Your Search Results

    NSS tools : certutil


       certutil — Manage keys and certificate in both NSS databases and other NSS tokens


       certutil [options] [[arguments]]


       The Certificate Database Tool, certutil, is a command-line utility
       that can create and modify certificate and key databases.
       It can specifically list, generate, modify, or delete certificates, create or
       change the password, generate new public and private key pairs,
       display the contents of the key database, or delete key pairs within  thekey database.

       Certificate issuance, part of the key and certificate management process, requires that
       keys and certificates be created in the key database. This document discusses certificate
       and key database management. For information on the  security module database management,
       see the modutil manpage.

    Options and Arguments

       Running certutil always requires one and only one command option to
       specify the type of certificate operation. Each option may take arguments,
       anywhere from none to multiple arguments. The command option -H will list
       all the command options available and their relevant arguments.

       Command Options

              Add an existing certificate to a certificate database.
              The certificate database should already exist; if one is
              not present, this command option will initialize one by default.

              Run a series of commands from the specified batch file.
              This requires the -i argument.

              Create a new binary certificate file from a binary
              certificate request file. Use the -i argument to specify
              the certificate request file. If this argument is not
              used, certutil prompts for a filename.

              Delete a certificate from the certificate database.

              Add an email certificate to the certificate database.

              Delete a private key from a key database. Specify the
              key to delete with the -n argument. Specify the database
              from which to delete the key with the -d argument. Use
              the -k argument to specify explicitly whether to delete
              a DSA, RSA, or ECC key. If you don't use the -k
              argument, the option looks for an RSA key matching the
              specified nickname.

              When you delete keys, be sure to also remove any
              certificates associated with those keys from the
              certificate database, by using -D. Some smart cards (for
              example, the Litronic card) do not let you remove a
              public key you have generated. In such a case, only the
              private key is deleted from the key pair. You can
              display the public key with the command certutil -K -h

              Generate a new public and private key pair within a key
              database. The key database should already exist; if one
              is not present, this option will initialize one by
              default. Some smart cards (for example, the Litronic
              card) can store only one key pair. If you create a new
              key pair for such a card, the previous pair is

              Display a list of the options and arguments used by the
              Certificate Database Tool.

              List the key ID of keys in the key database. A key ID is
              the modulus of the RSA key or the publicValue of the DSA
              key. IDs are displayed in hexadecimal ("0x" is not

              List all the certificates, or display information about
              a named certificate, in a certificate database. Use the
              -h tokenname argument to specify the certificate
              database on a particular hardware or software token.

              Modify a certificate's trust attributes using the values
              of the -t argument.

              Create new certificate and key databases.

              Print the certificate chain.

              Create a certificate request file that can be submitted
              to a Certificate Authority (CA) for processing into a
              finished certificate. Output defaults to standard out
              unless you use -o output-file argument. Use the -a
              argument to specify ASCII output.

              Create an individual certificate and add it to a
              certificate database.

              Reset the key database or token.

              List all available modules or print a single named

              Check the validity of a certificate and its attributes.

              Change the password to a key database.

              Merge a source database into the target database. This
              is used to merge legacy NSS databases (cert8.db and
              key3.db) into the newer SQLite databases (cert9.db and

              Upgrade an old database and merge it into a new
              database. This is used to migrate legacy NSS databases
              (cert8.db and key3.db) into the newer SQLite databases
              (cert9.db and key4.db).


       Option arguments modify an action and are lowercase.

              Use ASCII format or allow the use of ASCII format for
              input or output. This formatting follows RFC 1113. For
              certificate requests, ASCII output defaults to standard
              output unless redirected.

       -b validity-time
              Specify a time at which a certificate is required to be
              valid. Use when checking certificate validity with the
              -V option. The format of the validity-time argument is
              YYMMDDHHMMSS[+HHMM|-HHMM|Z], which allows offsets to be
              set relative to the validity end time. Specifying
              seconds (SS) is optional. When specifying an explicit
              time, use a Z at the end of the term, YYMMDDHHMMSSZ, to
              close it. When specifying an offset time, use
              YYMMDDHHMMSS+HHMM or YYMMDDHHMMSS-HHMM for adding or
              subtracting time, respectively.

              If this option is not used, the validity check defaults
              to the current system time.

       -c issuer
              Identify the certificate of the CA from which a new
              certificate will derive its authenticity. Use the exact
              nickname or alias of the CA certificate, or use the CA's
              email address. Bracket the issuer string with quotation
              marks if it contains spaces.

       -d [sql:]directory
              Specify the database directory containing the
              certificate and key database files.

              certutil supports two types of databases: the legacy
              security databases (cert8.db, key3.db, and secmod.db)
              and new SQLite databases (cert9.db, key4.db, and
              pkcs11.txt). If the prefix sql: is not used, then the
              tool assumes that the given databases are in the old

              Check a certificate's signature during the process of
              validating a certificate.

       -f password-file
              Specify a file that will automatically supply the
              password to include in a certificate or to access a
              certificate database. This is a plain-text file
              containing one password. Be sure to prevent unauthorized
              access to this file.

       -g keysize
              Set a key size to use when generating new public and
              private key pairs. The minimum is 512 bits and the
              maximum is 8192 bits. The default is 1024 bits. Any size
              between the minimum and maximum is allowed.

       -h tokenname
              Specify the name of a token to use or act on. Unless
              specified otherwise the default token is an internal
              slot (specifically, internal slot 2). This slot can also
              be explicitly named with the string "internal". An
              internal slots is a virtual slot maintained in software,
              rather than a hardware device. Internal slot 2 is used
              by key and certificate services. Internal slot 1 is used
              by cryptographic services.

       -i input_file
              Pass an input file to the command. Depending on the
              command option, an input file can be a specific
              certificate, a certificate request file, or a batch file
              of commands.

       -k rsa|dsa|ec|all
              Specify the type of a key. The valid options are RSA,
              DSA, ECC, or all. The default value is rsa. Specifying
              the type of key can avoid mistakes caused by duplicate

       -k key-type-or-id
              Specify the type or specific ID of a key. Giving a key
              type generates a new key pair; giving the ID of an
              existing key reuses that key pair (which is required to
              renew certificates).

              Display detailed information when validating a
              certificate with the -V option.

       -m serial-number
              Assign a unique serial number to a certificate being
              created. This operation should be performed by a CA. The
              default serial number is 0 (zero). Serial numbers are
              limited to integers.

       -n nickname
              Specify the nickname of a certificate or key to list,
              create, add to a database, modify, or validate. Bracket
              the nickname string with quotation marks if it contains

       -o output-file
              Specify the output file name for new certificates or
              binary certificate requests. Bracket the output-file
              string with quotation marks if it contains spaces. If
              this argument is not used the output destination
              defaults to standard output.

       -P dbPrefix
              Specify the prefix used on the certificate and key
              database file. This option is provided as a special
              case. Changing the names of the certificate and key
              databases is not recommended.

       -p phone
              Specify a contact telephone number to include in new
              certificates or certificate requests. Bracket this
              string with quotation marks if it contains spaces.

       -q pqgfile
              Read an alternate PQG value from the specified file when
              generating DSA key pairs. If this argument is not used,
              certutil generates its own PQG value. PQG files are
              created with a separate DSA utility.

       -q curve-name
              Set the elliptic curve name to use when generating ECC
              key pairs. A complete list of ECC curves is given in the
              help (-H).

              Display a certificate's binary DER encoding when listing
              information about that certificate with the -L option.

       -s subject
              Identify a particular certificate owner for new
              certificates or certificate requests. Bracket this
              string with quotation marks if it contains spaces. The
              subject identification format follows RFC #1485.

       -t trustargs
              Specify the trust attributes to modify in an existing
              certificate or to apply to a certificate when creating
              it or adding it to a database. There are three available
              trust categories for each certificate, expressed in the
              order SSL, email, object signing for each trust setting.
              In each category position, use none, any, or all of the
              attribute codes:

              + p - Valid peer
              + P - Trusted peer (implies p)
              + c - Valid CA
              + T - Trusted CA to issue client certificates (implies
              + C - Trusted CA to issue server certificates (SSL only)
                (implies c)
              + u - Certificate can be used for authentication or
              + w - Send warning (use with other attributes to include
                a warning when the certificate is used in that

              The attribute codes for the categories are separated by
              commas, and the entire set of attributes enclosed by
              quotation marks. For example:

              -t "TCu,Cu,Tuw"

              Use the -L option to see a list of the current
              certificates and trust attributes in a certificate

       -u certusage
              Specify a usage context to apply when validating a
              certificate with the -V option.

              The contexts are the following:

              + C (as an SSL client)
              + V (as an SSL server)
              + S (as an email signer)
              + R (as an email recipient)
              + O (as an OCSP status responder)
              + J (as an object signer)

       -v valid-months
              Set the number of months a new certificate will be
              valid. The validity period begins at the current system
              time unless an offset is added or subtracted with the -w
              option. If this argument is not used, the default
              validity period is three months. When this argument is
              used, the default three-month period is automatically
              added to any value given in the valid-month argument.
              For example, using this option to set a value of 3 would
              cause 3 to be added to the three-month default, creating
              a validity period of six months. You can use negative
              values to reduce the default period. For example,
              setting a value of -2 would subtract 2 from the default
              and create a validity period of one month.

       -w offset-months
              Set an offset from the current system time, in months,
              for the beginning of a certificate's validity period.
              Use when creating the certificate or adding it to a
              database. Express the offset in integers, using a minus
              sign (-) to indicate a negative offset. If this argument
              is not used, the validity period begins at the current
              system time. The length of the validity period is set
              with the -v argument.

              Force the key and certificate database to open in
              read-write mode. This is used with the -U and -L command

              Use certutil to generate the signature for a certificate
              being created or added to a database, rather than
              obtaining a signature from a separate CA.

       -y exp
              Set an alternate exponent value to use in generating a
              new RSA public key for the database, instead of the
              default value of 65537. The available alternate values
              are 3 and 17.

       -z noise-file
              Read a seed value from the specified file to generate a
              new private and public key pair. This argument makes it
              possible to use hardware-generated seed values or
              manually create a value from the keyboard. The minimum
              file size is 20 bytes.

       -0 SSO_password
              Set a site security officer password on a token.

       -1 | --keyUsage keyword,keyword
              Set a Netscape Certificate Type Extension in the
              certificate. There are several available keywords:

              + digital signature
              + nonRepudiation
              + keyEncipherment
              + dataEncipherment
              + keyAgreement
              + certSigning
              + crlSigning
              + critical

              Add a basic constraint extension to a certificate that
              is being created or added to a database. This extension
              supports the certificate chain verification process.
              certutil prompts for the certificate constraint
              extension to select.

              X.509 certificate extensions are described in RFC 5280.

              Add an authority key ID extension to a certificate that
              is being created or added to a database. This extension
              supports the identification of a particular certificate,
              from among multiple certificates associated with one
              subject name, as the correct issuer of a certificate.
              The Certificate Database Tool will prompt you to select
              the authority key ID extension.

              X.509 certificate extensions are described in RFC 5280.

              Add a CRL distribution point extension to a certificate
              that is being created or added to a database. This
              extension identifies the URL of a certificate's
              associated certificate revocation list (CRL). certutil
              prompts for the URL.

              X.509 certificate extensions are described in RFC 5280.

       -5 | --nsCertType keyword,keyword
              Add a Netscape certificate type extension to a
              certificate that is being created or added to the
              database. There are several available keywords:

              + sslClient
              + sslServer
              + smime
              + objectSigning
              + sslCA
              + smimeCA
              + objectSigningCA
              + critical

              X.509 certificate extensions are described in RFC 5280.

       -6 | --extKeyUsage keyword,keyword
              Add an extended key usage extension to a certificate
              that is being created or added to the database. Several
              keywords are available:

              + serverAuth
              + clientAuth
              + codeSigning
              + emailProtection
              + timeStamp
              + ocspResponder
              + stepUp
              + critical

              X.509 certificate extensions are described in RFC 5280.

       -7 emailAddrs
              Add a comma-separated list of email addresses to the
              subject alternative name extension of a certificate or
              certificate request that is being created or added to
              the database. Subject alternative name extensions are
              described in Section of RFC 3280.

       -8 dns-names
              Add a comma-separated list of DNS names to the subject
              alternative name extension of a certificate or
              certificate request that is being created or added to
              the database. Subject alternative name extensions are
              described in Section of RFC 3280.

              Add the Authority Information Access extension to the
              certificate. X.509 certificate extensions are described
              in RFC 5280.

              Add the Subject Information Access extension to the
              certificate. X.509 certificate extensions are described
              in RFC 5280.

              Add the Certificate Policies extension to the
              certificate. X.509 certificate extensions are described
              in RFC 5280.

              Add the Policy Mappings extension to the certificate.
              X.509 certificate extensions are described in RFC 5280.

              Add the Policy Constraints extension to the certificate.
              X.509 certificate extensions are described in RFC 5280.

              Add the Inhibit Any Policy Access extension to the
              certificate. X.509 certificate extensions are described
              in RFC 5280.

              Add the Subject Key ID extension to the certificate.
              X.509 certificate extensions are described in RFC 5280.

       --source-dir certdir
              Identify the certificate database directory to upgrade.

       --source-prefix certdir
              Give the prefix of the certificate and key databases to

       --upgrade-id uniqueID
              Give the unique ID of the database to upgrade.

       --upgrade-token-name name
              Set the name of the token to use while it is being

       -@ pwfile
              Give the name of a password file to use for the database
              being upgraded.

    Usage and Examples

       Most of the command options in the examples listed here have
       more arguments available. The arguments included in these
       examples are the most common ones or are used to illustrate a
       specific scenario. Use the -H option to show the complete list
       of arguments for each command option.

       Creating New Security Databases

       Certificates, keys, and security modules related to managing
       certificates are stored in three related databases:
         * cert8.db or cert9.db
         * key3.db or key4.db
         * secmod.db or pkcs11.txt

       These databases must be created before certificates or keys can
       be generated.
    certutil -N -d [sql:]directory

       Creating a Certificate Request

       A certificate request contains most or all of the information
       that is used to generate the final certificate. This request is
       submitted separately to a certificate authority and is then
       approved by some mechanism (automatically or by human review).
       Once the request is approved, then the certificate is
    $ certutil -R -k key-type-or-id [-q pqgfile|curve-name] -g key-size -s s
    ubject [-h tokenname] -d [sql:]directory [-p phone] [-o output-file] [-a

       The -R command options requires four arguments:
         * -k to specify either the key type to generate or, when
           renewing a certificate, the existing key pair to use
         * -g to set the keysize of the key to generate
         * -s to set the subject name of the certificate
         * -d to give the security database directory

       The new certificate request can be output in ASCII format (-a)
       or can be written to a specified file (-o).

       For example:
    $ certutil -R -k ec -q nistb409 -g 512 -s "CN=John Smith,O=Example Corp,
    L=Mountain View,ST=California,C=US" -d sql:/home/my/sharednssdb -p 650-5
    55-0123 -a -o cert.cer

    Generating key.  This may take a few moments...

    Certificate request generated by Netscape
    Phone: 650-555-0123
    Common Name: John Smith
    Email: (not ed)
    Organization: Example Corp
    State: California
    Country: US


       Creating a Certificate

       A valid certificate must be issued by a trusted CA. This can be
       done by specifying a CA certificate (-c) that is stored in the
       certificate database. If a CA key pair is not available, you
       can create a self-signed certificate using the -x argument with
       the -S command option.
    $ certutil -S -k rsa|dsa|ec -n certname -s subject [-c issuer |-x] -t tr
    ustargs -d [sql:]directory [-m serial-number] [-v valid-months] [-w offs
    et-months] [-p phone] [-1] [-2] [-3] [-4] [-5 keyword] [-6 keyword] [-7
    emailAddress] [-8 dns-names] [--extAIA] [--extSIA] [--extCP] [--extPM] [
    --extPC] [--extIA] [--extSKID]

       The series of numbers and --ext* options set certificate
       extensions that can be added to the certificate when it is
       generated by the CA.

       For example, this creates a self-signed certificate:
    $ certutil -S -s "CN=Example CA" -n my-ca-cert -x -t "C,C,C" -1 -2 -5 -m

       From there, new certificates can reference the self-signed
    $ certutil -S -s "CN=My Server Cert" -n my-server-cert -c "my-ca-cert" -
    t "u,u,u" -1 -5 -6 -8 -m 730

       Generating a Certificate from a Certificate Request

       When a certificate request is created, a certificate can be
       generated by using the request and then referencing a
       certificate authority signing certificate (the issuer specified
       in the -c argument). The issuing certificate must be in the
       certificate database in the specified directory.
    certutil -C -c issuer -i cert-request-file -o output-file [-m serial-num
    ber] [-v valid-months] [-w offset-months] -d [sql:]directory [-1] [-2] [
    -3] [-4] [-5 keyword] [-6 keyword] [-7 emailAddress] [-8 dns-names]

       For example:
    $ certutil -C -c "my-ca-cert" -i /home/certs/cert.req -o cert.cer -m 010
     -v 12 -w 1 -d sql:/home/my/sharednssdb -1 nonRepudiation,dataEncipherme
    nt -5 sslClient -6 clientAuth -7

       Generating Key Pairs

       Key pairs are generated automatically with a certificate
       request or certificate, but they can also be generated
       independently using the -G command option.
    certutil -G -d [sql:]directory | -h tokenname -k key-type -g key-size [-
    y exponent-value] -q pqgfile|curve-name

       For example:
    $ certutil -G -h lunasa -k ec -g 256 -q sect193r2

       Listing Certificates

       The -L command option lists all of the certificates listed in
       the certificate database. The path to the directory (-d) is
    $ certutil -L -d sql:/home/my/sharednssdb

    Certificate Nickname                                         Trust Attri

    CA Administrator of Instance pki-ca1's Example Domain ID     u,u,u
    TPS Administrator's Example Domain ID                        u,u,u
    Google Internet Authority                                    ,,
    Certificate Authority - Example Domain                       CT,C,C

       Using additional arguments with -L can return and print the
       information for a single, specific certificate. For example,
       the -n argument passes the certificate name, while the -a
       argument prints the certificate in ASCII format:
    $ certutil -L -d sql:/home/my/sharednssdb -a -n "Certificate Authority -
     Example Domain"

    -----END CERTIFICATE-----

       Listing Keys

       Keys are the original material used to encrypt certificate
       data. The keys generated for certificates are stored
       separately, in the key database.

       To list all keys in the database, use the -K command option and
       the (required) -d argument to give the path to the directory.
    $ certutil -K -d sql:/home/my/sharednssdb
    certutil: Checking token "NSS Certificate DB" in slot "NSS User Private
    Key and Certificate Services                  "
    < 0> rsa      455a6673bde9375c2887ec8bf8016b3f9f35861d   Thawte Freemail
     Member's Thawte Consulting (Pty) Ltd. ID
    < 1> rsa      40defeeb522ade11090eacebaaf1196a172127df   Example Domain
    Administrator Cert
    < 2> rsa      1d0b06f44f6c03842f7d4f4a1dc78b3bcd1b85a5   John Smith user

       There are ways to narrow the keys listed in the search results:
         * To return a specific key, use the -n name argument with the
           name of the key.
         * If there are multiple security devices loaded, then the -h
           tokenname argument can search a specific token or all
         * If there are multiple key types available, then the -k
           key-type argument can search a specific type of key, like
           RSA, DSA, or ECC.

       Listing Security Modules

       The devices that can be used to store certificates -- both
       internal databases and external devices like smart cards -- are
       recognized and used by loading security modules. The -U command
       option lists all of the security modules listed in the
       secmod.db database. The path to the directory (-d) is required.
    $ certutil -U -d sql:/home/my/sharednssdb

        slot: NSS User Private Key and Certificate Services

       token: NSS Certificate DB

        slot: NSS Internal Cryptographic Services

       token: NSS Generic Crypto Services

       Adding Certificates to the Database

       Existing certificates or certificate requests can be added
       manually to the certificate database, even if they were
       generated elsewhere. This uses the -A command option.
    certutil -A -n certname -t trustargs -d [sql:]directory [-a] [-i input-f

       For example:
    $ certutil -A -n "CN=My SSL Certificate" -t "u,u,u" -d sql:/home/my/shar
    ednssdb -i /home/example-certs/cert.cer

       A related command option, -E, is used specifically to add email
       certificates to the certificate database. The -E command has
       the same arguments as the -A command. The trust arguments for
       certificates have the format SSL,S/MIME,Code-signing, so the
       middle trust settings relate most to email certificates (though
       the others can be set). For example:
    $ certutil -E -n "CN=John Smith Email Cert" -t ",Pu," -d sql:/home/my/sh
    arednssdb -i /home/example-certs/email.cer

       Deleting Certificates to the Database

       Certificates can be deleted from a database using the -D
       option. The only required options are to give the security
       database directory and to identify the certificate nickname.
    certutil -D -d [sql:]directory -n "nickname"

       For example:
    $ certutil -D -d sql:/home/my/sharednssdb -n "my-ssl-cert"

       Validating Certificates

       A certificate contains an expiration date in itself, and
       expired certificates are easily rejected. However, certificates
       can also be revoked before they hit their expiration date.
       Checking whether a certificate has been revoked requires
       validating the certificate. Validation can also be used to
       ensure that the certificate is only used for the purposes it
       was initially issued for. Validation is carried out by the -V
       command option.
    certutil -V -n certificate-name [-b time] [-e] [-u cert-usage] -d [sql:]

       For example, to validate an email certificate:
    $ certutil -V -n "John Smith's Email Cert" -e -u S,R -d sql:/home/my/sha

       Modifying Certificate Trust Settings

       The trust settings (which relate to the operations that a
       certificate is allowed to be used for) can be changed after a
       certificate is created or added to the database. This is
       especially useful for CA certificates, but it can be performed
       for any type of certificate.
    certutil -M -n certificate-name -t trust-args -d [sql:]directory

       For example:
    $ certutil -M -n "My CA Certificate" -d sql:/home/my/sharednssdb -t "CTu

       Printing the Certificate Chain

       Certificates can be issued in chains because every certificate
       authority itself has a certificate; when a CA issues a
       certificate, it essentially stamps that certificate with its
       own fingerprint. The -O prints the full chain of a certificate,
       going from the initial CA (the root CA) through ever
       intermediary CA to the actual certificate. For example, for an
       email certificate with two CAs in the chain:
    $ certutil -d sql:/home/my/sharednssdb -O -n ""
    "Builtin Object Token:Thawte Personal Freemail CA" [E=personal-freemail@,CN=Thawte Personal Freemail CA,OU=Certification Services Divi
    sion,O=Thawte Consulting,L=Cape Town,ST=Western Cape,C=ZA]

      "Thawte Personal Freemail Issuing CA - Thawte Consulting" [CN=Thawte P
    ersonal Freemail Issuing CA,O=Thawte Consulting (Pty) Ltd.,C=ZA]

        "(null)" [,CN=Thawte Freemail Member]

       Resetting a Token

       The device which stores certificates -- both external hardware
       devices and internal software databases -- can be blanked and
       reused. This operation is performed on the device which stores
       the data, not directly on the security databases, so the
       location must be referenced through the token name (-h) as well
       as any directory path. If there is no external token used, the
       default value is internal.
    certutil -T -d [sql:]directory -h token-name -0 security-officer-passwor

       Many networks have dedicated personnel who handle changes to
       security tokens (the security officer). This person must supply
       the password to access the specified token. For example:
    $ certutil -T -d sql:/home/my/sharednssdb -h nethsm -0 secret

       Upgrading or Merging the Security Databases

       Many networks or applications may be using older BerkeleyDB
       versions of the certificate database (cert8.db). Databases can
       be upgraded to the new SQLite version of the database
       (cert9.db) using the --upgrade-merge command option or existing
       databases can be merged with the new cert9.db databases using
       the ---merge command.

       The --upgrade-merge command must give information about the
       original database and then use the standard arguments (like -d)
       to give the information about the new databases. The command
       also requires information that the tool uses for the process to
       upgrade and write over the original database.
    certutil --upgrade-merge -d [sql:]directory [-P dbprefix] --source-dir d
    irectory --source-prefix dbprefix --upgrade-id id --upgrade-token-name n
    ame [-@ password-file]

       For example:
    $ certutil --upgrade-merge -d sql:/home/my/sharednssdb --source-dir /opt
    /my-app/alias/ --source-prefix serverapp- --upgrade-id 1 --upgrade-token
    -name internal

       The --merge command only requires information about the
       location of the original database; since it doesn't change the
       format of the database, it can write over information without
       performing interim step.
    certutil --merge -d [sql:]directory [-P dbprefix] --source-dir directory
     --source-prefix dbprefix [-@ password-file]

       For example:
    $ certutil --merge -d sql:/home/my/sharednssdb --source-dir /opt/my-app/
    alias/ --source-prefix serverapp-

       Running certutil Commands from a Batch File

       A series of commands can be run sequentially from a text file
       with the -B command option. The only argument for this
       specifies the input file.
    $ certutil -B -i /path/to/batch-file

    NSS Database Types

       NSS originally used BerkeleyDB databases to store security
       information. The last versions of these legacy databases are:
         * cert8.db for certificates
         * key3.db for keys
         * secmod.db for PKCS #11 module information

       BerkeleyDB has performance limitations, though, which prevent
       it from being easily used by multiple applications
       simultaneously. NSS has some flexibility that allows
       applications to use their own, independent database engine
       while keeping a shared database and working around the access
       issues. Still, NSS requires more flexibility to provide a truly
       shared security database.

       In 2009, NSS introduced a new set of databases that are SQLite
       databases rather than BerkleyDB. These new databases provide
       more accessibility and performance:
         * cert9.db for certificates
         * key4.db for keys
         * pkcs11.txt, which is listing of all of the PKCS #11 modules
           contained in a new subdirectory in the security databases

       Because the SQLite databases are designed to be shared, these
       are the shared database type. The shared database type is
       preferred; the legacy format is included for backward

       By default, the tools (certutil, pk12util, modutil) assume that
       the given security databases follow the more common legacy
       type. Using the SQLite databases must be manually specified by
       using the sql: prefix with the given security directory. For
    $ certutil -L -d sql:/home/my/sharednssdb

       To set the shared database type as the default type for the
       tools, set the NSS_DEFAULT_DB_TYPE environment variable to sql:
    export NSS_DEFAULT_DB_TYPE="sql"

       This line can be set added to the ~/.bashrc file to make the
       change permanent.

       Most applications do not use the shared database by default,
       but they can be configured to use them. For example, this
       how-to article covers how to configure Firefox and Thunderbird
       to use the new shared NSS databases:

       For an engineering draft on the changes in the shared NSS
       databases, see the NSS project wiki:

    See Also

       pk12util (1)

       modutil (1)

       certutil has arguments or operations that use features defined
       in several IETF RFCs.

       The NSS wiki has information on the new database design and how
       to configure applications to use it.

    Additional Resources

       For information about NSS and other tools related to NSS (like
       JSS), check out the NSS project wiki at The NSS site
       relates directly to NSS code changes and releases.

       Mailing lists:

       IRC: Freenode at #dogtag-pki


       The NSS tools were written and maintained by developers with
       Netscape, Red Hat, and Sun.

       Authors: Elio Maldonado <>, Deon Lackey


       (c) 2010, Red Hat, Inc. Licensed under the GNU Public License
       version 2.

    Document Tags and Contributors

    Contributors to this page: Sheppy,
    Last updated by: Sheppy,