path: root/doc/rst/legacy/tools/nss_tools_certutil/index.rst
blob: 451f3869ecf1d49dfa6fbf7f9dab7e5c0386f15c (plain)
.. _mozilla_projects_nss_tools_nss_tools_certutil:

NSS Tools certutil
==================

.. _using_the_certificate_database_tool:

`Using the Certificate Database Tool <#using_the_certificate_database_tool>`__
------------------------------------------------------------------------------

.. container::

   The Certificate Database Tool is a command-line utility that can create and modify the Netscape
   Communicator ``cert8.db`` and ``key3.db`` database files. It can also list, generate, modify, or
   delete certificates within the ``cert8.db`` file and create or change the password, generate new
   public and private key pairs, display the contents of the key database, or delete key pairs
   within the ``key3.db`` file.

   Starting from NSS 3.35, the SQLite-backed database format described in the
   `NSS Shared DB document <https://wiki.mozilla.org/NSS_Shared_DB>`__ is the default, so a
   database directory may contain ``cert9.db`` and ``key4.db`` instead. Prefix the ``-d`` directory
   with ``sql:`` or ``dbm:`` to select the SQLite or the legacy format explicitly.

   The key and certificate management process generally begins with creating keys in the key
   database, then generating and managing certificates in the certificate database.

   This document discusses certificate and key database management. For information about security
   module database management, see :ref:`mozilla_projects_nss_reference_nss_tools_:_modutil`.
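The following script, added here as an illustration and not taken from the NSS documentation or
test suite, runs that process end to end with ``certutil``: it creates a SQLite-format database
(``sql:`` prefix), generates a self-signed CA, generates a server key pair together with a
certificate request, issues the certificate from that request, imports it, and validates it as an
SSL server certificate. The nicknames (``demo-ca``, ``demo-server``), subject names and password are
made up for the example; ``-x`` (self-sign the certificate) and ``-z`` (seed key generation from a
noise file) are ``certutil`` options this excerpt does not describe. It needs ``certutil`` on the
``PATH`` (package ``libnss3-tools`` on Debian/Ubuntu, ``nss-tools`` on Fedora) and writes only into
the directory given as its argument.

```shell
#!/bin/sh
# Added example (not from the NSS documentation): the key-then-certificate
# workflow driven entirely by certutil. Nicknames, subjects and the password
# are made up for the demo. Requires certutil on PATH.
set -eu

# Create a database, a self-signed CA, a server key + request, issue and
# import the server certificate, then validate it. $1 is the target directory.
nss_demo_pki() {
    dir=$1
    db="sql:$dir"                         # SQLite format: cert9.db / key4.db
    pw="$dir/pwfile"
    noise="$dir/noise.bin"

    umask 077                             # key DB and password file stay owner-only
    printf 'demo-password\n' > "$pw"      # -f reads the database password from here
    head -c 1024 /dev/urandom > "$noise"  # seed material for -z (key generation)

    # -N: create cert9.db / key4.db, protected by the password in $pw
    certutil -N -d "$db" -f "$pw"

    # -S -x: self-signed CA. Trust "CT,C,C" marks it a trusted CA for SSL,
    # email and object signing. 2048-bit RSA instead of the 1024-bit default.
    certutil -S -d "$db" -f "$pw" -z "$noise" -x \
        -n demo-ca -s "CN=Demo Root CA,O=Example" \
        -t "CT,C,C" -k rsa -g 2048 -m 1 -v 12

    # -R: generate the server key pair in key4.db and write a DER PKCS#10 request
    certutil -R -d "$db" -f "$pw" -z "$noise" \
        -s "CN=demo.example.test,O=Example" -k rsa -g 2048 -o "$dir/server.req"

    # -C: sign the request with the CA's private key; -m gives a serial that
    # differs from the CA's own (both certificates carry the same issuer name)
    certutil -C -d "$db" -f "$pw" -c demo-ca -i "$dir/server.req" \
        -o "$dir/server.der" -m 2 -v 6

    # -A: import the issued certificate. It pairs with the private key made by
    # -R, so -L shows "u,u,u" for it. Empty trust: it is a leaf, not a CA.
    certutil -A -d "$db" -f "$pw" -n demo-server -t ",," -i "$dir/server.der"

    # -V -u V: validate demo-server as an SSL server certificate
    # (certutil exits non-zero and prints the reason if validation fails)
    certutil -V -d "$db" -f "$pw" -n demo-server -u V

    certutil -L -d "$db"                  # nickname / trust-attribute summary
}

if command -v certutil >/dev/null 2>&1; then
    nss_demo_pki "$(mktemp -d)"
else
    echo "certutil not found; install nss-tools / libnss3-tools" >&2
fi
```

The final ``-L`` listing should show ``demo-ca`` with trust ``CTu,Cu,Cu`` and ``demo-server`` with
``u,u,u``; the ``u`` means the matching private key is present in ``key4.db``.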

`Availability <#availability>`__
--------------------------------

.. container::

   See the release notes for the platforms this tool is available on.

`Syntax <#syntax>`__
--------------------

.. container::

   To run the Certificate Database Tool, type the command

   .. code::

      certutil option [arguments]

   where *option* is one of the options and *arguments* are any of the arguments listed in the
   following section. Each command takes exactly one option; each option may take zero or more
   arguments. To see a usage string, issue the command without options, or with the ``-H`` option.

.. _options_and_arguments:

`Options and Arguments <#options_and_arguments>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. container::

   Options specify an action and are uppercase. Option arguments modify an action and are lowercase
   (``-P`` is the one uppercase argument). Certificate Database Tool command options and their
   arguments are defined as follows:

   +-------------------------------------------------+-------------------------------------------------+
   |  **Options**                                    |                                                 |
   +-------------------------------------------------+-------------------------------------------------+
   | ``-N``                                          | Create new certificate and key databases.       |
   +-------------------------------------------------+-------------------------------------------------+
   | ``-S``                                          | Create an individual certificate and add it to  |
   |                                                 | a certificate database.                         |
   +-------------------------------------------------+-------------------------------------------------+
   | ``-R``                                          | Create a certificate-request file that can be   |
   |                                                 | submitted to a Certificate Authority (CA) for   |
   |                                                 | processing into a finished certificate. Output  |
   |                                                 | defaults to standard out unless you use         |
   |                                                 | ``-o`` *output-file* argument. Use the ``-a``   |
   |                                                 | argument to specify ASCII output.               |
   +-------------------------------------------------+-------------------------------------------------+
   | ``-C``                                          | Create a new binary certificate file from a     |
   |                                                 | binary certificate-request file. Use the ``-i`` |
   |                                                 | argument to specify the certificate-request     |
   |                                                 | file. If this argument is not used Certificate  |
   |                                                 | Database Tool prompts for a filename.           |
   +-------------------------------------------------+-------------------------------------------------+
   | ``-G``                                          | Generate a new public and private key pair      |
   |                                                 | within a key database. The key database should  |
   |                                                 | already exist; if one is not present, this      |
   |                                                 | option will initialize one by default. Some     |
   |                                                 | smart cards (for example, the Litronic card)    |
   |                                                 | can store only one key pair. If you create a    |
   |                                                 | new key pair for such a card, the previous pair |
   |                                                 | is overwritten.                                 |
   +-------------------------------------------------+-------------------------------------------------+
   | ``-F``                                          | Delete a private key from a key database.       |
   |                                                 | Specify the key to delete with the ``-n``       |
   |                                                 | argument. Specify the database from which to    |
   |                                                 | delete the key with the ``-d`` argument.        |
   |                                                 |                                                 |
   |                                                 | Use the ``-k`` argument to specify explicitly   |
   |                                                 | whether to delete a DSA or an RSA key. If you   |
   |                                                 | don't use the ``-k`` argument, the option looks |
   |                                                 | for an RSA key matching the specified nickname. |
   |                                                 |                                                 |
   |                                                 | When you delete keys, be sure to also remove    |
   |                                                 | any certificates associated with those keys     |
   |                                                 | from the certificate database, by using ``-D``. |
   |                                                 |                                                 |
   |                                                 | Some smart cards (for example, the Litronic     |
   |                                                 | card) do not let you remove a public key you    |
   |                                                 | have generated. In such a case, only the        |
   |                                                 | private key is deleted from the key pair. You   |
   |                                                 | can display the public key with the command     |
   |                                                 | ``certutil -K -h`` *tokenname*.                 |
   +-------------------------------------------------+-------------------------------------------------+
   | ``-K``                                          | List the keyID of keys in the key database. A   |
   |                                                 | keyID is the modulus of the RSA key or the      |
   |                                                 | ``publicValue`` of the DSA key. IDs are         |
   |                                                 | displayed in hexadecimal ("0x" is not shown).   |
   +-------------------------------------------------+-------------------------------------------------+
   | ``-A``                                          | Add an existing certificate to a certificate    |
   |                                                 | database. The certificate database should       |
   |                                                 | already exist; if one is not present, this      |
   |                                                 | option will initialize one by default.          |
   +-------------------------------------------------+-------------------------------------------------+
   | ``-D``                                          | Delete a certificate from the certificate       |
   |                                                 | database.                                       |
   +-------------------------------------------------+-------------------------------------------------+
   | ``-L``                                          | List all the certificates, or display           |
   |                                                 | information about a named certificate, in a     |
   |                                                 | certificate database.                           |
   |                                                 |                                                 |
   |                                                 | Use the ``-h`` *tokenname* argument to specify  |
   |                                                 | the certificate database on a particular        |
   |                                                 | hardware or software token.                     |
   +-------------------------------------------------+-------------------------------------------------+
   | ``-V``                                          | Check the validity of a certificate and its     |
   |                                                 | attributes.                                     |
   +-------------------------------------------------+-------------------------------------------------+
   | ``-M``                                          | Modify a certificate's trust attributes using   |
   |                                                 | the values of the ``-t`` argument.              |
   +-------------------------------------------------+-------------------------------------------------+
   | ``-H``                                          | Display a list of the options and arguments     |
   |                                                 | used by the Certificate Database Tool.          |
   +-------------------------------------------------+-------------------------------------------------+
   | ``-W``                                          | Change the password of a key database.          |
   +-------------------------------------------------+-------------------------------------------------+
   | ``-U``                                          | List all available modules or print a single    |
   |                                                 | named module.                                   |
   +-------------------------------------------------+-------------------------------------------------+
   | **Arguments**                                   |                                                 |
   +-------------------------------------------------+-------------------------------------------------+
   | ``-a``                                          | Use ASCII format or allow the use of ASCII      |
   |                                                 | format for input or output. This formatting     |
   |                                                 | follows `RFC                                    |
   |                                                 | 1113 <https://tools.ietf.org/html/rfc1113>`__.  |
   |                                                 | For certificate requests, ASCII output defaults |
   |                                                 | to standard output unless redirected.           |
   +-------------------------------------------------+-------------------------------------------------+
   | ``-b`` *validity-time*                          | Specify a time at which a certificate is        |
   |                                                 | required to be valid. Use when checking         |
   |                                                 | certificate validity with the ``-V`` option.    |
   |                                                 | The format of the *validity-time* argument is   |
   |                                                 | "YYMMDDHHMMSS[+HHMM|-HHMM|Z]". Specifying       |
   |                                                 | seconds (SS) is optional. When specifying an    |
   |                                                 | explicit time, use "YYMMDDHHMMSSZ". When        |
   |                                                 | specifying an offset time, use                  |
   |                                                 | "YYMMDDHHMMSS+HHMM" or "YYMMDDHHMMSS-HHMM". If  |
   |                                                 | this option is not used, the validity check     |
   |                                                 | defaults to the current system time.            |
   +-------------------------------------------------+-------------------------------------------------+
   | ``-c`` *issuer*                                 | Identify the certificate of the CA from which a |
   |                                                 | new certificate will derive its authenticity.   |
   |                                                 | Use the exact nickname or alias of the CA       |
   |                                                 | certificate, or use the CA's email address.     |
   |                                                 | Bracket the *issuer* string with quotation      |
   |                                                 | marks if it contains spaces.                    |
   +-------------------------------------------------+-------------------------------------------------+
   | ``-d`` *directory*                              | Specify the database directory containing the   |
   |                                                 | certificate and key database files. On Unix the |
   |                                                 | Certificate Database Tool defaults to           |
   |                                                 | ``$HOME/.netscape`` (that is, ``~/.netscape``). |
   |                                                 | On Windows NT the default is the current        |
   |                                                 | directory.                                      |
   |                                                 |                                                 |
   |                                                 | The ``cert8.db`` and ``key3.db`` database files |
   |                                                 | must reside in the same directory.              |
   +-------------------------------------------------+-------------------------------------------------+
   | ``-P`` *dbprefix*                               | Specify the prefix used on the ``cert8.db`` and |
   |                                                 | ``key3.db`` files (for example, ``my_cert8.db`` |
   |                                                 | and ``my_key3.db``). This option is provided as |
   |                                                 | a special case. Changing the names of the       |
   |                                                 | certificate and key databases is not            |
   |                                                 | recommended.                                    |
   +-------------------------------------------------+-------------------------------------------------+
   | ``-e``                                          | Check a certificate's signature during the      |
   |                                                 | process of validating a certificate.            |
   +-------------------------------------------------+-------------------------------------------------+
   | ``-f`` *password-file*                          | Specify a file that will automatically supply   |
   |                                                 | the password to include in a certificate or to  |
   |                                                 | access a certificate database. This is a        |
   |                                                 | plain-text file containing one password. Be     |
   |                                                 | sure to prevent unauthorized access to this     |
   |                                                 | file (for example, make it readable only by its |
   |                                                 | owner).                                         |
   +-------------------------------------------------+-------------------------------------------------+
   | ``-g`` *keysize*                                | Set a key size to use when generating new       |
   |                                                 | public and private key pairs. The minimum is    |
   |                                                 | 512 bits and the maximum is 8192 bits. The      |
   |                                                 | default is 1024 bits. Any size that is a        |
   |                                                 | multiple of 8 between the minimum and maximum   |
   |                                                 | is allowed. Do not rely on the default: RSA     |
   |                                                 | keys shorter than 2048 bits are no longer       |
   |                                                 | considered adequate, so pass ``-g 2048`` or     |
   |                                                 | larger explicitly.                              |
   +-------------------------------------------------+-------------------------------------------------+
   | ``-h`` *tokenname*                              | Specify the name of a token to use or act on.   |
   |                                                 | Unless specified otherwise the default token is |
   |                                                 | an internal slot (specifically, internal slot   |
   |                                                 | 2). This slot can also be explicitly named with |
   |                                                 | the string ``"internal"``. An internal slot is  |
   |                                                 | a virtual slot maintained in software, rather   |
   |                                                 | than a hardware device. Internal slot 2 is used |
   |                                                 | by key and certificate services. Internal slot  |
   |                                                 | 1 is used by cryptographic services.            |
   +-------------------------------------------------+-------------------------------------------------+
   | ``-i`` *cert|cert-request-file*                 | Specify a specific certificate, or a            |
   |                                                 | certificate-request file.                       |
   +-------------------------------------------------+-------------------------------------------------+
   | ``-k rsa|dsa|all``                              | Specify the type of a key: RSA, DSA or both.    |
   |                                                 | The default value is ``rsa``. By specifying the |
   |                                                 | type of key you can avoid mistakes caused by    |
   |                                                 | duplicate nicknames.                            |
   +-------------------------------------------------+-------------------------------------------------+
   | ``-l``                                          | Display detailed information when validating a  |
   |                                                 | certificate with the ``-V`` option.             |
   +-------------------------------------------------+-------------------------------------------------+
   | ``-m`` *serial-number*                          | Assign a unique serial number to a certificate  |
   |                                                 | being created. This operation should be         |
   |                                                 | performed by a CA. The default serial number is |
   |                                                 | 0 (zero). Serial numbers are limited to         |
   |                                                 | integers. Two certificates from the same issuer |
   |                                                 | must not share a serial number.                 |
   +-------------------------------------------------+-------------------------------------------------+
   | ``-n`` *nickname*                               | Specify the nickname of a certificate or key to |
   |                                                 | list, create, add to a database, modify, or     |
   |                                                 | validate. Bracket the *nickname* string with    |
   |                                                 | quotation marks if it contains spaces.          |
   +-------------------------------------------------+-------------------------------------------------+
   | ``-o`` *output-file*                            | Specify the output file name for new            |
   |                                                 | certificates or binary certificate requests.    |
   |                                                 | Bracket the *output-file* string with           |
   |                                                 | quotation marks if it contains spaces. If this  |
   |                                                 | argument is not used the output destination     |
   |                                                 | defaults to standard output.                    |
   +-------------------------------------------------+-------------------------------------------------+
   | ``-p`` *phone*                                  | Specify a contact telephone number to include   |
   |                                                 | in new certificates or certificate requests.    |
   |                                                 | Bracket this string with quotation marks if it  |
   |                                                 | contains spaces.                                |
   +-------------------------------------------------+-------------------------------------------------+
   | ``-q`` *pqgfile*                                | Read an alternate PQG value from the specified  |
   |                                                 | file when generating DSA key pairs. If this     |
   |                                                 | argument is not used, the Key Database Tool     |
   |                                                 | generates its own PQG value. PQG files are      |
   |                                                 | created with a separate DSA utility.            |
   +-------------------------------------------------+-------------------------------------------------+
   | ``-r``                                          | Display a certificate's binary DER encoding     |
   |                                                 | when listing information about that certificate |
   |                                                 | with the ``-L`` option.                         |
   +-------------------------------------------------+-------------------------------------------------+
   | ``-s`` *subject*                                | Identify a particular certificate owner for new |
   |                                                 | certificates or certificate requests. Bracket   |
   |                                                 | this string with quotation marks if it contains |
   |                                                 | spaces. The subject identification format       |
   |                                                 | follows `RFC                                    |
   |                                                 | 1485 <https://tools.ietf.org/html/rfc1485>`__.  |
   +-------------------------------------------------+-------------------------------------------------+
   | ``-t`` *trustargs*                              | Specify the trust attributes to modify in an    |
   |                                                 | existing certificate or to apply to a           |
   |                                                 | certificate when creating it or adding it to a  |
   |                                                 | database.                                       |
   |                                                 |                                                 |
   |                                                 | There are three available trust categories for  |
   |                                                 | each certificate, expressed in this order:      |
   |                                                 | "*SSL*, *email*, *object signing*". In          |
   |                                                 | each category position use zero or more of the  |
   |                                                 | following attribute codes:                      |
   |                                                 |                                                 |
   |                                                 | | ``p``    prohibited (explicitly distrusted)   |
   |                                                 | | ``P``    Trusted peer                         |
   |                                                 | | ``c``    Valid CA                             |
   |                                                 | | ``T``    Trusted CA to issue client           |
   |                                                 |   certificates (implies ``c``)                  |
   |                                                 | | ``C``    Trusted CA to issue server           |
   |                                                 |   certificates (SSL only; implies ``c``)        |
   |                                                 | | ``u``    Certificate can be used for          |
   |                                                 |   authentication or signing                     |
   |                                                 | | ``w``    Send warning (use with other         |
   |                                                 |   attributes to include a warning when the      |
   |                                                 |   certificate is used in that context)          |
   |                                                 |                                                 |
   |                                                 | The attribute codes for the categories are      |
   |                                                 | separated by commas, and the entire set of      |
   |                                                 | attributes enclosed by quotation marks. For     |
   |                                                 | example:                                        |
   |                                                 |                                                 |
   |                                                 | ``-t "TCu,Cu,Tuw"``                             |
   |                                                 |                                                 |
   |                                                 | Use the ``-L`` option to see a list of the      |
   |                                                 | current certificates and trust attributes in a  |
   |                                                 | certificate database.                           |
   +-------------------------------------------------+-------------------------------------------------+
   | ``-u`` *certusage*                              | Specify a usage context to apply when           |
   |                                                 | validating a certificate with the ``-V``        |
   |                                                 | option. The contexts are the following:         |
   |                                                 |                                                 |
   |                                                 | | ``C`` (as an SSL client)                      |
   |                                                 | | ``V`` (as an SSL server)                      |
   |                                                 | | ``S`` (as an email signer)                    |
   |                                                 | | ``R`` (as an email recipient)                 |
   +-------------------------------------------------+-------------------------------------------------+
   | ``-v`` *valid-months*                           | Set the number of months a new certificate will |
   |                                                 | be valid. The validity period begins at the     |
   |                                                 | current system time unless an offset is added   |
   |                                                 | or subtracted with the ``-w`` option. If this   |
   |                                                 | argument is not used, the default validity      |
   |                                                 | period is three months. When this argument is   |
   |                                                 | used, the default three-month period is         |
   |                                                 | automatically added to any value given in       |
   |                                                 | the\ *valid-month* argument. For example, using |
   |                                                 | this option to set a value of ``3`` would cause |
   |                                                 | 3 to be added to the three-month default,       |
   |                                                 | creating a validity period of six months. You   |
   |                                                 | can use negative values to reduce the default   |
   |                                                 | period. For example, setting a value of ``-2``  |
   |                                                 | would subtract 2 from the default and create a  |
   |                                                 | validity period of one month.                   |
   +-------------------------------------------------+-------------------------------------------------+
   | ``-w``\ *offset-months*                         | Set an offset from the current system time, in  |
   |                                                 | months, for the beginning of a certificate's    |
   |                                                 | validity period. Use when creating the          |
   |                                                 | certificate or adding it to a database. Express |
   |                                                 | the offset in integers, using a minus sign      |
   |                                                 | (``-``) to indicate a negative offset. If this  |
   |                                                 | argument is not used, the validity period       |
   |                                                 | begins at the current system time. The length   |
   |                                                 | of the validity period is set with the ``-v``   |
   |                                                 | argument.                                       |
   +-------------------------------------------------+-------------------------------------------------+
   | ``-x``                                          | Use the Certificate Database Tool to generate   |
   |                                                 | the signature for a certificate being created   |
   |                                                 | or added to a database, rather than obtaining a |
   |                                                 | signature from a separate CA.                   |
   +-------------------------------------------------+-------------------------------------------------+
   | ``-y``\ *exp*                                   | Set an alternate exponent value to use in       |
   |                                                 | generating a new RSA public key for the         |
   |                                                 | database, instead of the default value of       |
   |                                                 | 65537. The available alternate values are 3 and |
   |                                                 | 17.                                             |
   +-------------------------------------------------+-------------------------------------------------+
   | ``-z``\ *noise-file*                            | Read a seed value from the specified binary     |
   |                                                 | file to use in generating a new RSA private and |
   |                                                 | public key pair. This argument makes it         |
   |                                                 | possible to use hardware-generated seed values  |
   |                                                 | and unnecessary to manually create a value from |
   |                                                 | the keyboard. The minimum file size is 20       |
   |                                                 | bytes.                                          |
   +-------------------------------------------------+-------------------------------------------------+
   | ``-1``                                          | Add a key usage extension to a certificate that |
   |                                                 | is being created or added to a database. This   |
   |                                                 | extension allows a certificate's key to be      |
   |                                                 | dedicated to supporting specific operations     |
   |                                                 | such as SSL server or object signing. The       |
   |                                                 | Certificate Database Tool will prompt you to    |
   |                                                 | select a particular usage for the certificate's |
   |                                                 | key. These usages are described under `Standard |
   |                                                 | X.509 v3 Certificate                            |
   |                                                 | Extensions <https://a                           |
   |                                                 | ccess.redhat.com/documentation/en-US/Red_Hat_Ce |
   |                                                 | rtificate_System/9/html/Administration_Guide/St |
   |                                                 | andard_X.509_v3_Certificate_Extensions.html>`__ |
   |                                                 | in Appendix A.3 of the\ *Red Hat Certificate    |
   |                                                 | System Administration Guide.*                   |
   +-------------------------------------------------+-------------------------------------------------+
   | ``-2``                                          | Add a basic constraint extension to a           |
   |                                                 | certificate that is being created or added to a |
   |                                                 | database. This extension supports the           |
   |                                                 | certificate chain verification process. The     |
   |                                                 | Certificate Database Tool will prompt you to    |
   |                                                 | select the certificate constraint extension.    |
   |                                                 | Constraint extensions are described in          |
   |                                                 | `Standard X.509 v3 Certificate                  |
   |                                                 | Extensions <https://a                           |
   |                                                 | ccess.redhat.com/documentation/en-US/Red_Hat_Ce |
   |                                                 | rtificate_System/9/html/Administration_Guide/St |
   |                                                 | andard_X.509_v3_Certificate_Extensions.html>`__ |
   |                                                 | in Appendix A.3 of the\ *Red Hat Certificate    |
   |                                                 | System Administration Guide.*                   |
   +-------------------------------------------------+-------------------------------------------------+
   | ``-3``                                          | Add an authority keyID extension to a           |
   |                                                 | certificate that is being created or added to a |
   |                                                 | database. This extension supports the           |
   |                                                 | identification of a particular certificate,     |
   |                                                 | from among multiple certificates associated     |
   |                                                 | with one subject name, as the correct issuer of |
   |                                                 | a certificate. The Certificate Database Tool    |
   |                                                 | will prompt you to select the authority keyID   |
   |                                                 | extension. Authority key ID extensions are      |
   |                                                 | described under `Standard X.509 v3 Certificate  |
   |                                                 | Extensions <http                                |
   |                                                 | s://access.redhat.com/documentation/en-us/red_h |
   |                                                 | at_certificate_system/9/html/administration_gui |
   |                                                 | de/standard_x.509_v3_certificate_extensions>`__ |
   |                                                 | in Appendix B.3 of the\ *Red Hat Certificate    |
   |                                                 | System Administration Guide.*                   |
   +-------------------------------------------------+-------------------------------------------------+
   | ``-4``                                          | Add a CRL distribution point extension to a     |
   |                                                 | certificate that is being created or added to a |
   |                                                 | database. This extension identifies the URL of  |
   |                                                 | a certificate's associated certificate          |
   |                                                 | revocation list (CRL). The Certificate Database |
   |                                                 | Tool prompts you to enter the URL. CRL          |
   |                                                 | distribution point extensions are described in  |
   |                                                 | `Standard X.509 v3 Certificate                  |
   |                                                 | Extensions <https://a                           |
   |                                                 | ccess.redhat.com/documentation/en-US/Red_Hat_Ce |
   |                                                 | rtificate_System/9/html/Administration_Guide/St |
   |                                                 | andard_X.509_v3_Certificate_Extensions.html>`__ |
   |                                                 | in Appendix A.3 of the\ *Red Hat Certificate    |
   |                                                 | System Administration Guide.*                   |
   +-------------------------------------------------+-------------------------------------------------+
   | ``-5``                                          | Add a Netscape certificate type extension to a  |
   |                                                 | certificate that is being created or added to   |
   |                                                 | the database. Netscape certificate type         |
   |                                                 | extensions are described in `Standard X.509 v3  |
   |                                                 | Certificate                                     |
   |                                                 | Extensions <https://a                           |
   |                                                 | ccess.redhat.com/documentation/en-US/Red_Hat_Ce |
   |                                                 | rtificate_System/9/html/Administration_Guide/St |
   |                                                 | andard_X.509_v3_Certificate_Extensions.html>`__ |
   |                                                 | in Appendix A.3 of the\ *Red Hat Certificate    |
   |                                                 | System Administration Guide.*                   |
   +-------------------------------------------------+-------------------------------------------------+
   | ``-6``                                          | Add an extended key usage extension to a        |
   |                                                 | certificate that is being created or added to   |
   |                                                 | the database. Extended key usage extensions are |
   |                                                 | described in `Standard X.509 v3 Certificate     |
   |                                                 | Extensions <https://a                           |
   |                                                 | ccess.redhat.com/documentation/en-US/Red_Hat_Ce |
   |                                                 | rtificate_System/9/html/Administration_Guide/St |
   |                                                 | andard_X.509_v3_Certificate_Extensions.html>`__ |
   |                                                 | in Appendix A.3 of the\ *Red Hat Certificate    |
   |                                                 | System Administration Guide.*                   |
   +-------------------------------------------------+-------------------------------------------------+
   | ``-7``\ *emailAddrs*                            | Add a comma-separated list of email addresses   |
   |                                                 | to the subject alternative name extension of a  |
   |                                                 | certificate or certificate request that is      |
   |                                                 | being created or added to the database. Subject |
   |                                                 | alternative name extensions are described in    |
   |                                                 | Section 4.2.1.7 of `RFC                         |
    |                                                 | 3280 <https://tools.ietf.org/html/rfc3280>`__.  |
   +-------------------------------------------------+-------------------------------------------------+
   | ``-8``\ *dns-names*                             | Add a comma-separated list of DNS names to the  |
   |                                                 | subject alternative name extension of a         |
   |                                                 | certificate or certificate request that is      |
   |                                                 | being created or added to the database. Subject |
   |                                                 | alternative name extensions are described in    |
   |                                                 | Section 4.2.1.7 of `RFC                         |
    |                                                 | 3280 <https://tools.ietf.org/html/rfc3280>`__.  |
   +-------------------------------------------------+-------------------------------------------------+

`Usage <#usage>`__
------------------

.. container::

   The Certificate Database Tool's capabilities are grouped as follows, using these combinations of
   options and arguments. Options and arguments in square brackets are optional, those without
   square brackets are required.

   -  Creating a new ``cert8.db`` file:

      .. code::

         -N [-d certdir ]

   -  Creating a new certificate and adding it to the database with one command:

      .. code::

         -S -k rsa|dsa -n certname -s subject
         [-c issuer |-x] -t trustargs [-h tokenname ]
         [-m serial-number ] [-v valid-months ] [-w offset-months ]
         [-d certdir ] [-p phone ] [-f password-file ] [-1] [-2] [-3] [-4]

   -  Making a separate certificate request:

      .. code::

         -R -k rsa|dsa -s subject [-h tokenname ]
         [-d certdir ] [-p phone ] [-o output-file ] [-f password-file ]

   -  Creating a new binary certificate from a binary certificate request:

      .. code::

         -C -c issuer [-f password-file ]
         [-h tokenname ] -i cert-request-file -o output-file [-m serial-number ]
         [-v valid-months ] [-w offset-months ] [-d certdir ] [-1] [-2] [-3]
         [-4]

   -  Adding a certificate to an existing database:

      .. code::

         -A -n certname -t trustargs [-h tokenname ] [-d certdir ] [-a]
         [-i cert-request-file ]

   -  Listing all certificates or a named certificate:

      .. code::

         -L [-n certname ] [-d certdir ] [-r] [-a]

   -  Validating a certificate:

      .. code::

         -V -n certname -b validity-time -u certusage [-e] [-l] [-d certdir ]

   -  Modifying a certificate's trust attribute:

      .. code::

         -M -n certname -t trustargs [-d certdir ]

   -  Displaying a list of the options and arguments used by the Certificate Database Tool:

      .. code::

         -H

`Examples <#examples>`__
------------------------

.. container::

.. _creating_a_new_certificate_database:

`Creating a New Certificate Database <#creating_a_new_certificate_database>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. container::

   This example creates a new certificate database (``cert8.db`` file) in the specified directory:

   .. code::

      certutil -N -d certdir

   You must generate the associated ``key3.db`` and ``secmod.db`` files by using the Key Database
   Tool or other tools.

.. _listing_certificates_in_a_database:

`Listing Certificates in a Database <#listing_certificates_in_a_database>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. container::

   This example lists all the certificates in the ``cert8.db`` file in the specified directory:

   .. code::

      certutil -L -d certdir

   The Certificate Database Tool displays output similar to the following:

   .. code::

      Certificate Name                    Trust Attributes
      Uptime Group Plc. Class 1 CA        C,C,
      VeriSign Class 1 Primary CA         ,C,
      VeriSign Class 2 Primary CA         C,C,C
      AT&T Certificate Services           C,C,
      GTE CyberTrust Secure Server CA     C,,
      Verisign/RSA Commercial CA          C,C,
      AT&T Directory Services             C,C,
      BelSign Secure Server CA            C,,
      Verisign/RSA Secure Server CA       C,C,
      GTE CyberTrust Root CA              C,C,
      Uptime Group Plc. Class 4 CA        ,C,
      VeriSign Class 3 Primary CA         C,C,C
      Canada Post Corporation CA          C,C,
      Integrion CA                        C,C,C
      IBM World Registry CA               C,C,C
      GTIS/PWGSC, Canada Gov. Web CA      C,C,
      GTIS/PWGSC, Canada Gov. Secure CA   C,C,C
      MCI Mall CA                         C,C,
      VeriSign Class 4 Primary CA         C,C,C
      KEYWITNESS, Canada CA               C,C,
      BelSign Object Publishing CA        ,,C
      BBN Certificate Services CA Root 1  C,C,

      p    prohibited (explicitly distrusted)
      P    Trusted peer
      c    Valid CA
      T    Trusted CA to issue client certs (implies c)
      C    Trusted CA to issue server certs(for ssl only) (implies c)
      u    User cert
      w    Send warning

   The three comma-separated fields of the trust column are the flags for SSL, email and object
   signing, in that order; the legend printed after the list explains each letter.
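The following is an added example, not part of the NSS documentation: a small POSIX shell/awk filter that reads ``certutil -L`` output in the layout shown above and reports every certificate whose SSL trust slot carries ``C`` or ``T``, that is, every CA this database will accept as an issuer of server or client certificates. The embedded sample listing is constructed from a subset of the table above plus two illustrative entries (``jsmith@netscape.com``, ``myissuer``); the function names are this example's own.

```shell
#!/bin/sh
# Added example: audit the trust attributes printed by "certutil -L".
# Not part of the NSS tool; the function names are this example's own.

# Constructed sample listing in the layout shown above: nickname, padding,
# then the three comma-separated trust slots (SSL, email, object signing).
sample_listing() {
    cat <<'EOF'
Certificate Name                    Trust Attributes

Uptime Group Plc. Class 1 CA        C,C,
VeriSign Class 1 Primary CA         ,C,
GTE CyberTrust Secure Server CA     C,,
GTIS/PWGSC, Canada Gov. Web CA      C,C,
BelSign Object Publishing CA        ,,C
jsmith@netscape.com                 u,u,u
myissuer                            CT,C,C

p    prohibited (explicitly distrusted)
P    Trusted peer
c    Valid CA
T    Trusted CA to issue client certs (implies c)
C    Trusted CA to issue server certs(for ssl only) (implies c)
u    User cert
w    Send warning
EOF
}

# Read a listing on stdin; print "<nickname><TAB>SSL=<flags>" for every
# certificate whose SSL slot contains C (trusted to issue server certs) or
# T (trusted to issue client certs). Header and legend lines never match,
# because their last field is not three comma-separated groups of flag letters.
audit_ssl_trusted_cas() {
    awk '
        $NF ~ /^[pPcTCuw]*,[pPcTCuw]*,[pPcTCuw]*$/ {
            split($NF, slot, ",")
            name = $0
            sub(/[ \t]+[pPcTCuw,]+[ \t]*$/, "", name)   # drop the trust column
            if (slot[1] ~ /[CT]/) {
                printf "%s\tSSL=%s\n", name, slot[1]
            }
        }'
}

# Typical use against a real database:
#   certutil -L -d certdir | audit_ssl_trusted_cas
```

On the constructed sample this prints four lines: the three CAs with ``C`` in the SSL slot and ``myissuer`` with ``CT``; entries with an empty SSL slot or only ``u`` are left out.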

.. _creating_a_certificate_request:

`Creating a Certificate Request <#creating_a_certificate_request>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. container::

   This example generates a binary certificate request file named ``mycert.req`` in the specified
   directory:

   .. code::

      certutil -R -s "CN=John Smith, O=Netscape, L=Mountain View, ST=California, C=US" -p "650-555-8888" -o mycert.req -d certdir

   Before it creates the request file, the Certificate Database Tool prompts you for a password:

   .. code::

      Enter Password or Pin for "Communicator Certificate DB":

.. _creating_a_certificate:

`Creating a Certificate <#creating_a_certificate>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. container::

   A valid certificate must be issued by a trusted CA. If a CA key pair is not available, you can
   create a self-signed certificate (for purposes of illustration) with the ``-x`` argument. This
   example creates a new binary, self-signed CA certificate named ``myissuer``, in the specified
   directory.

   .. code::

      certutil -S -s "CN=My Issuer" -n myissuer -x -t "C,C,C" -1 -2 -5 -m 1234 -f password-file -d certdir

   The following example creates a new binary certificate named ``mycert.crt``, from a binary
   certificate request named ``mycert.req``, in the specified directory. It is issued by the
   self-signed certificate created above, ``myissuer``.

   .. code::

      certutil -C -m 2345 -i mycert.req -o mycert.crt -c myissuer -d certdir

.. _adding_a_certificate_to_the_database:

`Adding a Certificate to the Database <#adding_a_certificate_to_the_database>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. container::

   This example adds a certificate to the certificate database. The trust argument ``p,p,p`` marks
   the certificate as explicitly distrusted in all three slots (see the flag legend in the listing
   output above); for a certificate you intend to use, choose trust flags that match its role, for
   example ``,,`` (no explicit trust) for an end-entity certificate.

   .. code::

      certutil -A -n jsmith@netscape.com -t "p,p,p" -i mycert.crt -d certdir

   You can see this certificate in the database with this command:

   .. code::

      certutil -L -n jsmith@netscape.com -d certdir

   The Certificate Database Tool displays output similar to the following:

   .. code::

      Certificate:
        Data:
          Version: 3 (0x2)
          Serial Number: 0 (0x0)
          Signature Algorithm: PKCS #1 MD5 With RSA Encryption
          Issuer: CN=John Smith, O=Netscape, L=Mountain View, ST=California, C=US
          Validity:
            Not Before: Thu Mar 12 00:10:40 1998
            Not After: Sat Sep 12 00:10:40 1998
          Subject: CN=John Smith, O=Netscape, L=Mountain View, ST=California, C=US
          Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
              Modulus:
                00:da:53:23:58:00:91:6a:d1:a2:39:26:2f:06:3a:
                38:eb:d4:c1:54:a3:62:00:b9:f0:7f:d6:00:76:aa:
                18:da:6b:79:71:5b:d9:8a:82:24:07:ed:49:5b:33:
                bf:c5:79:7c:f6:22:a7:18:66:9f:ab:2d:33:03:ec:
                63:eb:9d:0d:02:1b:da:32:ae:6c:d4:40:95:9f:b3:
                44:8b:8e:8e:a3:ae:ad:08:38:4f:2e:53:e9:e1:3f:
                8e:43:7f:51:61:b9:0f:f3:a6:25:1e:0b:93:74:8f:
                c6:13:a3:cd:51:40:84:0e:79:ea:b7:6b:d1:cc:6b:
                78:d0:5d:da:be:2b:57:c2:6f
              Exponent: 65537 (0x10001)
        Signature Algorithm: PKCS #1 MD5 With RSA Encryption
        Signature:
          44:15:e5:ae:c4:30:2c:cd:60:89:f1:1d:22:ed:5e:5b:10:c8:
          7e:5f:56:8c:b4:00:12:ed:5f:a4:6a:12:c3:0d:01:03:09:f2:
          2f:e7:fd:95:25:47:80:ea:c1:25:5a:33:98:16:52:78:24:80:
          c9:53:11:40:99:f5:bd:b8:e9:35:0e:5d:3e:38:6a:5c:10:d1:
          c6:f9:54:af:28:56:62:f4:2f:b3:9b:50:e1:c3:a2:ba:27:ee:
          07:9f:89:2e:78:5c:6d:46:b6:5e:99:de:e6:9d:eb:d9:ff:b2:
          5f:c6:f6:c6:52:4a:d4:67:be:8d:fc:dd:52:51:8e:a2:d7:15:
          71:3e
      Certificate Trust Flags:
        SSL Flags:
          Valid CA
          Trusted CA
        Email Flags:
          Valid CA
          Trusted CA
        Object Signing Flags:
          Valid CA
          Trusted CA

.. _validating_a_certificate:

`Validating a Certificate <#validating_a_certificate>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. container::

   This example validates a certificate:

   .. code::

      certutil -V -n jsmith@netscape.com -b 9803201212Z -u SR -e -l -d certdir

   The Certificate Database Tool shows results similar to

   .. code::

      Certificate:'jsmith@netscape.com' is valid.

   or

   .. code::

      UID=jsmith, E=jsmith@netscape.com, CN=John Smith, O=Netscape Communications Corp., C=US : Expired certificate

   or

   .. code::

      UID=jsmith, E=jsmith@netscape.com, CN=John Smith, O=Netscape Communications Corp., C=US : Certificate not approved for this operation
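The complete procedure that the Usage and Examples sections walk through (new database, self-signed CA, separate request, issuance, import, listing, validation), scripted end to end as an added example; it is not part of the NSS documentation. It assumes ``certutil`` is on ``PATH`` and that ``/dev/urandom`` exists; the directory, password, subjects, nicknames and serial numbers are illustrative. Two choices make it non-interactive: ``-f`` supplies the database password and ``-z`` supplies key-generation entropy, and the three questions ``-2`` asks (CA certificate? path length? critical?) are answered on stdin. Current NSS releases create ``cert9.db``/``key4.db`` by default; pass ``-d dbm:certdir`` if you need the legacy ``cert8.db``/``key3.db`` layout this page describes.

```shell
#!/bin/sh
# Added example, not from the NSS documentation: the certutil procedure
# described above, run end to end without prompts. Assumes certutil is on
# PATH and /dev/urandom exists. Directory, password, subjects, nicknames and
# serial numbers are illustrative values.
set -u

nss_demo_workflow() {
    dir=$1
    pw="$dir/pw.txt"          # -f: database password, so no password prompt
    noise="$dir/noise.bin"    # -z: key-generation seed, so no keyboard prompt

    mkdir -p "$dir" || return 1
    printf 'change-this-password\n' > "$pw" || return 1
    chmod 600 "$pw" || return 1
    head -c 64 /dev/urandom > "$noise" || return 1   # -z needs at least 20 bytes

    # 1. New, empty database (cert9.db/key4.db on current NSS; use -d dbm:"$dir"
    #    for the legacy cert8.db/key3.db layout this page describes).
    certutil -N -d "$dir" -f "$pw" || return 1

    # 2. Self-signed CA (-x). CT in the SSL slot: trusted to issue server (C)
    #    and client (T) certificates. -2 adds basic constraints and asks three
    #    questions on stdin: CA? path length (blank = none)? critical?
    printf 'y\n\ny\n' | certutil -S -d "$dir" -f "$pw" -z "$noise" -k rsa \
        -s "CN=My Issuer,O=Example" -n myissuer -x -t "CT,C,C" \
        -m 1234 -v 12 -2 || return 1

    # 3. Separate request for an end entity; its key pair stays in this database.
    certutil -R -d "$dir" -f "$pw" -z "$noise" -k rsa \
        -s "CN=John Smith,O=Example,C=US" -o "$dir/mycert.req" || return 1

    # 4. Issue a certificate from that request, signed with myissuer's key.
    certutil -C -d "$dir" -f "$pw" -c myissuer -i "$dir/mycert.req" \
        -o "$dir/mycert.crt" -m 2345 -v 6 || return 1

    # 5. Import it. No explicit trust (",,") is right for an end-entity cert;
    #    because its private key is in this database it is listed as a user
    #    cert (u,u,u).
    certutil -A -d "$dir" -n jsmith -t ",," -i "$dir/mycert.crt" || return 1

    # 6. List, then validate as an SSL client cert (-u C) with signature
    #    checking (-e); certutil exits non-zero when validation fails.
    certutil -L -d "$dir" || return 1
    certutil -V -d "$dir" -n jsmith -u C -e || return 1
}

# Usage: nss_demo_workflow /tmp/nssdemo
```

The validation step succeeds only because the issuer carries ``T`` in its SSL slot; with the page's ``C,C,C`` the CA is trusted for server certificates only, and ``-u C`` would report the certificate as not approved for this operation, while ``-u V`` would pass.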