the type of key can avoid - | mistakes caused by duplicate nicknames. Giving a key type generates a new key pair; + | mistakes caused by duplicate nicknames. Giving a key type generates a new key pair; giving the ID of an existing key - | reuses that key pair (which is required to renew certificates). - | -l - | Display detailed information when validating a - | certificate with the -V option. - | -m serial-number - | Assign a unique serial number to a certificate being created. This operation should + | reuses that key pair (which is required to renew certificates). + | -l + | Display detailed information when validating a + | certificate with the -V option. + | -m serial-number + | Assign a unique serial number to a certificate being created. This operation should be performed by a CA. If no - | serial number is provided a default serial number is made from the current time. + | serial number is provided a default serial number is made from the current time. Serial numbers are limited to - | integers. - | -n nickname - | Specify the nickname of a certificate or key to list, - | create, add to a database, modify, or validate. Bracket - | the nickname string with quotation marks if it contains - | spaces. - | -o output-file - | Specify the output file name for new certificates or - | binary certificate requests. Bracket the output-file - | string with quotation marks if it contains spaces. If - | this argument is not used the output destination - | defaults to standard output. - | -P dbPrefix - | Specify the prefix used on the certificate and key - | database file. This argument is provided to support - | legacy servers. Most applications do not use a database prefix. - | -p phone - | Specify a contact telephone number to include in new - | certificates or certificate requests. Bracket this - | string with quotation marks if it contains spaces. - | -q pqgfile or curve-name - | Read an alternate PQG value from the specified file when generating DSA key pairs. - | If this argument is not used,certutil generates its own PQG value. PQG files are + | integers. + | -n nickname + | Specify the nickname of a certificate or key to list, + | create, add to a database, modify, or validate. Bracket + | the nickname string with quotation marks if it contains + | spaces. + | -o output-file + | Specify the output file name for new certificates or + | binary certificate requests. Bracket the output-file + | string with quotation marks if it contains spaces. If + | this argument is not used the output destination + | defaults to standard output. + | -P dbPrefix + | Specify the prefix used on the certificate and key + | database file. This argument is provided to support + | legacy servers. Most applications do not use a database prefix. + | -p phone + | Specify a contact telephone number to include in new + | certificates or certificate requests. Bracket this + | string with quotation marks if it contains spaces. + | -q pqgfile or curve-name + | Read an alternate PQG value from the specified file when generating DSA key pairs. + | If this argument is not used,certutil generates its own PQG value. PQG files are created with a separate DSA utility. - Elliptic curve name is one of the ones from SUITE B: nistp256, nistp384, nistp521 + Elliptic curve name is one of the ones from SUITE B: nistp256, nistp384, nistp521 - | If NSS has been compiled with support curves outside of SUITE B: sect163k1, + | If NSS has been compiled with support curves outside of SUITE B: sect163k1, nistk163, sect163r1, sect163r2, nistb163, - | sect193r1, sect193r2, sect233k1, nistk233, sect233r1, nistb233, sect239k1, + | sect193r1, sect193r2, sect233k1, nistk233, sect233r1, nistb233, sect239k1, sect283k1, nistk283, sect283r1, nistb283, - | sect409k1, nistk409, sect409r1, nistb409, sect571k1, nistk571, sect571r1, nistb571, + | sect409k1, nistk409, sect409r1, nistb409, sect571k1, nistk571, sect571r1, nistb571, secp160k1, secp160r1, secp160r2, - | secp192k1, secp192r1, nistp192, secp224k1, secp224r1, nistp224, secp256k1, + | secp192k1, secp192r1, nistp192, secp224k1, secp224r1, nistp224, secp256k1, secp256r1, secp384r1, secp521r1, - | prime192v1, prime192v2, prime192v3, prime239v1, prime239v2, prime239v3, c2pnb163v1, + | prime192v1, prime192v2, prime192v3, prime239v1, prime239v2, prime239v3, c2pnb163v1, c2pnb163v2, c2pnb163v3, - | c2pnb176v1, c2tnb191v1, c2tnb191v2, c2tnb191v3, c2pnb208w1, c2tnb239v1, c2tnb239v2, + | c2pnb176v1, c2tnb191v1, c2tnb191v2, c2tnb191v3, c2pnb208w1, c2tnb239v1, c2tnb239v2, c2tnb239v3, c2pnb272w1, - | c2pnb304w1, c2tnb359w1, c2pnb368w1, c2tnb431r1, secp112r1, secp112r2, secp128r1, + | c2pnb304w1, c2tnb359w1, c2pnb368w1, c2tnb431r1, secp112r1, secp112r2, secp128r1, secp128r2, sect113r1, sect113r2 - | sect131r1, sect131r2 + | sect131r1, sect131r2 | - | -r - | Display a certificate's binary DER encoding when listing - | information about that certificate with the -L option. - | -s subject - | Identify a particular certificate owner for new - | certificates or certificate requests. Bracket this - | string with quotation marks if it contains spaces. The - | subject identification format follows RFC #1485. - | -t trustargs - | Specify the trust attributes to modify in an existing - | certificate or to apply to a certificate when creating - | it or adding it to a database. There are three available - | trust categories for each certificate, expressed in the - | order SSL, email, object signing for each trust setting. - | In each category position, use none, any, or all of the - | attribute codes: - | + p - Valid peer - | + P - Trusted peer (implies p) - | + c - Valid CA - | + T - Trusted CA to issue client certificates (implies - | c) - | + C - Trusted CA to issue server certificates (SSL only) - | (implies c) - | + u - Certificate can be used for authentication or - | signing - | + w - Send warning (use with other attributes to include - | a warning when the certificate is used in that - | context) - | The attribute codes for the categories are separated by - | commas, and the entire set of attributes enclosed by - | quotation marks. For example: - | -t "TC,C,T" - | Use the -L option to see a list of the current - | certificates and trust attributes in a certificate - | database. - - | Note that the output of the -L option may include "u" flag, which means that there + | -r + | Display a certificate's binary DER encoding when listing + | information about that certificate with the -L option. + | -s subject + | Identify a particular certificate owner for new + | certificates or certificate requests. Bracket this + | string with quotation marks if it contains spaces. The + | subject identification format follows RFC #1485. + | -t trustargs + | Specify the trust attributes to modify in an existing + | certificate or to apply to a certificate when creating + | it or adding it to a database. There are three available + | trust categories for each certificate, expressed in the + | order SSL, email, object signing for each trust setting. + | In each category position, use none, any, or all of the + | attribute codes: + | + p - Valid peer + | + P - Trusted peer (implies p) + | + c - Valid CA + | + T - Trusted CA to issue client certificates (implies + | c) + | + C - Trusted CA to issue server certificates (SSL only) + | (implies c) + | + u - Certificate can be used for authentication or + | signing + | + w - Send warning (use with other attributes to include + | a warning when the certificate is used in that + | context) + | The attribute codes for the categories are separated by + | commas, and the entire set of attributes enclosed by + | quotation marks. For example: + | -t "TC,C,T" + | Use the -L option to see a list of the current + | certificates and trust attributes in a certificate + | database. + + | Note that the output of the -L option may include "u" flag, which means that there is a private key associated with - | the certificate. It is a dynamic flag and you cannot set it with certutil. - | -u certusage - | Specify a usage context to apply when validating a - | certificate with the -V option. - | The contexts are the following: + | the certificate. It is a dynamic flag and you cannot set it with certutil. + | -u certusage + | Specify a usage context to apply when validating a + | certificate with the -V option. + | The contexts are the following: - · C (as an SSL client) + · C (as an SSL client) - · V (as an SSL server) + · V (as an SSL server) - · L (as an SSL CA) + · L (as an SSL CA) - · A (as Any CA) + · A (as Any CA) - · Y (Verify CA) + · Y (Verify CA) - · S (as an email signer) + · S (as an email signer) - · R (as an email recipient) + · R (as an email recipient) - · O (as an OCSP status responder) + · O (as an OCSP status responder) - · J (as an object signer) + · J (as an object signer) | - | -v valid-months - | Set the number of months a new certificate will be - | valid. The validity period begins at the current system - | time unless an offset is added or subtracted with the -w - | option. If this argument is not used, the default - | validity period is three months. When this argument is - | used, the default three-month period is automatically - | added to any value given in the valid-month argument. - | For example, using this option to set a value of 3 would - | cause 3 to be added to the three-month default, creating - | a validity period of six months. You can use negative - | values to reduce the default period. For example, - | setting a value of -2 would subtract 2 from the default - | and create a validity period of one month. - | -w offset-months - | Set an offset from the current system time, in months, - | for the beginning of a certificate's validity period. - | Use when creating the certificate or adding it to a - | database. Express the offset in integers, using a minus - | sign (-) to indicate a negative offset. If this argument - | is not used, the validity period begins at the current - | system time. The length of the validity period is set - | with the -v argument. - | -X - | Force the key and certificate database to open in - | read-write mode. This is used with the -U and -L command - | options. - | -x - | Use certutil to generate the signature for a certificate - | being created or added to a database, rather than - | obtaining a signature from a separate CA. - | -y exp - | Set an alternate exponent value to use in generating a - | new RSA public key for the database, instead of the - | default value of 65537. The available alternate values - | are 3 and 17. - | -z noise-file - | Read a seed value from the specified file to generate a - | new private and public key pair. This argument makes it - | possible to use hardware-generated seed values or - | manually create a value from the keyboard. The minimum - | file size is 20 bytes. - | -0 SSO_password - | Set a site security officer password on a token. - | -1 \| --keyUsage keyword,keyword - | Set a Netscape Certificate Type Extension in the - | certificate. There are several available keywords: - | + digital signature - | + nonRepudiation - | + keyEncipherment - | + dataEncipherment - | + keyAgreement - | + certSigning - | + crlSigning - | + critical - | -2 - | Add a basic constraint extension to a certificate that - | is being created or added to a database. This extension - | supports the certificate chain verification process. - | certutil prompts for the certificate constraint - | extension to select. - | X.509 certificate extensions are described in RFC 5280. - | -3 - | Add an authority key ID extension to a certificate that - | is being created or added to a database. This extension - | supports the identification of a particular certificate, - | from among multiple certificates associated with one - | subject name, as the correct issuer of a certificate. - | The Certificate Database Tool will prompt you to select - | the authority key ID extension. - | X.509 certificate extensions are described in RFC 5280. - | -4 - | Add a CRL distribution point extension to a certificate - | that is being created or added to a database. This - | extension identifies the URL of a certificate's - | associated certificate revocation list (CRL). certutil - | prompts for the URL. - | X.509 certificate extensions are described in RFC 5280. - | -5 \| --nsCertType keyword,keyword - | Add a Netscape certificate type extension to a - | certificate that is being created or added to the - | database. There are several available keywords: - | + sslClient - | + sslServer - | + smime - | + objectSigning - | + sslCA - | + smimeCA - | + objectSigningCA - | + critical - | X.509 certificate extensions are described in RFC 5280. - | -6 \| --extKeyUsage keyword,keyword - | Add an extended key usage extension to a certificate - | that is being created or added to the database. Several - | keywords are available: - | + serverAuth - | + clientAuth - | + codeSigning - | + emailProtection - | + timeStamp - | + ocspResponder - | + stepUp - | + critical - | X.509 certificate extensions are described in RFC 5280. - | -7 emailAddrs - | Add a comma-separated list of email addresses to the - | subject alternative name extension of a certificate or - | certificate request that is being created or added to - | the database. Subject alternative name extensions are - | described in Section 4.2.1.7 of RFC 3280. - | -8 dns-names - | Add a comma-separated list of DNS names to the subject - | alternative name extension of a certificate or - | certificate request that is being created or added to - | the database. Subject alternative name extensions are - | described in Section 4.2.1.7 of RFC 3280. - | --extAIA - | Add the Authority Information Access extension to the - | certificate. X.509 certificate extensions are described - | in RFC 5280. - | --extSIA - | Add the Subject Information Access extension to the - | certificate. X.509 certificate extensions are described - | in RFC 5280. - | --extCP - | Add the Certificate Policies extension to the - | certificate. X.509 certificate extensions are described - | in RFC 5280. - | --extPM - | Add the Policy Mappings extension to the certificate. - | X.509 certificate extensions are described in RFC 5280. - | --extPC - | Add the Policy Constraints extension to the certificate. - | X.509 certificate extensions are described in RFC 5280. - | --extIA - | Add the Inhibit Any Policy Access extension to the - | certificate. X.509 certificate extensions are described - | in RFC 5280. - | --extSKID - | Add the Subject Key ID extension to the certificate. - | X.509 certificate extensions are described in RFC 5280. - | --source-dir certdir - | Identify the certificate database directory to upgrade. - | --source-prefix certdir - | Give the prefix of the certificate and key databases to - | upgrade. - | --upgrade-id uniqueID - | Give the unique ID of the database to upgrade. - | --upgrade-token-name name - | Set the name of the token to use while it is being - | upgraded. - | -@ pwfile - | Give the name of a password file to use for the database - | being upgraded. + | -v valid-months + | Set the number of months a new certificate will be + | valid. The validity period begins at the current system + | time unless an offset is added or subtracted with the -w + | option. If this argument is not used, the default + | validity period is three months. When this argument is + | used, the default three-month period is automatically + | added to any value given in the valid-month argument. + | For example, using this option to set a value of 3 would + | cause 3 to be added to the three-month default, creating + | a validity period of six months. You can use negative + | values to reduce the default period. For example, + | setting a value of -2 would subtract 2 from the default + | and create a validity period of one month. + | -w offset-months + | Set an offset from the current system time, in months, + | for the beginning of a certificate's validity period. + | Use when creating the certificate or adding it to a + | database. Express the offset in integers, using a minus + | sign (-) to indicate a negative offset. If this argument + | is not used, the validity period begins at the current + | system time. The length of the validity period is set + | with the -v argument. + | -X + | Force the key and certificate database to open in + | read-write mode. This is used with the -U and -L command + | options. + | -x + | Use certutil to generate the signature for a certificate + | being created or added to a database, rather than + | obtaining a signature from a separate CA. + | -y exp + | Set an alternate exponent value to use in generating a + | new RSA public key for the database, instead of the + | default value of 65537. The available alternate values + | are 3 and 17. + | -z noise-file + | Read a seed value from the specified file to generate a + | new private and public key pair. This argument makes it + | possible to use hardware-generated seed values or + | manually create a value from the keyboard. The minimum + | file size is 20 bytes. + | -0 SSO_password + | Set a site security officer password on a token. + | -1 \| --keyUsage keyword,keyword + | Set a Netscape Certificate Type Extension in the + | certificate. There are several available keywords: + | + digital signature + | + nonRepudiation + | + keyEncipherment + | + dataEncipherment + | + keyAgreement + | + certSigning + | + crlSigning + | + critical + | -2 + | Add a basic constraint extension to a certificate that + | is being created or added to a database. This extension + | supports the certificate chain verification process. + | certutil prompts for the certificate constraint + | extension to select. + | X.509 certificate extensions are described in RFC 5280. + | -3 + | Add an authority key ID extension to a certificate that + | is being created or added to a database. This extension + | supports the identification of a particular certificate, + | from among multiple certificates associated with one + | subject name, as the correct issuer of a certificate. + | The Certificate Database Tool will prompt you to select + | the authority key ID extension. + | X.509 certificate extensions are described in RFC 5280. + | -4 + | Add a CRL distribution point extension to a certificate + | that is being created or added to a database. This + | extension identifies the URL of a certificate's + | associated certificate revocation list (CRL). certutil + | prompts for the URL. + | X.509 certificate extensions are described in RFC 5280. + | -5 \| --nsCertType keyword,keyword + | Add a Netscape certificate type extension to a + | certificate that is being created or added to the + | database. There are several available keywords: + | + sslClient + | + sslServer + | + smime + | + objectSigning + | + sslCA + | + smimeCA + | + objectSigningCA + | + critical + | X.509 certificate extensions are described in RFC 5280. + | -6 \| --extKeyUsage keyword,keyword + | Add an extended key usage extension to a certificate + | that is being created or added to the database. Several + | keywords are available: + | + serverAuth + | + clientAuth + | + codeSigning + | + emailProtection + | + timeStamp + | + ocspResponder + | + stepUp + | + critical + | X.509 certificate extensions are described in RFC 5280. + | -7 emailAddrs + | Add a comma-separated list of email addresses to the + | subject alternative name extension of a certificate or + | certificate request that is being created or added to + | the database. Subject alternative name extensions are + | described in Section 4.2.1.7 of RFC 3280. + | -8 dns-names + | Add a comma-separated list of DNS names to the subject + | alternative name extension of a certificate or + | certificate request that is being created or added to + | the database. Subject alternative name extensions are + | described in Section 4.2.1.7 of RFC 3280. + | --extAIA + | Add the Authority Information Access extension to the + | certificate. X.509 certificate extensions are described + | in RFC 5280. + | --extSIA + | Add the Subject Information Access extension to the + | certificate. X.509 certificate extensions are described + | in RFC 5280. + | --extCP + | Add the Certificate Policies extension to the + | certificate. X.509 certificate extensions are described + | in RFC 5280. + | --extPM + | Add the Policy Mappings extension to the certificate. + | X.509 certificate extensions are described in RFC 5280. + | --extPC + | Add the Policy Constraints extension to the certificate. + | X.509 certificate extensions are described in RFC 5280. + | --extIA + | Add the Inhibit Any Policy Access extension to the + | certificate. X.509 certificate extensions are described + | in RFC 5280. + | --extSKID + | Add the Subject Key ID extension to the certificate. + | X.509 certificate extensions are described in RFC 5280. + | --source-dir certdir + | Identify the certificate database directory to upgrade. + | --source-prefix certdir + | Give the prefix of the certificate and key databases to + | upgrade. + | --upgrade-id uniqueID + | Give the unique ID of the database to upgrade. + | --upgrade-token-name name + | Set the name of the token to use while it is being + | upgraded. + | -@ pwfile + | Give the name of a password file to use for the database + | being upgraded. | Usage and Examples - | Most of the command options in the examples listed here have - | more arguments available. The arguments included in these - | examples are the most common ones or are used to illustrate a - | specific scenario. Use the -H option to show the complete list - | of arguments for each command option. - | Creating New Security Databases - | Certificates, keys, and security modules related to managing - | certificates are stored in three related databases: - | \* cert8.db or cert9.db - | \* key3.db or key4.db - | \* secmod.db or pkcs11.txt - | These databases must be created before certificates or keys can - | be generated. + | Most of the command options in the examples listed here have + | more arguments available. The arguments included in these + | examples are the most common ones or are used to illustrate a + | specific scenario. Use the -H option to show the complete list + | of arguments for each command option. + | Creating New Security Databases + | Certificates, keys, and security modules related to managing + | certificates are stored in three related databases: + | \* cert8.db or cert9.db + | \* key3.db or key4.db + | \* secmod.db or pkcs11.txt + | These databases must be created before certificates or keys can + | be generated. | certutil -N -d [sql:]directory - | Creating a Certificate Request - | A certificate request contains most or all of the information - | that is used to generate the final certificate. This request is - | submitted separately to a certificate authority and is then - | approved by some mechanism (automatically or by human review). - | Once the request is approved, then the certificate is - | generated. + | Creating a Certificate Request + | A certificate request contains most or all of the information + | that is used to generate the final certificate. This request is + | submitted separately to a certificate authority and is then + | approved by some mechanism (automatically or by human review). + | Once the request is approved, then the certificate is + | generated. | $ certutil -R -k key-type-or-id [-q pqgfile|curve-name] -g key-size -s s | ubject [-h tokenname] -d [sql:]directory [-p phone] [-o output-file] [-a | ] - | The -R command options requires four arguments: - | \* -k to specify either the key type to generate or, when - | renewing a certificate, the existing key pair to use - | \* -g to set the keysize of the key to generate - | \* -s to set the subject name of the certificate - | \* -d to give the security database directory - | The new certificate request can be output in ASCII format (-a) - | or can be written to a specified file (-o). - | For example: + | The -R command options requires four arguments: + | \* -k to specify either the key type to generate or, when + | renewing a certificate, the existing key pair to use + | \* -g to set the keysize of the key to generate + | \* -s to set the subject name of the certificate + | \* -d to give the security database directory + | The new certificate request can be output in ASCII format (-a) + | or can be written to a specified file (-o). + | For example: | $ certutil -R -k ec -q nistb409 -g 512 -s "CN=John Smith,O=Example Corp, | L=Mountain View,ST=California,C=US" -d sql:/home/my/sharednssdb -p 650-5 | 55-0123 -a -o cert.cer - | Generating key. This may take a few moments... + | Generating key. This may take a few moments... | Certificate request generated by Netscape | Phone: 650-555-0123 | Common Name: John Smith @@ -535,67 +535,67 @@ NSS tools : certutil | qmtyQNjIi1F8c1Z+TL4uFYlMg8z6LG/J/u1E5t1QqB5e9Q4+BhRbrQjRR1JZx3tB | 1hP9Gg== | -----END NEW CERTIFICATE REQUEST----- - | Creating a Certificate - | A valid certificate must be issued by a trusted CA. This can be - | done by specifying a CA certificate (-c) that is stored in the - | certificate database. If a CA key pair is not available, you - | can create a self-signed certificate using the -x argument with - | the -S command option. + | Creating a Certificate + | A valid certificate must be issued by a trusted CA. This can be + | done by specifying a CA certificate (-c) that is stored in the + | certificate database. If a CA key pair is not available, you + | can create a self-signed certificate using the -x argument with + | the -S command option. | $ certutil -S -k rsa|dsa|ec -n certname -s subject [-c issuer \|-x] -t tr | ustargs -d [sql:]directory [-m serial-number] [-v valid-months] [-w offs | et-months] [-p phone] [-1] [-2] [-3] [-4] [-5 keyword] [-6 keyword] [-7 | emailAddress] [-8 dns-names] [--extAIA] [--extSIA] [--extCP] [--extPM] [ | --extPC] [--extIA] [--extSKID] - | The series of numbers and --ext\* options set certificate - | extensions that can be added to the certificate when it is - | generated by the CA. - | For example, this creates a self-signed certificate: + | The series of numbers and --ext\* options set certificate + | extensions that can be added to the certificate when it is + | generated by the CA. + | For example, this creates a self-signed certificate: | $ certutil -S -s "CN=Example CA" -n my-ca-cert -x -t "C,C,C" -1 -2 -5 -m - | 3650 - | From there, new certificates can reference the self-signed - | certificate: + | 3650 + | From there, new certificates can reference the self-signed + | certificate: | $ certutil -S -s "CN=My Server Cert" -n my-server-cert -c "my-ca-cert" - | t "u,u,u" -1 -5 -6 -8 -m 730 - | Generating a Certificate from a Certificate Request - | When a certificate request is created, a certificate can be - | generated by using the request and then referencing a - | certificate authority signing certificate (the issuer specified - | in the -c argument). The issuing certificate must be in the - | certificate database in the specified directory. + | Generating a Certificate from a Certificate Request + | When a certificate request is created, a certificate can be + | generated by using the request and then referencing a + | certificate authority signing certificate (the issuer specified + | in the -c argument). The issuing certificate must be in the + | certificate database in the specified directory. | certutil -C -c issuer -i cert-request-file -o output-file [-m serial-num | ber] [-v valid-months] [-w offset-months] -d [sql:]directory [-1] [-2] [ | -3] [-4] [-5 keyword] [-6 keyword] [-7 emailAddress] [-8 dns-names] - | For example: + | For example: | $ certutil -C -c "my-ca-cert" -i /home/certs/cert.req -o cert.cer -m 010 - | -v 12 -w 1 -d sql:/home/my/sharednssdb -1 nonRepudiation,dataEncipherme + | -v 12 -w 1 -d sql:/home/my/sharednssdb -1 nonRepudiation,dataEncipherme | nt -5 sslClient -6 clientAuth -7 jsmith@example.com - | Generating Key Pairs - | Key pairs are generated automatically with a certificate - | request or certificate, but they can also be generated - | independently using the -G command option. + | Generating Key Pairs + | Key pairs are generated automatically with a certificate + | request or certificate, but they can also be generated + | independently using the -G command option. | certutil -G -d [sql:]directory \| -h tokenname -k key-type -g key-size [- | y exponent-value] -q pqgfile|curve-name - | For example: + | For example: | $ certutil -G -h lunasa -k ec -g 256 -q sect193r2 - | Listing Certificates - | The -L command option lists all of the certificates listed in - | the certificate database. The path to the directory (-d) is - | required. + | Listing Certificates + | The -L command option lists all of the certificates listed in + | the certificate database. The path to the directory (-d) is + | required. | $ certutil -L -d sql:/home/my/sharednssdb - | Certificate Nickname Trust Attri + | Certificate Nickname Trust Attri | butes - | SSL,S/MIME, + | SSL,S/MIME, | JAR/XPI - | CA Administrator of Instance pki-ca1's Example Domain ID u,u,u - | TPS Administrator's Example Domain ID u,u,u - | Google Internet Authority ,, - | Certificate Authority - Example Domain CT,C,C - | Using additional arguments with -L can return and print the - | information for a single, specific certificate. For example, - | the -n argument passes the certificate name, while the -a - | argument prints the certificate in ASCII format: + | CA Administrator of Instance pki-ca1's Example Domain ID u,u,u + | TPS Administrator's Example Domain ID u,u,u + | Google Internet Authority ,, + | Certificate Authority - Example Domain CT,C,C + | Using additional arguments with -L can return and print the + | information for a single, specific certificate. For example, + | the -n argument passes the certificate name, while the -a + | argument prints the certificate in ASCII format: | $ certutil -L -d sql:/home/my/sharednssdb -a -n "Certificate Authority - - | Example Domain" + | Example Domain" | -----BEGIN CERTIFICATE----- | MIIDmTCCAoGgAwIBAgIBATANBgkqhkiG9w0BAQUFADA5MRcwFQYDVQQKEw5FeGFt | cGxlIERvbWFpbjEeMBwGA1UEAxMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTEw @@ -618,228 +618,228 @@ NSS tools : certutil | U0ujlL1H/RWcjn607+CTeKH9jLMUqCIqPJNOa+kq/6F7NhNRRiuzASIbZc30BZ5a | nI7q5n1USM3eWQlVXw== | -----END CERTIFICATE----- - | Listing Keys - | Keys are the original material used to encrypt certificate - | data. The keys generated for certificates are stored - | separately, in the key database. - | To list all keys in the database, use the -K command option and - | the (required) -d argument to give the path to the directory. + | Listing Keys + | Keys are the original material used to encrypt certificate + | data. The keys generated for certificates are stored + | separately, in the key database. + | To list all keys in the database, use the -K command option and + | the (required) -d argument to give the path to the directory. | $ certutil -K -d sql:/home/my/sharednssdb | certutil: Checking token "NSS Certificate DB" in slot "NSS User Private - | Key and Certificate Services " - | < 0> rsa 455a6673bde9375c2887ec8bf8016b3f9f35861d Thawte Freemail - | Member's Thawte Consulting (Pty) Ltd. ID - | < 1> rsa 40defeeb522ade11090eacebaaf1196a172127df Example Domain + | Key and Certificate Services " + | < 0> rsa 455a6673bde9375c2887ec8bf8016b3f9f35861d Thawte Freemail + | Member's Thawte Consulting (Pty) Ltd. ID + | < 1> rsa 40defeeb522ade11090eacebaaf1196a172127df Example Domain | Administrator Cert - | < 2> rsa 1d0b06f44f6c03842f7d4f4a1dc78b3bcd1b85a5 John Smith user - | cert - | There are ways to narrow the keys listed in the search results: - | \* To return a specific key, use the -n name argument with the - | name of the key. - | \* If there are multiple security devices loaded, then the -h - | tokenname argument can search a specific token or all - | tokens. - | \* If there are multiple key types available, then the -k - | key-type argument can search a specific type of key, like - | RSA, DSA, or ECC. - | Listing Security Modules - | The devices that can be used to store certificates -- both - | internal databases and external devices like smart cards -- are - | recognized and used by loading security modules. The -U command - | option lists all of the security modules listed in the - | secmod.db database. The path to the directory (-d) is required. + | < 2> rsa 1d0b06f44f6c03842f7d4f4a1dc78b3bcd1b85a5 John Smith user + | cert + | There are ways to narrow the keys listed in the search results: + | \* To return a specific key, use the -n name argument with the + | name of the key. + | \* If there are multiple security devices loaded, then the -h + | tokenname argument can search a specific token or all + | tokens. + | \* If there are multiple key types available, then the -k + | key-type argument can search a specific type of key, like + | RSA, DSA, or ECC. + | Listing Security Modules + | The devices that can be used to store certificates -- both + | internal databases and external devices like smart cards -- are + | recognized and used by loading security modules. The -U command + | option lists all of the security modules listed in the + | secmod.db database. The path to the directory (-d) is required. | $ certutil -U -d sql:/home/my/sharednssdb - | slot: NSS User Private Key and Certificate Services - | token: NSS Certificate DB - | slot: NSS Internal Cryptographic Services - | token: NSS Generic Crypto Services - | Adding Certificates to the Database - | Existing certificates or certificate requests can be added - | manually to the certificate database, even if they were - | generated elsewhere. This uses the -A command option. + | slot: NSS User Private Key and Certificate Services + | token: NSS Certificate DB + | slot: NSS Internal Cryptographic Services + | token: NSS Generic Crypto Services + | Adding Certificates to the Database + | Existing certificates or certificate requests can be added + | manually to the certificate database, even if they were + | generated elsewhere. This uses the -A command option. | certutil -A -n certname -t trustargs -d [sql:]directory [-a] [-i input-f | ile] - | For example: + | For example: | $ certutil -A -n "CN=My SSL Certificate" -t "u,u,u" -d sql:/home/my/shar | ednssdb -i /home/example-certs/cert.cer - | A related command option, -E, is used specifically to add email - | certificates to the certificate database. The -E command has - | the same arguments as the -A command. The trust arguments for - | certificates have the format SSL,S/MIME,Code-signing, so the - | middle trust settings relate most to email certificates (though - | the others can be set). For example: + | A related command option, -E, is used specifically to add email + | certificates to the certificate database. The -E command has + | the same arguments as the -A command. The trust arguments for + | certificates have the format SSL,S/MIME,Code-signing, so the + | middle trust settings relate most to email certificates (though + | the others can be set). For example: | $ certutil -E -n "CN=John Smith Email Cert" -t ",Pu," -d sql:/home/my/sh | arednssdb -i /home/example-certs/email.cer - | Deleting Certificates to the Database - | Certificates can be deleted from a database using the -D - | option. The only required options are to give the security - | database directory and to identify the certificate nickname. + | Deleting Certificates to the Database + | Certificates can be deleted from a database using the -D + | option. The only required options are to give the security + | database directory and to identify the certificate nickname. | certutil -D -d [sql:]directory -n "nickname" - | For example: + | For example: | $ certutil -D -d sql:/home/my/sharednssdb -n "my-ssl-cert" - | Validating Certificates - | A certificate contains an expiration date in itself, and - | expired certificates are easily rejected. However, certificates - | can also be revoked before they hit their expiration date. - | Checking whether a certificate has been revoked requires - | validating the certificate. Validation can also be used to - | ensure that the certificate is only used for the purposes it - | was initially issued for. Validation is carried out by the -V - | command option. + | Validating Certificates + | A certificate contains an expiration date in itself, and + | expired certificates are easily rejected. However, certificates + | can also be revoked before they hit their expiration date. + | Checking whether a certificate has been revoked requires + | validating the certificate. Validation can also be used to + | ensure that the certificate is only used for the purposes it + | was initially issued for. Validation is carried out by the -V + | command option. | certutil -V -n certificate-name [-b time] [-e] [-u cert-usage] -d [sql:] | directory - | For example, to validate an email certificate: + | For example, to validate an email certificate: | $ certutil -V -n "John Smith's Email Cert" -e -u S,R -d sql:/home/my/sha | rednssdb - | Modifying Certificate Trust Settings - | The trust settings (which relate to the operations that a - | certificate is allowed to be used for) can be changed after a - | certificate is created or added to the database. This is - | especially useful for CA certificates, but it can be performed - | for any type of certificate. + | Modifying Certificate Trust Settings + | The trust settings (which relate to the operations that a + | certificate is allowed to be used for) can be changed after a + | certificate is created or added to the database. This is + | especially useful for CA certificates, but it can be performed + | for any type of certificate. | certutil -M -n certificate-name -t trust-args -d [sql:]directory - | For example: + | For example: | $ certutil -M -n "My CA Certificate" -d sql:/home/my/sharednssdb -t "CTu | ,CTu,CTu" - | Printing the Certificate Chain - | Certificates can be issued in chains because every certificate - | authority itself has a certificate; when a CA issues a - | certificate, it essentially stamps that certificate with its - | own fingerprint. The -O prints the full chain of a certificate, - | going from the initial CA (the root CA) through ever - | intermediary CA to the actual certificate. For example, for an - | email certificate with two CAs in the chain: + | Printing the Certificate Chain + | Certificates can be issued in chains because every certificate + | authority itself has a certificate; when a CA issues a + | certificate, it essentially stamps that certificate with its + | own fingerprint. The -O prints the full chain of a certificate, + | going from the initial CA (the root CA) through ever + | intermediary CA to the actual certificate. For example, for an + | email certificate with two CAs in the chain: | $ certutil -d sql:/home/my/sharednssdb -O -n "jsmith@example.com" | "Builtin Object Token:Thawte Personal Freemail CA" [E=personal-freemail@ | thawte.com,CN=Thawte Personal Freemail CA,OU=Certification Services Divi | sion,O=Thawte Consulting,L=Cape Town,ST=Western Cape,C=ZA] - | "Thawte Personal Freemail Issuing CA - Thawte Consulting" [CN=Thawte P + | "Thawte Personal Freemail Issuing CA - Thawte Consulting" [CN=Thawte P | ersonal Freemail Issuing CA,O=Thawte Consulting (Pty) Ltd.,C=ZA] - | "(null)" [E=jsmith@example.com,CN=Thawte Freemail Member] - | Resetting a Token - | The device which stores certificates -- both external hardware - | devices and internal software databases -- can be blanked and - | reused. This operation is performed on the device which stores - | the data, not directly on the security databases, so the - | location must be referenced through the token name (-h) as well - | as any directory path. If there is no external token used, the - | default value is internal. + | "(null)" [E=jsmith@example.com,CN=Thawte Freemail Member] + | Resetting a Token + | The device which stores certificates -- both external hardware + | devices and internal software databases -- can be blanked and + | reused. This operation is performed on the device which stores + | the data, not directly on the security databases, so the + | location must be referenced through the token name (-h) as well + | as any directory path. If there is no external token used, the + | default value is internal. | certutil -T -d [sql:]directory -h token-name -0 security-officer-passwor | d - | Many networks have dedicated personnel who handle changes to - | security tokens (the security officer). This person must supply - | the password to access the specified token. For example: + | Many networks have dedicated personnel who handle changes to + | security tokens (the security officer). This person must supply + | the password to access the specified token. For example: | $ certutil -T -d sql:/home/my/sharednssdb -h nethsm -0 secret - | Upgrading or Merging the Security Databases - | Many networks or applications may be using older BerkeleyDB - | versions of the certificate database (cert8.db). Databases can - | be upgraded to the new SQLite version of the database - | (cert9.db) using the --upgrade-merge command option or existing - | databases can be merged with the new cert9.db databases using - | the ---merge command. - | The --upgrade-merge command must give information about the - | original database and then use the standard arguments (like -d) - | to give the information about the new databases. The command - | also requires information that the tool uses for the process to - | upgrade and write over the original database. + | Upgrading or Merging the Security Databases + | Many networks or applications may be using older BerkeleyDB + | versions of the certificate database (cert8.db). Databases can + | be upgraded to the new SQLite version of the database + | (cert9.db) using the --upgrade-merge command option or existing + | databases can be merged with the new cert9.db databases using + | the ---merge command. + | The --upgrade-merge command must give information about the + | original database and then use the standard arguments (like -d) + | to give the information about the new databases. The command + | also requires information that the tool uses for the process to + | upgrade and write over the original database. | certutil --upgrade-merge -d [sql:]directory [-P dbprefix] --source-dir d | irectory --source-prefix dbprefix --upgrade-id id --upgrade-token-name n | ame [-@ password-file] - | For example: + | For example: | $ certutil --upgrade-merge -d sql:/home/my/sharednssdb --source-dir /opt | /my-app/alias/ --source-prefix serverapp- --upgrade-id 1 --upgrade-token | -name internal - | The --merge command only requires information about the - | location of the original database; since it doesn't change the - | format of the database, it can write over information without - | performing interim step. + | The --merge command only requires information about the + | location of the original database; since it doesn't change the + | format of the database, it can write over information without + | performing interim step. | certutil --merge -d [sql:]directory [-P dbprefix] --source-dir directory - | --source-prefix dbprefix [-@ password-file] - | For example: + | --source-prefix dbprefix [-@ password-file] + | For example: | $ certutil --merge -d sql:/home/my/sharednssdb --source-dir /opt/my-app/ | alias/ --source-prefix serverapp- - | Running certutil Commands from a Batch File - | A series of commands can be run sequentially from a text file - | with the -B command option. The only argument for this - | specifies the input file. + | Running certutil Commands from a Batch File + | A series of commands can be run sequentially from a text file + | with the -B command option. The only argument for this + | specifies the input file. | $ certutil -B -i /path/to/batch-file | NSS Database Types - | NSS originally used BerkeleyDB databases to store security - | information. The last versions of these legacy databases are: - | \* cert8.db for certificates - | \* key3.db for keys - | \* secmod.db for PKCS #11 module information - | BerkeleyDB has performance limitations, though, which prevent - | it from being easily used by multiple applications - | simultaneously. NSS has some flexibility that allows - | applications to use their own, independent database engine - | while keeping a shared database and working around the access - | issues. Still, NSS requires more flexibility to provide a truly - | shared security database. - | In 2009, NSS introduced a new set of databases that are SQLite - | databases rather than BerkleyDB. These new databases provide - | more accessibility and performance: - | \* cert9.db for certificates - | \* key4.db for keys - | \* pkcs11.txt, which is listing of all of the PKCS #11 modules - | contained in a new subdirectory in the security databases - | directory - | Because the SQLite databases are designed to be shared, these - | are the shared database type. The shared database type is - | preferred; the legacy format is included for backward - | compatibility. - | By default, the tools (certutil, pk12util, modutil) assume that - | the given security databases follow the more common legacy - | type. Using the SQLite databases must be manually specified by - | using the sql: prefix with the given security directory. For - | example: + | NSS originally used BerkeleyDB databases to store security + | information. The last versions of these legacy databases are: + | \* cert8.db for certificates + | \* key3.db for keys + | \* secmod.db for PKCS #11 module information + | BerkeleyDB has performance limitations, though, which prevent + | it from being easily used by multiple applications + | simultaneously. NSS has some flexibility that allows + | applications to use their own, independent database engine + | while keeping a shared database and working around the access + | issues. Still, NSS requires more flexibility to provide a truly + | shared security database. + | In 2009, NSS introduced a new set of databases that are SQLite + | databases rather than BerkleyDB. These new databases provide + | more accessibility and performance: + | \* cert9.db for certificates + | \* key4.db for keys + | \* pkcs11.txt, which is listing of all of the PKCS #11 modules + | contained in a new subdirectory in the security databases + | directory + | Because the SQLite databases are designed to be shared, these + | are the shared database type. The shared database type is + | preferred; the legacy format is included for backward + | compatibility. + | By default, the tools (certutil, pk12util, modutil) assume that + | the given security databases follow the more common legacy + | type. Using the SQLite databases must be manually specified by + | using the sql: prefix with the given security directory. For + | example: | $ certutil -L -d sql:/home/my/sharednssdb - | To set the shared database type as the default type for the - | tools, set the NSS_DEFAULT_DB_TYPE environment variable to sql: + | To set the shared database type as the default type for the + | tools, set the NSS_DEFAULT_DB_TYPE environment variable to sql: | export NSS_DEFAULT_DB_TYPE="sql" - | This line can be set added to the ~/.bashrc file to make the - | change permanent. - | Most applications do not use the shared database by default, - | but they can be configured to use them. For example, this - | how-to article covers how to configure Firefox and Thunderbird - | to use the new shared NSS databases: - | \* https://wiki.mozilla.org/NSS_Shared_DB_Howto - | For an engineering draft on the changes in the shared NSS - | databases, see the NSS project wiki: - | \* https://wiki.mozilla.org/NSS_Shared_DB + | This line can be set added to the ~/.bashrc file to make the + | change permanent. + | Most applications do not use the shared database by default, + | but they can be configured to use them. For example, this + | how-to article covers how to configure Firefox and Thunderbird + | to use the new shared NSS databases: + | \* https://wiki.mozilla.org/NSS_Shared_DB_Howto + | For an engineering draft on the changes in the shared NSS + | databases, see the NSS project wiki: + | \* https://wiki.mozilla.org/NSS_Shared_DB | See Also - | pk12util (1) - | modutil (1) - | certutil has arguments or operations that use features defined - | in several IETF RFCs. - | \* `http://tools.ietf.org/html/rfc5280 <https://datatracker.ietf.org/doc/html/rfc5280>`__ - | \* `http://tools.ietf.org/html/rfc1113 <https://datatracker.ietf.org/doc/html/rfc1113>`__ - | \* `http://tools.ietf.org/html/rfc1485 <https://datatracker.ietf.org/doc/html/rfc1485>`__ - | The NSS wiki has information on the new database design and how - | to configure applications to use it. - | \* https://wiki.mozilla.org/NSS_Shared_DB_Howto - | \* https://wiki.mozilla.org/NSS_Shared_DB + | pk12util (1) + | modutil (1) + | certutil has arguments or operations that use features defined + | in several IETF RFCs. + | \* `http://tools.ietf.org/html/rfc5280 <https://datatracker.ietf.org/doc/html/rfc5280>`__ + | \* `http://tools.ietf.org/html/rfc1113 <https://datatracker.ietf.org/doc/html/rfc1113>`__ + | \* `http://tools.ietf.org/html/rfc1485 <https://datatracker.ietf.org/doc/html/rfc1485>`__ + | The NSS wiki has information on the new database design and how + | to configure applications to use it. + | \* https://wiki.mozilla.org/NSS_Shared_DB_Howto + | \* https://wiki.mozilla.org/NSS_Shared_DB | Additional Resources - | For information about NSS and other tools related to NSS (like - | JSS), check out the NSS project wiki at - | + | For information about NSS and other tools related to NSS (like + | JSS), check out the NSS project wiki at + | `http://www.mozilla.org/projects/security/pki/nss/ <https://www.mozilla.org/projects/security/pki/nss/>`__. The NSS site - | relates directly to NSS code changes and releases. - | Mailing lists: - | https://lists.mozilla.org/listinfo/dev-tech-crypto - | IRC: Freenode at #dogtag-pki + | relates directly to NSS code changes and releases. + | Mailing lists: + | https://lists.mozilla.org/listinfo/dev-tech-crypto + | IRC: Freenode at #dogtag-pki | Authors - | The NSS tools were written and maintained by developers with - | Netscape, Red Hat, Sun, Oracle, Mozilla, and Google. - | Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey - | <dlackey@redhat.com>. + | The NSS tools were written and maintained by developers with + | Netscape, Red Hat, Sun, Oracle, Mozilla, and Google. + | Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey + | <dlackey@redhat.com>. | LICENSE - | Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not + | Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can - | obtain one at https://mozilla.org/MPL/2.0/. + | obtain one at https://mozilla.org/MPL/2.0/. | NOTES - | 1. Mozilla NSS bug 836477 - | https://bugzilla.mozilla.org/show_bug.cgi?id=836477
\ No newline at end of file + | 1. Mozilla NSS bug 836477 + | https://bugzilla.mozilla.org/show_bug.cgi?id=836477
\ No newline at end of file |