Package: libnss3-tools
Version: 2:3.106-1
Severity: minor
Tags: patch

   * What led up to the situation?

     Checking for defects with

test-[g|n]roff -mandoc -t -K utf8 -rF0 -rHY=0 -ww -b -z < "man page"

  [Use "groff -e ' $' <file>" to find trailing spaces.]

  ["test-groff" is a script in the repository for "groff"; it is not shipped]
(local copy and "troff" slightly changed by me).

  [The fate of "test-nroff" was decided in groff bug #55941.]

   * What was the outcome of this action?

troff:<stdin>:1480: warning: trailing space in the line
troff:<stdin>:1674: warning: trailing space in the line
troff:<stdin>:1678: warning: trailing space in the line

   * What outcome did you expect instead?

     No output (no warnings).

-.-

  General remarks and further material, if a diff-file exists, are in the
attachments.


-- System Information:
Debian Release: trixie/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 6.11.10-amd64 (SMP w/2 CPU threads; PREEMPT)
Locale: LANG=is_IS.iso88591, LC_CTYPE=is_IS.iso88591 (charmap=ISO-8859-1), 
LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages libnss3-tools depends on:
ii  libc6     2.40-3
ii  libnspr4  2:4.36-1
ii  libnss3   2:3.106-1
ii  zlib1g    1:1.3.dfsg+really1.3.1-1+b1

libnss3-tools recommends no packages.

libnss3-tools suggests no packages.

-- no debconf information
Input file is certutil.1

  Any program (person) that produces man pages should check the output
for defects by using (both groff and nroff)

[gn]roff -mandoc -t -ww -b -z -K utf8  <man page>

  The same goes for man pages that are used as an input.

  For a style guide use

  mandoc -T lint

-.-

  So any 'generator' should check its products with the above mentioned
'groff', 'mandoc',  and additionally with 'nroff ...'.

  This is just a simple quality control measure.

  The 'generator' may have to be corrected to get a better man page,
the source file may, and any additional file may.

  Common defects:

  Input text line longer than 80 bytes.

  Not removing trailing spaces (in in- and output).
  The reason for these trailing spaces should be found and eliminated.

  Not beginning each input sentence on a new line.
Lines should thus be shorter.

  See man-pages(7), item 'semantic newline'.
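
An added example, not part of the original report: a POSIX shell sketch that counts the three common defects listed above in a man page source, for use as a quick pre-check in a generator's build step. The function names, the sentence-end heuristic and the sample file are assumptions made for this illustration; it does not replace the groff and mandoc runs.

```shell
#!/bin/sh
# Added example (not from the bug report): count the three "common
# defects" in a man page source using POSIX awk only.
# These are heuristics for a pre-check, not a substitute for
# "groff -ww -b -z" or "mandoc -T lint".

# Lines ending in a space or tab
# (what troff reports as "trailing space in the line").
count_trailing_space() {
    awk '/[ \t]$/ { n++ } END { print n + 0 }' "$1"
}

# Text lines longer than 80 bytes. Lines starting with a control
# character (. or ') are macro/request lines and are skipped.
# LC_ALL=C makes length() count bytes rather than characters.
count_long_text_lines() {
    LC_ALL=C awk '
        { c = substr($0, 1, 1) }
        c == "." || c == "\047" { next }
        length($0) > 80 { n++ }
        END { print n + 0 }' "$1"
}

# Text lines on which a sentence ends and another begins, i.e. the
# input does not start each sentence on a new line.
# Heuristic (assumption): end punctuation, blanks, then an upper-case
# letter; abbreviations such as "Dr. Smith" give false positives.
count_mid_line_sentences() {
    LC_ALL=C awk '
        { c = substr($0, 1, 1) }
        c == "." || c == "\047" { next }
        /[.!?] +[A-Z]/ { n++ }
        END { print n + 0 }' "$1"
}

# Constructed sample input: one clean text line and one line for each
# defect. It is not taken from certutil.1.
write_sample() {
    printf '%s\n' \
        '.TH DEMO 1' \
        '.SH DESCRIPTION' \
        'This line is fine.' \
        'Trailing blanks follow here.   ' \
        'First sentence\&. Second sentence on the same input line.' \
        'This single input text line is deliberately written to run well past the eighty byte limit.' \
        > "$1"
}

# One summary line per file.
report() {
    printf '%s: trailing=%s long=%s midline=%s\n' "$1" \
        "$(count_trailing_space "$1")" \
        "$(count_long_text_lines "$1")" \
        "$(count_mid_line_sentences "$1")"
}

sample=$(mktemp) && write_sample "$sample" && report "$sample"
rm -f "$sample"
```
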

-.-

The difference between the formatted output of the original and patched file
can be seen with:

  nroff -mandoc <file1> > <out1>
  nroff -mandoc <file2> > <out2>
  diff -u <out1> <out2>

and for groff, using

"printf '%s\n%s\n' '.kern 0' '.ss 12 0' | groff -mandoc -Z - "

instead of 'nroff -mandoc'

  Add the option '-t', if the file contains a table.

  Read the output of 'diff -u' with 'less -R' or similar.

-.-.

  If 'man' (man-db) is used to check the manual for warnings,
the following must be set:

  The option "-warnings=w"

  The environmental variable:

export MAN_KEEP_STDERR=yes (or any non-empty value)

  or

  (produce only warnings):

export MANROFFOPT="-ww -b -z"

export MAN_KEEP_STDERR=yes (or any non-empty value)


-.-.

Output from "mandoc -T lint  certutil.1 ": (shortened list)

    115 input text line longer than 80 bytes
      9 skipping paragraph macro

-.-.

Output from "test-groff -mandoc -t -ww -b -z certutil.1 ": (shortened list)

      3 trailing space in the line

-.-.

Output from "mandoc -T lint  certutil.1 ":

mandoc: certutil.1:31:82: STYLE: input text line longer than 80 bytes: certutil 
\- Manage k...
mandoc: certutil.1:36:2: WARNING: skipping paragraph macro: PP after SH
mandoc: certutil.1:37:90: STYLE: input text line longer than 80 bytes: This 
documentation i...
mandoc: certutil.1:40:2: WARNING: skipping paragraph macro: PP after SH
mandoc: certutil.1:44:278: STYLE: input text line longer than 80 bytes: 
Certificate issuance...
mandoc: certutil.1:48:2: WARNING: skipping paragraph macro: PP after SH
mandoc: certutil.1:51:169: STYLE: input text line longer than 80 bytes: always 
requires one ...
mandoc: certutil.1:59:180: STYLE: input text line longer than 80 bytes: Add an 
existing cert...
mandoc: certutil.1:71:86: STYLE: input text line longer than 80 bytes: Create a 
new binary ...
mandoc: certutil.1:73:81: STYLE: input text line longer than 80 bytes: argument 
to specify ...
mandoc: certutil.1:95:200: STYLE: input text line longer than 80 bytes: Delete 
a private key...
mandoc: certutil.1:99:142: STYLE: input text line longer than 80 bytes: Some 
smart cards do ...
mandoc: certutil.1:104:313: STYLE: input text line longer than 80 bytes: 
Generate a new publi...
mandoc: certutil.1:114:178: STYLE: input text line longer than 80 bytes: List 
the key ID of k...
mandoc: certutil.1:119:218: STYLE: input text line longer than 80 bytes: List 
all the certifi...
mandoc: certutil.1:124:83: STYLE: input text line longer than 80 bytes: Modify 
a certificate...
mandoc: certutil.1:139:257: STYLE: input text line longer than 80 bytes: Create 
a certificate...
mandoc: certutil.1:174:116: STYLE: input text line longer than 80 bytes: 
Upgrade an old datab...
mandoc: certutil.1:183:84: STYLE: input text line longer than 80 bytes: 
Arguments modify a c...
mandoc: certutil.1:187:196: STYLE: input text line longer than 80 bytes: Use 
ASCII format or ...
mandoc: certutil.1:192:106: STYLE: input text line longer than 80 bytes: When 
printing the ce...
mandoc: certutil.1:197:112: STYLE: input text line longer than 80 bytes: 
Specify a time at wh...
mandoc: certutil.1:209:85: STYLE: input text line longer than 80 bytes: If this 
option is no...
mandoc: certutil.1:214:259: STYLE: input text line longer than 80 bytes: 
Identify the certifi...
mandoc: certutil.1:219:83: STYLE: input text line longer than 80 bytes: Specify 
the database...
mandoc: certutil.1:254:122: STYLE: input text line longer than 80 bytes: If no 
prefix is spec...
mandoc: certutil.1:266:85: STYLE: input text line longer than 80 bytes: Check a 
certificate\...
mandoc: certutil.1:271:89: STYLE: input text line longer than 80 bytes: Specify 
the email ad...
mandoc: certutil.1:276:113: STYLE: input text line longer than 80 bytes: Add 
one or multiple ...
mandoc: certutil.1:314:234: STYLE: input text line longer than 80 bytes: 
Specify a file that ...
mandoc: certutil.1:319:213: STYLE: input text line longer than 80 bytes: Set a 
key size to us...
mandoc: certutil.1:324:115: STYLE: input text line longer than 80 bytes: 
Specify the name of ...
mandoc: certutil.1:326:207: STYLE: input text line longer than 80 bytes: The 
name can also be...
mandoc: certutil.1:331:173: STYLE: input text line longer than 80 bytes: Pass 
an input file t...
mandoc: certutil.1:338:304: STYLE: input text line longer than 80 bytes: The 
valid key type o...
mandoc: certutil.1:343:81: STYLE: input text line longer than 80 bytes: Display 
detailed inf...
mandoc: certutil.1:348:237: STYLE: input text line longer than 80 bytes: Assign 
a unique seri...
mandoc: certutil.1:353:177: STYLE: input text line longer than 80 bytes: 
Specify the nickname...
mandoc: certutil.1:355:289: STYLE: input text line longer than 80 bytes: The 
nickname can als...
mandoc: certutil.1:360:244: STYLE: input text line longer than 80 bytes: 
Specify the output f...
mandoc: certutil.1:365:172: STYLE: input text line longer than 80 bytes: 
Specify the prefix u...
mandoc: certutil.1:370:158: STYLE: input text line longer than 80 bytes: 
Specify a contact te...
mandoc: certutil.1:375:114: STYLE: input text line longer than 80 bytes: Read 
an alternate PQ...
mandoc: certutil.1:377:83: STYLE: input text line longer than 80 bytes: 
generates its own PQ...
mandoc: certutil.1:379:87: STYLE: input text line longer than 80 bytes: 
Elliptic curve name ...
mandoc: certutil.1:381:840: STYLE: input text line longer than 80 bytes: If a 
token is availa...
mandoc: certutil.1:386:118: STYLE: input text line longer than 80 bytes: 
Display a certificat...
mandoc: certutil.1:391:208: STYLE: input text line longer than 80 bytes: 
Identify a particula...
mandoc: certutil.1:396:229: STYLE: input text line longer than 80 bytes: 
Specify the trust at...
mandoc: certutil.1:398:98: STYLE: input text line longer than 80 bytes: for 
each trust setti...
mandoc: certutil.1:460:140: STYLE: input text line longer than 80 bytes: The 
attribute codes ...
mandoc: certutil.1:464:110: STYLE: input text line longer than 80 bytes: Use 
the \-L option t...
mandoc: certutil.1:466:195: STYLE: input text line longer than 80 bytes: Note 
that the output...
mandoc: certutil.1:471:85: STYLE: input text line longer than 80 bytes: Specify 
a usage cont...
mandoc: certutil.1:598:162: STYLE: input text line longer than 80 bytes: Set 
the number of mo...
mandoc: certutil.1:600:86: STYLE: input text line longer than 80 bytes: 
option\&. If this ar...
mandoc: certutil.1:605:420: STYLE: input text line longer than 80 bytes: Set an 
offset from t...
mandoc: certutil.1:610:91: STYLE: input text line longer than 80 bytes: Force 
the key and ce...
mandoc: certutil.1:621:137: STYLE: input text line longer than 80 bytes: to 
generate the sign...
mandoc: certutil.1:626:179: STYLE: input text line longer than 80 bytes: Set an 
alternate exp...
mandoc: certutil.1:635:145: STYLE: input text line longer than 80 bytes: 
option) to be used w...
mandoc: certutil.1:644:194: STYLE: input text line longer than 80 bytes: 
option)\&. This only...
mandoc: certutil.1:649:246: STYLE: input text line longer than 80 bytes: Read a 
seed value fr...
mandoc: certutil.1:654:96: STYLE: input text line longer than 80 bytes: Specify 
the hash alg...
mandoc: certutil.1:752:104: STYLE: input text line longer than 80 bytes: Set an 
X\&.509 V3 Ce...
mandoc: certutil.1:845:167: STYLE: input text line longer than 80 bytes: Add a 
basic constrai...
mandoc: certutil.1:854:369: STYLE: input text line longer than 80 bytes: Add an 
authority key...
mandoc: certutil.1:861:208: STYLE: input text line longer than 80 bytes: Add a 
CRL distributi...
mandoc: certutil.1:870:149: STYLE: input text line longer than 80 bytes: Add an 
X\&.509 V3 ce...
mandoc: certutil.1:965:134: STYLE: input text line longer than 80 bytes: Add an 
extended key ...
mandoc: certutil.1:1148:268: STYLE: input text line longer than 80 bytes: Add a 
comma\-separat...
mandoc: certutil.1:1153:262: STYLE: input text line longer than 80 bytes: Add a 
comma\-separat...
mandoc: certutil.1:1158:128: STYLE: input text line longer than 80 bytes: Add 
the Authority In...
mandoc: certutil.1:1163:126: STYLE: input text line longer than 80 bytes: Add 
the Subject Info...
mandoc: certutil.1:1168:120: STYLE: input text line longer than 80 bytes: Add 
the Certificate ...
mandoc: certutil.1:1173:115: STYLE: input text line longer than 80 bytes: Add 
the Policy Mappi...
mandoc: certutil.1:1178:118: STYLE: input text line longer than 80 bytes: Add 
the Policy Const...
mandoc: certutil.1:1183:125: STYLE: input text line longer than 80 bytes: Add 
the Inhibit Any ...
mandoc: certutil.1:1188:114: STYLE: input text line longer than 80 bytes: Add 
the Subject Key ...
mandoc: certutil.1:1193:113: STYLE: input text line longer than 80 bytes: Add a 
Name Constrain...
mandoc: certutil.1:1210:237: STYLE: input text line longer than 80 bytes: PKCS 
#11 key Attribu...
mandoc: certutil.1:1215:206: STYLE: input text line longer than 80 bytes: PKCS 
#11 key Operati...
mandoc: certutil.1:1248:2: WARNING: skipping paragraph macro: PP after SH
mandoc: certutil.1:1249:211: STYLE: input text line longer than 80 bytes: Most 
of the command ...
mandoc: certutil.1:1255:112: STYLE: input text line longer than 80 bytes: 
Certificates, keys, ...
mandoc: certutil.1:1304:319: STYLE: input text line longer than 80 bytes: A 
certificate reques...
mandoc: certutil.1:1329:104: STYLE: input text line longer than 80 bytes: to 
specify either th...
mandoc: certutil.1:1368:122: STYLE: input text line longer than 80 bytes: The 
new certificate ...
mandoc: certutil.1:1387:246: STYLE: input text line longer than 80 bytes: A 
valid certificate ...
mandoc: certutil.1:1405:140: STYLE: input text line longer than 80 bytes: 
options set certific...
mandoc: certutil.1:1419:124: STYLE: input text line longer than 80 bytes: The 
interative promp...
mandoc: certutil.1:1435:160: STYLE: input text line longer than 80 bytes: When 
a certificate r...
mandoc: certutil.1:1439:102: STYLE: input text line longer than 80 bytes: 
argument)\&. The iss...
mandoc: certutil.1:1467:135: STYLE: input text line longer than 80 bytes: 
command option lists...
mandoc: certutil.1:1489:91: STYLE: input text line longer than 80 bytes: can 
return and print...
mandoc: certutil.1:1594:148: STYLE: input text line longer than 80 bytes: Keys 
are the origina...
mandoc: certutil.1:1662:181: STYLE: input text line longer than 80 bytes: The 
devices that can...
mandoc: certutil.1:1688:151: STYLE: input text line longer than 80 bytes: 
Existing certificate...
mandoc: certutil.1:1736:123: STYLE: input text line longer than 80 bytes: 
option\&. The only r...
mandoc: certutil.1:1762:423: STYLE: input text line longer than 80 bytes: A 
certificate contai...
mandoc: certutil.1:1790:272: STYLE: input text line longer than 80 bytes: The 
trust settings (...
mandoc: certutil.1:1818:164: STYLE: input text line longer than 80 bytes: 
because every certif...
mandoc: certutil.1:1820:202: STYLE: input text line longer than 80 bytes: 
prints the full chai...
mandoc: certutil.1:1839:415: STYLE: input text line longer than 80 bytes: The 
device which sto...
mandoc: certutil.1:1851:185: STYLE: input text line longer than 80 bytes: Many 
networks have d...
mandoc: certutil.1:1865:203: STYLE: input text line longer than 80 bytes: Many 
networks or app...
mandoc: certutil.1:1875:99: STYLE: input text line longer than 80 bytes: 
command must give in...
mandoc: certutil.1:1902:199: STYLE: input text line longer than 80 bytes: 
command only require...
mandoc: certutil.1:1942:2: WARNING: skipping paragraph macro: PP after SH
mandoc: certutil.1:1943:100: STYLE: input text line longer than 80 bytes: NSS 
originally used ...
mandoc: certutil.1:1980:382: STYLE: input text line longer than 80 bytes: 
BerkeleyDB has perfo...
mandoc: certutil.1:1982:162: STYLE: input text line longer than 80 bytes: In 
2009, NSS introdu...
mandoc: certutil.1:2014:123: STYLE: input text line longer than 80 bytes: 
pkcs11\&.txt, a list...
mandoc: certutil.1:2019:115: STYLE: input text line longer than 80 bytes: 
database type\&. The...
mandoc: certutil.1:2067:94: STYLE: input text line longer than 80 bytes: For an 
engineering d...
mandoc: certutil.1:2080:2: WARNING: skipping paragraph macro: PP after SH
mandoc: certutil.1:2121:102: STYLE: input text line longer than 80 bytes: The 
NSS wiki has inf...
mandoc: certutil.1:2145:2: WARNING: skipping paragraph macro: PP after SH
mandoc: certutil.1:2146:102: STYLE: input text line longer than 80 bytes: For 
information abou...
mandoc: certutil.1:2153:2: WARNING: skipping paragraph macro: PP after SH
mandoc: certutil.1:2154:115: STYLE: input text line longer than 80 bytes: The 
NSS tools were w...
mandoc: certutil.1:2156:86: STYLE: input text line longer than 80 bytes: 
Authors: Elio Maldon...
mandoc: certutil.1:2158:2: WARNING: skipping paragraph macro: PP after SH
mandoc: certutil.1:2159:170: STYLE: input text line longer than 80 bytes: 
Licensed under the M...

-.-.

Remove space characters at the end of lines.

Use "git apply ... --whitespace=fix" to fix extra space issues, or use
global configuration "core.whitespace".

1480:Google Internet Authority                                    ,,   
1674:    slot: NSS User Private Key and Certificate Services                  
1678:    slot: NSS Internal Cryptographic Services                            

-.-.

Strings longer than 3/4 of a standard line length (80)
Use "\:" to split the string at the end of an output line, for example a
long URL (web address)

274 \-\-extGeneric 
OID:critical\-flag:filename[,OID:critical\-flag:filename]\&.\&.\&.
355 The nickname can also be a PKCS #11 URI\&. For example, if you have a 
certificate named "my\-server\-cert" on the internal certificate store, it can 
be unambiguously specified as 
"pkcs11:token=NSS%20Certificate%20DB;object=my\-server\-cert"\&. For details 
about the format, see RFC 7512\&.
1676      uri: 
pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203
1680      uri: 
pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203
2147 \m[blue]\fBhttp://www\&.mozilla\&.org/projects/security/pki/nss/\fR\m[]\&;. 
The NSS site relates directly to NSS code changes and releases\&.

-.-.

Wrong distance between sentences in the input file.

  Separate the sentences and subordinate clauses; each begins on a new
line.  See man-pages(7) ("Conventions for source file layout") and
"info groff" ("Input Conventions").

  The best procedure is to always start a new sentence on a new line,
at least, if you are typing on a computer.

Remember coding: Only one command ("sentence") on each (logical) line.

E-mail: Easier to quote exactly the relevant lines.

Generally: Easier to edit the sentence.

Patches: Less unaffected text.

Search for two adjacent words is easier, when they belong to the same line,
and the same phrase.

  The amount of space between sentences in the output can then be
controlled with the ".ss" request.

N.B.

  The number of lines affected can be too large to be in a patch.

37:This documentation is still work in progress\&. Please contribute to the 
initial review in
42:\fBcertutil\fR, is a command\-line utility that can create and modify 
certificate and key databases\&. It can specifically list, generate, modify, or 
delete certificates, create or change the password, generate new public and 
private key pairs, display the contents of the key database, or delete key 
pairs within the key database\&.
44:Certificate issuance, part of the key and certificate management process, 
requires that keys and certificates be created in the key database\&. This 
document discusses certificate and key database management\&. For information 
on the security module database management, see the
51:always requires one and only one command option to specify the type of 
certificate operation\&. Each command option may take zero or more arguments\&. 
The command option
59:Add an existing certificate to a certificate database\&. The certificate 
database should already exist; if one is not present, this command option will 
initialize one by default\&.
64:Run a series of commands from the specified batch file\&. This requires the
71:Create a new binary certificate file from a binary certificate request 
file\&. Use the
73:argument to specify the certificate request file\&. If this argument is not 
used,
95:Delete a private key and the associated certificate from a database\&. 
Specify the key to delete with the \-n argument or the \-k argument\&. Specify 
the database from which to delete the key with the
99:Some smart cards do not let you remove a public key you have generated\&. In 
such a case, only the private key is deleted from the key pair\&.
104:Generate a new public and private key pair within a key database\&. The key 
database should already exist; if one is not present, this command option will 
initialize one by default\&. Some smart cards can store only one key pair\&. If 
you create a new key pair for such a card, the previous pair is overwritten\&.
114:List the key ID of keys in the key database\&. A key ID is the modulus of 
the RSA key or the publicValue of the DSA key\&. IDs are displayed in 
hexadecimal ("0x" is not shown)\&.
119:List all the certificates, or display information about a named 
certificate, in a certificate database\&. Use the \-h tokenname argument to 
specify the certificate database on a particular hardware or software token\&.
139:Create a certificate request file that can be submitted to a Certificate 
Authority (CA) for processing into a finished certificate\&. Output defaults to 
standard out unless you use \-o output\-file argument\&. Use the \-a argument 
to specify ASCII output\&.
174:Upgrade an old database and merge it into a new database\&. This is used to 
migrate legacy NSS databases (cert8\&.db
187:Use ASCII format or allow the use of ASCII format for input or output\&. 
This formatting follows RFC 1113\&. For certificate requests, ASCII output 
defaults to standard output unless redirected\&.
197:Specify a time at which a certificate is required to be valid\&. Use when 
checking certificate validity with the
199:option\&. The format of the
202:\fIYYMMDDHHMMSS[+HHMM|\-HHMM|Z]\fR, which allows offsets to be set relative 
to the validity end time\&. Specifying seconds (\fISS\fR) is optional\&. When 
specifying an explicit time, use a Z at the end of the term,
203:\fIYYMMDDHHMMSSZ\fR, to close it\&. When specifying an offset time, use
214:Identify the certificate of the CA from which a new certificate will derive 
its authenticity\&. Use the exact nickname or alias of the CA certificate, or 
use the CA\*(Aqs email address\&. Bracket the issuer string with quotation 
marks if it contains spaces\&.
254:If no prefix is specified the default type is retrieved from 
NSS_DEFAULT_DB_TYPE\&. If NSS_DEFAULT_DB_TYPE is not set then
271:Specify the email address of a certificate to list\&. Used with the \-L 
command option\&.
314:Specify a file that will automatically supply the password to include in a 
certificate or to access a certificate database\&. This is a plain\-text file 
containing one password\&. Be sure to prevent unauthorized access to this 
file\&.
319:Set a key size to use when generating new public and private key pairs\&. 
The minimum is 512 bits and the maximum is 16384 bits\&. The default is 2048 
bits\&. Any size between the minimum and maximum is allowed\&.
324:Specify the name of a token to use or act on\&. If not specified the 
default token is the internal database slot\&.
326:The name can also be a PKCS #11 URI\&. For example, the NSS internal 
certificate store can be unambiguously specified as 
"pkcs11:token=NSS%20Certificate%20DB"\&. For details about the format, see RFC 
7512\&.
331:Pass an input file to the command\&. Depending on the command option, an 
input file can be a specific certificate, a certificate request file, or a 
batch file of commands\&.
338:The valid key type options are rsa, dsa, ec, or all\&. The default value is 
rsa\&. Specifying the type of key can avoid mistakes caused by duplicate 
nicknames\&. Giving a key type generates a new key pair; giving the ID of an 
existing key reuses that key pair (which is required to renew certificates)\&.
348:Assign a unique serial number to a certificate being created\&. This 
operation should be performed by a CA\&. If no serial number is provided a 
default serial number is made from the current time\&. Serial numbers are 
limited to integers
353:Specify the nickname of a certificate or key to list, create, add to a 
database, modify, or validate\&. Bracket the nickname string with quotation 
marks if it contains spaces\&.
355:The nickname can also be a PKCS #11 URI\&. For example, if you have a 
certificate named "my\-server\-cert" on the internal certificate store, it can 
be unambiguously specified as 
"pkcs11:token=NSS%20Certificate%20DB;object=my\-server\-cert"\&. For details 
about the format, see RFC 7512\&.
360:Specify the output file name for new certificates or binary certificate 
requests\&. Bracket the output\-file string with quotation marks if it contains 
spaces\&. If this argument is not used the output destination defaults to 
standard output\&.
365:Specify the prefix used on the certificate and key database file\&. This 
argument is provided to support legacy servers\&. Most applications do not use 
a database prefix\&.
370:Specify a contact telephone number to include in new certificates or 
certificate requests\&. Bracket this string with quotation marks if it contains 
spaces\&.
375:Read an alternate PQG value from the specified file when generating DSA key 
pairs\&. If this argument is not used,
377:generates its own PQG value\&. PQG files are created with a separate DSA 
utility\&.
391:Identify a particular certificate owner for new certificates or certificate 
requests\&. Bracket this string with quotation marks if it contains spaces\&. 
The subject identification format follows RFC #1485\&.
396:Specify the trust attributes to modify in an existing certificate or to 
apply to a certificate when creating it or adding it to a database\&. There are 
three available trust categories for each certificate, expressed in the order
398:for each trust setting\&. In each category position, use none, any, or all 
of the attribute codes:
460:The attribute codes for the categories are separated by commas, and the 
entire set of attributes enclosed by quotation marks\&. For example:
466:Note that the output of the \-L option may include "u" flag, which means 
that there is a private key associated with the certificate\&. It is a dynamic 
flag and you cannot set it with certutil\&.
598:Set the number of months a new certificate will be valid\&. The validity 
period begins at the current system time unless an offset is added or 
subtracted with the
600:option\&. If this argument is not used, the default validity period is 
three months\&.
605:Set an offset from the current system time, in months, for the beginning of 
a certificate\*(Aqs validity period\&. Use when creating the certificate or 
adding it to a database\&. Express the offset in integers, using a minus sign 
(\-) to indicate a negative offset\&. If this argument is not used, the 
validity period begins at the current system time\&. The length of the validity 
period is set with the \-v argument\&.
610:Force the key and certificate database to open in read\-write mode\&. This 
is used with the
626:Set an alternate exponent value to use in generating a new RSA public key 
for the database, instead of the default value of 65537\&. The available 
alternate values are 3 and 17\&.
635:option) to be used with the RSA\-PSS signature scheme\&. This only works 
when the private key of the certificate or certificate request is RSA\&.
644:option)\&. This only works when the private key of the signer\*(Aqs 
certificate is RSA\&. If the signer\*(Aqs certificate is restricted to 
RSA\-PSS, it is not necessary to specify this option\&.
649:Read a seed value from the specified file to generate a new private and 
public key pair\&. This argument makes it possible to use hardware\-generated 
seed values or manually create a value from the keyboard\&. The minimum file 
size is 20 bytes\&.
654:Specify the hash algorithm to use with the \-C, \-S or \-R command 
options\&. Possible keywords:
752:Set an X\&.509 V3 Certificate Type Extension in the certificate\&. There 
are several available keywords:
845:Add a basic constraint extension to a certificate that is being created or 
added to a database\&. This extension supports the certificate chain 
verification process\&.
854:Add an authority key ID extension to a certificate that is being created or 
added to a database\&. This extension supports the identification of a 
particular certificate, from among multiple certificates associated with one 
subject name, as the correct issuer of a certificate\&. The Certificate 
Database Tool will prompt you to select the authority key ID extension\&.
861:Add a CRL distribution point extension to a certificate that is being 
created or added to a database\&. This extension identifies the URL of a 
certificate\*(Aqs associated certificate revocation list (CRL)\&.
870:Add an X\&.509 V3 certificate type extension to a certificate that is being 
created or added to the database\&. There are several available keywords:
965:Add an extended key usage extension to a certificate that is being created 
or added to the database\&. Several keywords are available:
1148:Add a comma\-separated list of email addresses to the subject alternative 
name extension of a certificate or certificate request that is being created or 
added to the database\&. Subject alternative name extensions are described in 
Section 4\&.2\&.1\&.7 of RFC 3280\&.
1153:Add a comma\-separated list of DNS names to the subject alternative name 
extension of a certificate or certificate request that is being created or 
added to the database\&. Subject alternative name extensions are described in 
Section 4\&.2\&.1\&.7 of RFC 3280\&.
1158:Add the Authority Information Access extension to the certificate\&. 
X\&.509 certificate extensions are described in RFC 5280\&.
1163:Add the Subject Information Access extension to the certificate\&. X\&.509 
certificate extensions are described in RFC 5280\&.
1168:Add the Certificate Policies extension to the certificate\&. X\&.509 
certificate extensions are described in RFC 5280\&.
1173:Add the Policy Mappings extension to the certificate\&. X\&.509 
certificate extensions are described in RFC 5280\&.
1178:Add the Policy Constraints extension to the certificate\&. X\&.509 
certificate extensions are described in RFC 5280\&.
1183:Add the Inhibit Any Policy Access extension to the certificate\&. X\&.509 
certificate extensions are described in RFC 5280\&.
1188:Add the Subject Key ID extension to the certificate\&. X\&.509 certificate 
extensions are described in RFC 5280\&.
1193:Add a Name Constraint extension to the certificate\&. X\&.509 certificate 
extensions are described in RFC 5280\&.
1210:PKCS #11 key Attributes\&. Comma separated list of key attribute flags, 
selected from the following list of choices: {token | session} {public | 
private} {sensitive | insensitive} {modifiable | unmodifiable} {extractable | 
unextractable}
1215:PKCS #11 key Operation Flags\&. Comma separated list of one or more of the 
following: {token | session} {public | private} {sensitive | insensitive} 
{modifiable | unmodifiable} {extractable | unextractable}
1249:Most of the command options in the examples listed here have more 
arguments available\&. The arguments included in these examples are the most 
common ones or are used to illustrate a specific scenario\&. Use the
1304:A certificate request contains most or all of the information that is used 
to generate the final certificate\&. This request is submitted separately to a 
certificate authority and is then approved by some mechanism (automatically or 
by human review)\&. Once the request is approved, then the certificate is 
generated\&.
1387:A valid certificate must be issued by a trusted CA\&. This can be done by 
specifying a CA certificate (\fB\-c\fR) that is stored in the certificate 
database\&. If a CA key pair is not available, you can create a self\-signed 
certificate using the
1405:options set certificate extensions that can be added to the certificate 
when it is generated by the CA\&. Interactive prompts will result\&.
1439:argument)\&. The issuing certificate must be in the certificate database 
in the specified directory\&.
1467:command option lists all of the certificates listed in the certificate 
database\&. The path to the directory (\fB\-d\fR) is required\&.
1489:can return and print the information for a single, specific certificate\&. 
For example, the
1594:Keys are the original material used to encrypt certificate data\&. The 
keys generated for certificates are stored separately, in the key database\&.
1608:< 0> rsa      455a6673bde9375c2887ec8bf8016b3f9f35861d   Thawte Freemail 
Member\*(Aqs Thawte Consulting (Pty) Ltd\&. ID
1662:The devices that can be used to store certificates \-\- both internal 
databases and external devices like smart cards \-\- are recognized and used by 
loading security modules\&. The
1666:database\&. The path to the directory (\fB\-d\fR) is required\&.
1688:Existing certificates or certificate requests can be added manually to the 
certificate database, even if they were generated elsewhere\&. This uses the
1715:\fB\-E\fR, is used specifically to add email certificates to the 
certificate database\&. The
1719:command\&. The trust arguments for certificates have the format
1720:\fISSL,S/MIME,Code\-signing\fR, so the middle trust settings relate most 
to email certificates (though the others can be set)\&. For example:
1736:option\&. The only required options are to give the security database 
directory and to identify the certificate nickname\&.
1762:A certificate contains an expiration date in itself, and expired 
certificates are easily rejected\&. However, certificates can also be revoked 
before they hit their expiration date\&. Checking whether a certificate has 
been revoked requires validating the certificate\&. Validation can also be used 
to ensure that the certificate is only used for the purposes it was initially 
issued for\&. Validation is carried out by the
1790:The trust settings (which relate to the operations that a certificate is 
allowed to be used for) can be changed after a certificate is created or added 
to the database\&. This is especially useful for CA certificates, but it can be 
performed for any type of certificate\&.
1818:because every certificate authority itself has a certificate; when a CA 
issues a certificate, it essentially stamps that certificate with its own 
fingerprint\&. The
1820:prints the full chain of a certificate, going from the initial CA (the 
root CA) through ever intermediary CA to the actual certificate\&. For example, 
for an email certificate with two CAs in the chain:
1839:The device which stores certificates \-\- both external hardware devices 
and internal software databases \-\- can be blanked and reused\&. This 
operation is performed on the device which stores the data, not directly on the 
security databases, so the location must be referenced through the token name 
(\fB\-h\fR) as well as any directory path\&. If there is no external token 
used, the default value is internal\&.
1851:Many networks have dedicated personnel who handle changes to security 
tokens (the security officer)\&. This person must supply the password to access 
the specified token\&. For example:
1865:Many networks or applications may be using older BerkeleyDB versions of 
the certificate database (cert8\&.db)\&. Databases can be upgraded to the new 
SQLite version of the database (cert9\&.db) using the
1876:\fB\-d\fR) to give the information about the new databases\&. The command 
also requires information that the tool uses for the process to upgrade and 
write over the original database\&.
1930:command option\&. The only argument for this specifies the input file\&.
1943:NSS originally used BerkeleyDB databases to store security information\&. 
The last versions of these
1980:BerkeleyDB has performance limitations, though, which prevent it from 
being easily used by multiple applications simultaneously\&. NSS has some 
flexibility that allows applications to use their own, independent database 
engine while keeping a shared database and working around the access issues\&. 
Still, NSS requires more flexibility to provide a truly shared security 
database\&.
1982:In 2009, NSS introduced a new set of databases that are SQLite databases 
rather than BerkeleyDB\&. These new databases provide more accessibility and 
performance:
2019:database type\&. The shared database type is preferred; the legacy format 
is included for backward compatibility\&.
2023:\fBmodutil\fR) assume that the given security databases use the SQLite 
type\&. Using the legacy databases must be manually specified by using the
2025:prefix with the given security directory\&. For example:
2147:\m[blue]\fBhttp://www\&.mozilla\&.org/projects/security/pki/nss/\fR\m[]\&;. 
The NSS site relates directly to NSS code changes and releases\&.
2159:Licensed under the Mozilla Public License, v\&. 2\&.0\&. If a copy of the 
MPL was not distributed with this file, You can obtain one at 
http://mozilla\&.org/MPL/2\&.0/\&;.

-.-.

Split lines longer than 80 characters into two or more lines.
Appropriate break points are the end of a sentence and a subordinate
clause; after punctuation marks.

N.B.

  The number of lines affected can be too large to be in a patch.


Line 31, length 82

certutil \- Manage keys and certificate in both NSS databases and other NSS 
tokens

Line 37, length 90

This documentation is still work in progress\&. Please contribute to the 
initial review in

Line 42, length 333

\fBcertutil\fR, is a command\-line utility that can create and modify 
certificate and key databases\&. It can specifically list, generate, modify, or 
delete certificates, create or change the password, generate new public and 
private key pairs, display the contents of the key database, or delete key 
pairs within the key database\&.

Line 44, length 278

Certificate issuance, part of the key and certificate management process, 
requires that keys and certificates be created in the key database\&. This 
document discusses certificate and key database management\&. For information 
on the security module database management, see the

Line 51, length 169

always requires one and only one command option to specify the type of 
certificate operation\&. Each command option may take zero or more arguments\&. 
The command option

Line 59, length 180

Add an existing certificate to a certificate database\&. The certificate 
database should already exist; if one is not present, this command option will 
initialize one by default\&.

Line 71, length 86

Create a new binary certificate file from a binary certificate request file\&. 
Use the

Line 73, length 81

argument to specify the certificate request file\&. If this argument is not 
used,

Line 95, length 200

Delete a private key and the associated certificate from a database\&. Specify 
the key to delete with the \-n argument or the \-k argument\&. Specify the 
database from which to delete the key with the

Line 99, length 142

Some smart cards do not let you remove a public key you have generated\&. In 
such a case, only the private key is deleted from the key pair\&.

Line 104, length 313

Generate a new public and private key pair within a key database\&. The key 
database should already exist; if one is not present, this command option will 
initialize one by default\&. Some smart cards can store only one key pair\&. If 
you create a new key pair for such a card, the previous pair is overwritten\&.

Line 114, length 178

List the key ID of keys in the key database\&. A key ID is the modulus of the 
RSA key or the publicValue of the DSA key\&. IDs are displayed in hexadecimal 
("0x" is not shown)\&.

Line 119, length 218

List all the certificates, or display information about a named certificate, in 
a certificate database\&. Use the \-h tokenname argument to specify the 
certificate database on a particular hardware or software token\&.

Line 124, length 83

Modify a certificate\*(Aqs trust attributes using the values of the \-t 
argument\&.

Line 139, length 257

Create a certificate request file that can be submitted to a Certificate 
Authority (CA) for processing into a finished certificate\&. Output defaults to 
standard out unless you use \-o output\-file argument\&. Use the \-a argument 
to specify ASCII output\&.

Line 174, length 116

Upgrade an old database and merge it into a new database\&. This is used to 
migrate legacy NSS databases (cert8\&.db

Line 183, length 84

Arguments modify a command option and are usually lower case, numbers, or 
symbols\&.

Line 187, length 196

Use ASCII format or allow the use of ASCII format for input or output\&. This 
formatting follows RFC 1113\&. For certificate requests, ASCII output defaults 
to standard output unless redirected\&.

Line 192, length 106

When printing the certificate chain, don\*(Aqt search for a chain if issuer 
name equals to subject name\&.

Line 197, length 112

Specify a time at which a certificate is required to be valid\&. Use when 
checking certificate validity with the

Line 202, length 214

\fIYYMMDDHHMMSS[+HHMM|\-HHMM|Z]\fR, which allows offsets to be set relative to 
the validity end time\&. Specifying seconds (\fISS\fR) is optional\&. When 
specifying an explicit time, use a Z at the end of the term,

Line 209, length 85

If this option is not used, the validity check defaults to the current system 
time\&.

Line 214, length 259

Identify the certificate of the CA from which a new certificate will derive its 
authenticity\&. Use the exact nickname or alias of the CA certificate, or use 
the CA\*(Aqs email address\&. Bracket the issuer string with quotation marks if 
it contains spaces\&.

Line 219, length 83

Specify the database directory containing the certificate and key database 
files\&.

Line 254, length 122

If no prefix is specified the default type is retrieved from 
NSS_DEFAULT_DB_TYPE\&. If NSS_DEFAULT_DB_TYPE is not set then

Line 266, length 85

Check a certificate\*(Aqs signature during the process of validating a 
certificate\&.

Line 271, length 89

Specify the email address of a certificate to list\&. Used with the \-L command 
option\&.

Line 274, length 81

\-\-extGeneric 
OID:critical\-flag:filename[,OID:critical\-flag:filename]\&.\&.\&.

Line 276, length 113

Add one or multiple extensions that certutil cannot encode yet, by loading 
their encodings from external files\&.

Line 314, length 234

Specify a file that will automatically supply the password to include in a 
certificate or to access a certificate database\&. This is a plain\-text file 
containing one password\&. Be sure to prevent unauthorized access to this 
file\&.

Line 319, length 213

Set a key size to use when generating new public and private key pairs\&. The 
minimum is 512 bits and the maximum is 16384 bits\&. The default is 2048 
bits\&. Any size between the minimum and maximum is allowed\&.

Line 324, length 115

Specify the name of a token to use or act on\&. If not specified the default 
token is the internal database slot\&.

Line 326, length 207

The name can also be a PKCS #11 URI\&. For example, the NSS internal 
certificate store can be unambiguously specified as 
"pkcs11:token=NSS%20Certificate%20DB"\&. For details about the format, see RFC 
7512\&.

Line 331, length 173

Pass an input file to the command\&. Depending on the command option, an input 
file can be a specific certificate, a certificate request file, or a batch file 
of commands\&.

Line 338, length 304

The valid key type options are rsa, dsa, ec, or all\&. The default value is 
rsa\&. Specifying the type of key can avoid mistakes caused by duplicate 
nicknames\&. Giving a key type generates a new key pair; giving the ID of an 
existing key reuses that key pair (which is required to renew certificates)\&.

Line 343, length 81

Display detailed information when validating a certificate with the \-V 
option\&.

Line 348, length 237

Assign a unique serial number to a certificate being created\&. This operation 
should be performed by a CA\&. If no serial number is provided a default serial 
number is made from the current time\&. Serial numbers are limited to integers

Line 353, length 177

Specify the nickname of a certificate or key to list, create, add to a 
database, modify, or validate\&. Bracket the nickname string with quotation 
marks if it contains spaces\&.

Line 355, length 289

The nickname can also be a PKCS #11 URI\&. For example, if you have a 
certificate named "my\-server\-cert" on the internal certificate store, it can 
be unambiguously specified as 
"pkcs11:token=NSS%20Certificate%20DB;object=my\-server\-cert"\&. For details 
about the format, see RFC 7512\&.

Line 360, length 244

Specify the output file name for new certificates or binary certificate 
requests\&. Bracket the output\-file string with quotation marks if it contains 
spaces\&. If this argument is not used the output destination defaults to 
standard output\&.

Line 365, length 172

Specify the prefix used on the certificate and key database file\&. This 
argument is provided to support legacy servers\&. Most applications do not use 
a database prefix\&.

Line 370, length 158

Specify a contact telephone number to include in new certificates or 
certificate requests\&. Bracket this string with quotation marks if it contains 
spaces\&.

Line 375, length 114

Read an alternate PQG value from the specified file when generating DSA key 
pairs\&. If this argument is not used,

Line 377, length 83

generates its own PQG value\&. PQG files are created with a separate DSA 
utility\&.

Line 379, length 87

Elliptic curve name is one of the ones from nistp256, nistp384, nistp521, 
curve25519\&.

Line 381, length 840

If a token is available that supports more curves, the foolowing curves are 
supported as well: sect163k1, nistk163, sect163r1, sect163r2, nistb163, 
sect193r1, sect193r2, sect233k1, nistk233, sect233r1, nistb233, sect239k1, 
sect283k1, nistk283, sect283r1, nistb283, sect409k1, nistk409, sect409r1, 
nistb409, sect571k1, nistk571, sect571r1, nistb571, secp160k1, secp160r1, 
secp160r2, secp192k1, secp192r1, nistp192, secp224k1, secp224r1, nistp224, 
secp256k1, secp256r1, secp384r1, secp521r1, prime192v1, prime192v2, prime192v3, 
prime239v1, prime239v2, prime239v3, c2pnb163v1, c2pnb163v2, c2pnb163v3, 
c2pnb176v1, c2tnb191v1, c2tnb191v2, c2tnb191v3, c2pnb208w1, c2tnb239v1, 
c2tnb239v2, c2tnb239v3, c2pnb272w1, c2pnb304w1, c2tnb359w1, c2pnb368w1, 
c2tnb431r1, secp112r1, secp112r2, secp128r1, secp128r2, sect113r1, sect113r2, 
sect131r1, sect131r2

Line 386, length 118

Display a certificate\*(Aqs binary DER encoding when listing information about 
that certificate with the \-L option\&.

Line 391, length 208

Identify a particular certificate owner for new certificates or certificate 
requests\&. Bracket this string with quotation marks if it contains spaces\&. 
The subject identification format follows RFC #1485\&.

Line 396, length 229

Specify the trust attributes to modify in an existing certificate or to apply 
to a certificate when creating it or adding it to a database\&. There are three 
available trust categories for each certificate, expressed in the order

Line 398, length 98

for each trust setting\&. In each category position, use none, any, or all of 
the attribute codes:

Line 460, length 140

The attribute codes for the categories are separated by commas, and the entire 
set of attributes enclosed by quotation marks\&. For example:

Line 464, length 110

Use the \-L option to see a list of the current certificates and trust 
attributes in a certificate database\&.

Line 466, length 195

Note that the output of the \-L option may include "u" flag, which means that 
there is a private key associated with the certificate\&. It is a dynamic flag 
and you cannot set it with certutil\&.

Line 471, length 85

Specify a usage context to apply when validating a certificate with the \-V 
option\&.

Line 598, length 162

Set the number of months a new certificate will be valid\&. The validity period 
begins at the current system time unless an offset is added or subtracted with 
the

Line 600, length 86

option\&. If this argument is not used, the default validity period is three 
months\&.

Line 605, length 420

Set an offset from the current system time, in months, for the beginning of a 
certificate\*(Aqs validity period\&. Use when creating the certificate or 
adding it to a database\&. Express the offset in integers, using a minus sign 
(\-) to indicate a negative offset\&. If this argument is not used, the 
validity period begins at the current system time\&. The length of the validity 
period is set with the \-v argument\&.

Line 610, length 91

Force the key and certificate database to open in read\-write mode\&. This is 
used with the

Line 621, length 137

to generate the signature for a certificate being created or added to a 
database, rather than obtaining a signature from a separate CA\&.

Line 626, length 179

Set an alternate exponent value to use in generating a new RSA public key for 
the database, instead of the default value of 65537\&. The available alternate 
values are 3 and 17\&.

Line 635, length 145

option) to be used with the RSA\-PSS signature scheme\&. This only works when 
the private key of the certificate or certificate request is RSA\&.

Line 644, length 194

option)\&. This only works when the private key of the signer\*(Aqs certificate 
is RSA\&. If the signer\*(Aqs certificate is restricted to RSA\-PSS, it is not 
necessary to specify this option\&.

Line 649, length 246

Read a seed value from the specified file to generate a new private and public 
key pair\&. This argument makes it possible to use hardware\-generated seed 
values or manually create a value from the keyboard\&. The minimum file size is 
20 bytes\&.

Line 654, length 96

Specify the hash algorithm to use with the \-C, \-S or \-R command options\&. 
Possible keywords:

Line 752, length 104

Set an X\&.509 V3 Certificate Type Extension in the certificate\&. There are 
several available keywords:

Line 845, length 167

Add a basic constraint extension to a certificate that is being created or 
added to a database\&. This extension supports the certificate chain 
verification process\&.

Line 854, length 369

Add an authority key ID extension to a certificate that is being created or 
added to a database\&. This extension supports the identification of a 
particular certificate, from among multiple certificates associated with one 
subject name, as the correct issuer of a certificate\&. The Certificate 
Database Tool will prompt you to select the authority key ID extension\&.

Line 861, length 208

Add a CRL distribution point extension to a certificate that is being created 
or added to a database\&. This extension identifies the URL of a 
certificate\*(Aqs associated certificate revocation list (CRL)\&.

Line 870, length 149

Add an X\&.509 V3 certificate type extension to a certificate that is being 
created or added to the database\&. There are several available keywords:

Line 965, length 134

Add an extended key usage extension to a certificate that is being created or 
added to the database\&. Several keywords are available:

Line 1148, length 268

Add a comma\-separated list of email addresses to the subject alternative name 
extension of a certificate or certificate request that is being created or 
added to the database\&. Subject alternative name extensions are described in 
Section 4\&.2\&.1\&.7 of RFC 3280\&.

Line 1153, length 262

Add a comma\-separated list of DNS names to the subject alternative name 
extension of a certificate or certificate request that is being created or 
added to the database\&. Subject alternative name extensions are described in 
Section 4\&.2\&.1\&.7 of RFC 3280\&.

Line 1158, length 128

Add the Authority Information Access extension to the certificate\&. X\&.509 
certificate extensions are described in RFC 5280\&.

Line 1163, length 126

Add the Subject Information Access extension to the certificate\&. X\&.509 
certificate extensions are described in RFC 5280\&.

Line 1168, length 120

Add the Certificate Policies extension to the certificate\&. X\&.509 
certificate extensions are described in RFC 5280\&.

Line 1173, length 115

Add the Policy Mappings extension to the certificate\&. X\&.509 certificate 
extensions are described in RFC 5280\&.

Line 1178, length 118

Add the Policy Constraints extension to the certificate\&. X\&.509 certificate 
extensions are described in RFC 5280\&.

Line 1183, length 125

Add the Inhibit Any Policy Access extension to the certificate\&. X\&.509 
certificate extensions are described in RFC 5280\&.

Line 1188, length 114

Add the Subject Key ID extension to the certificate\&. X\&.509 certificate 
extensions are described in RFC 5280\&.

Line 1193, length 113

Add a Name Constraint extension to the certificate\&. X\&.509 certificate 
extensions are described in RFC 5280\&.

Line 1200, length 108

\-type: directory, dn, dns, edi, ediparty, email, ip, ipaddr, other, 
registerid, rfc822, uri, x400, x400addr

Line 1210, length 237

PKCS #11 key Attributes\&. Comma separated list of key attribute flags, 
selected from the following list of choices: {token | session} {public | 
private} {sensitive | insensitive} {modifiable | unmodifiable} {extractable | 
unextractable}

Line 1215, length 206

PKCS #11 key Operation Flags\&. Comma separated list of one or more of the 
following: {token | session} {public | private} {sensitive | insensitive} 
{modifiable | unmodifiable} {extractable | unextractable}

Line 1249, length 211

Most of the command options in the examples listed here have more arguments 
available\&. The arguments included in these examples are the most common ones 
or are used to illustrate a specific scenario\&. Use the

Line 1255, length 112

Certificates, keys, and security modules related to managing certificates are 
stored in three related databases:

Line 1304, length 319

A certificate request contains most or all of the information that is used to 
generate the final certificate\&. This request is submitted separately to a 
certificate authority and is then approved by some mechanism (automatically or 
by human review)\&. Once the request is approved, then the certificate is 
generated\&.

Line 1310, length 155

$ certutil \-R \-k key\-type\-or\-id [\-q pqgfile|curve\-name] \-g key\-size 
\-s subject [\-h tokenname] \-d directory [\-p phone] [\-o output\-file] [\-a]

Line 1329, length 104

to specify either the key type to generate or, when renewing a certificate, the 
existing key pair to use

Line 1368, length 122

The new certificate request can be output in ASCII format (\fB\-a\fR) or can be 
written to a specified file (\fB\-o\fR)\&.

Line 1376, length 155

$ certutil \-R \-k rsa \-g 1024 \-s "CN=John Smith,O=Example Corp,L=Mountain 
View,ST=California,C=US" \-d $HOME/nssdb \-p 650\-555\-0123 \-a \-o cert\&.cer

Line 1387, length 246

A valid certificate must be issued by a trusted CA\&. This can be done by 
specifying a CA certificate (\fB\-c\fR) that is stored in the certificate 
database\&. If a CA key pair is not available, you can create a self\-signed 
certificate using the

Line 1397, length 350

$ certutil \-S \-k rsa|dsa|ec \-n certname \-s subject [\-c issuer |\-x] \-t 
trustargs \-d directory [\-m serial\-number] [\-v valid\-months] [\-w 
offset\-months] [\-p phone] [\-1] [\-2] [\-3] [\-4] [\-5 keyword] [\-6 keyword] 
[\-7 emailAddress] [\-8 dns\-names] [\-\-extAIA] [\-\-extSIA] [\-\-extCP] 
[\-\-extPM] [\-\-extPC] [\-\-extIA] [\-\-extSKID]

Line 1405, length 140

options set certificate extensions that can be added to the certificate when it 
is generated by the CA\&. Interactive prompts will result\&.

Line 1413, length 88

$ certutil \-S \-s "CN=Example CA" \-n my\-ca\-cert \-x \-t "C,C,C" \-1 \-2 \-5 
\-m 3650

Line 1419, length 124

The interative prompts for key usage and whether any extensions are critical 
and responses have been ommitted for brevity\&.

Line 1427, length 111

$ certutil \-S \-s "CN=My Server Cert" \-n my\-server\-cert \-c "my\-ca\-cert" 
\-t ",," \-1 \-5 \-6 \-8 \-m 730

Line 1435, length 160

When a certificate request is created, a certificate can be generated by using 
the request and then referencing a certificate authority signing certificate 
(the

Line 1439, length 102

argument)\&. The issuing certificate must be in the certificate database in the 
specified directory\&.

Line 1445, length 228

certutil \-C \-c issuer \-i cert\-request\-file \-o output\-file [\-m 
serial\-number] [\-v valid\-months] [\-w offset\-months] \-d directory [\-1] 
[\-2] [\-3] [\-4] [\-5 keyword] [\-6 keyword] [\-7 emailAddress] [\-8 
dns\-names]

Line 1457, length 202

$ certutil \-C \-c "my\-ca\-cert" \-i /home/certs/cert\&.req \-o cert\&.cer \-m 
010 \-v 12 \-w 1 \-d $HOME/nssdb \-1 nonRepudiation,dataEncipherment \-5 
sslClient \-6 clientAuth \-7 jsmith@example\&.com

Line 1467, length 135

command option lists all of the certificates listed in the certificate 
database\&. The path to the directory (\fB\-d\fR) is required\&.

Line 1489, length 91

can return and print the information for a single, specific certificate\&. For 
example, the

Line 1594, length 148

Keys are the original material used to encrypt certificate data\&. The keys 
generated for certificates are stored separately, in the key database\&.

Line 1607, length 119

certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and 
Certificate Services                  "

Line 1608, length 119

< 0> rsa      455a6673bde9375c2887ec8bf8016b3f9f35861d   Thawte Freemail 
Member\*(Aqs Thawte Consulting (Pty) Ltd\&. ID

Line 1609, length 90

< 1> rsa      40defeeb522ade11090eacebaaf1196a172127df   Example Domain 
Administrator Cert

Line 1662, length 181

The devices that can be used to store certificates \-\- both internal databases 
and external devices like smart cards \-\- are recognized and used by loading 
security modules\&. The

Line 1676, length 117

     uri: 
pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203

Line 1680, length 128

     uri: 
pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203

Line 1688, length 151

Existing certificates or certificate requests can be added manually to the 
certificate database, even if they were generated elsewhere\&. This uses the

Line 1708, length 112

$ certutil \-A \-n "CN=My SSL Certificate" \-t ",," \-d /home/my/sharednssdb 
\-i /home/example\-certs/cert\&.cer

Line 1715, length 92

\fB\-E\fR, is used specifically to add email certificates to the certificate 
database\&. The

Line 1720, length 141

\fISSL,S/MIME,Code\-signing\fR, so the middle trust settings relate most to 
email certificates (though the others can be set)\&. For example:

Line 1726, length 117

$ certutil \-E \-n "CN=John Smith Email Cert" \-t ",P," \-d 
/home/my/sharednssdb \-i /home/example\-certs/email\&.cer

Line 1736, length 123

option\&. The only required options are to give the security database directory 
and to identify the certificate nickname\&.

Line 1762, length 423

A certificate contains an expiration date in itself, and expired certificates 
are easily rejected\&. However, certificates can also be revoked before they 
hit their expiration date\&. Checking whether a certificate has been revoked 
requires validating the certificate\&. Validation can also be used to ensure 
that the certificate is only used for the purposes it was initially issued 
for\&. Validation is carried out by the

Line 1770, length 83

certutil \-V \-n certificate\-name [\-b time] [\-e] [\-u cert\-usage] \-d 
directory

Line 1782, length 85

$ certutil \-V \-n "John Smith\*(Aqs Email Cert" \-e \-u S,R \-d 
/home/my/sharednssdb

Line 1790, length 272

The trust settings (which relate to the operations that a certificate is 
allowed to be used for) can be changed after a certificate is created or added 
to the database\&. This is especially useful for CA certificates, but it can be 
performed for any type of certificate\&.

Line 1818, length 164

because every certificate authority itself has a certificate; when a CA issues 
a certificate, it essentially stamps that certificate with its own 
fingerprint\&. The

Line 1820, length 202

prints the full chain of a certificate, going from the initial CA (the root CA) 
through ever intermediary CA to the actual certificate\&. For example, for an 
email certificate with two CAs in the chain:

Line 1827, length 205

"Builtin Object Token:Thawte Personal Freemail CA" 
[E=personal\-freemail@thawte\&.com,CN=Thawte Personal Freemail 
CA,OU=Certification Services Division,O=Thawte Consulting,L=Cape 
Town,ST=Western Cape,C=ZA]

Line 1829, length 139

  "Thawte Personal Freemail Issuing CA \- Thawte Consulting" [CN=Thawte 
Personal Freemail Issuing CA,O=Thawte Consulting (Pty) Ltd\&.,C=ZA]

Line 1839, length 415

The device which stores certificates \-\- both external hardware devices and 
internal software databases \-\- can be blanked and reused\&. This operation is 
performed on the device which stores the data, not directly on the security 
databases, so the location must be referenced through the token name 
(\fB\-h\fR) as well as any directory path\&. If there is no external token 
used, the default value is internal\&.

Line 1851, length 185

Many networks have dedicated personnel who handle changes to security tokens 
(the security officer)\&. This person must supply the password to access the 
specified token\&. For example:

Line 1865, length 203

Many networks or applications may be using older BerkeleyDB versions of the 
certificate database (cert8\&.db)\&. Databases can be upgraded to the new 
SQLite version of the database (cert9\&.db) using the

Line 1875, length 99

command must give information about the original database and then use the 
standard arguments (like

Line 1876, length 185

\fB\-d\fR) to give the information about the new databases\&. The command also 
requires information that the tool uses for the process to upgrade and write 
over the original database\&.

Line 1882, length 180

certutil \-\-upgrade\-merge \-d directory [\-P dbprefix] \-\-source\-dir 
directory \-\-source\-prefix dbprefix \-\-upgrade\-id id 
\-\-upgrade\-token\-name name [\-@ password\-file]

Line 1894, length 173

$ certutil \-\-upgrade\-merge \-d /home/my/sharednssdb \-\-source\-dir 
/opt/my\-app/alias/ \-\-source\-prefix serverapp\- \-\-upgrade\-id 1 
\-\-upgrade\-token\-name internal

Line 1902, length 199

command only requires information about the location of the original database; 
since it doesn\*(Aqt change the format of the database, it can write over 
information without performing interim step\&.

Line 1908, length 122

certutil \-\-merge \-d directory [\-P dbprefix] \-\-source\-dir directory 
\-\-source\-prefix dbprefix [\-@ password\-file]

Line 1920, length 112

$ certutil \-\-merge \-d /home/my/sharednssdb \-\-source\-dir 
/opt/my\-app/alias/ \-\-source\-prefix serverapp\-

Line 1943, length 100

NSS originally used BerkeleyDB databases to store security information\&. The 
last versions of these

Line 1980, length 382

BerkeleyDB has performance limitations, though, which prevent it from being 
easily used by multiple applications simultaneously\&. NSS has some flexibility 
that allows applications to use their own, independent database engine while 
keeping a shared database and working around the access issues\&. Still, NSS 
requires more flexibility to provide a truly shared security database\&.

Line 1982, length 162

In 2009, NSS introduced a new set of databases that are SQLite databases rather 
than BerkeleyDB\&. These new databases provide more accessibility and 
performance:

Line 2014, length 123

pkcs11\&.txt, a listing of all of the PKCS #11 modules, contained in a new 
subdirectory in the security databases directory

Line 2019, length 115

database type\&. The shared database type is preferred; the legacy format is 
included for backward compatibility\&.

Line 2023, length 145

\fBmodutil\fR) assume that the given security databases use the SQLite type\&. 
Using the legacy databases must be manually specified by using the

Line 2067, length 94

For an engineering draft on the changes in the shared NSS databases, see the 
NSS project wiki:

Line 2121, length 102

The NSS wiki has information on the new database design and how to configure 
applications to use it\&.

Line 2146, length 102

For information about NSS and other tools related to NSS (like JSS), check out 
the NSS project wiki at

Line 2147, length 140

\m[blue]\fBhttp://www\&.mozilla\&.org/projects/security/pki/nss/\fR\m[]\&;. The 
NSS site relates directly to NSS code changes and releases\&.

Line 2154, length 115

The NSS tools were written and maintained by developers with Netscape, Red Hat, 
Sun, Oracle, Mozilla, and Google\&.

Line 2156, length 86

Authors: Elio Maldonado <emaldona@redhat\&.com>, Deon Lackey 
<dlackey@redhat\&.com>\&.

Line 2159, length 170

Licensed under the Mozilla Public License, v\&. 2\&.0\&. If a copy of the MPL 
was not distributed with this file, You can obtain one at 
http://mozilla\&.org/MPL/2\&.0/\&;.


-.-.

 Use \(en (en-dash) for a dash at the beginning of a line
or between space characters,
not a minus (\-) or a hyphen (-), except in the NAME section.

certutil.1:409:\- Valid peer
certutil.1:421:\- Trusted peer (implies p)
certutil.1:433:\- Valid CA
certutil.1:445:\- Trusted CA (implies c)
certutil.1:457:\- trusted CA for client authentication (ssl server only)

-.-.

Show if docman-to-man created this

4:.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/>

-.-.

Put a parenthetical sentence, phrase on a separate line,
if not part of a code.
See man-pages(7), item "semantic newline".

certutil.1:114:List the key ID of keys in the key database\&. A key ID is the 
modulus of the RSA key or the publicValue of the DSA key\&. IDs are displayed 
in hexadecimal ("0x" is not shown)\&.
certutil.1:338:The valid key type options are rsa, dsa, ec, or all\&. The 
default value is rsa\&. Specifying the type of key can avoid mistakes caused by 
duplicate nicknames\&. Giving a key type generates a new key pair; giving the 
ID of an existing key reuses that key pair (which is required to renew 
certificates)\&.
certutil.1:457:\- trusted CA for client authentication (ssl server only)
certutil.1:605:Set an offset from the current system time, in months, for the 
beginning of a certificate\*(Aqs validity period\&. Use when creating the 
certificate or adding it to a database\&. Express the offset in integers, using 
a minus sign (\-) to indicate a negative offset\&. If this argument is not 
used, the validity period begins at the current system time\&. The length of 
the validity period is set with the \-v argument\&.
certutil.1:861:Add a CRL distribution point extension to a certificate that is 
being created or added to a database\&. This extension identifies the URL of a 
certificate\*(Aqs associated certificate revocation list (CRL)\&.
certutil.1:1304:A certificate request contains most or all of the information 
that is used to generate the final certificate\&. This request is submitted 
separately to a certificate authority and is then approved by some mechanism 
(automatically or by human review)\&. Once the request is approved, then the 
certificate is generated\&.
certutil.1:1608:< 0> rsa      455a6673bde9375c2887ec8bf8016b3f9f35861d   Thawte 
Freemail Member\*(Aqs Thawte Consulting (Pty) Ltd\&. ID
certutil.1:1720:\fISSL,S/MIME,Code\-signing\fR, so the middle trust settings 
relate most to email certificates (though the others can be set)\&. For example:
certutil.1:1790:The trust settings (which relate to the operations that a 
certificate is allowed to be used for) can be changed after a certificate is 
created or added to the database\&. This is especially useful for CA 
certificates, but it can be performed for any type of certificate\&.
certutil.1:1851:Many networks have dedicated personnel who handle changes to 
security tokens (the security officer)\&. This person must supply the password 
to access the specified token\&. For example:

-.-.

Protect "^From " from forcing a mail software to use "quoted-printable"
encoding, by adding "\&" in front of it.

1421:From there, new certificates can reference the self\-signed certificate:

-.-.

No space is needed before a quote (") at the end of a line

1607:certutil: Checking token "NSS Certificate DB" in slot "NSS User Private 
Key and Certificate Services                  "

-.-.

No need for "\&" to be in front of a period (.) if not at the beginning of
a line.

37:This documentation is still work in progress\&. Please contribute to the 
initial review in
44:Certificate issuance, part of the key and certificate management process, 
requires that keys and certificates be created in the key database\&. This 
document discusses certificate and key database management\&. For information 
on the security module database management, see the
51:always requires one and only one command option to specify the type of 
certificate operation\&. Each command option may take zero or more arguments\&. 
The command option
59:Add an existing certificate to a certificate database\&. The certificate 
database should already exist; if one is not present, this command option will 
initialize one by default\&.
64:Run a series of commands from the specified batch file\&. This requires the
71:Create a new binary certificate file from a binary certificate request 
file\&. Use the
73:argument to specify the certificate request file\&. If this argument is not 
used,
95:Delete a private key and the associated certificate from a database\&. 
Specify the key to delete with the \-n argument or the \-k argument\&. Specify 
the database from which to delete the key with the
99:Some smart cards do not let you remove a public key you have generated\&. In 
such a case, only the private key is deleted from the key pair\&.
104:Generate a new public and private key pair within a key database\&. The key 
database should already exist; if one is not present, this command option will 
initialize one by default\&. Some smart cards can store only one key pair\&. If 
you create a new key pair for such a card, the previous pair is overwritten\&.
114:List the key ID of keys in the key database\&. A key ID is the modulus of 
the RSA key or the publicValue of the DSA key\&. IDs are displayed in 
hexadecimal ("0x" is not shown)\&.
119:List all the certificates, or display information about a named 
certificate, in a certificate database\&. Use the \-h tokenname argument to 
specify the certificate database on a particular hardware or software token\&.
139:Create a certificate request file that can be submitted to a Certificate 
Authority (CA) for processing into a finished certificate\&. Output defaults to 
standard out unless you use \-o output\-file argument\&. Use the \-a argument 
to specify ASCII output\&.
174:Upgrade an old database and merge it into a new database\&. This is used to 
migrate legacy NSS databases (cert8\&.db
176:key3\&.db) into the newer SQLite databases (cert9\&.db
178:key4\&.db)\&.
187:Use ASCII format or allow the use of ASCII format for input or output\&. 
This formatting follows RFC 1113\&. For certificate requests, ASCII output 
defaults to standard output unless redirected\&.
197:Specify a time at which a certificate is required to be valid\&. Use when 
checking certificate validity with the
199:option\&. The format of the
214:Identify the certificate of the CA from which a new certificate will derive 
its authenticity\&. Use the exact nickname or alias of the CA certificate, or 
use the CA\*(Aqs email address\&. Bracket the issuer string with quotation 
marks if it contains spaces\&.
222:supports two types of databases: the legacy security databases (cert8\&.db,
223:key3\&.db, and
224:secmod\&.db) and new SQLite databases (cert9\&.db,
225:key4\&.db, and
226:pkcs11\&.txt)\&.
254:If no prefix is specified the default type is retrieved from 
NSS_DEFAULT_DB_TYPE\&. If NSS_DEFAULT_DB_TYPE is not set then
271:Specify the email address of a certificate to list\&. Used with the \-L 
command option\&.
286:OID (example): 1\&.2\&.3\&.4
314:Specify a file that will automatically supply the password to include in a 
certificate or to access a certificate database\&. This is a plain\-text file 
containing one password\&. Be sure to prevent unauthorized access to this 
file\&.
319:Set a key size to use when generating new public and private key pairs\&. 
The minimum is 512 bits and the maximum is 16384 bits\&. The default is 2048 
bits\&. Any size between the minimum and maximum is allowed\&.
324:Specify the name of a token to use or act on\&. If not specified the 
default token is the internal database slot\&.
326:The name can also be a PKCS #11 URI\&. For example, the NSS internal 
certificate store can be unambiguously specified as 
"pkcs11:token=NSS%20Certificate%20DB"\&. For details about the format, see RFC 
7512\&.
331:Pass an input file to the command\&. Depending on the command option, an 
input file can be a specific certificate, a certificate request file, or a 
batch file of commands\&.
338:The valid key type options are rsa, dsa, ec, or all\&. The default value is 
rsa\&. Specifying the type of key can avoid mistakes caused by duplicate 
nicknames\&. Giving a key type generates a new key pair; giving the ID of an 
existing key reuses that key pair (which is required to renew certificates)\&.
348:Assign a unique serial number to a certificate being created\&. This 
operation should be performed by a CA\&. If no serial number is provided a 
default serial number is made from the current time\&. Serial numbers are 
limited to integers
353:Specify the nickname of a certificate or key to list, create, add to a 
database, modify, or validate\&. Bracket the nickname string with quotation 
marks if it contains spaces\&.
355:The nickname can also be a PKCS #11 URI\&. For example, if you have a 
certificate named "my\-server\-cert" on the internal certificate store, it can 
be unambiguously specified as 
"pkcs11:token=NSS%20Certificate%20DB;object=my\-server\-cert"\&. For details 
about the format, see RFC 7512\&.
360:Specify the output file name for new certificates or binary certificate 
requests\&. Bracket the output\-file string with quotation marks if it contains 
spaces\&. If this argument is not used the output destination defaults to 
standard output\&.
365:Specify the prefix used on the certificate and key database file\&. This 
argument is provided to support legacy servers\&. Most applications do not use 
a database prefix\&.
370:Specify a contact telephone number to include in new certificates or 
certificate requests\&. Bracket this string with quotation marks if it contains 
spaces\&.
375:Read an alternate PQG value from the specified file when generating DSA key 
pairs\&. If this argument is not used,
377:generates its own PQG value\&. PQG files are created with a separate DSA 
utility\&.
391:Identify a particular certificate owner for new certificates or certificate 
requests\&. Bracket this string with quotation marks if it contains spaces\&. 
The subject identification format follows RFC #1485\&.
396:Specify the trust attributes to modify in an existing certificate or to 
apply to a certificate when creating it or adding it to a database\&. There are 
three available trust categories for each certificate, expressed in the order
398:for each trust setting\&. In each category position, use none, any, or all 
of the attribute codes:
460:The attribute codes for the categories are separated by commas, and the 
entire set of attributes enclosed by quotation marks\&. For example:
466:Note that the output of the \-L option may include "u" flag, which means 
that there is a private key associated with the certificate\&. It is a dynamic 
flag and you cannot set it with certutil\&.
598:Set the number of months a new certificate will be valid\&. The validity 
period begins at the current system time unless an offset is added or 
subtracted with the
600:option\&. If this argument is not used, the default validity period is 
three months\&.
605:Set an offset from the current system time, in months, for the beginning of 
a certificate\*(Aqs validity period\&. Use when creating the certificate or 
adding it to a database\&. Express the offset in integers, using a minus sign 
(\-) to indicate a negative offset\&. If this argument is not used, the 
validity period begins at the current system time\&. The length of the validity 
period is set with the \-v argument\&.
610:Force the key and certificate database to open in read\-write mode\&. This 
is used with the
626:Set an alternate exponent value to use in generating a new RSA public key 
for the database, instead of the default value of 65537\&. The available 
alternate values are 3 and 17\&.
635:option) to be used with the RSA\-PSS signature scheme\&. This only works 
when the private key of the certificate or certificate request is RSA\&.
644:option)\&. This only works when the private key of the signer\*(Aqs 
certificate is RSA\&. If the signer\*(Aqs certificate is restricted to 
RSA\-PSS, it is not necessary to specify this option\&.
649:Read a seed value from the specified file to generate a new private and 
public key pair\&. This argument makes it possible to use hardware\-generated 
seed values or manually create a value from the keyboard\&. The minimum file 
size is 20 bytes\&.
654:Specify the hash algorithm to use with the \-C, \-S or \-R command 
options\&. Possible keywords:
752:Set an X\&.509 V3 Certificate Type Extension in the certificate\&. There 
are several available keywords:
845:Add a basic constraint extension to a certificate that is being created or 
added to a database\&. This extension supports the certificate chain 
verification process\&.
854:Add an authority key ID extension to a certificate that is being created or 
added to a database\&. This extension supports the identification of a 
particular certificate, from among multiple certificates associated with one 
subject name, as the correct issuer of a certificate\&. The Certificate 
Database Tool will prompt you to select the authority key ID extension\&.
861:Add a CRL distribution point extension to a certificate that is being 
created or added to a database\&. This extension identifies the URL of a 
certificate\*(Aqs associated certificate revocation list (CRL)\&.
870:Add an X\&.509 V3 certificate type extension to a certificate that is being 
created or added to the database\&. There are several available keywords:
965:Add an extended key usage extension to a certificate that is being created 
or added to the database\&. Several keywords are available:
1148:Add a comma\-separated list of email addresses to the subject alternative 
name extension of a certificate or certificate request that is being created or 
added to the database\&. Subject alternative name extensions are described in 
Section 4\&.2\&.1\&.7 of RFC 3280\&.
1153:Add a comma\-separated list of DNS names to the subject alternative name 
extension of a certificate or certificate request that is being created or 
added to the database\&. Subject alternative name extensions are described in 
Section 4\&.2\&.1\&.7 of RFC 3280\&.
1158:Add the Authority Information Access extension to the certificate\&. 
X\&.509 certificate extensions are described in RFC 5280\&.
1163:Add the Subject Information Access extension to the certificate\&. X\&.509 
certificate extensions are described in RFC 5280\&.
1168:Add the Certificate Policies extension to the certificate\&. X\&.509 
certificate extensions are described in RFC 5280\&.
1173:Add the Policy Mappings extension to the certificate\&. X\&.509 
certificate extensions are described in RFC 5280\&.
1178:Add the Policy Constraints extension to the certificate\&. X\&.509 
certificate extensions are described in RFC 5280\&.
1183:Add the Inhibit Any Policy Access extension to the certificate\&. X\&.509 
certificate extensions are described in RFC 5280\&.
1188:Add the Subject Key ID extension to the certificate\&. X\&.509 certificate 
extensions are described in RFC 5280\&.
1193:Add a Name Constraint extension to the certificate\&. X\&.509 certificate 
extensions are described in RFC 5280\&.
1210:PKCS #11 key Attributes\&. Comma separated list of key attribute flags, 
selected from the following list of choices: {token | session} {public | 
private} {sensitive | insensitive} {modifiable | unmodifiable} {extractable | 
unextractable}
1215:PKCS #11 key Operation Flags\&. Comma separated list of one or more of the 
following: {token | session} {public | private} {sensitive | insensitive} 
{modifiable | unmodifiable} {extractable | unextractable}
1249:Most of the command options in the examples listed here have more 
arguments available\&. The arguments included in these examples are the most 
common ones or are used to illustrate a specific scenario\&. Use the
1265:cert8\&.db or cert9\&.db
1276:key3\&.db or key4\&.db
1287:secmod\&.db or pkcs11\&.txt
1304:A certificate request contains most or all of the information that is used 
to generate the final certificate\&. This request is submitted separately to a 
certificate authority and is then approved by some mechanism (automatically or 
by human review)\&. Once the request is approved, then the certificate is 
generated\&.
1376:$ certutil \-R \-k rsa \-g 1024 \-s "CN=John Smith,O=Example 
Corp,L=Mountain View,ST=California,C=US" \-d $HOME/nssdb \-p 650\-555\-0123 \-a 
\-o cert\&.cer
1378:Generating key\&.  This may take a few moments\&.\&.\&.
1387:A valid certificate must be issued by a trusted CA\&. This can be done by 
specifying a CA certificate (\fB\-c\fR) that is stored in the certificate 
database\&. If a CA key pair is not available, you can create a self\-signed 
certificate using the
1405:options set certificate extensions that can be added to the certificate 
when it is generated by the CA\&. Interactive prompts will result\&.
1439:argument)\&. The issuing certificate must be in the certificate database 
in the specified directory\&.
1457:$ certutil \-C \-c "my\-ca\-cert" \-i /home/certs/cert\&.req \-o 
cert\&.cer \-m 010 \-v 12 \-w 1 \-d $HOME/nssdb \-1 
nonRepudiation,dataEncipherment \-5 sslClient \-6 clientAuth \-7 
jsmith@example\&.com
1467:command option lists all of the certificates listed in the certificate 
database\&. The path to the directory (\fB\-d\fR) is required\&.
1489:can return and print the information for a single, specific certificate\&. 
For example, the
1594:Keys are the original material used to encrypt certificate data\&. The 
keys generated for certificates are stored separately, in the key database\&.
1608:< 0> rsa      455a6673bde9375c2887ec8bf8016b3f9f35861d   Thawte Freemail 
Member\*(Aqs Thawte Consulting (Pty) Ltd\&. ID
1662:The devices that can be used to store certificates \-\- both internal 
databases and external devices like smart cards \-\- are recognized and used by 
loading security modules\&. The
1665:secmod\&.db
1666:database\&. The path to the directory (\fB\-d\fR) is required\&.
1688:Existing certificates or certificate requests can be added manually to the 
certificate database, even if they were generated elsewhere\&. This uses the
1708:$ certutil \-A \-n "CN=My SSL Certificate" \-t ",," \-d 
/home/my/sharednssdb \-i /home/example\-certs/cert\&.cer
1719:command\&. The trust arguments for certificates have the format
1726:$ certutil \-E \-n "CN=John Smith Email Cert" \-t ",P," \-d 
/home/my/sharednssdb \-i /home/example\-certs/email\&.cer
1736:option\&. The only required options are to give the security database 
directory and to identify the certificate nickname\&.
1762:A certificate contains an expiration date in itself, and expired 
certificates are easily rejected\&. However, certificates can also be revoked 
before they hit their expiration date\&. Checking whether a certificate has 
been revoked requires validating the certificate\&. Validation can also be used 
to ensure that the certificate is only used for the purposes it was initially 
issued for\&. Validation is carried out by the
1790:The trust settings (which relate to the operations that a certificate is 
allowed to be used for) can be changed after a certificate is created or added 
to the database\&. This is especially useful for CA certificates, but it can be 
performed for any type of certificate\&.
1818:because every certificate authority itself has a certificate; when a CA 
issues a certificate, it essentially stamps that certificate with its own 
fingerprint\&. The
1820:prints the full chain of a certificate, going from the initial CA (the 
root CA) through ever intermediary CA to the actual certificate\&. For example, 
for an email certificate with two CAs in the chain:
1826:$ certutil \-d /home/my/sharednssdb \-O \-n "jsmith@example\&.com"
1827:"Builtin Object Token:Thawte Personal Freemail CA" 
[E=personal\-freemail@thawte\&.com,CN=Thawte Personal Freemail 
CA,OU=Certification Services Division,O=Thawte Consulting,L=Cape 
Town,ST=Western Cape,C=ZA]
1829:  "Thawte Personal Freemail Issuing CA \- Thawte Consulting" [CN=Thawte 
Personal Freemail Issuing CA,O=Thawte Consulting (Pty) Ltd\&.,C=ZA]
1831:    "(null)" [E=jsmith@example\&.com,CN=Thawte Freemail Member]
1839:The device which stores certificates \-\- both external hardware devices 
and internal software databases \-\- can be blanked and reused\&. This 
operation is performed on the device which stores the data, not directly on the 
security databases, so the location must be referenced through the token name 
(\fB\-h\fR) as well as any directory path\&. If there is no external token 
used, the default value is internal\&.
1851:Many networks have dedicated personnel who handle changes to security 
tokens (the security officer)\&. This person must supply the password to access 
the specified token\&. For example:
1865:Many networks or applications may be using older BerkeleyDB versions of 
the certificate database (cert8\&.db)\&. Databases can be upgraded to the new 
SQLite version of the database (cert9\&.db) using the
1868:cert9\&.db
1930:command option\&. The only argument for this specifies the input file\&.
1943:NSS originally used BerkeleyDB databases to store security information\&. 
The last versions of these
1955:cert8\&.db for certificates
1966:key3\&.db for keys
1977:secmod\&.db for PKCS #11 module information
1980:BerkeleyDB has performance limitations, though, which prevent it from 
being easily used by multiple applications simultaneously\&. NSS has some 
flexibility that allows applications to use their own, independent database 
engine while keeping a shared database and working around the access issues\&. 
Still, NSS requires more flexibility to provide a truly shared security 
database\&.
1982:In 2009, NSS introduced a new set of databases that are SQLite databases 
rather than BerkeleyDB\&. These new databases provide more accessibility and 
performance:
1992:cert9\&.db for certificates
2003:key4\&.db for keys
2014:pkcs11\&.txt, a listing of all of the PKCS #11 modules, contained in a new 
subdirectory in the security databases directory
2019:database type\&. The shared database type is preferred; the legacy format 
is included for backward compatibility\&.
2025:prefix with the given security directory\&. For example:
2053:~/\&.bashrc
2064:https://wiki\&.mozilla\&.org/NSS_Shared_DB_Howto
2077:https://wiki\&.mozilla\&.org/NSS_Shared_DB
2096:http://tools\&.ietf\&.org/html/rfc5280
2107:http://tools\&.ietf\&.org/html/rfc1113
2118:http://tools\&.ietf\&.org/html/rfc1485
2131:https://wiki\&.mozilla\&.org/NSS_Shared_DB_Howto
2142:https://wiki\&.mozilla\&.org/NSS_Shared_DB
2149:Mailing lists: https://lists\&.mozilla\&.org/listinfo/dev\-tech\-crypto
2156:Authors: Elio Maldonado <emaldona@redhat\&.com>, Deon Lackey 
<dlackey@redhat\&.com>\&.
2159:Licensed under the Mozilla Public License, v\&. 2\&.0\&. If a copy of the 
MPL was not distributed with this file, You can obtain one at 
http://mozilla\&.org/MPL/2\&.0/\&;.

-.-.

Output from "test-groff  -mandoc -t -K utf8 -rF0 -rHY=0 -ww -z ":

troff:<stdin>:1480: warning: trailing space in the line
troff:<stdin>:1674: warning: trailing space in the line
troff:<stdin>:1678: warning: trailing space in the line

-.-.

Additional:

From "codespell":
interative ==> interactive, iterative
ommitted ==> omitted

-.-

Wrong spelling: foolowing --> following

-,-

Shorten input lines in nofill mode, to fit them on a sheet.

-.-

  Additionally (general):

  There is no need to add a '\&' before a full stop (.) if it has a character
before it!
--- certutil.1  2024-12-05 23:07:20.340678736 +0000
+++ certutil.1.new      2024-12-06 00:10:16.277200979 +0000
@@ -378,7 +378,7 @@ generates its own PQG value\&. PQG files
 .sp
 Elliptic curve name is one of the ones from nistp256, nistp384, nistp521, 
curve25519\&.
 .sp
-If a token is available that supports more curves, the foolowing curves are 
supported as well: sect163k1, nistk163, sect163r1, sect163r2, nistb163, 
sect193r1, sect193r2, sect233k1, nistk233, sect233r1, nistb233, sect239k1, 
sect283k1, nistk283, sect283r1, nistb283, sect409k1, nistk409, sect409r1, 
nistb409, sect571k1, nistk571, sect571r1, nistb571, secp160k1, secp160r1, 
secp160r2, secp192k1, secp192r1, nistp192, secp224k1, secp224r1, nistp224, 
secp256k1, secp256r1, secp384r1, secp521r1, prime192v1, prime192v2, prime192v3, 
prime239v1, prime239v2, prime239v3, c2pnb163v1, c2pnb163v2, c2pnb163v3, 
c2pnb176v1, c2tnb191v1, c2tnb191v2, c2tnb191v3, c2pnb208w1, c2tnb239v1, 
c2tnb239v2, c2tnb239v3, c2pnb272w1, c2pnb304w1, c2tnb359w1, c2pnb368w1, 
c2tnb431r1, secp112r1, secp112r2, secp128r1, secp128r2, sect113r1, sect113r2, 
sect131r1, sect131r2
+If a token is available that supports more curves, the following curves are 
supported as well: sect163k1, nistk163, sect163r1, sect163r2, nistb163, 
sect193r1, sect193r2, sect233k1, nistk233, sect233r1, nistb233, sect239k1, 
sect283k1, nistk283, sect283r1, nistb283, sect409k1, nistk409, sect409r1, 
nistb409, sect571k1, nistk571, sect571r1, nistb571, secp160k1, secp160r1, 
secp160r2, secp192k1, secp192r1, nistp192, secp224k1, secp224r1, nistp224, 
secp256k1, secp256r1, secp384r1, secp521r1, prime192v1, prime192v2, prime192v3, 
prime239v1, prime239v2, prime239v3, c2pnb163v1, c2pnb163v2, c2pnb163v3, 
c2pnb176v1, c2tnb191v1, c2tnb191v2, c2tnb191v3, c2pnb208w1, c2tnb239v1, 
c2tnb239v2, c2tnb239v3, c2pnb272w1, c2pnb304w1, c2tnb359w1, c2pnb368w1, 
c2tnb431r1, secp112r1, secp112r2, secp128r1, secp128r2, sect113r1, sect113r2, 
sect131r1, sect131r2
 .RE
 .PP
 \-r
@@ -406,7 +406,7 @@ for each trust setting\&. In each catego
 .IP \(bu 2.3
 .\}
 \fBp\fR
-\- Valid peer
+\(en Valid peer
 .RE
 .sp
 .RS 4
@@ -418,7 +418,7 @@ for each trust setting\&. In each catego
 .IP \(bu 2.3
 .\}
 \fBP\fR
-\- Trusted peer (implies p)
+\(en Trusted peer (implies p)
 .RE
 .sp
 .RS 4
@@ -430,7 +430,7 @@ for each trust setting\&. In each catego
 .IP \(bu 2.3
 .\}
 \fBc\fR
-\- Valid CA
+\(en Valid CA
 .RE
 .sp
 .RS 4
@@ -442,7 +442,7 @@ for each trust setting\&. In each catego
 .IP \(bu 2.3
 .\}
 \fBC\fR
-\- Trusted CA (implies c)
+\(en Trusted CA (implies c)
 .RE
 .sp
 .RS 4
@@ -454,7 +454,7 @@ for each trust setting\&. In each catego
 .IP \(bu 2.3
 .\}
 \fBT\fR
-\- trusted CA for client authentication (ssl server only)
+\(en trusted CA for client authentication (ssl server only)
 .RE
 .sp
 The attribute codes for the categories are separated by commas, and the entire 
set of attributes enclosed by quotation marks\&. For example:
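Review bot: on the \fBT\fR entry the description still begins with lower-case "trusted CA", while the neighbouring entries read "Trusted peer" and "Trusted CA"; since the line is rewritten here anyway, capitalise it to match. The parenthetical "(ssl server only)" on the same line is also on the report's own semantic-newline list for line 457, so it could be moved to its own line in the same change.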
@@ -1307,7 +1307,8 @@ A certificate request contains most or a
 .RS 4
 .\}
 .nf
-$ certutil \-R \-k key\-type\-or\-id [\-q pqgfile|curve\-name] \-g key\-size 
\-s subject [\-h tokenname] \-d directory [\-p phone] [\-o output\-file] [\-a]
+$ certutil \-R \-k key\-type\-or\-id [\-q pqgfile|curve\-name] \-g key\-size \e
+\-s subject [\-h tokenname] \-d directory [\-p phone] [\-o output\-file] [\-a]
 .fi
 .if n \{\
 .RE
@@ -1373,7 +1374,8 @@ For example:
 .RS 4
 .\}
 .nf
-$ certutil \-R \-k rsa \-g 1024 \-s "CN=John Smith,O=Example Corp,L=Mountain 
View,ST=California,C=US" \-d $HOME/nssdb \-p 650\-555\-0123 \-a \-o cert\&.cer
+$ certutil \-R \-k rsa \-g 1024 \-s "CN=John Smith,O=Example Corp,L=Mountain \e
+View,ST=California,C=US" \-d $HOME/nssdb \-p 650\-555\-0123 \-a \-o cert.cer
 
 Generating key\&.  This may take a few moments\&.\&.\&.
 
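Review bot: the new break after "L=Mountain \e" falls inside the double-quoted \-s subject, so the displayed command only yields "L=Mountain View" if the trailing space and the backslash-newline are copied exactly; break before \-s or after the closing quote instead. The second added line also changes cert\&.cer to cert.cer, which the \-C example later in the patch does not do (it keeps cert\&.cer), so either apply that everywhere or leave it out of this hunk. While the line is being touched, note that the example still requests \-g 1024, below the 2048-bit default the page documents for \-g.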
@@ -1394,7 +1396,11 @@ command option\&.
 .RS 4
 .\}
 .nf
-$ certutil \-S \-k rsa|dsa|ec \-n certname \-s subject [\-c issuer |\-x] \-t 
trustargs \-d directory [\-m serial\-number] [\-v valid\-months] [\-w 
offset\-months] [\-p phone] [\-1] [\-2] [\-3] [\-4] [\-5 keyword] [\-6 keyword] 
[\-7 emailAddress] [\-8 dns\-names] [\-\-extAIA] [\-\-extSIA] [\-\-extCP] 
[\-\-extPM] [\-\-extPC] [\-\-extIA] [\-\-extSKID]
+$ certutil \-S \-k rsa|dsa|ec \-n certname \-s subject [\-c issuer |\-x] \-t \e
+trustargs \-d directory [\-m serial\-number] [\-v valid\-months] [\-w \e
+offset\-months] [\-p phone] [\-1] [\-2] [\-3] [\-4] [\-5 keyword] [\-6 \e
+keyword] [\-7 emailAddress] [\-8 dns\-names] [\-\-extAIA] [\-\-extSIA] \e
+[\-\-extCP] [\-\-extPM] [\-\-extPC] [\-\-extIA] [\-\-extSKID]
 .fi
 .if n \{\
 .RE
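Review bot: three of the new breaks split an option from its argument, "\-t \e" before "trustargs", "[\-w \e" before "offset\-months]" and "[\-6 \e" before "keyword]", the last two inside a single bracket group, which reads worse than the original long line; break between complete bracket groups instead. This is a synopsis rather than a literal command (it contains "rsa|dsa|ec"), so it is also worth deciding whether shell-style "\e" continuations belong here or whether plain continuation lines would be clearer.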
@@ -1416,15 +1422,16 @@ $ certutil \-S \-s "CN=Example CA" \-n m
 .RE
 .\}
 .PP
-The interative prompts for key usage and whether any extensions are critical 
and responses have been ommitted for brevity\&.
+The interactive prompts for key usage and whether any extensions are critical 
and responses have been omitted for brevity\&.
 .PP
-From there, new certificates can reference the self\-signed certificate:
+\&From there, new certificates can reference the self\-signed certificate:
 .sp
 .if n \{\
 .RS 4
 .\}
 .nf
-$ certutil \-S \-s "CN=My Server Cert" \-n my\-server\-cert \-c "my\-ca\-cert" 
\-t ",," \-1 \-5 \-6 \-8 \-m 730
+$ certutil \-S \-s "CN=My Server Cert" \-n my\-server\-cert \-c \e
+"my\-ca\-cert" \-t ",," \-1 \-5 \-6 \-8 \-m 730
 .fi
 .if n \{\
 .RE
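Review bot: in the last example the break lands between \-c and its argument ("\-c \e" with "my\-ca\-cert" on the next line); put the "\e" after the quoted nickname so the option and its value stay on one line. The two spelling fixes and the "\&From" change are unrelated to shortening lines and would be easier to review as a separate patch.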
@@ -1454,7 +1461,9 @@ For example:
 .RS 4
 .\}
 .nf
-$ certutil \-C \-c "my\-ca\-cert" \-i /home/certs/cert\&.req \-o cert\&.cer 
\-m 010 \-v 12 \-w 1 \-d $HOME/nssdb \-1 nonRepudiation,dataEncipherment \-5 
sslClient \-6 clientAuth \-7 jsmith@example\&.com
+$ certutil \-C \-c "my\-ca\-cert" \-i /home/certs/cert\&.req \-o cert\&.cer \e
+\-m 010 \-v 12 \-w 1 \-d $HOME/nssdb \-1 nonRepudiation,dataEncipherment \-5 \e
+sslClient \-6 clientAuth \-7 jsmith@example\&.com
 .fi
 .if n \{\
 .RE
@@ -1477,7 +1486,7 @@ Certificate Nickname
 
 CA Administrator of Instance pki\-ca1\*(Aqs Example Domain ID     u,u,u
 TPS Administrator\*(Aqs Example Domain ID                        u,u,u
-Google Internet Authority                                    ,,   
+Google Internet Authority                                    ,,
 Certificate Authority \- Example Domain                       CT,C,C
 .fi
 .if n \{\
@@ -1604,7 +1613,7 @@ argument to give the path to the directo
 .\}
 .nf
 $ certutil \-K \-d $HOME/nssdb
-certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key 
and Certificate Services                  "
+certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key 
and Certificate Services"
 < 0> rsa      455a6673bde9375c2887ec8bf8016b3f9f35861d   Thawte Freemail 
Member\*(Aqs Thawte Consulting (Pty) Ltd\&. ID
 < 1> rsa      40defeeb522ade11090eacebaaf1196a172127df   Example Domain 
Administrator Cert
 < 2> rsa      1d0b06f44f6c03842f7d4f4a1dc78b3bcd1b85a5   John Smith user cert
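Review bot: this hunk edits quoted certutil output rather than markup: the blanks removed sit inside the quoted slot name, before the closing quote, so they are not trailing spaces, and the troff warnings in the report (lines 1480, 1674, 1678) do not cover this line. If the sample output is meant to be verbatim, leave the padding in; if it is to be trimmed, say so in the change description and trim it consistently with the \-U example.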
@@ -1671,11 +1680,11 @@ database\&. The path to the directory (\
 .nf
 $ certutil \-U \-d /home/my/sharednssdb
 
-    slot: NSS User Private Key and Certificate Services                  
+    slot: NSS User Private Key and Certificate Services
    token: NSS Certificate DB
      uri: 
pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203
 
-    slot: NSS Internal Cryptographic Services                            
+    slot: NSS Internal Cryptographic Services
    token: NSS Generic Crypto Services
      uri: 
pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203
 .fi
@@ -1705,7 +1714,8 @@ For example:
 .RS 4
 .\}
 .nf
-$ certutil \-A \-n "CN=My SSL Certificate" \-t ",," \-d /home/my/sharednssdb 
\-i /home/example\-certs/cert\&.cer
+$ certutil \-A \-n "CN=My SSL Certificate" \-t ",," \-d /home/my/sharednssdb \e
+\-i /home/example\-certs/cert\&.cer
 .fi
 .if n \{\
 .RE
@@ -1723,7 +1733,8 @@ command\&. The trust arguments for certi
 .RS 4
 .\}
 .nf
-$ certutil \-E \-n "CN=John Smith Email Cert" \-t ",P," \-d 
/home/my/sharednssdb \-i /home/example\-certs/email\&.cer
+$ certutil \-E \-n "CN=John Smith Email Cert" \-t ",P," \-d \e
+/home/my/sharednssdb \-i /home/example\-certs/email.cer
 .fi
 .if n \{\
 .RE
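Review bot: the second added line turns email\&.cer into email.cer, but the \-A example in the previous hunk keeps cert\&.cer; the report argues for dropping "\&" before a period in general, so either do that across the file or restrict this hunk to the line break. The break itself separates \-d from /home/my/sharednssdb; ending the first line after the directory, as the \-A hunk does, keeps the option and its value together.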
@@ -1891,7 +1902,9 @@ For example:
 .RS 4
 .\}
 .nf
-$ certutil \-\-upgrade\-merge \-d /home/my/sharednssdb \-\-source\-dir 
/opt/my\-app/alias/ \-\-source\-prefix serverapp\- \-\-upgrade\-id 1 
\-\-upgrade\-token\-name internal
+$ certutil \-\-upgrade\-merge \-d /home/my/sharednssdb \-\-source\-dir \e
+/opt/my\-app/alias/ \-\-source\-prefix serverapp\- \-\-upgrade\-id 1 \e
+\-\-upgrade\-token\-name internal
 .fi
 .if n \{\
 .RE
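Review bot: the first break separates \-\-source\-dir from its value /opt/my\-app/alias/; move the "\e" to after the path so each continued line ends on a complete option and argument, as the second break (after \-\-upgrade\-id 1) already does. The \-\-merge example in the next hunk has the same split.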
@@ -1917,7 +1930,8 @@ For example:
 .RS 4
 .\}
 .nf
-$ certutil \-\-merge \-d /home/my/sharednssdb \-\-source\-dir 
/opt/my\-app/alias/ \-\-source\-prefix serverapp\-
+$ certutil \-\-merge \-d /home/my/sharednssdb \-\-source\-dir \e
+/opt/my\-app/alias/ \-\-source\-prefix serverapp\-
 .fi
 .if n \{\
 .RE
