Diffstat (limited to 'doc/rst/legacy/tools/crlutil/index.rst')
-rw-r--r-- | doc/rst/legacy/tools/crlutil/index.rst | 412 |
1 files changed, 206 insertions, 206 deletions
diff --git a/doc/rst/legacy/tools/crlutil/index.rst b/doc/rst/legacy/tools/crlutil/index.rst index 90b38cc91..ee68b4dbf 100644 --- a/doc/rst/legacy/tools/crlutil/index.rst +++ b/doc/rst/legacy/tools/crlutil/index.rst 
@@ -6,224 +6,224 @@ NSS tools : crlutil .. container:: | Name - | crlutil — List, generate, modify, or delete CRLs within the NSS security - | database file(s) and list, create, modify or delete certificates entries - | in a particular CRL. + | crlutil — List, generate, modify, or delete CRLs within the NSS security + | database file(s) and list, create, modify or delete certificates entries + | in a particular CRL. | Synopsis - | crlutil [options] `arguments <arguments>`__ + | crlutil [options] `arguments <arguments>`__ | Description - | The Certificate Revocation List (CRL) Management Tool, crlutil, is a - | command-line utility that can list, generate, modify, or delete CRLs - | within the NSS security database file(s) and list, create, modify or - | delete certificates entries in a particular CRL. - | The key and certificate management process generally begins with creating - | keys in the key database, then generating and managing certificates in the - | certificate database(see certutil tool) and continues with certificates - | expiration or revocation. - | This document discusses certificate revocation list management. For - | information on security module database management, see Using the Security - | Module Database Tool. For information on certificate and key database - | management, see Using the Certificate Database Tool. - | To run the Certificate Revocation List Management Tool, type the command - | crlutil option [arguments] - | where options and arguments are combinations of the options and arguments - | listed in the following section. Each command takes one option. Each - | option may take zero or more arguments. To see a usage string, issue the - | command without options, or with the -H option. 
+ | The Certificate Revocation List (CRL) Management Tool, crlutil, is a + | command-line utility that can list, generate, modify, or delete CRLs + | within the NSS security database file(s) and list, create, modify or + | delete certificates entries in a particular CRL. + | The key and certificate management process generally begins with creating + | keys in the key database, then generating and managing certificates in the + | certificate database(see certutil tool) and continues with certificates + | expiration or revocation. + | This document discusses certificate revocation list management. For + | information on security module database management, see Using the Security + | Module Database Tool. For information on certificate and key database + | management, see Using the Certificate Database Tool. + | To run the Certificate Revocation List Management Tool, type the command + | crlutil option [arguments] + | where options and arguments are combinations of the options and arguments + | listed in the following section. Each command takes one option. Each + | option may take zero or more arguments. To see a usage string, issue the + | command without options, or with the -H option. | Options and Arguments - | Options - | Options specify an action. Option arguments modify an action. The options - | and arguments for the crlutil command are defined as follows: - | -G - | Create new Certificate Revocation List(CRL). - | -D - | Delete Certificate Revocation List from cert database. - | -I - | Import a CRL to the cert database - | -E - | Erase all CRLs of specified type from the cert database - | -L - | List existing CRL located in cert database file. - | -M - | Modify existing CRL which can be located in cert db or in - | arbitrary file. If located in file it should be encoded in ASN.1 - | encode format. - | -G - | Arguments - | Option arguments modify an action and are lowercase. - | -B - | Bypass CA signature checks. 
- | -P dbprefix - | Specify the prefix used on the NSS security database files (for - | example, my_cert8.db and my_key3.db). This option is provided as a - | special case. Changing the names of the certificate and key - | databases is not recommended. - | -a - | Use ASCII format or allow the use of ASCII format for input and - | output. This formatting follows RFC #1113. - | -c crl-gen-file - | Specify script file that will be used to control crl - | generation/modification. See crl-cript-file format below. If - | options -M|-G is used and -c crl-script-file is not specified, - | crlutil will read script data from standard input. - | -d directory - | Specify the database directory containing the certificate and key - | database files. On Unix the Certificate Database Tool defaults to - | $HOME/.netscape (that is, ~/.netscape). On Windows NT the default - | is the current directory. - | The NSS database files must reside in the same directory. - | -i crl-import-file - | Specify the file which contains the CRL to import - | -f password-file - | Specify a file that will automatically supply the password to - | include in a certificate or to access a certificate database. This - | is a plain-text file containing one password. Be sure to prevent - | unauthorized access to this file. - | -l algorithm-name - | Specify a specific signature algorithm. List of possible - | algorithms: MD2 \| MD4 \| MD5 \| SHA1 \| SHA256 \| SHA384 \| SHA512 - | -n nickname - | Specify the nickname of a certificate or key to list, create, add - | to a database, modify, or validate. Bracket the nickname string - | with quotation marks if it contains spaces. - | -o output-file - | Specify the output file name for new CRL. Bracket the output-file - | string with quotation marks if it contains spaces. If this - | argument is not used the output destination defaults to standard - | output. - | -t crl-type - | Specify type of CRL. possible types are: 0 - SEC_KRL_TYPE, 1 - - | SEC_CRL_TYPE. 
This option is obsolete - | -u url - | Specify the url. + | Options + | Options specify an action. Option arguments modify an action. The options + | and arguments for the crlutil command are defined as follows: + | -G + | Create new Certificate Revocation List(CRL). + | -D + | Delete Certificate Revocation List from cert database. + | -I + | Import a CRL to the cert database + | -E + | Erase all CRLs of specified type from the cert database + | -L + | List existing CRL located in cert database file. + | -M + | Modify existing CRL which can be located in cert db or in + | arbitrary file. If located in file it should be encoded in ASN.1 + | encode format. + | -G + | Arguments + | Option arguments modify an action and are lowercase. + | -B + | Bypass CA signature checks. + | -P dbprefix + | Specify the prefix used on the NSS security database files (for + | example, my_cert8.db and my_key3.db). This option is provided as a + | special case. Changing the names of the certificate and key + | databases is not recommended. + | -a + | Use ASCII format or allow the use of ASCII format for input and + | output. This formatting follows RFC #1113. + | -c crl-gen-file + | Specify script file that will be used to control crl + | generation/modification. See crl-cript-file format below. If + | options -M|-G is used and -c crl-script-file is not specified, + | crlutil will read script data from standard input. + | -d directory + | Specify the database directory containing the certificate and key + | database files. On Unix the Certificate Database Tool defaults to + | $HOME/.netscape (that is, ~/.netscape). On Windows NT the default + | is the current directory. + | The NSS database files must reside in the same directory. + | -i crl-import-file + | Specify the file which contains the CRL to import + | -f password-file + | Specify a file that will automatically supply the password to + | include in a certificate or to access a certificate database. 
This + | is a plain-text file containing one password. Be sure to prevent + | unauthorized access to this file. + | -l algorithm-name + | Specify a specific signature algorithm. List of possible + | algorithms: MD2 \| MD4 \| MD5 \| SHA1 \| SHA256 \| SHA384 \| SHA512 + | -n nickname + | Specify the nickname of a certificate or key to list, create, add + | to a database, modify, or validate. Bracket the nickname string + | with quotation marks if it contains spaces. + | -o output-file + | Specify the output file name for new CRL. Bracket the output-file + | string with quotation marks if it contains spaces. If this + | argument is not used the output destination defaults to standard + | output. + | -t crl-type + | Specify type of CRL. possible types are: 0 - SEC_KRL_TYPE, 1 - + | SEC_CRL_TYPE. This option is obsolete + | -u url + | Specify the url. | CRL Generation script syntax - | CRL generation script file has the following syntax: - | \* Line with comments should have # as a first symbol of a line - | \* Set "this update" or "next update" CRL fields: - | update=YYYYMMDDhhmmssZ nextupdate=YYYYMMDDhhmmssZ - | Field "next update" is optional. Time should be in GeneralizedTime format - | (YYYYMMDDhhmmssZ). For example: 20050204153000Z - | \* Add an extension to a CRL or a crl certificate entry: - | addext extension-name critical/non-critical [arg1[arg2 ...]] - | Where: - | extension-name: string value of a name of known extensions. - | critical/non-critical: is 1 when extension is critical and 0 otherwise. - | arg1, arg2: specific to extension type extension parameters - | addext uses the range that was set earlier by addcert and will install an - | extension to every cert entries within the range. - | \* Add certificate entries(s) to CRL: - | addcert range date - | range: two integer values separated by dash: range of certificates that - | will be added by this command. dash is used as a delimiter. Only one cert - | will be added if there is no delimiter. 
date: revocation date of a cert. - | Date should be represented in GeneralizedTime format (YYYYMMDDhhmmssZ). - | \* Remove certificate entry(s) from CRL - | rmcert range - | Where: - | range: two integer values separated by dash: range of certificates that - | will be added by this command. dash is used as a delimiter. Only one cert - | will be added if there is no delimiter. - | \* Change range of certificate entry(s) in CRL - | range new-range - | Where: - | new-range: two integer values separated by dash: range of certificates - | that will be added by this command. dash is used as a delimiter. Only one - | cert will be added if there is no delimiter. - | Implemented Extensions - | The extensions defined for CRL provide methods for associating additional - | attributes with CRLs of theirs entries. For more information see RFC #3280 - | \* Add The Authority Key Identifier extension: - | The authority key identifier extension provides a means of identifying the - | public key corresponding to the private key used to sign a CRL. - | authKeyId critical [key-id \| dn cert-serial] - | Where: - | authKeyIdent: identifies the name of an extension critical: value of 1 of - | 0. Should be set to 1 if this extension is critical or 0 otherwise. - | key-id: key identifier represented in octet string. dn:: is a CA - | distinguished name cert-serial: authority certificate serial number. - | \* Add Issuer Alternative Name extension: - | The issuer alternative names extension allows additional identities to be - | associated with the issuer of the CRL. Defined options include an rfc822 - | name (electronic mail address), a DNS name, an IP address, and a URI. 
- | issuerAltNames non-critical name-list - | Where: - | subjAltNames: identifies the name of an extension should be set to 0 since - | this is non-critical extension name-list: comma separated list of names - | \* Add CRL Number extension: - | The CRL number is a non-critical CRL extension which conveys a - | monotonically increasing sequence number for a given CRL scope and CRL - | issuer. This extension allows users to easily determine when a particular - | CRL supersedes another CRL - | crlNumber non-critical number - | Where: - | crlNumber: identifies the name of an extension critical: should be set to - | 0 since this is non-critical extension number: value of long which - | identifies the sequential number of a CRL. - | \* Add Revocation Reason Code extension: - | The reasonCode is a non-critical CRL entry extension that identifies the - | reason for the certificate revocation. - | reasonCode non-critical code - | Where: - | reasonCode: identifies the name of an extension non-critical: should be - | set to 0 since this is non-critical extension code: the following codes - | are available: - | unspecified (0), keyCompromise (1), cACompromise (2), affiliationChanged - | (3), superseded (4), cessationOfOperation (5), certificateHold (6), - | removeFromCRL (8), privilegeWithdrawn (9), aACompromise (10) - | \* Add Invalidity Date extension: - | The invalidity date is a non-critical CRL entry extension that provides - | the date on which it is known or suspected that the private key was - | compromised or that the certificate otherwise became invalid. - | invalidityDate non-critical date - | Where: - | crlNumber: identifies the name of an extension non-critical: should be set - | to 0 since this is non-critical extension date: invalidity date of a cert. - | Date should be represented in GeneralizedTime format (YYYYMMDDhhmmssZ). 
+ | CRL generation script file has the following syntax: + | \* Line with comments should have # as a first symbol of a line + | \* Set "this update" or "next update" CRL fields: + | update=YYYYMMDDhhmmssZ nextupdate=YYYYMMDDhhmmssZ + | Field "next update" is optional. Time should be in GeneralizedTime format + | (YYYYMMDDhhmmssZ). For example: 20050204153000Z + | \* Add an extension to a CRL or a crl certificate entry: + | addext extension-name critical/non-critical [arg1[arg2 ...]] + | Where: + | extension-name: string value of a name of known extensions. + | critical/non-critical: is 1 when extension is critical and 0 otherwise. + | arg1, arg2: specific to extension type extension parameters + | addext uses the range that was set earlier by addcert and will install an + | extension to every cert entries within the range. + | \* Add certificate entries(s) to CRL: + | addcert range date + | range: two integer values separated by dash: range of certificates that + | will be added by this command. dash is used as a delimiter. Only one cert + | will be added if there is no delimiter. date: revocation date of a cert. + | Date should be represented in GeneralizedTime format (YYYYMMDDhhmmssZ). + | \* Remove certificate entry(s) from CRL + | rmcert range + | Where: + | range: two integer values separated by dash: range of certificates that + | will be added by this command. dash is used as a delimiter. Only one cert + | will be added if there is no delimiter. + | \* Change range of certificate entry(s) in CRL + | range new-range + | Where: + | new-range: two integer values separated by dash: range of certificates + | that will be added by this command. dash is used as a delimiter. Only one + | cert will be added if there is no delimiter. + | Implemented Extensions + | The extensions defined for CRL provide methods for associating additional + | attributes with CRLs of theirs entries. 
For more information see RFC #3280 + | \* Add The Authority Key Identifier extension: + | The authority key identifier extension provides a means of identifying the + | public key corresponding to the private key used to sign a CRL. + | authKeyId critical [key-id \| dn cert-serial] + | Where: + | authKeyIdent: identifies the name of an extension critical: value of 1 of + | 0. Should be set to 1 if this extension is critical or 0 otherwise. + | key-id: key identifier represented in octet string. dn:: is a CA + | distinguished name cert-serial: authority certificate serial number. + | \* Add Issuer Alternative Name extension: + | The issuer alternative names extension allows additional identities to be + | associated with the issuer of the CRL. Defined options include an rfc822 + | name (electronic mail address), a DNS name, an IP address, and a URI. + | issuerAltNames non-critical name-list + | Where: + | subjAltNames: identifies the name of an extension should be set to 0 since + | this is non-critical extension name-list: comma separated list of names + | \* Add CRL Number extension: + | The CRL number is a non-critical CRL extension which conveys a + | monotonically increasing sequence number for a given CRL scope and CRL + | issuer. This extension allows users to easily determine when a particular + | CRL supersedes another CRL + | crlNumber non-critical number + | Where: + | crlNumber: identifies the name of an extension critical: should be set to + | 0 since this is non-critical extension number: value of long which + | identifies the sequential number of a CRL. + | \* Add Revocation Reason Code extension: + | The reasonCode is a non-critical CRL entry extension that identifies the + | reason for the certificate revocation. 
+ | reasonCode non-critical code + | Where: + | reasonCode: identifies the name of an extension non-critical: should be + | set to 0 since this is non-critical extension code: the following codes + | are available: + | unspecified (0), keyCompromise (1), cACompromise (2), affiliationChanged + | (3), superseded (4), cessationOfOperation (5), certificateHold (6), + | removeFromCRL (8), privilegeWithdrawn (9), aACompromise (10) + | \* Add Invalidity Date extension: + | The invalidity date is a non-critical CRL entry extension that provides + | the date on which it is known or suspected that the private key was + | compromised or that the certificate otherwise became invalid. + | invalidityDate non-critical date + | Where: + | crlNumber: identifies the name of an extension non-critical: should be set + | to 0 since this is non-critical extension date: invalidity date of a cert. + | Date should be represented in GeneralizedTime format (YYYYMMDDhhmmssZ). | Usage - | The Certificate Revocation List Management Tool's capabilities are grouped - | as follows, using these combinations of options and arguments. Options and - | arguments in square brackets are optional, those without square brackets - | are required. - | See "Implemented extensions" for more information regarding extensions and - | their parameters. - | \* Creating or modifying a CRL: - | crlutil -G|-M -c crl-gen-file -n nickname [-i crl] [-u url] [-d keydir] [-P dbprefix] [-l alg] + | The Certificate Revocation List Management Tool's capabilities are grouped + | as follows, using these combinations of options and arguments. Options and + | arguments in square brackets are optional, those without square brackets + | are required. + | See "Implemented extensions" for more information regarding extensions and + | their parameters. 
+ | \* Creating or modifying a CRL: + | crlutil -G|-M -c crl-gen-file -n nickname [-i crl] [-u url] [-d keydir] [-P dbprefix] [-l alg] [-a] [-B] - | \* Listing all CRls or a named CRL: - | crlutil -L [-n crl-name] [-d krydir] - | \* Deleting CRL from db: - | crlutil -D -n nickname [-d keydir] [-P dbprefix] - | \* Erasing CRLs from db: - | crlutil -E [-d keydir] [-P dbprefix] - | \* Deleting CRL from db: - | crlutil -D -n nickname [-d keydir] [-P dbprefix] - | \* Erasing CRLs from db: - | crlutil -E [-d keydir] [-P dbprefix] - | \* Import CRL from file: - | crlutil -I -i crl [-t crlType] [-u url] [-d keydir] [-P dbprefix] [-B] + | \* Listing all CRls or a named CRL: + | crlutil -L [-n crl-name] [-d krydir] + | \* Deleting CRL from db: + | crlutil -D -n nickname [-d keydir] [-P dbprefix] + | \* Erasing CRLs from db: + | crlutil -E [-d keydir] [-P dbprefix] + | \* Deleting CRL from db: + | crlutil -D -n nickname [-d keydir] [-P dbprefix] + | \* Erasing CRLs from db: + | crlutil -E [-d keydir] [-P dbprefix] + | \* Import CRL from file: + | crlutil -I -i crl [-t crlType] [-u url] [-d keydir] [-P dbprefix] [-B] | See also - | certutil(1) + | certutil(1) | See Also | Additional Resources - | NSS is maintained in conjunction with PKI and security-related projects - | through Mozilla dn Fedora. The most closely-related project is Dogtag PKI, - | with a project wiki at [1]\ http://pki.fedoraproject.org/wiki/. - | For information specifically about NSS, the NSS project wiki is located at - | + | NSS is maintained in conjunction with PKI and security-related projects + | through Mozilla dn Fedora. The most closely-related project is Dogtag PKI, + | with a project wiki at [1]\ http://pki.fedoraproject.org/wiki/. + | For information specifically about NSS, the NSS project wiki is located at + | [2]\ `http://www.mozilla.org/projects/security/pki/nss/ <https://www.mozilla.org/projects/security/pki/nss/>`__. The NSS site relates - | directly to NSS code changes and releases. 
- | Mailing lists: pki-devel@redhat.com and pki-users@redhat.com - | IRC: Freenode at #dogtag-pki + | directly to NSS code changes and releases. + | Mailing lists: pki-devel@redhat.com and pki-users@redhat.com + | IRC: Freenode at #dogtag-pki | Authors - | The NSS tools were written and maintained by developers with Netscape and - | now with Red Hat. - | Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey - | <dlackey@redhat.com>. + | The NSS tools were written and maintained by developers with Netscape and + | now with Red Hat. + | Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey + | <dlackey@redhat.com>. | Copyright - | (c) 2010, Red Hat, Inc. Licensed under the GNU Public License version 2. + | (c) 2010, Red Hat, Inc. Licensed under the GNU Public License version 2. | References - | Visible links - | 1. http://pki.fedoraproject.org/wiki/ - | 2. + | Visible links + | 1. http://pki.fedoraproject.org/wiki/ + | 2. `http://www.mozilla.org/projects/security/pki/nss/ <https://www.mozilla.org/projects/security/pki/nss/>`__
\ No newline at end of file |
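Review bot: this hunk only re-indents the `|` line blocks (the diffstat shows 206 insertions against 206 deletions with no text changes), yet it carries several defects of the original page through unchanged, and a whitespace-only change is the cheapest place to lose them, so either fold the fixes in here or open a follow-up right away. Visible in the hunk: the `-G` option is listed twice under Options (the second time, just before `Arguments`, with no description); the `Deleting CRL from db` / `Erasing CRLs from db` usage pairs are duplicated, as are the `See also` and `See Also` headings; the `Where:` blocks for `rmcert` and `range` are copy-pasted from `addcert` and still say the certificates "will be added"; the `issuerAltNames` block names `subjAltNames` and the `invalidityDate` block names `crlNumber`; and there are plain typos (`crl-cript-file`, `krydir`, `CRls`, `Mozilla dn Fedora`, `value of 1 of 0`, `certificate database(see certutil tool)`). Two points are worth a sentence of their own in the doc rather than a typo fix: the `-l algorithm-name` list presents `MD2 | MD4 | MD5 | SHA1` alongside the SHA-2 options with no indication that the first four are not acceptable for signing a CRL today, and `-B` (`Bypass CA signature checks`) deserves a note that it disables the check that protects the database from an attacker-supplied CRL, so it belongs in test setups only.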