Diffstat (limited to 'nss/doc/certutil.xml')
-rw-r--r-- | nss/doc/certutil.xml | 62 |
1 files changed, 29 insertions, 33 deletions
diff --git a/nss/doc/certutil.xml b/nss/doc/certutil.xml index 95d68cf..461b213 100644 --- a/nss/doc/certutil.xml +++ b/nss/doc/certutil.xml 
@@ -314,28 +314,27 @@ Add one or multiple extensions that certutil cannot encode yet, by loading their <term>-q pqgfile or curve-name</term> <listitem> <para>Read an alternate PQG value from the specified file when generating DSA key pairs. If this argument is not used, <command>certutil</command> generates its own PQG value. PQG files are created with a separate DSA utility.</para> - <para>Elliptic curve name is one of the ones from SUITE B: nistp256, nistp384, nistp521</para> + <para>Elliptic curve name is one of the ones from nistp256, nistp384, nistp521, curve25519.</para> <para> - If NSS has been compiled with support curves outside of SUITE B: - sect163k1, nistk163, sect163r1, sect163r2, - nistb163, sect193r1, sect193r2, sect233k1, nistk233, - sect233r1, nistb233, sect239k1, sect283k1, nistk283, - sect283r1, nistb283, sect409k1, nistk409, sect409r1, - nistb409, sect571k1, nistk571, sect571r1, nistb571, - secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, - nistp192, secp224k1, secp224r1, nistp224, secp256k1, - secp256r1, secp384r1, secp521r1, - prime192v1, prime192v2, prime192v3, - prime239v1, prime239v2, prime239v3, c2pnb163v1, - c2pnb163v2, c2pnb163v3, c2pnb176v1, c2tnb191v1, - c2tnb191v2, c2tnb191v3, - c2pnb208w1, c2tnb239v1, c2tnb239v2, c2tnb239v3, - c2pnb272w1, c2pnb304w1, - c2tnb359w1, c2pnb368w1, c2tnb431r1, secp112r1, - secp112r2, secp128r1, secp128r2, sect113r1, sect113r2 - sect131r1, sect131r2 + If a token is available that supports more curves, the foolowing curves are supported as well: + sect163k1, nistk163, sect163r1, sect163r2, + nistb163, sect193r1, sect193r2, sect233k1, nistk233, + sect233r1, nistb233, sect239k1, sect283k1, nistk283, + sect283r1, nistb283, sect409k1, nistk409, sect409r1, + nistb409, sect571k1, nistk571, sect571r1, nistb571, + secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, + nistp192, secp224k1, secp224r1, nistp224, secp256k1, + secp256r1, secp384r1, secp521r1, + prime192v1, prime192v2, prime192v3, + prime239v1, 
prime239v2, prime239v3, c2pnb163v1, + c2pnb163v2, c2pnb163v3, c2pnb176v1, c2tnb191v1, + c2tnb191v2, c2tnb191v3, + c2pnb208w1, c2tnb239v1, c2tnb239v2, c2tnb239v3, + c2pnb272w1, c2pnb304w1, + c2tnb359w1, c2pnb368w1, c2tnb431r1, secp112r1, + secp112r2, secp128r1, secp128r2, sect113r1, sect113r2, + sect131r1, sect131r2 </para> - </listitem> </varlistentry> @@ -373,26 +372,23 @@ of the attribute codes: </listitem> <listitem> <para> - <command>T</command> - Trusted CA (implies c) - </para> - </listitem> - <listitem> - <para> - <command>C</command> - trusted CA for client authentication (ssl server only) + <command>C</command> - Trusted CA (implies c) </para> </listitem> <listitem> <para> - <command>u</command> - user + <command>T</command> - trusted CA for client authentication (ssl server only) </para> </listitem> </itemizedlist> <para> The attribute codes for the categories are separated by commas, and the entire set of attributes enclosed by quotation marks. For example: </para> -<para><command>-t "TCu,Cu,Tu"</command></para> +<para><command>-t "TC,C,T"</command></para> + <para> + Use the -L option to see a list of the current certificates and trust attributes in a certificate database. </para> <para> - Use the -L option to see a list of the current certificates and trust attributes in a certificate database. </para></listitem> + Note that the output of the -L option may include "u" flag, which means that there is a private key associated with the certificate. It is a dynamic flag and you cannot set it with certutil. </para></listitem> </varlistentry> <varlistentry> 
@@ -860,7 +856,7 @@ The interative prompts for key usage and whether any extensions are critical and <para> From there, new certificates can reference the self-signed certificate: </para> -<programlisting>$ certutil -S -s "CN=My Server Cert" -n my-server-cert -c "my-ca-cert" -t "u,u,u" -1 -5 -6 -8 -m 730</programlisting> +<programlisting>$ certutil -S -s "CN=My Server Cert" -n my-server-cert -c "my-ca-cert" -t ",," -1 -5 -6 -8 -m 730</programlisting> <para><command>Generating a Certificate from a Certificate Request</command></para> <para> @@ -1023,11 +1019,11 @@ certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and <para> For example: </para> -<programlisting>$ certutil -A -n "CN=My SSL Certificate" -t "u,u,u" -d sql:/home/my/sharednssdb -i /home/example-certs/cert.cer</programlisting> +<programlisting>$ certutil -A -n "CN=My SSL Certificate" -t ",," -d sql:/home/my/sharednssdb -i /home/example-certs/cert.cer</programlisting> <para> A related command option, <option>-E</option>, is used specifically to add email certificates to the certificate database. The <option>-E</option> command has the same arguments as the <option>-A</option> command. The trust arguments for certificates have the format <emphasis>SSL,S/MIME,Code-signing</emphasis>, so the middle trust settings relate most to email certificates (though the others can be set). For example: </para> -<programlisting>$ certutil -E -n "CN=John Smith Email Cert" -t ",Pu," -d sql:/home/my/sharednssdb -i /home/example-certs/email.cer</programlisting> +<programlisting>$ certutil -E -n "CN=John Smith Email Cert" -t ",P," -d sql:/home/my/sharednssdb -i /home/example-certs/email.cer</programlisting> <para><command>Deleting Certificates to the Database</command></para> <para> 
@@ -1057,7 +1053,7 @@ certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and <para> For example: </para> -<programlisting>$ certutil -M -n "My CA Certificate" -d sql:/home/my/sharednssdb -t "CTu,CTu,CTu"</programlisting> +<programlisting>$ certutil -M -n "My CA Certificate" -d sql:/home/my/sharednssdb -t "CT,CT,CT"</programlisting> <para><command>Printing the Certificate Chain</command></para> <para> |
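Review bot: in the -q hunk the replacement paragraph reads "one of the ones from nistp256, nistp384, nistp521, curve25519", a leftover from deleting "SUITE B"; suggest "Elliptic curve name is one of: nistp256, nistp384, nistp521, curve25519." The added sentence also misspells "following" ("foolowing"). Separately, the hunk deletes the `</listitem>` line immediately before `</varlistentry>` with no replacement, so the `<listitem>` opened after `<term>-q pqgfile or curve-name</term>` is no longer closed within the hunk; please confirm the DocBook still validates, or restore the `</listitem>`.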
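Review bot: in the trust-attribute hunk the swapped T entry now reads "trusted CA for client authentication (ssl server only)", which contradicts itself (client authentication versus "ssl server only"), while the C entry lost its usage qualifier and says only "Trusted CA (implies c)". The examples in the same patch set T in the S/MIME and code-signing columns ("TC,C,T", and "CT,CT,CT" in the -M example), so each entry should state which certificate usage column the flag is meaningful in rather than "ssl server only". Minor: "may include "u" flag" should read "may include the "u" flag", and since the new note says u cannot be set with certutil, it would help to say what -t does when a caller still passes it.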