
    NSS Tool: certutil

    Using the Certificate Database Tool

    Newsgroup: mozilla.dev.tech.crypto

    The Certificate Database Tool is a command-line utility that can create and modify the Netscape Communicator cert8.db and key3.db database files. It can also list, generate, modify, or delete certificates within the cert8.db file and create or change the password, generate new public and private key pairs, display the contents of the key database, or delete key pairs within the key3.db file.

    Key and certificate management generally consists of two parts: 1) creating keys in the key database, and 2) generating and managing certificates in the certificate database.

    This document describes certificate and key database management. For information on security module database management, see Using the Security Module Database Tool.

    Availability

    See the release notes for the platforms on which this tool is available.

    Syntax

    To run the Certificate Database Tool, type the command

    certutil option [ arguments ]

    where option and [arguments] are combinations of the options and arguments listed in the following section. Each command takes one option. Each option may take zero or more arguments. To see a usage string, issue the command without options, or with the -H option.

    Options and Arguments

    Options specify an action and are uppercase. Option arguments modify an action and are lowercase. The Certificate Database Tool's command options and their arguments are defined as follows:

     

    Options

    -N

    创建新的证书和秘钥数据库.

    -S

    Create an individual certificate and add it to a certificate database.

    -R

    Create a certificate-request file that can be submitted to a Certificate Authority (CA) for processing into a finished certificate. Output defaults to standard output unless you use the -o output-file argument.

    Use the -a argument to specify ASCII output.

    -C

    Create a new binary certificate file from a binary certificate-request file. Use the -i argument to specify the certificate-request file. If this argument is not used Certificate Database Tool prompts for a filename.

    -G

    Generate a new public and private key pair within a key database. The key database should already exist; if one is not present, this option will initialize one by default.

    Some smart cards (for example, the Litronic card) can store only one key pair. If you create a new key pair for such a card, the previous pair is overwritten.

    -F

    Delete a private key from a key database. Specify the key to delete with the -n argument. Specify the database from which to delete the key with the -d argument.

    Use the -k argument to specify explicitly whether to delete a DSA or an RSA key. If you don't use the -k argument, the option looks for an RSA key matching the specified nickname.

    When you delete keys, be sure to also remove any certificates associated with those keys from the certificate database, by using -D.

    Some smart cards (for example, the Litronic card) do not let you remove a public key you have generated. In such a case, only the private key is deleted from the key pair. You can display the public key with the command certutil -K -h tokenname .

    -K

    List the keyID of keys in the key database. A keyID is the modulus of the RSA key or the publicValue of the DSA key. IDs are displayed in hexadecimal ("0x" is not shown).

    -A

    Add an existing certificate to a certificate database. The certificate database should already exist; if one is not present, this option will initialize one by default.

    -D

    Delete a certificate from the certificate database.

    -L

    List all the certificates, or display information about a named certificate, in a certificate database.

    Use the -h tokenname argument to specify the certificate database on a particular hardware or software token.

    -V

    Check the validity of a certificate and its attributes.

    -M

    Modify a certificate's trust attributes using the values of the -t argument.

    -H

    Display a list of the options and arguments used by the Certificate Database Tool.

    -W

    Change the password to a key database.

    -U

    List all available modules or print a single named module.

    Arguments

    -a

    Use ASCII format or allow the use of ASCII format for input or output. This formatting follows RFC #1113. For certificate requests, ASCII output defaults to standard output unless redirected.

    -b validity-time

    Specify a time at which a certificate is required to be valid. Use when checking certificate validity with the -V option. The format of the validity-time argument is "YYMMDDHHMMSS[+HHMM|-HHMM|Z]". Specifying seconds (SS) is optional. When specifying an explicit time, use "YYMMDDHHMMSSZ". When specifying an offset time, use "YYMMDDHHMMSS+HHMM" or "YYMMDDHHMMSS-HHMM". If this option is not used, the validity check defaults to the current system time.

    -c issuer

    Identify the certificate of the CA from which a new certificate will derive its authenticity. Use the exact nickname or alias of the CA certificate, or use the CA's email address. Bracket the issuer string with quotation marks if it contains spaces.

    -d directory

    Specify the database directory containing the certificate and key database files. On Unix the Certificate Database Tool defaults to $HOME/.netscape (that is, ~/.netscape). On Windows NT the default is the current directory.

    The cert8.db and key3.db database files must reside in the same directory.

    -P dbprefix

    Specify the prefix used on the cert8.db and key3.db files (for example, my_cert8.db and my_key3.db). This option is provided as a special case. Changing the names of the certificate and key databases is not recommended.

    -e

    Check a certificate's signature during the process of validating a certificate.

    -f password-file

    Specify a file that will automatically supply the password to include in a certificate or to access a certificate database. This is a plain-text file containing one password. Be sure to prevent unauthorized access to this file.
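    The following is an added example, not part of the NSS documentation, showing one way to create the -f password file so that only its owner can read it and to check that before handing it to certutil. The function names write_pwfile and pwfile_is_safe and the paths in the comments are this example's own.

```shell
# Added example (not from the NSS documentation): create the -f password file
# so that only its owner can read it, and verify that before certutil uses it.
# write_pwfile, pwfile_is_safe and the paths below are this example's own names.

# write_pwfile FILE PASSWORD: write PASSWORD as the single line of FILE, created
# with mode 0600 (umask 077) so other local users cannot read the database password.
write_pwfile() {
    file=$1
    pass=$2
    old_umask=$(umask)
    umask 077
    rm -f "$file"                    # recreate so the new mode applies
    printf '%s\n' "$pass" > "$file"
    umask "$old_umask"
}

# pwfile_is_safe FILE: return 0 only if FILE is a regular file with mode -rw-------
# (owner read/write only) and exactly one line long, which is what certutil -f reads.
pwfile_is_safe() {
    file=$1
    [ -f "$file" ] || return 1
    mode=$(ls -ld "$file" | cut -c1-10)
    [ "$mode" = "-rw-------" ] || return 1
    lines=$(wc -l < "$file" | tr -d ' ')
    [ "$lines" -eq 1 ] || return 1
    return 0
}

# Use before any command that takes -f, for example when creating the databases:
#   write_pwfile certdir/pw.txt 'database password'
#   pwfile_is_safe certdir/pw.txt && certutil -N -d certdir -f certdir/pw.txt
```

    The permission check is deliberately strict: a group- or world-readable password file hands the key database to every local account, which defeats the point of setting a database password at all.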

    -g keysize

    Set a key size to use when generating new public and private key pairs. The minimum is 512 bits and the maximum is 8192 bits. The default is 1024 bits. Any size that is a multiple of 8 between the minimum and maximum is allowed. Note that 1024-bit RSA keys are no longer considered adequate: current NSS releases default to 2048 bits, and you should not generate shorter keys for new certificates.

    -h tokenname

    Specify the name of a token to use or act on. Unless specified otherwise the default token is an internal slot (specifically, internal slot 2). This slot can also be explicitly named with the string "internal". An internal slot is a virtual slot maintained in software, rather than a hardware device. Internal slot 2 is used by key and certificate services. Internal slot 1 is used by cryptographic services.

    -i cert|cert-request-file

    Specify a specific certificate, or a certificate-request file.

    -k rsa|dsa|all

    Specify the type of a key: RSA, DSA or both. The default value is rsa. By specifying the type of key you can avoid mistakes caused by duplicate nicknames.

    -l

    Display detailed information when validating a certificate with the -V option.

    -m serial-number

    Assign a unique serial number to a certificate being created. This operation should be performed by a CA. The default serial number is 0 (zero). Serial numbers are limited to integers.

    -n nickname

    Specify the nickname of a certificate or key to list, create, add to a database, modify, or validate. Bracket the nickname string with quotation marks if it contains spaces.

    -o output-file

    Specify the output file name for new certificates or binary certificate requests. Bracket the output-file string with quotation marks if it contains spaces. If this argument is not used the output destination defaults to standard output.

    -p phone

    Specify a contact telephone number to include in new certificates or certificate requests. Bracket this string with quotation marks if it contains spaces.

    -q pqgfile

    Read an alternate PQG value from the specified file when generating DSA key pairs. If this argument is not used, the Key Database Tool generates its own PQG value. PQG files are created with a separate DSA utility.

    -r

    Display a certificate's binary DER encoding when listing information about that certificate with the -L option.

    -s subject

    Identify a particular certificate owner for new certificates or certificate requests. Bracket this string with quotation marks if it contains spaces. The subject identification format follows RFC #1485.

    -t trustargs

    Specify the trust attributes to modify in an existing certificate or to apply to a certificate when creating it or adding it to a database.

    There are three available trust categories for each certificate, expressed in this order: " SSL , email , object signing ". In each category position use zero or more of the following attribute codes:

    p    Valid peer
    P    Trusted peer (implies p)
    c    Valid CA
    T    Trusted CA to issue client certificates (implies c)
    C    Trusted CA to issue server certificates (SSL only)
          (implies c)
    u    Certificate can be used for authentication or signing
    w    Send warning (use with other attributes to include a warning when the certificate is used in that context)

    The attribute codes for the categories are separated by commas, and the entire set of attributes enclosed by quotation marks. For example:

    -t "TCu,Cu,Tuw"

    Use the -L option to see a list of the current certificates and trust attributes in a certificate database.

    -u certusage

    Specify a usage context to apply when validating a certificate with the -V option. The contexts are the following:

    C (as an SSL client)
    V (as an SSL server)
    S (as an email signer)
    R (as an email recipient)

    -v valid-months

    Set the number of months a new certificate will be valid. The validity period begins at the current system time unless an offset is added or subtracted with the -w option. If this argument is not used, the default validity period is three months. As documented here, the default three-month period is added to the value given in valid-months: a value of 3 yields a six-month validity period, and a negative value such as -2 reduces the default to one month. Current NSS releases instead treat the -v value as the whole validity period in months. Either way, confirm the Not Before and Not After dates with certutil -L -n nickname before distributing a certificate.

    -w offset-months

    Set an offset from the current system time, in months, for the beginning of a certificate's validity period. Use when creating the certificate or adding it to a database. Express the offset in integers, using a minus sign (-) to indicate a negative offset. If this argument is not used, the validity period begins at the current system time. The length of the validity period is set with the -v argument.

    -x

    Use the Certificate Database Tool to generate the signature for a certificate being created or added to a database, rather than obtaining a signature from a separate CA.

    -y exp

    Set an alternate exponent value to use in generating a new RSA public key for the database, instead of the default value of 65537. The available alternate values are 3 and 17.

    -z noise-file

    Read a seed value from the specified binary file to use in generating a new RSA private and public key pair. This argument makes it possible to use hardware-generated seed values and unnecessary to manually create a value from the keyboard. The minimum file size is 20 bytes.

    -1

    Add a key usage extension to a certificate that is being created or added to a database. This extension allows a certificate's key to be dedicated to supporting specific operations such as SSL server or object signing. The Certificate Database Tool will prompt you to select a particular usage for the certificate's key. These usages are described under Standard X.509 v3 Certificate Extensions in Appendix A.3 of the Red Hat Certificate System Administration Guide.

    -2

    Add a basic constraint extension to a certificate that is being created or added to a database. This extension supports the certificate chain verification process. The Certificate Database Tool will prompt you to select the certificate constraint extension. Constraint extensions are described in Standard X.509 v3 Certificate Extensions in Appendix A.3 of the Red Hat Certificate System Administration Guide.

    -3

    Add an authority keyID extension to a certificate that is being created or added to a database. This extension supports the identification of a particular certificate, from among multiple certificates associated with one subject name, as the correct issuer of a certificate. The Certificate Database Tool will prompt you to select the authority keyID extension. Authority key ID extensions are described under Standard X.509 v3 Certificate Extensions in Appendix A.3 of the Red Hat Certificate System Administration Guide.

    -4

    Add a CRL distribution point extension to a certificate that is being created or added to a database. This extension identifies the URL of a certificate's associated certificate revocation list (CRL). The Certificate Database Tool prompts you to enter the URL. CRL distribution point extensions are described in Standard X.509 v3 Certificate Extensions in Appendix A.3 of the Red Hat Certificate System Administration Guide.

    -5

    Add a Netscape certificate type extension to a certificate that is being created or added to the database. Netscape certificate type extensions are described in Standard X.509 v3 Certificate Extensions in Appendix A.3 of the Red Hat Certificate System Administration Guide.

    -6

    Add an extended key usage extension to a certificate that is being created or added to the database. Extended key usage extensions are described in Standard X.509 v3 Certificate Extensions in Appendix A.3 of the Red Hat Certificate System Administration Guide.

    -7 emailAddrs

    Add a comma-separated list of email addresses to the subject alternative name extension of a certificate or certificate request that is being created or added to the database. Subject alternative name extensions are described in Section 4.2.1.7 of RFC 3280.

    -8 dns-names

    Add a comma-separated list of DNS names to the subject alternative name extension of a certificate or certificate request that is being created or added to the database. Subject alternative name extensions are described in Section 4.2.1.7 of RFC 3280.

     

     

    Usage

    The Certificate Database Tool's capabilities are grouped as follows, using these combinations of options and arguments. Options and arguments in square brackets are optional, those without square brackets are required.

     

     

    -N [-d certdir]

    -S -k rsa|dsa -n certname -s subject [-c issuer|-x] -t trustargs [-h tokenname] [-m serial-number] [-v valid-months] [-w offset-months] [-d certdir] [-p phone] [-f password-file] [-1] [-2] [-3] [-4]

    -R -k rsa|dsa -s subject [-h tokenname] [-d certdir] [-p phone] [-o output-file] [-f password-file]

    -C -c issuer [-f password-file] [-h tokenname] -i cert-request-file -o output-file [-m serial-number] [-v valid-months] [-w offset-months] [-d certdir] [-1] [-2] [-3] [-4]

    -A -n certname -t trustargs [-h tokenname] [-d certdir] [-a] [-i cert-file]

    -L [-n certname] [-d certdir] [-r] [-a]

    -V -n certname -b validity-time -u certusage [-e] [-l] [-d certdir]

    -M -n certname -t trustargs [-d certdir]

    -H

    Examples

    Creating a New Certificate Database
    Listing Certificates in a Database
    Creating a Certificate Request
    Creating a Certificate
    Adding a Certificate to the Database
    Validating a Certificate

     

    Creating a New Certificate Database

    This example creates a new certificate database (cert8.db file) in the specified directory:

    certutil -N -d certdir

    The -N option also creates the associated key3.db and secmod.db files in the same directory (the three files must stay together; see -d). You are prompted for a new database password unless you supply one with -f password-file.

     

    Listing Certificates in a Database

    This example lists all the certificates in the cert8.db file in the specified directory:

     

    certutil -L -d certdir

     

    The Certificate Database Tool displays output similar to the following:

     

    Certificate Name              Trust Attributes
    Uptime Group Plc. Class 1 CA        C,C,
    VeriSign Class 1 Primary CA         ,C,
    VeriSign Class 2 Primary CA         C,C,C
    AT&T Certificate Services           C,C,
    GTE CyberTrust Secure Server CA     C,,
    Verisign/RSA Commercial CA          C,C,
    AT&T Directory Services             C,C,
    BelSign Secure Server CA            C,,
    Verisign/RSA Secure Server CA       C,C,
    GTE CyberTrust Root CA              C,C,
    Uptime Group Plc. Class 4 CA        ,C,
    VeriSign Class 3 Primary CA         C,C,C
    Canada Post Corporation CA          C,C,
    Integrion CA                        C,C,C
    IBM World Registry CA               C,C,C
    GTIS/PWGSC, Canada Gov. Web CA      C,C,
    GTIS/PWGSC, Canada Gov. Secure CA   C,C,C
    MCI Mall CA                         C,C,
    VeriSign Class 4 Primary CA         C,C,C
    KEYWITNESS, Canada CA               C,C,
    BelSign Object Publishing CA        ,,C
    BBN Certificate Services CA Root 1  C,C,
    p    Valid peer
    P    Trusted peer (implies p)
    c    Valid CA
    T    Trusted CA to issue client certs (implies c)
    C    Trusted CA to issue server certs(for ssl only) (implies c)
    u    User cert
    w    Send warning
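    The trust column in a listing like the one above is what decides whether a certificate acts as a trust anchor: a C or T in the SSL, email or object-signing position means the database will accept certificates issued by that entry for that use (see -t). An interception CA that has been added to a profile's database shows up in exactly this column, so the listing is worth auditing. The following is an added example, not part of the NSS documentation, that filters a certutil -L listing for such entries; the function audit_trust_listing, the helper count_ssl_trust_anchors and the sample listing are this example's own (the sample is constructed in the page's output format; current certutil prints the same nickname and trust columns with an extra "SSL,S/MIME,JAR/XPI" sub-header line, which the filter ignores).

```shell
# Added example (not part of the NSS documentation): audit a certutil -L listing
# for certificates the database trusts as a CA in a given category. A "C" or "T"
# in a category position makes that entry a trust anchor for SSL (1), email (2)
# or object signing (3). The sample listing is constructed for this example.

# audit_trust_listing [CATEGORY]: read a certutil -L listing on stdin and print
# "nickname<TAB>trust" for every certificate whose CATEGORY (1=SSL, 2=email,
# 3=object signing; default 1) contains a CA trust flag (C or T).
audit_trust_listing() {
    category=${1:-1}
    awk -v cat="$category" '
        # the trust column is the last field: three flag groups separated by commas;
        # header lines ("Trust Attributes", "SSL,S/MIME,JAR/XPI") do not match
        $NF ~ /^[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*$/ {
            n = split($NF, flags, ",")
            if (n == 3 && flags[cat] ~ /[CT]/) {
                name = $1
                for (i = 2; i < NF; i++) name = name " " $i
                print name "\t" $NF
            }
        }'
}

# Constructed sample listing in the same column layout as the certutil -L
# example on this page. Only the entries with C or T in a category are anchors.
SAMPLE_LISTING='Certificate Name              Trust Attributes
Example Root CA                     C,C,C
Corp Internal CA                    CT,C,
jsmith@example.com                  p,p,p
Unknown Vendor Root                 ,C,
Suspicious Proxy CA                 C,,'

# count_ssl_trust_anchors: number of entries in SAMPLE_LISTING trusted as an SSL CA.
count_ssl_trust_anchors() {
    printf '%s\n' "$SAMPLE_LISTING" | audit_trust_listing 1 | wc -l | tr -d ' '
}

# Against a real database:
#   certutil -L -d certdir | audit_trust_listing 1
# To strip CA trust from an entry that should not have it (keeps the certificate):
#   certutil -M -n "Suspicious Proxy CA" -t ",," -d certdir
```

    Run on the sample, category 1 reports Example Root CA, Corp Internal CA and Suspicious Proxy CA; Unknown Vendor Root is trusted only for email and jsmith@example.com is a peer, not a CA. Comparing this output against the list of CAs you expect in a database is a cheap check after any software install or profile migration.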

     

    Creating a Certificate Request

    This example generates a binary certificate request file named mycert.req in the specified directory:

    certutil -R -s "CN=John Smith, O=Netscape, L=Mountain View, ST=California, C=US" -p "650-555-8888" -o mycert.req -d certdir

    Before it creates the request file, the Certificate Database Tool prompts you for the database password (the -R option also generates the request's key pair in key3.db, which requires access to the key database):

    Enter Password or Pin for "Communicator Certificate DB":

     

    Creating a Certificate

    A valid certificate must be issued by a trusted CA. If a CA key pair is not available, you can create a self-signed certificate (for purposes of illustration) with the -x argument. This example creates a new binary, self-signed CA certificate named myissuer, in the specified directory.
    certutil -S -s "CN=My Issuer" -n myissuer -x -t "C,C,C" -1 -2 -5 -m 1234 -f password-file -d certdir
    The following example creates a new binary certificate named mycert.crt from the binary certificate request mycert.req, in the specified directory. It is signed by the self-signed CA certificate created above, myissuer. Because signing uses myissuer's private key, the tool prompts for the database password unless -f password-file is supplied.
    certutil -C -m 2345 -i mycert.req -o mycert.crt -c myissuer -d certdir

     

     

    Adding a Certificate to the Database

    This example adds a certificate to the certificate database:
    certutil -A -n jsmith@netscape.com -t "p,p,p" -i mycert.crt -d certdir
    You can see this certificate in the database with this command:
    certutil -L -n jsmith@netscape.com -d certdir
    The Certificate Database Tool displays output similar to the following:
    Certificate:
      Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: PKCS #1 MD5 With RSA Encryption
        Issuer: CN=John Smith, O=Netscape, L=Mountain View, ST=California, C=US
        Validity:
            Not Before: Thu Mar 12 00:10:40 1998
            Not After: Sat Sep 12 00:10:40 1998
    Subject: CN=John Smith, O=Netscape, L=Mountain View, ST=California, C=US

    Subject Public Key Info:
      Public Key Algorithm: PKCS #1 RSA Encryption
      RSA Public Key:
        Modulus:
            00:da:53:23:58:00:91:6a:d1:a2:39:26:2f:06:3a:
            38:eb:d4:c1:54:a3:62:00:b9:f0:7f:d6:00:76:aa:
            18:da:6b:79:71:5b:d9:8a:82:24:07:ed:49:5b:33:
            bf:c5:79:7c:f6:22:a7:18:66:9f:ab:2d:33:03:ec:
            63:eb:9d:0d:02:1b:da:32:ae:6c:d4:40:95:9f:b3:
            44:8b:8e:8e:a3:ae:ad:08:38:4f:2e:53:e9:e1:3f:
            8e:43:7f:51:61:b9:0f:f3:a6:25:1e:0b:93:74:8f:
            c6:13:a3:cd:51:40:84:0e:79:ea:b7:6b:d1:cc:6b:
            78:d0:5d:da:be:2b:57:c2:6f
        Exponent: 65537 (0x10001)
    Signature Algorithm: PKCS #1 MD5 With RSA Encryption
    Signature:
      44:15:e5:ae:c4:30:2c:cd:60:89:f1:1d:22:ed:5e:5b:10:c8:
      7e:5f:56:8c:b4:00:12:ed:5f:a4:6a:12:c3:0d:01:03:09:f2:
      2f:e7:fd:95:25:47:80:ea:c1:25:5a:33:98:16:52:78:24:80:
      c9:53:11:40:99:f5:bd:b8:e9:35:0e:5d:3e:38:6a:5c:10:d1:
      c6:f9:54:af:28:56:62:f4:2f:b3:9b:50:e1:c3:a2:ba:27:ee:
      07:9f:89:2e:78:5c:6d:46:b6:5e:99:de:e6:9d:eb:d9:ff:b2:
      5f:c6:f6:c6:52:4a:d4:67:be:8d:fc:dd:52:51:8e:a2:d7:15:
      71:3e

    Certificate Trust Flags:
      SSL Flags:
        Valid CA
        Trusted CA
      Email Flags:
        Valid CA
        Trusted CA
      Object Signing Flags:
        Valid CA
        Trusted CA

     

     

    Validating a Certificate

    This example validates a certificate:
    certutil -V -n jsmith@netscape.com -b 9803201212Z -u SR -e -l -d certdir
    The Certificate Database Tool shows results similar to
    Certificate:'jsmith@netscape.com' is valid.
    or
    UID=jsmith, E=jsmith@netscape.com, CN=John Smith, O=Netscape Communications Corp., C=US : Expired certificate
    or
    UID=jsmith, E=jsmith@netscape.com, CN=John Smith, O=Netscape Communications Corp., C=US : Certificate not approved for this operation
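    The six example sections above are steps of one procedure: create the databases, create a self-signed CA, generate a request, issue a certificate from it, import the certificate and validate it. The following is an added example, not part of the NSS documentation, that runs that procedure end to end without interactive prompts. It assumes certutil is on PATH; the directory, the nicknames myissuer and jsmith, the password and the function names are the example's own. It uses one option this page does not list, -Z, which selects the signature hash; and it does not answer the -2 basic-constraints prompt, so the CA carries no basicConstraints extension and is accepted as an issuer by certutil -V only because the database trusts it explicitly with the C flags (Firefox's mozilla::pkix verifier would not accept such a v3 CA). Current certutil creates cert9.db/key4.db for -d dir; pass -d dbm:dir if you need the cert8.db/key3.db files described on this page.

```shell
# Added example, not from the NSS documentation: the procedure of the example
# sections above as shell functions that run without prompts. Assumed: certutil
# on PATH; the directory, "myissuer", "jsmith" and the password are placeholders.
# -Z (not listed on this page) selects the signature hash; SHA-1 signatures are
# rejected by current verifiers. "-d dir" creates cert9.db/key4.db in current
# releases; use "-d dbm:dir" for the cert8.db/key3.db files this page describes.

# nss_setup DIR PASSWORD: create the databases (-N), the -f password file and
# the -z noise file (random seed, at least 20 bytes), both readable by owner only.
nss_setup() {
    dir=$1
    mkdir -p "$dir"
    old_umask=$(umask)
    umask 077
    printf '%s\n' "$2" > "$dir/pw.txt"
    dd if=/dev/urandom of="$dir/noise.bin" bs=64 count=1 2>/dev/null
    umask "$old_umask"
    certutil -N -d "$dir" -f "$dir/pw.txt"
}

# nss_make_ca DIR: self-signed CA "myissuer", trusted to issue SSL, email and
# object-signing certificates. No -2 prompt is answered, so the certificate has
# no basicConstraints; certutil -V accepts it as issuer only because of the C flags.
nss_make_ca() {
    dir=$1
    certutil -S -d "$dir" -f "$dir/pw.txt" -z "$dir/noise.bin" -Z SHA256 \
        -n myissuer -s "CN=My Issuer" -x -t "C,C,C" -m 1234 -v 12
}

# nss_issue DIR NICKNAME SUBJECT: generate a key pair and request (-R), sign the
# request with myissuer (-C), and import the result under NICKNAME (-A) with no
# trust flags of its own (",," marks an ordinary end-entity certificate).
nss_issue() {
    dir=$1; nick=$2; subject=$3
    certutil -R -d "$dir" -f "$dir/pw.txt" -z "$dir/noise.bin" \
        -s "$subject" -o "$dir/$nick.req"
    certutil -C -d "$dir" -f "$dir/pw.txt" -c myissuer -Z SHA256 \
        -i "$dir/$nick.req" -o "$dir/$nick.crt" -m 2345 -v 6
    certutil -A -d "$dir" -n "$nick" -t ",," -i "$dir/$nick.crt"
}

# nss_validate DIR NICKNAME USAGE: verify the chain and signature (-e) for USAGE
# (C, V, S or R as listed under -u); exit status 0 means the certificate is valid.
nss_validate() {
    certutil -V -d "$1" -n "$2" -u "$3" -e -l
}

# nss_demo DIR: run the whole flow; succeeds only if jsmith's certificate
# validates as an SSL server certificate against the trusted myissuer.
nss_demo() {
    dir=$1
    nss_setup "$dir" 'correct horse battery staple'
    nss_make_ca "$dir"
    nss_issue "$dir" jsmith "CN=John Smith,O=Example,C=US"
    certutil -L -d "$dir"   # myissuer keeps its C flags plus u (its key is in the database)
    nss_validate "$dir" jsmith V
}

# Run directly:  sh this_script.sh /tmp/nssdemo
if [ -n "${1:-}" ]; then
    nss_demo "$1"
fi
```

    Two checks worth doing after the run: certutil -L -n jsmith -d DIR shows the Not Before and Not After dates the -v value actually produced, and nss_validate DIR myissuer C (client usage against the CA itself) lets you see how -V reports a certificate that is not approved for an operation, as in the last sample line above.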

     

     

     


     
