CERTUTIL

Name

certutil — Manage keys and certificate in both NSS databases and other NSS tokens

Synopsis

certutil [options] [[arguments]]

STATUS

This documentation is still work in progress. Please contribute to the initial review in Mozilla NSS bug 836477 -

Description

The Certificate Database Tool, certutil, is a command-line utility that can create and modify certificate and key databases. It can specifically list, generate, modify, or delete certificates, create or change the password, generate new public and private key pairs, display the contents of the key database, or delete key pairs within the key database.

Certificate issuance, part of the key and certificate management process, requires that keys and certificates be created in the key database. This document discusses certificate and key database management. For information on the security module database management, see the modutil manpage.

Command Options and Arguments

Running certutil always requires one and only one command option to specify the type of certificate operation. Each command option may take zero or more arguments. The command option -H will list all the command options and their relevant arguments.

Command Options

-A

Add an existing certificate to a certificate database. The certificate database should already exist; if one is not present, this command option will initialize one by default.

-B

Run a series of commands from the specified batch file. This requires the -i argument.

-C

Create a new binary certificate file from a binary certificate request file. Use the -i argument to specify the certificate request file. If this argument is not used, certutil prompts for a filename.

-D

Delete a certificate from the certificate database.

--rename

Change the database nickname of a certificate.

-E

Add an email certificate to the certificate database.

-F

Delete a private key from a key database. Specify the key to delete with the -n argument. Specify the database from which to delete the key with the --d argument. Use the -k argument to specify explicitly whether to delete a DSA, RSA, or ECC key. If you don't use the -k argument, the option looks for an RSA key matching the specified nickname. +CERTUTIL

CERTUTIL

Name

certutil — Manage keys and certificate in both NSS databases and other NSS tokens

Synopsis

certutil [options] [[arguments]]

STATUS

This documentation is still work in progress. Please contribute to the initial review in Mozilla NSS bug 836477 +

Description

Command Options and Arguments

Command Options

-A

Add an existing certificate to a certificate database. The certificate database should already exist; if one is not present, this command option will initialize one by default.

-B

Run a series of commands from the specified batch file. This requires the -i argument.

-C

-D

Delete a certificate from the certificate database.

--rename

Change the database nickname of a certificate.

-E

Add an email certificate to the certificate database.

-F

Delete a private key and the associated certificate from a database. Specify the key to delete with the -n argument or the -k argument. Specify the database from which to delete the key with the +-d argument.

-When you delete keys, be sure to also remove any certificates associated with those keys from the certificate database, by using -D. Some smart cards do not let you remove a public key you have generated. In such a case, only the private key is deleted from the key pair. You can display the public key with the command certutil -K -h tokenname.

-G

Generate a new public and private key pair within a key database. The key database should already exist; if one is not present, this command option will initialize one by default. Some smart cards can store only one key pair. If you create a new key pair for such a card, the previous pair is overwritten.

-H

Display a list of the command options and arguments.

-K

List the key ID of keys in the key database. A key ID is the modulus of the RSA key or the publicValue of the DSA key. IDs are displayed in hexadecimal ("0x" is not shown).

-L

List all the certificates, or display information about a named certificate, in a certificate database. +Some smart cards do not let you remove a public key you have generated. In such a case, only the private key is deleted from the key pair.

-G

-H

Display a list of the command options and arguments.

-K

List the key ID of keys in the key database. A key ID is the modulus of the RSA key or the publicValue of the DSA key. IDs are displayed in hexadecimal ("0x" is not shown).

-L

List all the certificates, or display information about a named certificate, in a certificate database. Use the -h tokenname argument to specify the certificate database on a particular hardware or software token.

-M

Modify a certificate's trust attributes using the values of the -t argument.

-N

Create new certificate and key databases.

-O

Print the certificate chain.

-R

Create a certificate request file that can be submitted to a Certificate Authority (CA) for processing into a finished certificate. Output defaults to standard out unless you use -o output-file argument. Use the -a argument to specify ASCII output.

-S

Create an individual certificate and add it to a certificate database.

-T

Reset the key database or token.

-U

List all available modules or print a single named module.

-V

Check the validity of a certificate and its attributes.

-W

Change the password to a key database.

--merge

Merge two databases into one.

--upgrade-merge

Upgrade an old database and merge it into a new database. This is used to migrate legacy NSS databases (cert8.db and key3.db) into the newer SQLite databases (cert9.db and key4.db).

Arguments

Arguments modify a command option and are usually lower case, numbers, or symbols.

-a

Use ASCII format or allow the use of ASCII format for input or output. This formatting follows RFC 1113. @@ -14,13 +14,13 @@ If this option is not used, the validity check defaults to the current system ti Add one or multiple extensions that certutil cannot encode yet, by loading their encodings from external files.

OID (example): 1.2.3.4
critical-flag: critical or not-critical
filename: full path to a file containing an encoded extension

-f password-file

Specify a file that will automatically supply the password to include in a certificate or to access a certificate database. This is a plain-text file containing one password. Be sure to prevent - unauthorized access to this file.

-g keysize

Set a key size to use when generating new public and private key pairs. The minimum is 512 bits and the maximum is 16384 bits. The default is 2048 bits. Any size between the minimum and maximum is allowed.

-h tokenname

Specify the name of a token to use or act on. If not specified the default token is the internal database slot.

-i input_file

Pass an input file to the command. Depending on the command option, an input file can be a specific certificate, a certificate request file, or a batch file of commands.

-k key-type-or-id

Specify the type or specific ID of a key.

+ unauthorized access to this file.

-g keysize

-h tokenname

Specify the name of a token to use or act on. If not specified the default token is the internal database slot.

The name can also be a PKCS #11 URI. For example, the NSS internal certificate store can be unambiguously specified as "pkcs11:token=NSS%20Certificate%20DB". For details about the format, see RFC 7512.

-i input_file

Pass an input file to the command. Depending on the command option, an input file can be a specific certificate, a certificate request file, or a batch file of commands.

-k key-type-or-id

Specify the type or specific ID of a key.

The valid key type options are rsa, dsa, ec, or all. The default value is rsa. Specifying the type of key can avoid mistakes caused by duplicate nicknames. Giving a key type generates a new key pair; giving the ID of an existing key reuses that key pair (which is required to renew certificates). -

-l

Display detailed information when validating a certificate with the -V option.

-m serial-number

Assign a unique serial number to a certificate being created. This operation should be performed by a CA. If no serial number is provided a default serial number is made from the current time. Serial numbers are limited to integers

-n nickname

Specify the nickname of a certificate or key to list, create, add to a database, modify, or validate. Bracket the nickname string with quotation marks if it contains spaces.

-o output-file

Specify the output file name for new certificates or binary certificate requests. Bracket the output-file string with quotation marks if it contains spaces. If this argument is not used the output destination defaults to standard output.

-P dbPrefix

Specify the prefix used on the certificate and key database file. This argument is provided to support legacy servers. Most applications do not use a database prefix.

-p phone

Specify a contact telephone number to include in new certificates or certificate requests. Bracket this string with quotation marks if it contains spaces.

-q pqgfile or curve-name

Read an alternate PQG value from the specified file when generating DSA key pairs. If this argument is not used, certutil generates its own PQG value. PQG files are created with a separate DSA utility.

Elliptic curve name is one of the ones from nistp256, nistp384, nistp521, curve25519.

-l

Display detailed information when validating a certificate with the -V option.

-m serial-number

-n nickname

Specify the nickname of a certificate or key to list, create, add to a database, modify, or validate. Bracket the nickname string with quotation marks if it contains spaces.

The nickname can also be a PKCS #11 URI. For example, if you have a certificate named "my-server-cert" on the internal certificate store, it can be unambiguously specified as "pkcs11:token=NSS%20Certificate%20DB;object=my-server-cert". For details about the format, see RFC 7512.

-o output-file

-P dbPrefix

Specify the prefix used on the certificate and key database file. This argument is provided to support legacy servers. Most applications do not use a database prefix.

-p phone

Specify a contact telephone number to include in new certificates or certificate requests. Bracket this string with quotation marks if it contains spaces.

-q pqgfile or curve-name

Elliptic curve name is one of the ones from nistp256, nistp384, nistp521, curve25519.

If a token is available that supports more curves, the foolowing curves are supported as well: sect163k1, nistk163, sect163r1, sect163r2, nistb163, sect193r1, sect193r2, sect233k1, nistk233, @@ -277,9 +277,11 @@ certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and slot: NSS User Private Key and Certificate Services token: NSS Certificate DB + uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203 slot: NSS Internal Cryptographic Services - token: NSS Generic Crypto Services

Adding Certificates to the Database

+ token: NSS Generic Crypto Services + uri: pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203

Adding Certificates to the Database

Existing certificates or certificate requests can be added manually to the certificate database, even if they were generated elsewhere. This uses the -A command option.

certutil -A -n certname -t trustargs -d [sql:]directory [-a] [-i input-file]

For example: -- cgit v1.2.3