Source code
Revision control
Copy as Markdown
Other Tools
.. _mozilla_projects_nss_tools_certutil:
certutil
========
.. container::
| Name
| certutil — Manage keys and certificate in the NSS database.
| Synopsis
| certutil [options] `arguments <arguments>`__
| Description
| The Certificate Database Tool, certutil, is a command-line utility that
| can create and modify certificate and key database files. It can also
| list, generate, modify, or delete certificates within the database, create
| or change the password, generate new public and private key pairs, display
| the contents of the key database, or delete key pairs within the key
| database.
| The key and certificate management process generally begins with creating
| keys in the key database, then generating and managing certificates in the
| certificate database. This document discusses certificate and key database
| management. For information security module database management, see the
| modutil manpages.
| Options and Arguments
| Running certutil always requires one (and only one) option to specify the
| type of certificate operation. Each option may take arguments, anywhere
| from none to multiple arguments. Run the command option and -H to see the
| arguments available for each command option.
| Options
| Options specify an action and are uppercase.
| -A
| Add an existing certificate to a certificate database. The
| certificate database should already exist; if one is not present,
| this option will initialize one by default.
| -B
| Run a series of commands from the specified batch file. This
| requires the -i argument.
| -C
| Create a new binary certificate file from a binary certificate
| request file. Use the -i argument to specify the certificate
| request file. If this argument is not used, certutil prompts for a
| filename.
| -D
| Delete a certificate from the certificate database.
| -E
| Add an email certificate to the certificate database.
| -F
| Delete a private key from a key database. Specify the key to
| delete with the -n argument. Specify the database from which to
| delete the key with the -d argument. Use the -k argument to
| specify explicitly whether to delete a DSA, RSA, or ECC key. If
| you don't use the -k argument, the option looks for an RSA key
| matching the specified nickname.
| When you delete keys, be sure to also remove any certificates
| associated with those keys from the certificate database, by using
| -D. Some smart cards (for example, the Litronic card) do not let
| you remove a public key you have generated. In such a case, only
| the private key is deleted from the key pair. You can display the
| public key with the command certutil -K -h tokenname.
| -G
| Generate a new public and private key pair within a key database.
| The key database should already exist; if one is not present, this
| option will initialize one by default. Some smart cards (for
| example, the Litronic card) can store only one key pair. If you
| create a new key pair for such a card, the previous pair is
| overwritten.
| -H
| Display a list of the options and arguments used by the
| Certificate Database Tool.
| -K
| List the key ID of keys in the key database. A key ID is the
| modulus of the RSA key or the publicValue of the DSA key. IDs are
| displayed in hexadecimal ("0x" is not shown).
| -L
| List all the certificates, or display information about a named
| certificate, in a certificate database. Use the -h tokenname
| argument to specify the certificate database on a particular
| hardware or software token.
| -M
| Modify a certificate's trust attributes using the values of the -t
| argument.
| -N
| Create new certificate and key databases.
| -O
| Print the certificate chain.
| -R
| Create a certificate request file that can be submitted to a
| Certificate Authority (CA) for processing into a finished
| certificate. Output defaults to standard out unless you use -o
| output-file argument. Use the -a argument to specify ASCII output.
| -S
| Create an individual certificate and add it to a certificate
| database.
| -T
| Reset the key database or token.
| -U
| List all available modules or print a single named module.
| -V
| Check the validity of a certificate and its attributes.
| -W
| Change the password to a key database.
| --merge
| Merge a source database into the target database. This is used to
| merge legacy NSS databases (cert8.db and key3.db) into the newer
| SQLite databases (cert9.db and key4.db).
| --upgrade-merge
| Upgrade an old database and merge it into a new database. This is
| used to migrate legacy NSS databases (cert8.db and key3.db) into
| the newer SQLite databases (cert9.db and key4.db).
| Arguments
| Option arguments modify an action and are lowercase.
| -a
| Use ASCII format or allow the use of ASCII format for input or
| output. This formatting follows RFC 1113. For certificate
| requests, ASCII output defaults to standard output unless
| redirected.
| -b validity-time
| Specify a time at which a certificate is required to be valid. Use
| when checking certificate validity with the -V option. The format
| of the validity-time argument is YYMMDDHHMMSS[+HHMM|-HHMM|Z],
| which allows offsets to be set relative to the validity end time.
| Specifying seconds (SS) is optional. When specifying an explicit
| time, use a Z at the end of the term, YYMMDDHHMMSSZ, to close it.
| When specifying an offset time, use YYMMDDHHMMSS+HHMM or
| YYMMDDHHMMSS-HHMM for adding or subtracting time, respectively.
| If this option is not used, the validity check defaults to the
| current system time.
| -c issuer
| Identify the certificate of the CA from which a new certificate
| will derive its authenticity. Use the exact nickname or alias of
| the CA certificate, or use the CA's email address. Bracket the
| issuer string with quotation marks if it contains spaces.
| -d [sql:]directory
| Specify the database directory containing the certificate and key
| database files.
| certutil supports two types of databases: the legacy security
| databases (cert8.db, key3.db, and secmod.db) and new SQLite
| databases (cert9.db, key4.db, and pkcs11.txt). If the prefix sql:
| is not used, then the tool assumes that the given databases are in
| the old format.
| -e
| Check a certificate's signature during the process of validating a
| certificate.
| -f password-file
| Specify a file that will automatically supply the password to
| include in a certificate or to access a certificate database. This
| is a plain-text file containing one password. Be sure to prevent
| unauthorized access to this file.
| -g keysize
| Set a key size to use when generating new public and private key
| pairs. The minimum is 512 bits and the maximum is 8192 bits. The
| default is 1024 bits. Any size between the minimum and maximum is
| allowed.
| -h tokenname
| Specify the name of a token to use or act on. Unless specified
| otherwise the default token is an internal slot (specifically,
| internal slot 2). This slot can also be explicitly named with the
| string "internal". An internal slots is a virtual slot maintained
| in software, rather than a hardware device. Internal slot 2 is
| used by key and certificate services. Internal slot 1 is used by
| cryptographic services.
| -i input_file
| Pass an input file to the command. Depending on the command
| option, an input file can be a specific certificate, a certificate
| request file, or a batch file of commands.
| -k rsa|dsa|ec|all
| Specify the type of a key. The valid options are RSA, DSA, ECC, or
| all. The default value is rsa. Specifying the type of key can
| avoid mistakes caused by duplicate nicknames.
| -k key-type-or-id
| Specify the type or specific ID of a key. Giving a key type
| generates a new key pair; giving the ID of an existing key reuses
| that key pair (which is required to renew certificates).
| -l
| Display detailed information when validating a certificate with
| the -V option.
| -m serial-number
| Assign a unique serial number to a certificate being created. This
| operation should be performed by a CA. The default serial number
| is 0 (zero). Serial numbers are limited to integers.
| -n nickname
| Specify the nickname of a certificate or key to list, create, add
| to a database, modify, or validate. Bracket the nickname string
| with quotation marks if it contains spaces.
| -o output-file
| Specify the output file name for new certificates or binary
| certificate requests. Bracket the output-file string with
| quotation marks if it contains spaces. If this argument is not
| used the output destination defaults to standard output.
| -P dbPrefix
| Specify the prefix used on the certificate and key database file.
| This option is provided as a special case. Changing the names of
| the certificate and key databases is not recommended.
| -p phone
| Specify a contact telephone number to include in new certificates
| or certificate requests. Bracket this string with quotation marks
| if it contains spaces.
| -q pqgfile
| Read an alternate PQG value from the specified file when
| generating DSA key pairs. If this argument is not used, certutil
| generates its own PQG value. PQG files are created with a separate
| DSA utility.
| -q curve-name
| Set the elliptic curve name to use when generating ECC key pairs.
| A complete list of ECC curves is given in the help (-H).
| -r
| Display a certificate's binary DER encoding when listing
| information about that certificate with the -L option.
| -s subject
| Identify a particular certificate owner for new certificates or
| certificate requests. Bracket this string with quotation marks if
| it contains spaces. The subject identification format follows RFC
| #1485.
| -t trustargs
| Specify the trust attributes to modify in an existing certificate
| or to apply to a certificate when creating it or adding it to a
| database. There are three available trust categories for each
| certificate, expressed in the order SSL, email, object signing for
| each trust setting. In each category position, use none, any, or
| all of the attribute codes:
| o p - Valid peer
| o P - Trusted peer (implies p)
| o c - Valid CA
| o T - Trusted CA to issue client certificates (implies c)
| o C - Trusted CA to issue server certificates (SSL only)
| (implies c)
| o u - Certificate can be used for authentication or signing
| o w - Send warning (use with other attributes to include a
| warning when the certificate is used in that context)
| The attribute codes for the categories are separated by commas,
| and the entire set of attributes enclosed by quotation marks. For
| example:
| -t "TCu,Cu,Tuw"
| Use the -L option to see a list of the current certificates and
| trust attributes in a certificate database.
| -u certusage
| Specify a usage context to apply when validating a certificate
| with the -V option.
| The contexts are the following:
| o C (as an SSL client)
| o V (as an SSL server)
| o S (as an email signer)
| o R (as an email recipient)
| o O (as an OCSP status responder)
| o J (as an object signer)
| -v valid-months
| Set the number of months a new certificate will be valid. The
| validity period begins at the current system time unless an offset
| is added or subtracted with the -w option. If this argument is not
| used, the default validity period is three months. When this
| argument is used, the default three-month period is automatically
| added to any value given in the valid-month argument. For example,
| using this option to set a value of 3 would cause 3 to be added to
| the three-month default, creating a validity period of six months.
| You can use negative values to reduce the default period. For
| example, setting a value of -2 would subtract 2 from the default
| and create a validity period of one month.
| -w offset-months
| Set an offset from the current system time, in months, for the
| beginning of a certificate's validity period. Use when creating
| the certificate or adding it to a database. Express the offset in
| integers, using a minus sign (-) to indicate a negative offset. If
| this argument is not used, the validity period begins at the
| current system time. The length of the validity period is set with
| the -v argument.
| -X
| Force the key and certificate database to open in read-write mode.
| This is used with the -U and -L command options.
| -x
| Use certutil to generate the signature for a certificate being
| created or added to a database, rather than obtaining a signature
| from a separate CA.
| -y exp
| Set an alternate exponent value to use in generating a new RSA
| public key for the database, instead of the default value of
| 65537. The available alternate values are 3 and 17.
| -z noise-file
| Read a seed value from the specified file to generate a new
| private and public key pair. This argument makes it possible to
| use hardware-generated seed values or manually create a value from
| the keyboard. The minimum file size is 20 bytes.
| -0 SSO_password
| Set a site security officer password on a token.
| -1 \| --keyUsage keyword,keyword
| Set a Netscape Certificate Type Extension in the certificate.
| There are several available keywords:
| o digital signature
| o nonRepudiation
| o keyEncipherment
| o dataEncipherment
| o keyAgreement
| o certSigning
| o crlSigning
| o critical
| -2
| Add a basic constraint extension to a certificate that is being
| created or added to a database. This extension supports the
| certificate chain verification process. certutil prompts for the
| certificate constraint extension to select.
| X.509 certificate extensions are described in RFC 5280.
| -3
| Add an authority key ID extension to a certificate that is being
| created or added to a database. This extension supports the
| identification of a particular certificate, from among multiple
| certificates associated with one subject name, as the correct
| issuer of a certificate. The Certificate Database Tool will prompt
| you to select the authority key ID extension.
| X.509 certificate extensions are described in RFC 5280.
| -4
| Add a CRL distribution point extension to a certificate that is
| being created or added to a database. This extension identifies
| the URL of a certificate's associated certificate revocation list
| (CRL). certutil prompts for the URL.
| X.509 certificate extensions are described in RFC 5280.
| -5 \| --nsCertType keyword,keyword
| Add a Netscape certificate type extension to a certificate that is
| being created or added to the database. There are several
| available keywords:
| o sslClient
| o sslServer
| o smime
| o objectSigning
| o sslCA
| o smimeCA
| o objectSigningCA
| o critical
| X.509 certificate extensions are described in RFC 5280.
| -6 \| --extKeyUsage keyword,keyword
| Add an extended key usage extension to a certificate that is being
| created or added to the database. Several keywords are available:
| o serverAuth
| o clientAuth
| o codeSigning
| o emailProtection
| o timeStamp
| o ocspResponder
| o stepUp
| o critical
| X.509 certificate extensions are described in RFC 5280.
| -7 emailAddrs
| Add a comma-separated list of email addresses to the subject
| alternative name extension of a certificate or certificate request
| that is being created or added to the database. Subject
| alternative name extensions are described in Section 4.2.1.7 of
| RFC 3280.
| -8 dns-names
| Add a comma-separated list of DNS names to the subject alternative
| name extension of a certificate or certificate request that is
| being created or added to the database. Subject alternative name
| extensions are described in Section 4.2.1.7 of RFC 3280.
| --extAIA
| Add the Authority Information Access extension to the certificate.
| X.509 certificate extensions are described in RFC 5280.
| --extSIA
| Add the Subject Information Access extension to the certificate.
| X.509 certificate extensions are described in RFC 5280.
| --extCP
| Add the Certificate Policies extension to the certificate. X.509
| certificate extensions are described in RFC 5280.
| --extPM
| Add the Policy Mappings extension to the certificate. X.509
| certificate extensions are described in RFC 5280.
| --extPC
| Add the Policy Constraints extension to the certificate. X.509
| certificate extensions are described in RFC 5280.
| --extIA
| Add the Inhibit Any Policy Access extension to the certificate.
| X.509 certificate extensions are described in RFC 5280.
| --extSKID
| Add the Subject Key ID extension to the certificate. X.509
| certificate extensions are described in RFC 5280.
| --source-dir certdir
| Identify the certificate database directory to upgrade.
| --source-prefix certdir
| Give the prefix of the certificate and key databases to upgrade.
| --upgrade-id uniqueID
| Give the unique ID of the database to upgrade.
| --upgrade-token-name name
| Set the name of the token to use while it is being upgraded.
| -@ pwfile
| Give the name of a password file to use for the database being
| upgraded.
| Usage and Examples
| Most of the command options in the examples listed here have more
| arguments available. The arguments included in these examples are the most
| common ones or are used to illustrate a specific scenario. Use the -H
| option to show the complete list of arguments for each command option.
| Creating New Security Databases
| Certificates, keys, and security modules related to managing certificates
| are stored in three related databases:
| o cert8.db or cert9.db
| o key3.db or key4.db
| o secmod.db or pkcs11.txt
| These databases must be created before certificates or keys can be
| generated.
| certutil -N -d [sql:]directory
| Creating a Certificate Request
| A certificate request contains most or all of the information that is used
| to generate the final certificate. This request is submitted separately to
| a certificate authority and is then approved by some mechanism
| (automatically or by human review). Once the request is approved, then the
| certificate is generated.
| $ certutil -R -k key-type-or-id [-q pqgfile|curve-name] -g key-size -s subject [-h tokenname]
-d [sql:]directory [-p phone] [-o output-file] [-a]
| The -R command options requires four arguments:
| o -k to specify either the key type to generate or, when renewing a
| certificate, the existing key pair to use
| o -g to set the keysize of the key to generate
| o -s to set the subject name of the certificate
| o -d to give the security database directory
| The new certificate request can be output in ASCII format (-a) or can be
| written to a specified file (-o).
| For example:
| $ certutil -R -k ec -q nistb409 -g 512 -s "CN=John Smith,O=Example Corp,L=Mountain
View,ST=California,C=US" -d sql:/home/my/sharednssdb -p 650-555-0123 -a -o cert.cer
| Generating key. This may take a few moments...
| Certificate request generated by Netscape
| Phone: 650-555-0123
| Common Name: John Smith
| Email: (not ed)
| Organization: Example Corp
| State: California
| Country: US
| -----BEGIN NEW CERTIFICATE REQUEST-----
| MIIBIDCBywIBADBmMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEW
| MBQGA1UEBxMNTW91bnRhaW4gVmlldzEVMBMGA1UEChMMRXhhbXBsZSBDb3JwMRMw
| EQYDVQQDEwpKb2huIFNtaXRoMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAMVUpDOZ
| KmHnOx7reP8Cc0Lk+fFWEuYIDX9W5K/BioQOKvEjXyQZhit9aThzBVMoSf1Y1S8J
| CzdUbCg1+IbnXaECAwEAAaAAMA0GCSqGSIb3DQEBBQUAA0EAryqZvpYrUtQ486Ny
| qmtyQNjIi1F8c1Z+TL4uFYlMg8z6LG/J/u1E5t1QqB5e9Q4+BhRbrQjRR1JZx3tB
| 1hP9Gg==
| -----END NEW CERTIFICATE REQUEST-----
| Creating a Certificate
| A valid certificate must be issued by a trusted CA. This can be done by
| specifying a CA certificate (-c) that is stored in the certificate
| database. If a CA key pair is not available, you can create a self-signed
| certificate using the -x argument with the -S command option.
| $ certutil -S -k rsa|dsa|ec -n certname -s subject [-c issuer \|-x] -t trustargs -d
[sql:]directory [-m serial-number] [-v valid-months] [-w offset-months] [-p phone] [-1] [-2]
[-3] [-4] [-5 keyword] [-6 keyword] [-7 emailAddress] [-8 dns-names] [--extAIA] [--extSIA]
[--extCP] [--extPM] [--extPC] [--extIA] [--extSKID]
| The series of numbers and --ext\* options set certificate extensions that
| can be added to the certificate when it is generated by the CA.
| For example, this creates a self-signed certificate:
| $ certutil -S -s "CN=Example CA" -n my-ca-cert -x -t "C,C,C" -1 -2 -5 -m 3650
| From there, new certificates can reference the self-signed certificate:
| $ certutil -S -s "CN=My Server Cert" -n my-server-cert -c "my-ca-cert" -t "u,u,u" -1 -5 -6 -8
-m 730
| Generating a Certificate from a Certificate Request
| When a certificate request is created, a certificate can be generated by
| using the request and then referencing a certificate authority signing
| certificate (the issuer specified in the -c argument). The issuing
| certificate must be in the certificate database in the specified
| directory.
| certutil -C -c issuer -i cert-request-file -o output-file [-m serial-number] [-v valid-months]
[-w offset-months] -d [sql:]directory [-1] [-2] [-3] [-4] [-5 keyword] [-6 keyword] [-7
emailAddress] [-8 dns-names]
| For example:
| $ certutil -C -c "my-ca-cert" -i /home/certs/cert.req -o cert.cer -m 010 -v 12 -w 1 -d
sql:/home/my/sharednssdb -1 nonRepudiation,dataEncipherment -5 sslClient -6 clientAuth -7
jsmith@example.com
| Generating Key Pairs
| Key pairs are generated automatically with a certificate request or
| certificate, but they can also be generated independently using the -G
| command option.
| certutil -G -d [sql:]directory \| -h tokenname -k key-type -g key-size [-y exponent-value] -q
pqgfile|curve-name
| For example:
| $ certutil -G -h lunasa -k ec -g 256 -q sect193r2
| Listing Certificates
| The -L command option lists all of the certificates listed in the
| certificate database. The path to the directory (-d) is required.
| $ certutil -L -d sql:/home/my/sharednssdb
| Certificate Nickname Trust Attributes
| SSL,S/MIME,JAR/XPI
| CA Administrator of Instance pki-ca1's Example Domain ID u,u,u
| TPS Administrator's Example Domain ID u,u,u
| Google Internet Authority ,,
| Certificate Authority - Example Domain CT,C,C
| Using additional arguments with -L can return and print the information
| for a single, specific certificate. For example, the -n argument passes
| the certificate name, while the -a argument prints the certificate in
| ASCII format:
| $ certutil -L -d sql:/home/my/sharednssdb -a -n "Certificate Authority - Example Domain"
| -----BEGIN CERTIFICATE-----
| MIIDmTCCAoGgAwIBAgIBATANBgkqhkiG9w0BAQUFADA5MRcwFQYDVQQKEw5FeGFt
| cGxlIERvbWFpbjEeMBwGA1UEAxMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTEw
| MDQyOTIxNTY1OFoXDTEyMDQxODIxNTY1OFowOTEXMBUGA1UEChMORXhhbXBsZSBE
| b21haW4xHjAcBgNVBAMTFUNlcnRpZmljYXRlIEF1dGhvcml0eTCCASIwDQYJKoZI
| hvcNAQEBBQADggEPADCCAQoCggEBAO/bqUli2KwqXFKmMMG93KN1SANzNTXA/Vlf
| Tmrih3hQgjvR1ktIY9aG6cB7DSKWmtHp/+p4PUCMqL4ZrSGt901qxkePyZ2dYmM2
| RnelK+SEUIPiUtoZaDhNdiYsE/yuDE8vQWj0vHCVL0w72qFUcSQ/WZT7FCrnUIUI
| udeWnoPSUn70gLhcj/lvxl7K9BHyD4Sq5CzktwYtFWLiiwV+ZY/Fl6JgbGaQyQB2
| bP4iRMfloGqsxGuB1evWVDF1haGpFDSPgMnEPSLg3/3dXn+HDJbZ29EU8/xKzQEb
| 3V0AHKbu80zGllLEt2Zx/WDIrgJEN9yMfgKFpcmL+BvIRsmh0VsCAwEAAaOBqzCB
| qDAfBgNVHSMEGDAWgBQATgxHQyRUfKIZtdp55bZlFr+tFzAPBgNVHRMBAf8EBTAD
| AQH/MA4GA1UdDwEB/wQEAwIBxjAdBgNVHQ4EFgQUAE4MR0MkVHyiGbXaeeW2ZRa/
| rRcwRQYIKwYBBQUHAQEEOTA3MDUGCCsGAQUFBzABhilodHRwOi8vbG9jYWxob3N0
| LmxvY2FsZG9tYWluOjkxODAvY2Evb2NzcDANBgkqhkiG9w0BAQUFAAOCAQEAi8Gk
| L3XO43u7/TDOeEsWPmq+jZsDZ3GZ85Ajt3KROLWeKVZZZa2E2Hnsvf2uXbk5amKe
| lRxdSeRH9g85pv4KY7Z8xZ71NrI3+K3uwmnqkc6t0hhYb1mw/gx8OAAoluQx3biX
| JBDxjI73Cf7XUopplHBjjiwyGIJUO8BEZJ5L+TF4P38MJz1snLtzZpEAX5bl0U76
| bfu/tZFWBbE8YAWYtkCtMcalBPj6jn2WD3M01kGozW4mmbvsj1cRB9HnsGsqyHCu
| U0ujlL1H/RWcjn607+CTeKH9jLMUqCIqPJNOa+kq/6F7NhNRRiuzASIbZc30BZ5a
| nI7q5n1USM3eWQlVXw==
| -----END CERTIFICATE-----
| Listing Keys
| Keys are the original material used to encrypt certificate data. The keys
| generated for certificates are stored separately, in the key database.
| To list all keys in the database, use the -K command option and the
| (required) -d argument to give the path to the directory.
| $ certutil -K -d sql:/home/my/sharednssdb
| certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate
Services "
| < 0> rsa 455a6673bde9375c2887ec8bf8016b3f9f35861d Thawte Freemail Member's Thawte
Consulting (Pty) Ltd. ID
| < 1> rsa 40defeeb522ade11090eacebaaf1196a172127df Example Domain Administrator Cert
| < 2> rsa 1d0b06f44f6c03842f7d4f4a1dc78b3bcd1b85a5 John Smith user cert
| There are ways to narrow the keys listed in the search results:
| o To return a specific key, use the -n name argument with the name of
| the key.
| o If there are multiple security devices loaded, then the -h tokenname
| argument can search a specific token or all tokens.
| o If there are multiple key types available, then the -k key-type
| argument can search a specific type of key, like RSA, DSA, or ECC.
| Listing Security Modules
| The devices that can be used to store certificates -- both internal
| databases and external devices like smart cards -- are recognized and used
| by loading security modules. The -U command option lists all of the
| security modules listed in the secmod.db database. The path to the
| directory (-d) is required.
| $ certutil -U -d sql:/home/my/sharednssdb
| slot: NSS User Private Key and Certificate Services
| token: NSS Certificate DB
| slot: NSS Internal Cryptographic Services
| token: NSS Generic Crypto Services
| Adding Certificates to the Database
| Existing certificates or certificate requests can be added manually to the
| certificate database, even if they were generated elsewhere. This uses the
| -A command option.
| certutil -A -n certname -t trustargs -d [sql:]directory [-a] [-i input-file]
| For example:
| $ certutil -A -n "CN=My SSL Certificate" -t "u,u,u" -d sql:/home/my/sharednssdb -i
/home/example-certs/cert.cer
| A related command option, -E, is used specifically to add email
| certificates to the certificate database. The -E command has the same
| arguments as the -A command. The trust arguments for certificates have the
| format SSL,S/MIME,Code-signing, so the middle trust settings relate most
| to email certificates (though the others can be set). For example:
| $ certutil -E -n "CN=John Smith Email Cert" -t ",Pu," -d sql:/home/my/sharednssdb -i
/home/example-certs/email.cer
| Deleting Certificates to the Database
| Certificates can be deleted from a database using the -D option. The only
| required options are to give the security database directory and to
| identify the certificate nickname.
| certutil -D -d [sql:]directory -n "nickname"
| For example:
| $ certutil -D -d sql:/home/my/sharednssdb -n "my-ssl-cert"
| Validating Certificates
| A certificate contains an expiration date in itself, and expired
| certificates are easily rejected. However, certificates can also be
| revoked before they hit their expiration date. Checking whether a
| certificate has been revoked requires validating the certificate.
| Validation can also be used to ensure that the certificate is only used
| for the purposes it was initially issued for. Validation is carried out by
| the -V command option.
| certutil -V -n certificate-name [-b time] [-e] [-u cert-usage] -d [sql:]directory
| For example, to validate an email certificate:
| $ certutil -V -n "John Smith's Email Cert" -e -u S,R -d sql:/home/my/sharednssdb
| Modifying Certificate Trust Settings
| The trust settings (which relate to the operations that a certificate is
| allowed to be used for) can be changed after a certificate is created or
| added to the database. This is especially useful for CA certificates, but
| it can be performed for any type of certificate.
| certutil -M -n certificate-name -t trust-args -d [sql:]directory
| For example:
| $ certutil -M -n "My CA Certificate" -d sql:/home/my/sharednssdb -t "CTu,CTu,CTu"
| Printing the Certificate Chain
| Certificates can be issued in chains because every certificate authority
| itself has a certificate; when a CA issues a certificate, it essentially
| stamps that certificate with its own fingerprint. The -O prints the full
| chain of a certificate, going from the initial CA (the root CA) through
| ever intermediary CA to the actual certificate. For example, for an email
| certificate with two CAs in the chain:
| $ certutil -d sql:/home/my/sharednssdb -O -n "jsmith@example.com"
| "Builtin Object Token:Thawte Personal Freemail CA" [E=personal-freemail@thawte.com,CN=Thawte
Personal Freemail CA,OU=Certification Services Division,O=Thawte Consulting,L=Cape
Town,ST=Western Cape,C=ZA]
| "Thawte Personal Freemail Issuing CA - Thawte Consulting" [CN=Thawte Personal Freemail
Issuing CA,O=Thawte Consulting (Pty) Ltd.,C=ZA]
| "(null)" [E=jsmith@example.com,CN=Thawte Freemail Member]
| Resetting a Token
| The device which stores certificates -- both external hardware devices and
| internal software databases -- can be blanked and reused. This operation
| is performed on the device which stores the data, not directly on the
| security databases, so the location must be referenced through the token
| name (-h) as well as any directory path. If there is no external token
| used, the default value is internal.
| certutil -T -d [sql:]directory -h token-name -0 security-officer-password
| Many networks have dedicated personnel who handle changes to security
| tokens (the security officer). This person must supply the password to
| access the specified token. For example:
| $ certutil -T -d sql:/home/my/sharednssdb -h nethsm -0 secret
| Upgrading or Merging the Security Databases
| Many networks or applications may be using older BerkeleyDB versions of
| the certificate database (cert8.db). Databases can be upgraded to the new
| SQLite version of the database (cert9.db) using the --upgrade-merge
| command option or existing databases can be merged with the new cert9.db
| databases using the ---merge command.
| The --upgrade-merge command must give information about the original
| database and then use the standard arguments (like -d) to give the
| information about the new databases. The command also requires information
| that the tool uses for the process to upgrade and write over the original
| database.
| certutil --upgrade-merge -d [sql:]directory [-P dbprefix] --source-dir directory
--source-prefix dbprefix --upgrade-id id --upgrade-token-name name [-@ password-file]
| For example:
| $ certutil --upgrade-merge -d sql:/home/my/sharednssdb --source-dir /opt/my-app/alias/
--source-prefix serverapp- --upgrade-id 1 --upgrade-token-name internal
| The --merge command only requires information about the location of the
| original database; since it doesn't change the format of the database, it
| can write over information without performing interim step.
| certutil --merge -d [sql:]directory [-P dbprefix] --source-dir directory --source-prefix
dbprefix [-@ password-file]
| For example:
| $ certutil --merge -d sql:/home/my/sharednssdb --source-dir /opt/my-app/alias/ --source-prefix
serverapp-
| Running certutil Commands from a Batch File
| A series of commands can be run sequentially from a text file with the -B
| command option. The only argument for this specifies the input file.
| $ certutil -B -i /path/to/batch-file
| NSS Database Types
| NSS originally used BerkeleyDB databases to store security information.
| The last versions of these legacy databases are:
| o cert8.db for certificates
| o key3.db for keys
| o secmod.db for PKCS #11 module information
| BerkeleyDB has performance limitations, though, which prevent it from
| being easily used by multiple applications simultaneously. NSS has some
| flexibility that allows applications to use their own, independent
| database engine while keeping a shared database and working around the
| access issues. Still, NSS requires more flexibility to provide a truly
| shared security database.
| In 2009, NSS introduced a new set of databases that are SQLite databases
| rather than BerkleyDB. These new databases provide more accessibility and
| performance:
| o cert9.db for certificates
| o key4.db for keys
| o pkcs11.txt, which is listing of all of the PKCS #11 modules contained
| in a new subdirectory in the security databases directory
| Because the SQLite databases are designed to be shared, these are the
| shared database type. The shared database type is preferred; the legacy
| format is included for backward compatibility.
| By default, the tools (certutil, pk12util, modutil) assume that the given
| security databases follow the more common legacy type. Using the SQLite
| databases must be manually specified by using the sql: prefix with the
| given security directory. For example:
| $ certutil -L -d sql:/home/my/sharednssdb
| To set the shared database type as the default type for the tools, set the
| NSS_DEFAULT_DB_TYPE environment variable to sql:
| export NSS_DEFAULT_DB_TYPE="sql"
| This line can be set added to the ~/.bashrc file to make the change
| permanent.
| Most applications do not use the shared database by default, but they can
| be configured to use them. For example, this how-to article covers how to
| configure Firefox and Thunderbird to use the new shared NSS databases:
| For an engineering draft on the changes in the shared NSS databases, see
| the NSS project wiki:
| See Also
| pk12util (1)
| modutil (1)
| certutil has arguments or operations that use features defined in several
| IETF RFCs.
| The NSS wiki has information on the new database design and how to
| configure applications to use it.
| Additional Resources
| For information about NSS and other tools related to NSS (like JSS), check
| out the NSS project wiki at
|
[1]\ `http://www.mozilla.org/projects/security/pki/nss/ <https://www.mozilla.org/projects/security/pki/nss/>`__.
The NSS site relates
| directly to NSS code changes and releases.
| IRC: Freenode at #dogtag-pki
| Authors
| The NSS tools were written and maintained by developers with Netscape, Red
| Hat, and Sun.
| Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey
| <dlackey@redhat.com>.
| Copyright
| (c) 2010, Red Hat, Inc. Licensed under the GNU Public License version 2.
| References
| Visible links
| 1.