CERTUTIL

Name

certutil — Manage keys and certificate in both NSS databases and other NSS tokens

Synopsis

certutil [options] [[arguments]]

STATUS

This documentation is still work in progress. Please contribute to the initial review in Mozilla NSS bug 836477 +CERTUTIL

CERTUTIL

Name

certutil — Manage keys and certificate in both NSS databases and other NSS tokens

Synopsis

certutil [options] [[arguments]]

STATUS

This documentation is still work in progress. Please contribute to the initial review in Mozilla NSS bug 836477

Description

The Certificate Database Tool, certutil, is a command-line utility that can create and modify certificate and key databases. It can specifically list, generate, modify, or delete certificates, create or change the password, generate new public and private key pairs, display the contents of the key database, or delete key pairs within the key database.

Certificate issuance, part of the key and certificate management process, requires that keys and certificates be created in the key database. This document discusses certificate and key database management. For information on the security module database management, see the modutil manpage.

Command Options and Arguments

Running certutil always requires one and only one command option to specify the type of certificate operation. Each command option may take zero or more arguments. The command option -H will list all the command options and their relevant arguments.

Command Options

-A

Add an existing certificate to a certificate database. The certificate database should already exist; if one is not present, this command option will initialize one by default.

-B

Run a series of commands from the specified batch file. This requires the -i argument.

-C

Create a new binary certificate file from a binary certificate request file. Use the -i argument to specify the certificate request file. If this argument is not used, certutil prompts for a filename.

-D

Delete a certificate from the certificate database.

--rename

Change the database nickname of a certificate.

-E

Add an email certificate to the certificate database.

-F

Delete a private key from a key database. Specify the key to delete with the -n argument. Specify the database from which to delete the key with the -d argument. Use the -k argument to specify explicitly whether to delete a DSA, RSA, or ECC key. If you don't use the -k argument, the option looks for an RSA key matching the specified nickname.

@@ -20,26 +20,25 @@ Add one or multiple extensions that certutil cannot encode yet, by loading their duplicate nicknames. Giving a key type generates a new key pair; giving the ID of an existing key reuses that key pair (which is required to renew certificates). -

-l

Display detailed information when validating a certificate with the -V option.

-m serial-number

Assign a unique serial number to a certificate being created. This operation should be performed by a CA. If no serial number is provided a default serial number is made from the current time. Serial numbers are limited to integers

-n nickname

Specify the nickname of a certificate or key to list, create, add to a database, modify, or validate. Bracket the nickname string with quotation marks if it contains spaces.

-o output-file

Specify the output file name for new certificates or binary certificate requests. Bracket the output-file string with quotation marks if it contains spaces. If this argument is not used the output destination defaults to standard output.

-P dbPrefix

Specify the prefix used on the certificate and key database file. This argument is provided to support legacy servers. Most applications do not use a database prefix.

-p phone

Specify a contact telephone number to include in new certificates or certificate requests. Bracket this string with quotation marks if it contains spaces.

-q pqgfile or curve-name

Read an alternate PQG value from the specified file when generating DSA key pairs. If this argument is not used, certutil generates its own PQG value. PQG files are created with a separate DSA utility.

Elliptic curve name is one of the ones from nistp256, nistp384, nistp521, curve25519.

- If a token is available that supports more curves, the foolowing curves are supported as well: - sect163k1, nistk163, sect163r1, sect163r2, - nistb163, sect193r1, sect193r2, sect233k1, nistk233, - sect233r1, nistb233, sect239k1, sect283k1, nistk283, - sect283r1, nistb283, sect409k1, nistk409, sect409r1, - nistb409, sect571k1, nistk571, sect571r1, nistb571, - secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, - nistp192, secp224k1, secp224r1, nistp224, secp256k1, - secp256r1, secp384r1, secp521r1, - prime192v1, prime192v2, prime192v3, - prime239v1, prime239v2, prime239v3, c2pnb163v1, - c2pnb163v2, c2pnb163v3, c2pnb176v1, c2tnb191v1, - c2tnb191v2, c2tnb191v3, - c2pnb208w1, c2tnb239v1, c2tnb239v2, c2tnb239v3, - c2pnb272w1, c2pnb304w1, - c2tnb359w1, c2pnb368w1, c2tnb431r1, secp112r1, - secp112r2, secp128r1, secp128r2, sect113r1, sect113r2, - sect131r1, sect131r2 -

-r

Display a certificate's binary DER encoding when listing information about that certificate with the -L option.

-s subject

Identify a particular certificate owner for new certificates or certificate requests. Bracket this string with quotation marks if it contains spaces. The subject identification format follows RFC #1485.

-t trustargs

Specify the trust attributes to modify in an existing certificate or to apply to a certificate when creating it or adding it to a database. There are three available trust categories for each certificate, expressed in the order SSL, email, object signing for each trust setting. In each category position, use none, any, or all +

-l

Display detailed information when validating a certificate with the -V option.

-m serial-number

-n nickname

Specify the nickname of a certificate or key to list, create, add to a database, modify, or validate. Bracket the nickname string with quotation marks if it contains spaces.

-o output-file

-P dbPrefix

Specify the prefix used on the certificate and key database file. This argument is provided to support legacy servers. Most applications do not use a database prefix.

-p phone

Specify a contact telephone number to include in new certificates or certificate requests. Bracket this string with quotation marks if it contains spaces.

-q pqgfile or curve-name

Elliptic curve name is one of the ones from nistp256, nistp384, nistp521, curve25519.

If a token is available that supports more curves, the foolowing curves are supported as well: + sect163k1, nistk163, sect163r1, sect163r2, + nistb163, sect193r1, sect193r2, sect233k1, nistk233, + sect233r1, nistb233, sect239k1, sect283k1, nistk283, + sect283r1, nistb283, sect409k1, nistk409, sect409r1, + nistb409, sect571k1, nistk571, sect571r1, nistb571, + secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, + nistp192, secp224k1, secp224r1, nistp224, secp256k1, + secp256r1, secp384r1, secp521r1, + prime192v1, prime192v2, prime192v3, + prime239v1, prime239v2, prime239v3, c2pnb163v1, + c2pnb163v2, c2pnb163v3, c2pnb176v1, c2tnb191v1, + c2tnb191v2, c2tnb191v3, + c2pnb208w1, c2tnb239v1, c2tnb239v2, c2tnb239v3, + c2pnb272w1, c2pnb304w1, + c2tnb359w1, c2pnb368w1, c2tnb431r1, secp112r1, + secp112r2, secp128r1, secp128r2, sect113r1, sect113r2, + sect131r1, sect131r2

-r

Display a certificate's binary DER encoding when listing information about that certificate with the -L option.

-s subject

-t trustargs

p - Valid peer @@ -60,7 +59,7 @@ of the attribute codes: the certificate or adding it to a database. Express the offset in integers, using a minus sign (-) to indicate a negative offset. If this argument is not used, the validity period begins at the current system time. The length - of the validity period is set with the -v argument.

-X

Force the key and certificate database to open in read-write mode. This is used with the -U and -L command options.

-x

Use certutil to generate the signature for a certificate being created or added to a database, rather than obtaining a signature from a separate CA.

-y exp

Set an alternate exponent value to use in generating a new RSA public key for the database, instead of the default value of 65537. The available alternate values are 3 and 17.

--pss

Restrict the generated certificate (with the -S option) or certificate request (with the -R option) to be used with the RSA-PSS signature scheme. This only works when the private key of the certificate or certificate request is RSA.

--pss-sign

Sign the generated certificate with the RSA-PSS signature scheme (with the -C or -S option). This only works when the private key of the signer's certificate is RSA. If the signer's certificate is restricted to RSA-PSS, it is not necessary to specify this option.

-z noise-file

Read a seed value from the specified file to generate a new private and public key pair. This argument makes it possible to use hardware-generated seed values or manually create a value from the keyboard. The minimum file size is 20 bytes.

-Z hashAlg

Specify the hash algorithm to use with the -C, -S or -R command options. Possible keywords:

MD2
MD4
MD5
SHA1
SHA224
SHA256
SHA384
SHA512

-0 SSO_password

Set a site security officer password on a token.

-1 | --keyUsage keyword,keyword

Set an X.509 V3 Certificate Type Extension in the certificate. There are several available keywords:

+ of the validity period is set with the -v argument.

-X

Force the key and certificate database to open in read-write mode. This is used with the -U and -L command options.

-x

Use certutil to generate the signature for a certificate being created or added to a database, rather than obtaining a signature from a separate CA.

-y exp

Set an alternate exponent value to use in generating a new RSA public key for the database, instead of the default value of 65537. The available alternate values are 3 and 17.

-z noise-file

-Z hashAlg

Specify the hash algorithm to use with the -C, -S or -R command options. Possible keywords:

MD2
MD4
MD5
SHA1
SHA224
SHA256
SHA384
SHA512

-0 SSO_password

Set a site security officer password on a token.

-1 | --keyUsage keyword,keyword

Set an X.509 V3 Certificate Type Extension in the certificate. There are several available keywords:

digitalSignature
nonRepudiation diff --git a/security/nss/doc/html/pk12util.html b/security/nss/doc/html/pk12util.html index 94dbf51e9..fe516dd83 100644 --- a/security/nss/doc/html/pk12util.html +++ b/security/nss/doc/html/pk12util.html @@ -1,6 +1,6 @@ -PK12UTIL
PK12UTIL
Name
pk12util — Export and import keys and certificate to or from a PKCS #12 file and the NSS database
Synopsis
pk12util [-i p12File|-l p12File|-o p12File] [-d [sql:]directory] [-h tokenname] [-P dbprefix] [-r] [-v] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]
STATUS
This documentation is still work in progress. Please contribute to the initial review in Mozilla NSS bug 836477 -
Description
The PKCS #12 utility, pk12util, enables sharing certificates among any server that supports PKCS #12. The tool can import certificates and keys from PKCS #12 files into security databases, export certificates, and list certificates and keys.
Options and Arguments
Options
-i p12file
Import keys and certificates from a PKCS #12 file into a security database.
-l p12file
List the keys and certificates in PKCS #12 file.
-o p12file
Export keys and certificates from the security database to a PKCS #12 file.
Arguments
-c keyCipher
Specify the key encryption algorithm.
-C certCipher
Specify the certiticate encryption algorithm.
-d [sql:]directory
Specify the database directory into which to import to or export from certificates and keys.
pk12util supports two types of databases: the legacy security databases (cert8.db, key3.db, and secmod.db) and new SQLite databases (cert9.db, key4.db, and pkcs11.txt). If the prefix sql: is not used, then the tool assumes that the given databases are in the old format.
-h tokenname
Specify the name of the token to import into or export from.
-k slotPasswordFile
Specify the text file containing the slot's password.
-K slotPassword
Specify the slot's password.
-m | --key-len keyLength
Specify the desired length of the symmetric key to be used to encrypt the private key.
-n | --cert-key-len certKeyLength
Specify the desired length of the symmetric key to be used to encrypt the certificates and other meta-data.
-n certname
Specify the nickname of the cert and private key to export.
-P prefix
Specify the prefix used on the certificate and key databases. This option is provided as a special case. - Changing the names of the certificate and key databases is not recommended.
-r
Dumps all of the data in raw (binary) form. This must be saved as a DER file. The default is to return information in a pretty-print ASCII format, which displays the information about the certificates and public keys in the p12 file.
-v
Enable debug logging when importing.
-w p12filePasswordFile
Specify the text file containing the pkcs #12 file password.
-W p12filePassword
Specify the pkcs #12 file password.
Return Codes
- 0 - No error
- 1 - User Cancelled
- 2 - Usage error
- 6 - NLS init error
- 8 - Certificate DB open error
- 9 - Key DB open error
- 10 - File initialization error
- 11 - Unicode conversion error
- 12 - Temporary file creation error
- 13 - PKCS11 get slot error
- 14 - PKCS12 decoder start error
- 15 - error read from import file
- 16 - pkcs12 decode error
- 17 - pkcs12 decoder verify error
- 18 - pkcs12 decoder validate bags error
- 19 - pkcs12 decoder import bags error
- 20 - key db conversion version 3 to version 2 error
- 21 - cert db conversion version 7 to version 5 error
- 22 - cert and key dbs patch error
- 23 - get default cert db error
- 24 - find cert by nickname error
- 25 - create export context error
- 26 - PKCS12 add password itegrity error
- 27 - cert and key Safes creation error
- 28 - PKCS12 add cert and key error
- 29 - PKCS12 encode error
Examples
Importing Keys and Certificates
The most basic usage of pk12util for importing a certificate or key is the PKCS #12 input file (-i) and some way to specify the security database being accessed (either -d for a directory or -h for a token). +PK12UTIL
PK12UTIL
Name
pk12util — Export and import keys and certificate to or from a PKCS #12 file and the NSS database
Synopsis
pk12util [-i p12File|-l p12File|-o p12File] [-d [sql:]directory] [-h tokenname] [-P dbprefix] [-r] [-v] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]
STATUS
This documentation is still work in progress. Please contribute to the initial review in Mozilla NSS bug 836477 +
Description
The PKCS #12 utility, pk12util, enables sharing certificates among any server that supports PKCS#12. The tool can import certificates and keys from PKCS#12 files into security databases, export certificates, and list certificates and keys.
Options and Arguments
Options
-i p12file
Import keys and certificates from a PKCS#12 file into a security database.
-l p12file
List the keys and certificates in PKCS#12 file.
-o p12file
Export keys and certificates from the security database to a PKCS#12 file.
Arguments
-c keyCipher
Specify the key encryption algorithm.
-C certCipher
Specify the key cert (overall package) encryption algorithm.
-d [sql:]directory
Specify the database directory into which to import to or export from certificates and keys.
pk12util supports two types of databases: the legacy security databases (cert8.db, key3.db, and secmod.db) and new SQLite databases (cert9.db, key4.db, and pkcs11.txt). If the prefix sql: is not used, then the tool assumes that the given databases are in the old format.
-h tokenname
Specify the name of the token to import into or export from.
-k slotPasswordFile
Specify the text file containing the slot's password.
-K slotPassword
Specify the slot's password.
-m | --key-len keyLength
Specify the desired length of the symmetric key to be used to encrypt the private key.
-n | --cert-key-len certKeyLength
Specify the desired length of the symmetric key to be used to encrypt the certificates and other meta-data.
-n certname
Specify the nickname of the cert and private key to export.
-P prefix
Specify the prefix used on the certificate and key databases. This option is provided as a special case. + Changing the names of the certificate and key databases is not recommended.
-r
Dumps all of the data in raw (binary) form. This must be saved as a DER file. The default is to return information in a pretty-print ASCII format, which displays the information about the certificates and public keys in the p12 file.
-v
Enable debug logging when importing.
-w p12filePasswordFile
Specify the text file containing the pkcs #12 file password.
-W p12filePassword
Specify the pkcs #12 file password.
Return Codes
0 - No error
1 - User Cancelled
2 - Usage error
6 - NLS init error
8 - Certificate DB open error
9 - Key DB open error
10 - File initialization error
11 - Unicode conversion error
12 - Temporary file creation error
13 - PKCS11 get slot error
14 - PKCS12 decoder start error
15 - error read from import file
16 - pkcs12 decode error
17 - pkcs12 decoder verify error
18 - pkcs12 decoder validate bags error
19 - pkcs12 decoder import bags error
20 - key db conversion version 3 to version 2 error
21 - cert db conversion version 7 to version 5 error
22 - cert and key dbs patch error
23 - get default cert db error
24 - find cert by nickname error
25 - create export context error
26 - PKCS12 add password itegrity error
27 - cert and key Safes creation error
28 - PKCS12 add cert and key error
29 - PKCS12 encode error
Examples
Importing Keys and Certificates
The most basic usage of pk12util for importing a certificate or key is the PKCS#12 input file (-i) and some way to specify the security database being accessed (either -d for a directory or -h for a token).
pk12util -i p12File [-h tokenname] [-v] [-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]
For example:

# pk12util -i /tmp/cert-files/users.p12 -d sql:/home/my/sharednssdb @@ -12,7 +12,7 @@ and should contain at least one non-alphabetic character. Enter new password: Re-enter password: Enter password for PKCS12 file: -pk12util: PKCS12 IMPORT SUCCESSFUL
Exporting Keys and Certificates
Using the pk12util command to export certificates and keys requires both the name of the certificate to extract from the database (-n) and the PKCS #12-formatted output file to write to. There are optional parameters that can be used to encrypt the file to protect the certificate material. +pk12util: PKCS12 IMPORT SUCCESSFUL
Exporting Keys and Certificates
Using the pk12util command to export certificates and keys requires both the name of the certificate to extract from the database (-n) and the PKCS#12-formatted output file to write to. There are optional parameters that can be used to encrypt the file to protect the certificate material.
pk12util -o p12File -n certname [-c keyCipher] [-C certCipher] [-m|--key_len keyLen] [-n|--cert_key_len certKeyLen] [-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]
For example:
# pk12util -o certs.p12 -n Server-Cert -d sql:/home/my/sharednssdb Enter password for PKCS12 file: Re-enter password:
Listing Keys and Certificates
The information in a .p12 file are not human-readable. The certificates and keys in the file can be printed (listed) in a human-readable pretty-print format that shows information for every certificate and any public keys in the .p12 file. @@ -48,7 +48,7 @@ Key(shrouded): Certificate Friendly Name: Thawte Personal Freemail Issuing CA - Thawte Consulting Certificate Friendly Name: Thawte Freemail Member's Thawte Consulting (Pty) Ltd. ID -
Password Encryption
PKCS #12 provides for not only the protection of the private keys but also the certificate and meta-data associated with the keys. Password-based encryption is used to protect private keys on export to a PKCS #12 file and, optionally, the associated certificates. If no algorithm is specified, the tool defaults to using PKCS #12 SHA-1 and 3-key triple DES for private key encryption. When not in FIPS mode, PKCS #12 SHA-1 and 40-bit RC4 is used for certificate encryption. When in FIPS mode, there is no certificate encryption. If certificate encryption is not wanted, specify "NONE" as the argument of the -C option.
The private key is always protected with strong encryption by default.
Several types of ciphers are supported.
PKCS #5 password-based encryption
PBES2 with AES-CBC-Pad as underlying encryption scheme ("AES-128-CBC", "AES-192-CBC", and "AES-256-CBC")
PKCS #12 password-based encryption
SHA-1 and 128-bit RC4 ("PKCS #12 V2 PBE With SHA-1 And 128 Bit RC4" or "RC4")
SHA-1 and 40-bit RC4 ("PKCS #12 V2 PBE With SHA-1 And 40 Bit RC4") (used by default for certificate encryption in non-FIPS mode)
SHA-1 and 3-key triple-DES ("PKCS #12 V2 PBE With SHA-1 And 3KEY Triple DES-CBC" or "DES-EDE3-CBC")
SHA-1 and 128-bit RC2 ("PKCS #12 V2 PBE With SHA-1 And 128 Bit RC2 CBC" or "RC2-CBC")
SHA-1 and 40-bit RC2 ("PKCS #12 V2 PBE With SHA-1 And 40 Bit RC2 CBC")
With PKCS #12, the crypto provider may be the soft token module or an external hardware module. If the cryptographic module does not support the requested algorithm, then the next best fit will be selected (usually the default). If no suitable replacement for the desired algorithm can be found, the tool returns the error no security module can perform the requested operation.
NSS Database Types
NSS originally used BerkeleyDB databases to store security information. +
Password Encryption
PKCS#12 provides for not only the protection of the private keys but also the certificate and meta-data associated with the keys. Password-based encryption is used to protect private keys on export to a PKCS#12 file and, optionally, the entire package. If no algorithm is specified, the tool defaults to using PKCS12 V2 PBE with SHA1 and 3KEY Triple DES-cbc for private key encryption. PKCS12 V2 PBE with SHA1 and 40 Bit RC4 is the default for the overall package encryption when not in FIPS mode. When in FIPS mode, there is no package encryption.
The private key is always protected with strong encryption by default.
Several types of ciphers are supported.
Symmetric CBC ciphers for PKCS#5 V2
DES-CBC
RC2-CBC
RC5-CBCPad
DES-EDE3-CBC (the default for key encryption)
AES-128-CBC
AES-192-CBC
AES-256-CBC
CAMELLIA-128-CBC
CAMELLIA-192-CBC
CAMELLIA-256-CBC
PKCS#12 PBE ciphers
PKCS #12 PBE with Sha1 and 128 Bit RC4
PKCS #12 PBE with Sha1 and 40 Bit RC4
PKCS #12 PBE with Sha1 and Triple DES CBC
PKCS #12 PBE with Sha1 and 128 Bit RC2 CBC
PKCS #12 PBE with Sha1 and 40 Bit RC2 CBC
PKCS12 V2 PBE with SHA1 and 128 Bit RC4
PKCS12 V2 PBE with SHA1 and 40 Bit RC4 (the default for non-FIPS mode)
PKCS12 V2 PBE with SHA1 and 3KEY Triple DES-cbc
PKCS12 V2 PBE with SHA1 and 2KEY Triple DES-cbc
PKCS12 V2 PBE with SHA1 and 128 Bit RC2 CBC
PKCS12 V2 PBE with SHA1 and 40 Bit RC2 CBC
PKCS#5 PBE ciphers
PKCS #5 Password Based Encryption with MD2 and DES CBC
PKCS #5 Password Based Encryption with MD5 and DES CBC
PKCS #5 Password Based Encryption with SHA1 and DES CBC
With PKCS#12, the crypto provider may be the soft token module or an external hardware module. If the cryptographic module does not support the requested algorithm, then the next best fit will be selected (usually the default). If no suitable replacement for the desired algorithm can be found, the tool returns the error no security module can perform the requested operation.
NSS Database Types
NSS originally used BerkeleyDB databases to store security information. The last versions of these legacy databases are:
cert8.db for certificates
@@ -68,7 +68,7 @@ BerkleyDB. These new databases provide more accessibility and performance:
sql: prefix with the given security directory. For example:
# pk12util -i /tmp/cert-files/users.p12 -d sql:/home/my/sharednssdb
To set the shared database type as the default type for the tools, set the NSS_DEFAULT_DB_TYPE environment variable to sql:
export NSS_DEFAULT_DB_TYPE="sql"
This line can be set added to the ~/.bashrc file to make the change permanent.
Most applications do not use the shared database by default, but they can be configured to use them. For example, this how-to article covers how to configure Firefox and Thunderbird to use the new shared NSS databases:
https://wiki.mozilla.org/NSS_Shared_DB_Howto
For an engineering draft on the changes in the shared NSS databases, see the NSS project wiki:
https://wiki.mozilla.org/NSS_Shared_DB -
Compatibility Notes
The exporting behavior of pk12util has changed over time, while importing files exported with older versions of NSS is still supported.
Until the 3.30 release, pk12util used the UTF-16 encoding for the PKCS #5 password-based encryption schemes, while the recommendation is to encode passwords in UTF-8 if the used encryption scheme is defined outside of the PKCS #12 standard.
Until the 3.31 release, even when "AES-128-CBC" or "AES-192-CBC" is given from the command line, pk12util always used 256-bit AES as the underlying encryption scheme.
For historical reasons, pk12util accepts password-based encryption schemes not listed in this document. However, those schemes are not officially supported and may have issues in interoperability with other tools.
See Also
certutil (1)
modutil (1)
The NSS wiki has information on the new database design and how to configure applications to use it.
+
See Also
certutil (1)
modutil (1)
The NSS wiki has information on the new database design and how to configure applications to use it.
https://wiki.mozilla.org/NSS_Shared_DB_Howto
https://wiki.mozilla.org/NSS_Shared_DB
Additional Resources
For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at http://www.mozilla.org/projects/security/pki/nss/. The NSS site relates directly to NSS code changes and releases.
Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto
IRC: Freenode at #dogtag-pki
Authors
The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.
diff --git a/security/nss/doc/nroff/certutil.1 b/security/nss/doc/nroff/certutil.1 index 80a02fc27..b2a8bd2bb 100644 --- a/security/nss/doc/nroff/certutil.1 +++ b/security/nss/doc/nroff/certutil.1 @@ -1,13 +1,13 @@ '\" t .\" Title: CERTUTIL .\" Author: [see the "Authors" section] -.\" Generator: DocBook XSL Stylesheets vsnapshot -.\" Date: 27 October 2017 +.\" Generator: DocBook XSL Stylesheets v1.78.1 +.\" Date: 8 September 2016 .\" Manual: NSS Security Tools .\" Source: nss-tools .\" Language: English .\" -.TH "CERTUTIL" "1" "27 October 2017" "nss-tools" "NSS Security Tools" +.TH "CERTUTIL" "1" "8 September 2016" "nss-tools" "NSS Security Tools" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -371,9 +371,9 @@ Read an alternate PQG value from the specified file when generating DSA key pair \fBcertutil\fR generates its own PQG value\&. PQG files are created with a separate DSA utility\&. .sp -Elliptic curve name is one of the ones from nistp256, nistp384, nistp521, curve25519\&. +Elliptic curve name is one of the ones from nistp256, nistp384, nistp521, curve25519. .sp -If a token is available that supports more curves, the foolowing curves are supported as well: sect163k1, nistk163, sect163r1, sect163r2, nistb163, sect193r1, sect193r2, sect233k1, nistk233, sect233r1, nistb233, sect239k1, sect283k1, nistk283, sect283r1, nistb283, sect409k1, nistk409, sect409r1, nistb409, sect571k1, nistk571, sect571r1, nistb571, secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, nistp192, secp224k1, secp224r1, nistp224, secp256k1, secp256r1, secp384r1, secp521r1, prime192v1, prime192v2, prime192v3, prime239v1, prime239v2, prime239v3, c2pnb163v1, c2pnb163v2, c2pnb163v3, c2pnb176v1, c2tnb191v1, c2tnb191v2, c2tnb191v3, c2pnb208w1, c2tnb239v1, c2tnb239v2, c2tnb239v3, c2pnb272w1, c2pnb304w1, c2tnb359w1, c2pnb368w1, c2tnb431r1, secp112r1, secp112r2, secp128r1, secp128r2, sect113r1, sect113r2, sect131r1, sect131r2 +If a token is available that supports more curves, the foolowing curves are supported as well: sect163k1, nistk163, sect163r1, sect163r2, nistb163, sect193r1, sect193r2, sect233k1, nistk233, sect233r1, nistb233, sect239k1, sect283k1, nistk283, sect283r1, nistb283, sect409k1, nistk409, sect409r1, nistb409, sect571k1, nistk571, sect571r1, nistb571, secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, nistp192, secp224k1, secp224r1, nistp224, secp256k1, secp256r1, secp384r1, secp521r1, prime192v1, prime192v2, prime192v3, prime239v1, prime239v2, prime239v3, c2pnb163v1, c2pnb163v2, c2pnb163v3, c2pnb176v1, c2tnb191v1, c2tnb191v2, c2tnb191v3, c2pnb208w1, c2tnb239v1, c2tnb239v2, c2tnb239v3, c2pnb272w1, c2pnb304w1, c2tnb359w1, c2pnb368w1, c2tnb431r1, secp112r1, secp112r2, secp128r1, secp128r2, sect113r1, sect113r2, sect131r1, sect131r2 .RE .PP \-r @@ -609,24 +609,6 @@ to generate the signature for a certificate being created or added to a database Set an alternate exponent value to use in generating a new RSA public key for the database, instead of the default value of 65537\&. The available alternate values are 3 and 17\&. .RE .PP -\-\-pss -.RS 4 -Restrict the generated certificate (with the -\fB\-S\fR -option) or certificate request (with the -\fB\-R\fR -option) to be used with the RSA\-PSS signature scheme\&. This only works when the private key of the certificate or certificate request is RSA\&. -.RE -.PP -\-\-pss\-sign -.RS 4 -Sign the generated certificate with the RSA\-PSS signature scheme (with the -\fB\-C\fR -or -\fB\-S\fR -option)\&. This only works when the private key of the signer\*(Aqs certificate is RSA\&. If the signer\*(Aqs certificate is restricted to RSA\-PSS, it is not necessary to specify this option\&. -.RE -.PP \-z noise\-file .RS 4 Read a seed value from the specified file to generate a new private and public key pair\&. This argument makes it possible to use hardware\-generated seed values or manually create a value from the keyboard\&. The minimum file size is 20 bytes\&. @@ -1530,8 +1512,7 @@ There are ways to narrow the keys listed in the search results: .IP \(bu 2.3 .\} To return a specific key, use the -\fB\-n\fR -\fIname\fR +\fB\-n\fR\fIname\fR argument with the name of the key\&. .RE .sp @@ -1544,8 +1525,7 @@ argument with the name of the key\&. .IP \(bu 2.3 .\} If there are multiple security devices loaded, then the -\fB\-h\fR -\fItokenname\fR +\fB\-h\fR\fItokenname\fR argument can search a specific token or all tokens\&. .RE .sp @@ -1558,8 +1538,7 @@ argument can search a specific token or all tokens\&. .IP \(bu 2.3 .\} If there are multiple key types available, then the -\fB\-k\fR -\fIkey\-type\fR +\fB\-k\fR\fIkey\-type\fR argument can search a specific type of key, like RSA, DSA, or ECC\&. .RE .PP diff --git a/security/nss/doc/nroff/pk12util.1 b/security/nss/doc/nroff/pk12util.1 index e0a8da833..c4fa972c0 100644 --- a/security/nss/doc/nroff/pk12util.1 +++ b/security/nss/doc/nroff/pk12util.1 @@ -1,13 +1,13 @@ '\" t .\" Title: PK12UTIL .\" Author: [see the "Authors" section] -.\" Generator: DocBook XSL Stylesheets vsnapshot -.\" Date: 27 October 2017 +.\" Generator: DocBook XSL Stylesheets v1.78.1 +.\" Date: 5 June 2014 .\" Manual: NSS Security Tools .\" Source: nss-tools .\" Language: English .\" -.TH "PK12UTIL" "1" "27 October 2017" "nss-tools" "NSS Security Tools" +.TH "PK12UTIL" "1" "5 June 2014" "nss-tools" "NSS Security Tools" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -39,24 +39,24 @@ This documentation is still work in progress\&. Please contribute to the initial .SH "DESCRIPTION" .PP The PKCS #12 utility, -\fBpk12util\fR, enables sharing certificates among any server that supports PKCS #12\&. The tool can import certificates and keys from PKCS #12 files into security databases, export certificates, and list certificates and keys\&. +\fBpk12util\fR, enables sharing certificates among any server that supports PKCS#12\&. The tool can import certificates and keys from PKCS#12 files into security databases, export certificates, and list certificates and keys\&. .SH "OPTIONS AND ARGUMENTS" .PP \fBOptions\fR .PP \-i p12file .RS 4 -Import keys and certificates from a PKCS #12 file into a security database\&. +Import keys and certificates from a PKCS#12 file into a security database\&. .RE .PP \-l p12file .RS 4 -List the keys and certificates in PKCS #12 file\&. +List the keys and certificates in PKCS#12 file\&. .RE .PP \-o p12file .RS 4 -Export keys and certificates from the security database to a PKCS #12 file\&. +Export keys and certificates from the security database to a PKCS#12 file\&. .RE .PP \fBArguments\fR @@ -68,7 +68,7 @@ Specify the key encryption algorithm\&. .PP \-C certCipher .RS 4 -Specify the certiticate encryption algorithm\&. +Specify the key cert (overall package) encryption algorithm\&. .RE .PP \-d [sql:]directory @@ -432,7 +432,7 @@ Specify the pkcs #12 file password\&. .PP The most basic usage of \fBpk12util\fR -for importing a certificate or key is the PKCS #12 input file (\fB\-i\fR) and some way to specify the security database being accessed (either +for importing a certificate or key is the PKCS#12 input file (\fB\-i\fR) and some way to specify the security database being accessed (either \fB\-d\fR for a directory or \fB\-h\fR @@ -467,7 +467,7 @@ pk12util: PKCS12 IMPORT SUCCESSFUL .PP Using the \fBpk12util\fR -command to export certificates and keys requires both the name of the certificate to extract from the database (\fB\-n\fR) and the PKCS #12\-formatted output file to write to\&. There are optional parameters that can be used to encrypt the file to protect the certificate material\&. +command to export certificates and keys requires both the name of the certificate to extract from the database (\fB\-n\fR) and the PKCS#12\-formatted output file to write to\&. There are optional parameters that can be used to encrypt the file to protect the certificate material\&. .PP pk12util \-o p12File \-n certname [\-c keyCipher] [\-C certCipher] [\-m|\-\-key_len keyLen] [\-n|\-\-cert_key_len certKeyLen] [\-d [sql:]directory] [\-P dbprefix] [\-k slotPasswordFile|\-K slotPassword] [\-w p12filePasswordFile|\-W p12filePassword] .PP @@ -559,17 +559,17 @@ Certificate Friendly Name: Thawte Freemail Member\*(Aqs Thawte Consulting (Pt .\} .SH "PASSWORD ENCRYPTION" .PP -PKCS #12 provides for not only the protection of the private keys but also the certificate and meta\-data associated with the keys\&. Password\-based encryption is used to protect private keys on export to a PKCS #12 file and, optionally, the associated certificates\&. If no algorithm is specified, the tool defaults to using PKCS #12 SHA\-1 and 3\-key triple DES for private key encryption\&. When not in FIPS mode, PKCS #12 SHA\-1 and 40\-bit RC4 is used for certificate encryption\&. When in FIPS mode, there is no certificate encryption\&. If certificate encryption is not wanted, specify -\fB"NONE"\fR -as the argument of the -\fB\-C\fR -option\&. +PKCS#12 provides for not only the protection of the private keys but also the certificate and meta\-data associated with the keys\&. Password\-based encryption is used to protect private keys on export to a PKCS#12 file and, optionally, the entire package\&. If no algorithm is specified, the tool defaults to using +\fBPKCS12 V2 PBE with SHA1 and 3KEY Triple DES\-cbc\fR +for private key encryption\&. +\fBPKCS12 V2 PBE with SHA1 and 40 Bit RC4\fR +is the default for the overall package encryption when not in FIPS mode\&. When in FIPS mode, there is no package encryption\&. .PP The private key is always protected with strong encryption by default\&. .PP Several types of ciphers are supported\&. .PP -PKCS #5 password\-based encryption +Symmetric CBC ciphers for PKCS#5 V2 .RS 4 .sp .RS 4 @@ -580,13 +580,110 @@ PKCS #5 password\-based encryption .sp -1 .IP \(bu 2.3 .\} -PBES2 with AES\-CBC\-Pad as underlying encryption scheme (\fB"AES\-128\-CBC"\fR, -\fB"AES\-192\-CBC"\fR, and -\fB"AES\-256\-CBC"\fR) +DES\-CBC +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +RC2\-CBC +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +RC5\-CBCPad +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +DES\-EDE3\-CBC (the default for key encryption) +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +AES\-128\-CBC +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +AES\-192\-CBC +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +AES\-256\-CBC +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +CAMELLIA\-128\-CBC +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +CAMELLIA\-192\-CBC +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +CAMELLIA\-256\-CBC .RE .RE .PP -PKCS #12 password\-based encryption +PKCS#12 PBE ciphers .RS 4 .sp .RS 4 @@ -597,9 +694,7 @@ PKCS #12 password\-based encryption .sp -1 .IP \(bu 2.3 .\} -SHA\-1 and 128\-bit RC4 (\fB"PKCS #12 V2 PBE With SHA\-1 And 128 Bit RC4"\fR -or -\fB"RC4"\fR) +PKCS #12 PBE with Sha1 and 128 Bit RC4 .RE .sp .RS 4 @@ -610,7 +705,7 @@ or .sp -1 .IP \(bu 2.3 .\} -SHA\-1 and 40\-bit RC4 (\fB"PKCS #12 V2 PBE With SHA\-1 And 40 Bit RC4"\fR) (used by default for certificate encryption in non\-FIPS mode) +PKCS #12 PBE with Sha1 and 40 Bit RC4 .RE .sp .RS 4 @@ -621,9 +716,7 @@ SHA\-1 and 40\-bit RC4 (\fB"PKCS #12 V2 PBE With SHA\-1 And 40 Bit RC4"\fR) (use .sp -1 .IP \(bu 2.3 .\} -SHA\-1 and 3\-key triple\-DES (\fB"PKCS #12 V2 PBE With SHA\-1 And 3KEY Triple DES\-CBC"\fR -or -\fB"DES\-EDE3\-CBC"\fR) +PKCS #12 PBE with Sha1 and Triple DES CBC .RE .sp .RS 4 @@ -634,9 +727,7 @@ or .sp -1 .IP \(bu 2.3 .\} -SHA\-1 and 128\-bit RC2 (\fB"PKCS #12 V2 PBE With SHA\-1 And 128 Bit RC2 CBC"\fR -or -\fB"RC2\-CBC"\fR) +PKCS #12 PBE with Sha1 and 128 Bit RC2 CBC .RE .sp .RS 4 @@ -647,11 +738,114 @@ or .sp -1 .IP \(bu 2.3 .\} -SHA\-1 and 40\-bit RC2 (\fB"PKCS #12 V2 PBE With SHA\-1 And 40 Bit RC2 CBC"\fR) +PKCS #12 PBE with Sha1 and 40 Bit RC2 CBC +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +PKCS12 V2 PBE with SHA1 and 128 Bit RC4 +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +PKCS12 V2 PBE with SHA1 and 40 Bit RC4 (the default for non\-FIPS mode) +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +PKCS12 V2 PBE with SHA1 and 3KEY Triple DES\-cbc +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +PKCS12 V2 PBE with SHA1 and 2KEY Triple DES\-cbc +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +PKCS12 V2 PBE with SHA1 and 128 Bit RC2 CBC +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +PKCS12 V2 PBE with SHA1 and 40 Bit RC2 CBC .RE .RE .PP -With PKCS #12, the crypto provider may be the soft token module or an external hardware module\&. If the cryptographic module does not support the requested algorithm, then the next best fit will be selected (usually the default)\&. If no suitable replacement for the desired algorithm can be found, the tool returns the error +PKCS#5 PBE ciphers +.RS 4 +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +PKCS #5 Password Based Encryption with MD2 and DES CBC +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +PKCS #5 Password Based Encryption with MD5 and DES CBC +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +PKCS #5 Password Based Encryption with SHA1 and DES CBC +.RE +.RE +.PP +With PKCS#12, the crypto provider may be the soft token module or an external hardware module\&. If the cryptographic module does not support the requested algorithm, then the next best fit will be selected (usually the default)\&. If no suitable replacement for the desired algorithm can be found, the tool returns the error \fIno security module can perform the requested operation\fR\&. .SH "NSS DATABASE TYPES" .PP @@ -793,27 +987,6 @@ For an engineering draft on the changes in the shared NSS databases, see the NSS .\} https://wiki\&.mozilla\&.org/NSS_Shared_DB .RE -.SH "COMPATIBILITY NOTES" -.PP -The exporting behavior of -\fBpk12util\fR -has changed over time, while importing files exported with older versions of NSS is still supported\&. -.PP -Until the 3\&.30 release, -\fBpk12util\fR -used the UTF\-16 encoding for the PKCS #5 password\-based encryption schemes, while the recommendation is to encode passwords in UTF\-8 if the used encryption scheme is defined outside of the PKCS #12 standard\&. -.PP -Until the 3\&.31 release, even when -\fB"AES\-128\-CBC"\fR -or -\fB"AES\-192\-CBC"\fR -is given from the command line, -\fBpk12util\fR -always used 256\-bit AES as the underlying encryption scheme\&. -.PP -For historical reasons, -\fBpk12util\fR -accepts password\-based encryption schemes not listed in this document\&. However, those schemes are not officially supported and may have issues in interoperability with other tools\&. .SH "SEE ALSO" .PP certutil (1) diff --git a/security/nss/doc/pk12util.xml b/security/nss/doc/pk12util.xml index c26794965..03ee356e6 100644 --- a/security/nss/doc/pk12util.xml +++ b/security/nss/doc/pk12util.xml @@ -46,7 +46,7 @@ Description - The PKCS #12 utility, pk12util, enables sharing certificates among any server that supports PKCS #12. The tool can import certificates and keys from PKCS #12 files into security databases, export certificates, and list certificates and keys. + The PKCS #12 utility, pk12util, enables sharing certificates among any server that supports PKCS#12. The tool can import certificates and keys from PKCS#12 files into security databases, export certificates, and list certificates and keys. @@ -55,17 +55,17 @@ -i p12file - Import keys and certificates from a PKCS #12 file into a security database. + Import keys and certificates from a PKCS#12 file into a security database. -l p12file - List the keys and certificates in PKCS #12 file. + List the keys and certificates in PKCS#12 file. -o p12file - Export keys and certificates from the security database to a PKCS #12 file. + Export keys and certificates from the security database to a PKCS#12 file. @@ -78,7 +78,7 @@ -C certCipher - Specify the certiticate encryption algorithm. + Specify the key cert (overall package) encryption algorithm. @@ -233,7 +233,7 @@ Examples Importing Keys and Certificates - The most basic usage of pk12util for importing a certificate or key is the PKCS #12 input file () and some way to specify the security database being accessed (either for a directory or for a token). + The most basic usage of pk12util for importing a certificate or key is the PKCS#12 input file () and some way to specify the security database being accessed (either for a directory or for a token). pk12util -i p12File [-h tokenname] [-v] [-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword] @@ -252,7 +252,7 @@ Enter password for PKCS12 file: pk12util: PKCS12 IMPORT SUCCESSFUL Exporting Keys and Certificates - Using the pk12util command to export certificates and keys requires both the name of the certificate to extract from the database () and the PKCS #12-formatted output file to write to. There are optional parameters that can be used to encrypt the file to protect the certificate material. + Using the pk12util command to export certificates and keys requires both the name of the certificate to extract from the database () and the PKCS#12-formatted output file to write to. There are optional parameters that can be used to encrypt the file to protect the certificate material. pk12util -o p12File -n certname [-c keyCipher] [-C certCipher] [-m|--key_len keyLen] [-n|--cert_key_len certKeyLen] [-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword] For example: @@ -304,34 +304,58 @@ Certificate Friendly Name: Thawte Freemail Member's Thawte Consulting (Pty) L Password Encryption - PKCS #12 provides for not only the protection of the private keys but also the certificate and meta-data associated with the keys. Password-based encryption is used to protect private keys on export to a PKCS #12 file and, optionally, the associated certificates. If no algorithm is specified, the tool defaults to using PKCS #12 SHA-1 and 3-key triple DES for private key encryption. When not in FIPS mode, PKCS #12 SHA-1 and 40-bit RC4 is used for certificate encryption. When in FIPS mode, there is no certificate encryption. If certificate encryption is not wanted, specify "NONE" as the argument of the option. + PKCS#12 provides for not only the protection of the private keys but also the certificate and meta-data associated with the keys. Password-based encryption is used to protect private keys on export to a PKCS#12 file and, optionally, the entire package. If no algorithm is specified, the tool defaults to using PKCS12 V2 PBE with SHA1 and 3KEY Triple DES-cbc for private key encryption. PKCS12 V2 PBE with SHA1 and 40 Bit RC4 is the default for the overall package encryption when not in FIPS mode. When in FIPS mode, there is no package encryption. The private key is always protected with strong encryption by default. Several types of ciphers are supported. - PKCS #5 password-based encryption + Symmetric CBC ciphers for PKCS#5 V2 - - PBES2 with AES-CBC-Pad as underlying encryption scheme ("AES-128-CBC", "AES-192-CBC", and "AES-256-CBC") - + + DES-CBC + RC2-CBC + RC5-CBCPad + DES-EDE3-CBC (the default for key encryption) + AES-128-CBC + AES-192-CBC + AES-256-CBC + CAMELLIA-128-CBC + CAMELLIA-192-CBC + CAMELLIA-256-CBC + - PKCS #12 password-based encryption + PKCS#12 PBE ciphers - - SHA-1 and 128-bit RC4 ("PKCS #12 V2 PBE With SHA-1 And 128 Bit RC4" or "RC4") - SHA-1 and 40-bit RC4 ("PKCS #12 V2 PBE With SHA-1 And 40 Bit RC4") (used by default for certificate encryption in non-FIPS mode) - SHA-1 and 3-key triple-DES ("PKCS #12 V2 PBE With SHA-1 And 3KEY Triple DES-CBC" or "DES-EDE3-CBC") - SHA-1 and 128-bit RC2 ("PKCS #12 V2 PBE With SHA-1 And 128 Bit RC2 CBC" or "RC2-CBC") - SHA-1 and 40-bit RC2 ("PKCS #12 V2 PBE With SHA-1 And 40 Bit RC2 CBC") - + + PKCS #12 PBE with Sha1 and 128 Bit RC4 + PKCS #12 PBE with Sha1 and 40 Bit RC4 + PKCS #12 PBE with Sha1 and Triple DES CBC + PKCS #12 PBE with Sha1 and 128 Bit RC2 CBC + PKCS #12 PBE with Sha1 and 40 Bit RC2 CBC + PKCS12 V2 PBE with SHA1 and 128 Bit RC4 + PKCS12 V2 PBE with SHA1 and 40 Bit RC4 (the default for non-FIPS mode) + PKCS12 V2 PBE with SHA1 and 3KEY Triple DES-cbc + PKCS12 V2 PBE with SHA1 and 2KEY Triple DES-cbc + PKCS12 V2 PBE with SHA1 and 128 Bit RC2 CBC + PKCS12 V2 PBE with SHA1 and 40 Bit RC2 CBC + + + + PKCS#5 PBE ciphers + + + PKCS #5 Password Based Encryption with MD2 and DES CBC + PKCS #5 Password Based Encryption with MD5 and DES CBC + PKCS #5 Password Based Encryption with SHA1 and DES CBC + - With PKCS #12, the crypto provider may be the soft token module or an external hardware module. If the cryptographic module does not support the requested algorithm, then the next best fit will be selected (usually the default). If no suitable replacement for the desired algorithm can be found, the tool returns the error no security module can perform the requested operation. + With PKCS#12, the crypto provider may be the soft token module or an external hardware module. If the cryptographic module does not support the requested algorithm, then the next best fit will be selected (usually the default). If no suitable replacement for the desired algorithm can be found, the tool returns the error no security module can perform the requested operation. NSS Database Types @@ -408,14 +432,6 @@ Using the SQLite databases must be manually specified by using the sql: - - Compatibility Notes - The exporting behavior of pk12util has changed over time, while importing files exported with older versions of NSS is still supported. - Until the 3.30 release, pk12util used the UTF-16 encoding for the PKCS #5 password-based encryption schemes, while the recommendation is to encode passwords in UTF-8 if the used encryption scheme is defined outside of the PKCS #12 standard. - Until the 3.31 release, even when "AES-128-CBC" or "AES-192-CBC" is given from the command line, pk12util always used 256-bit AES as the underlying encryption scheme. - For historical reasons, pk12util accepts password-based encryption schemes not listed in this document. However, those schemes are not officially supported and may have issues in interoperability with other tools. - - See Also certutil (1) -- cgit v1.2.3

Name

Synopsis

STATUS

Name

Synopsis

STATUS

Description

Command Options and Arguments

Name

Synopsis

STATUS

Description

Options and Arguments

Return Codes

Examples

Name

Synopsis

STATUS

Description

Options and Arguments

Return Codes

Examples

Password Encryption

NSS Database Types

Password Encryption

NSS Database Types

Compatibility Notes

See Also

See Also

Additional Resources

Authors