How to Use the Command 'certutil' (with Examples)
Certutil is a versatile command-line utility for managing keys and certificates in Network Security Services (NSS) databases and NSS tokens (this is the Mozilla NSS tool, not the unrelated Windows certutil.exe). It allows administrators and system engineers to create, list, and manipulate certificates and their associated attributes. Because applications built on NSS rely on these databases for their trust decisions, the utility is essential for maintaining secure communication channels and provides robust certificate handling and management capabilities.
Use Case 1: Create a New Certificate Database in the Current Directory
Code:
certutil -N -d .
Motivation:
Creating a new certificate database is a foundational step when setting up a secure environment for handling private keys and certificates. This action is crucial for new installations or when initiating a certificate authority’s infrastructure. A dedicated database ensures organized and isolated storage, thereby enhancing security and manageability.
Explanation:
-N: Tells certutil to create a new certificate database; it is the defining option of this use case.
-d .: Specifies the directory in which the new certificate database is created. Here the current directory is denoted by the dot (.), so the database is initialized in the location where the command is executed.
Example Output:
Upon execution, the command prompts the user to enter and confirm a password for the new database and creates the database files once the password is accepted; this password protects the private keys stored in the key database. The files are cert8.db, key3.db, and secmod.db for the legacy database format; NSS releases since 3.35 default to the SQLite-backed format, which stores cert9.db, key4.db, and pkcs11.txt instead.
Use Case 2: List All Certificates in a Database
Code:
certutil -L -d .
Motivation:
Listing all certificates in a database is an essential step for auditing, inventory management, and troubleshooting. By examining all certificates, administrators can verify their presence, expiration, or potential issues that might require attention.
Explanation:
-L: Tells certutil to list all certificates in the specified database.
-d .: As in the previous use case, points to the current directory as the location of the certificate database.
Example Output:
The output is a table of all certificates stored in the database. Each row shows the certificate's nickname and its trust attributes, given as three comma-separated fields for SSL, S/MIME, and object signing (for example, u,u,u marks a certificate whose private key is in the database, while C or T flags mark an issuer this database trusts). Details such as the expiration date are shown when a single certificate is printed with -n nickname.
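As an added example (not part of the original page), the following POSIX shell script parses a certutil -L listing and reports every entry that carries CA trust flags (C or T); an issuer that unexpectedly appears in that list is trusted by every application using the database and deserves a second look during an audit. The listing is a constructed sample with invented nicknames, and the function names list_trusted_cas and audit_nss_db are chosen here.

```shell
#!/bin/sh
# Added example (not from the original page): audit the output of
# `certutil -L` for entries that carry CA trust flags.
#
# In the trust column each comma-separated field (SSL, S/MIME, object
# signing) may contain C (trusted CA for that use), T (trusted to issue
# client certificates), u (user certificate with a private key), p (peer),
# or nothing. Anything with C or T is a trust anchor for this database.

# Constructed sample of what `certutil -L -d .` prints; nicknames and
# trust values are invented for this example.
SAMPLE_LISTING=$(cat <<'EOF'
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

server_certificate                                           u,u,u
Example Root CA                                              CT,C,C
old-vendor-ca                                                C,,
EOF
)

# Read a certutil -L listing on stdin and print "nickname<TAB>trust" for
# every entry whose trust string grants CA trust (contains C or T).
list_trusted_cas() {
    awk '
        # Skip the two header lines and blank lines.
        /^Certificate Nickname/ || /^[ \t]*SSL,S\/MIME/ || NF == 0 { next }
        {
            trust = $NF            # trust flags are always the last field
            $NF = ""               # drop them so $0 is the nickname only
            sub(/[ \t]+$/, "")     # (nicknames may contain single spaces)
            if (trust ~ /[CT]/) print $0 "\t" trust
        }'
}

# Run the audit against a real database directory (requires certutil).
audit_nss_db() {
    certutil -L -d "$1" | list_trusted_cas
}

# Usage on the constructed sample (no NSS database needed):
#   printf '%s\n' "$SAMPLE_LISTING" | list_trusted_cas
```

Against the sample, only the two issuer entries are reported; the server certificate with u,u,u is left out because it holds a private key but confers no trust on anything else.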
Use Case 3: List All Private Keys in a Database Specifying the Password File
Code:
certutil -K -d . -f path/to/password_file.txt
Motivation:
Listing private keys is necessary for an in-depth review of stored cryptographic materials, ensuring that all necessary keys are available and secure. Using a password file automates the process and facilitates scripted or bulk operations by providing the necessary authentication non-interactively.
Explanation:
-K: Instructs certutil to list the private keys in the specified database.
-d .: Specifies the current directory as the database location.
-f path/to/password_file.txt: Points to a file containing the database password, so certutil can open the key database without an interactive prompt. Because the file holds the password in clear text, it should be readable only by the account that runs certutil.
Example Output:
The output lists every private key in the database, one per line, typically showing the key type (for example rsa), the key identifier, and the token and certificate nickname it is stored under (for example NSS Certificate DB:server_name).
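Added example covering use cases 1 and 3 (not from the original page): the script below creates the password file with owner-only permissions, initialises the database non-interactively by passing that file to -f, reports which database format was produced, and lists the private keys. The function names, the NSS_DEMO_DIR variable and the sample password are assumptions made for this script; the certutil calls only run where the tool is installed.

```shell
#!/bin/sh
# Added example (not from the original page): create an NSS database with a
# password file and enumerate its private keys non-interactively.
# Paths, the NSS_DEMO_DIR variable and the sample password are placeholders.

# Write the database password to a file that only the owner can read.
# certutil -f reads the password from this file, so it must never be
# world-readable; umask 077 makes the file mode 0600 at creation time.
write_password_file() {
    pwfile=$1
    password=$2
    (umask 077 && printf '%s\n' "$password" > "$pwfile") || return 1
    # Verify the resulting mode instead of trusting the umask blindly.
    case "$(ls -l "$pwfile" | cut -c1-10)" in
        -rw-------) return 0 ;;
        *) echo "refusing to continue: $pwfile is not owner-only" >&2; return 1 ;;
    esac
}

# Report which NSS database format is present in a directory:
#   sql  -> cert9.db / key4.db / pkcs11.txt (default since NSS 3.35)
#   dbm  -> cert8.db / key3.db / secmod.db (legacy format)
#   none -> no database files yet
nss_db_format() {
    if [ -f "$1/cert9.db" ] && [ -f "$1/key4.db" ]; then
        echo sql
    elif [ -f "$1/cert8.db" ] && [ -f "$1/key3.db" ]; then
        echo dbm
    else
        echo none
    fi
}

# Use case 1: initialise a new database in $1, taking the password from
# the file $2 instead of an interactive prompt.
init_nss_db() {
    dbdir=$1
    pwfile=$2
    mkdir -p "$dbdir" && chmod 700 "$dbdir" || return 1
    certutil -N -d "$dbdir" -f "$pwfile"
}

# Use case 3: list the private keys in $1 using the password file $2.
list_private_keys() {
    certutil -K -d "$1" -f "$2"
}

# Demonstration; runs only where certutil is installed and NSS_DEMO_DIR is
# set, e.g.  NSS_DEMO_DIR=/tmp/nssdemo sh this_script.sh
if [ -n "${NSS_DEMO_DIR:-}" ] && command -v certutil >/dev/null 2>&1; then
    pw="${NSS_DEMO_DIR%/}.pw"
    write_password_file "$pw" 'constructed-example-password' \
        && init_nss_db "$NSS_DEMO_DIR" "$pw" \
        && echo "database format: $(nss_db_format "$NSS_DEMO_DIR")" \
        && list_private_keys "$NSS_DEMO_DIR" "$pw"
fi
```

The permission check is deliberately separate from the umask: a password file copied into place by a deployment tool may arrive with a looser mode, and the script refuses to hand it to certutil in that case.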
Use Case 4: Add the Signed Certificate to the Requester’s Database
Code:
certutil -A -n "server_certificate" -t ",," -i path/to/file.crt -d .
Motivation:
This use case involves adding a signed certificate to the database, a necessary step after obtaining a signed certificate from a certificate authority (CA). It is crucial for completing the certificate lifecycle and making it available for secure communications.
Explanation:
-A: Directs certutil to add a certificate to the database.
-n "server_certificate": Sets the nickname under which the certificate is referenced later.
-t ",,": Specifies the trust attributes as three comma-separated fields (SSL, S/MIME, object signing). Empty fields assign no explicit trust, which is appropriate for an end-entity certificate whose validity is derived from its issuer chain; CA trust flags such as C or T belong only on issuer certificates.
-i path/to/file.crt: Points to the input file containing the signed certificate.
-d .: Indicates the database location as the current directory.
Example Output:
certutil prints nothing on a successful addition and exits with status 0; an error message and a non-zero exit status indicate failure. The certificate then appears under its nickname in the output of certutil -L -d ., which is the simplest way to confirm it is now part of the specified database.
Use Case 5: Add Subject Alternative Names to a Certificate with a Specific Key Size
Code:
certutil -S -f path/to/password_file.txt -d . -t ",," -c "server_certificate" -n "server_name" -g 2048 -s "CN=common_name,O=organization" -8 subject_alternative_name
Motivation:
Adding subject alternative names (SANs) is vital for certificates used in multi-domain environments, ensuring that the certificate can be legitimately used for multiple hosts or services. Specifying a key size ensures that security standards are met, enhancing cryptographic strength.
Explanation:
-S: Creates a new key pair and an individual certificate, signs it with the issuer named by -c, and adds it to the database; the SAN extension is attached at this step.
-f path/to/password_file.txt: Provides the database password non-interactively.
-d .: Points to the directory holding the NSS database.
-t ",,": Sets the trust attributes; as in use case 4, empty fields give the new leaf certificate no explicit trust of its own.
-c "server_certificate": Nickname of the issuer certificate whose private key signs the new certificate (use -x instead to self-sign).
-n "server_name": Assigns a nickname to the new certificate.
-g 2048: Sets the RSA key size in bits; 2048 is the usual minimum today, and larger sizes offer a greater security margin at the cost of slower operations.
-s "CN=common_name,O=organization": Gives the subject name, which forms the identity of the certificate holder.
-8 subject_alternative_name: Adds the given DNS names (a comma-separated list) to the Subject Alternative Name extension, which is the field clients match against the host name they connect to.
Example Output:
certutil prints a notice while generating the key pair, signs the certificate with the issuer given by -c, and stores the result in the database. The new entry can be inspected with certutil -L -d . -n server_name, whose output shows the subject, the validity period, and the extensions, including the Subject Alternative Name.
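Added example for use cases 4 and 5 (not from the original page): the functions below wrap the two commands and check the trust flag string, the key size and the SAN list before calling certutil, then print the SAN extension of the issued certificate as confirmation. Function names, nicknames, paths and host names are placeholders; the -8 option is assumed to take a comma-separated list of DNS names, as documented for NSS certutil.

```shell
#!/bin/sh
# Added example (not from the original page): validate the inputs for
# `certutil -A` (use case 4) and `certutil -S` (use case 5) before calling
# them, then issue a server certificate with subject alternative names.
# Nicknames, paths and host names below are placeholders for this example.

# Trust flags are three comma-separated fields (SSL, S/MIME, object
# signing), each a combination of the letters p P c C T u w, or empty.
# Returns 0 for a well-formed string, 1 otherwise.
validate_trust_flags() {
    printf '%s\n' "$1" | grep -Eq '^[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*$'
}

# True when a trust string makes the certificate a trusted issuer (C or T).
is_ca_trust() {
    case "$1" in
        *C*|*T*) return 0 ;;
        *) return 1 ;;
    esac
}

# Join host names into the comma-separated list that -8 expects.
join_sans() {
    sans=""
    for name in "$@"; do
        sans="${sans:+$sans,}$name"
    done
    printf '%s\n' "$sans"
}

# Accept only numeric RSA key sizes of at least 2048 bits.
validate_key_size() {
    case "$1" in
        *[!0-9]*|"") return 1 ;;
    esac
    [ "$1" -ge 2048 ]
}

# Use case 4: import a CA-signed certificate as an end-entity certificate.
#   add_signed_cert <dbdir> <nickname> <cert.crt> [trust]   (trust defaults to ",,")
add_signed_cert() {
    dbdir=$1; nick=$2; certfile=$3; trust=${4:-",,"}
    validate_trust_flags "$trust" || { echo "malformed trust flags: $trust" >&2; return 1; }
    # A leaf certificate must not be turned into a trust anchor by accident.
    if is_ca_trust "$trust"; then
        echo "refusing to give end-entity certificate $nick CA trust ($trust)" >&2
        return 1
    fi
    [ -r "$certfile" ] || { echo "cannot read $certfile" >&2; return 1; }
    certutil -A -n "$nick" -t "$trust" -i "$certfile" -d "$dbdir"
}

# Use case 5: create a key pair and a certificate signed by the issuer held
# in the database under nickname <issuer>, with the given SAN host names.
#   issue_server_cert <dbdir> <pwfile> <nickname> <issuer> <keybits> <subject> <san>...
issue_server_cert() {
    dbdir=$1; pwfile=$2; nick=$3; issuer=$4; bits=$5; subject=$6
    shift 6
    validate_key_size "$bits" || { echo "key size '$bits' is not allowed" >&2; return 1; }
    [ "$#" -gt 0 ] || { echo "at least one SAN host name is required" >&2; return 1; }
    sans=$(join_sans "$@")
    certutil -S -f "$pwfile" -d "$dbdir" -t ",," -c "$issuer" -n "$nick" \
        -g "$bits" -s "$subject" -8 "$sans" \
    && certutil -L -d "$dbdir" -n "$nick" | grep -i -A 4 'subject alt name'
}

# Example invocation (requires certutil and an initialised database):
#   issue_server_cert . password.txt server_name server_certificate 2048 \
#       "CN=www.example.test,O=Example" www.example.test example.test
```

The SAN host names are passed as separate arguments and joined only at the last moment, so a caller cannot smuggle extra options into the certutil command line through a single unquoted string, and the CA-trust refusal in add_signed_cert catches the common mistake of copying an issuer's "CT,C,C" flags onto a server certificate.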
Conclusion:
The certutil command is a powerful tool for managing certificates and keys, offering various capabilities to create databases, list certificates and keys, add signed certificates, and handle subject alternative names. By harnessing these use cases, administrators can maintain a robust public key infrastructure (PKI) and adapt to evolving security needs.