From 74cabf7948b2597f5b6a67d6910c844fd1a88ff6 Mon Sep 17 00:00:00 2001 From: wolfbeast Date: Sat, 15 Dec 2018 01:42:53 +0100 Subject: Update NSS to 3.41 --- security/nss/doc/html/pk12util.html | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'security/nss/doc/html/pk12util.html') diff --git a/security/nss/doc/html/pk12util.html b/security/nss/doc/html/pk12util.html index 94dbf51e9..d773136c4 100644 --- a/security/nss/doc/html/pk12util.html +++ b/security/nss/doc/html/pk12util.html @@ -1,5 +1,5 @@ -PK12UTIL

Name

pk12util — Export and import keys and certificate to or from a PKCS #12 file and the NSS database

Synopsis

pk12util [-i p12File|-l p12File|-o p12File] [-d [sql:]directory] [-h tokenname] [-P dbprefix] [-r] [-v] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]

STATUS

This documentation is still work in progress. Please contribute to the initial review in Mozilla NSS bug 836477 -

Description

The PKCS #12 utility, pk12util, enables sharing certificates among any server that supports PKCS #12. The tool can import certificates and keys from PKCS #12 files into security databases, export certificates, and list certificates and keys.

Options and Arguments

Options

-i p12file

Import keys and certificates from a PKCS #12 file into a security database.

-l p12file

List the keys and certificates in PKCS #12 file.

-o p12file

Export keys and certificates from the security database to a PKCS #12 file.

Arguments

-c keyCipher

Specify the key encryption algorithm.

-C certCipher

Specify the certiticate encryption algorithm.

-d [sql:]directory

Specify the database directory into which to import to or export from certificates and keys.

pk12util supports two types of databases: the legacy security databases (cert8.db, key3.db, and secmod.db) and new SQLite databases (cert9.db, key4.db, and pkcs11.txt). If the prefix sql: is not used, then the tool assumes that the given databases are in the old format.

-h tokenname

Specify the name of the token to import into or export from.

-k slotPasswordFile

Specify the text file containing the slot's password.

-K slotPassword

Specify the slot's password.

-m | --key-len keyLength

Specify the desired length of the symmetric key to be used to encrypt the private key.

-n | --cert-key-len certKeyLength

Specify the desired length of the symmetric key to be used to encrypt the certificates and other meta-data.

-n certname

Specify the nickname of the cert and private key to export.

-P prefix

Specify the prefix used on the certificate and key databases. This option is provided as a special case. +PK12UTIL

Name

pk12util — Export and import keys and certificate to or from a PKCS #12 file and the NSS database

Synopsis

pk12util [-i p12File|-l p12File|-o p12File] [-d [sql:]directory] [-h tokenname] [-P dbprefix] [-r] [-v] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]

STATUS

This documentation is still work in progress. Please contribute to the initial review in Mozilla NSS bug 836477 +

Description

The PKCS #12 utility, pk12util, enables sharing certificates among any server that supports PKCS #12. The tool can import certificates and keys from PKCS #12 files into security databases, export certificates, and list certificates and keys.

Options and Arguments

Options

-i p12file

Import keys and certificates from a PKCS #12 file into a security database.

-l p12file

List the keys and certificates in PKCS #12 file.

-o p12file

Export keys and certificates from the security database to a PKCS #12 file.

Arguments

-c keyCipher

Specify the key encryption algorithm.

-C certCipher

Specify the certiticate encryption algorithm.

-d [sql:]directory

Specify the database directory into which to import to or export from certificates and keys.

pk12util supports two types of databases: the legacy security databases (cert8.db, key3.db, and secmod.db) and new SQLite databases (cert9.db, key4.db, and pkcs11.txt). If the prefix sql: is not used, then the tool assumes that the given databases are in the old format.

-h tokenname

Specify the name of the token to import into or export from.

-k slotPasswordFile

Specify the text file containing the slot's password.

-K slotPassword

Specify the slot's password.

-m | --key-len keyLength

Specify the desired length of the symmetric key to be used to encrypt the private key.

-n | --cert-key-len certKeyLength

Specify the desired length of the symmetric key to be used to encrypt the certificates and other meta-data.

-n certname

Specify the nickname of the cert and private key to export.

The nickname can also be a PKCS #11 URI. For example, if you have a certificate named "my-server-cert" on the internal certificate store, it can be unambiguously specified as "pkcs11:token=NSS%20Certificate%20DB;object=my-server-cert". For details about the format, see RFC 7512.

-P prefix

Specify the prefix used on the certificate and key databases. This option is provided as a special case. Changing the names of the certificate and key databases is not recommended.

-r

Dumps all of the data in raw (binary) form. This must be saved as a DER file. The default is to return information in a pretty-print ASCII format, which displays the information about the certificates and public keys in the p12 file.

-v

Enable debug logging when importing.

-w p12filePasswordFile

Specify the text file containing the pkcs #12 file password.

-W p12filePassword

Specify the pkcs #12 file password.

Return Codes

  • 0 - No error

  • 1 - User Cancelled

  • 2 - Usage error

  • 6 - NLS init error

  • 8 - Certificate DB open error

  • 9 - Key DB open error

  • 10 - File initialization error

  • 11 - Unicode conversion error

  • 12 - Temporary file creation error

  • 13 - PKCS11 get slot error

  • 14 - PKCS12 decoder start error

  • 15 - error read from import file

  • 16 - pkcs12 decode error

  • 17 - pkcs12 decoder verify error

  • 18 - pkcs12 decoder validate bags error

  • 19 - pkcs12 decoder import bags error

  • 20 - key db conversion version 3 to version 2 error

  • 21 - cert db conversion version 7 to version 5 error

  • 22 - cert and key dbs patch error

  • 23 - get default cert db error

  • 24 - find cert by nickname error

  • 25 - create export context error

  • 26 - PKCS12 add password itegrity error

  • 27 - cert and key Safes creation error

  • 28 - PKCS12 add cert and key error

  • 29 - PKCS12 encode error

Examples

Importing Keys and Certificates

The most basic usage of pk12util for importing a certificate or key is the PKCS #12 input file (-i) and some way to specify the security database being accessed (either -d for a directory or -h for a token).

pk12util -i p12File [-h tokenname] [-v] [-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword] -- cgit v1.2.3
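Review bot: In the Arguments list on the added side, `-n` is documented twice with different meanings, once as "-n | --cert-key-len certKeyLength" and again as "-n certname", so the nickname option that the new PKCS #11 URI paragraph extends shares its flag with an unrelated key-length option. Please check the short form given for --cert-key-len against the tool's option table and correct whichever entry is wrong. While this file is being touched, the carried-over typos "certiticate" (under -C) and "itegrity" (return code 26) could be fixed at the source, and the Synopsis could list -c, -C, --key-len, --cert-key-len and -n, which are described in Arguments but absent from it. The -K and -W entries would also benefit from a sentence pointing readers to the -k and -w password-file forms, because a password passed as a command-line argument is visible in the process list and shell history.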