Using certutil (with examples)
Create a new certificate database
To create a new certificate database, you can use the following command:
certutil -N -d .
Motivation: Creating a new certificate database is necessary when starting a new project or when managing multiple certificates in different databases. The -N option tells certutil to create a new database, and the -d . argument specifies the current directory as the location for the new database.
Explanation:
-N : Creates a new certificate database.
-d . : Specifies the current directory as the location for the new database.
Example output: The command prompts for a password to protect the new database and then creates the database files in the current directory.
List all certificates in a database
To list all certificates in a database, you can use the following command:
certutil -L -d .
Motivation: Listing all certificates in a database is helpful for reviewing and managing the certificates stored within it. This command allows you to easily view the details of each certificate.
Explanation:
-L : Lists all certificates in the database.
-d . : Specifies the current directory as the location of the database.
Example output: The command will display a list of all certificates stored in the database, including their names and associated information.
List all private keys in a database
To list all private keys in a database, you can use the following command:
certutil -K -d . -f path/to/password_file.txt
Motivation: It is important to keep track of all private keys in a database, as they are critical for encrypting and decrypting data. This command allows you to quickly retrieve a list of all private keys stored in a specified database.
Explanation:
-K : Lists all private keys in the database.
-d . : Specifies the current directory as the location of the database.
-f path/to/password_file.txt : Specifies the path to a file containing the password for accessing the database.
Example output: The command will display a list of all private keys stored in the database, including their names and associated information.
Import a signed certificate into the requester's database
To import a signed certificate into the requester's database, you can use the following command:
certutil -A -n "server_certificate" -t ",," -i path/to/file.crt -d .
Motivation: Importing a signed certificate is necessary when you have received a certificate from a trusted authority and need to add it to your database for secure communication. This command allows you to import the signed certificate into the requester's database.
Explanation:
-A : Adds a certificate to the database.
-n "server_certificate" : Specifies the nickname for the certificate being imported.
-t ",," : Specifies the trust attributes of the certificate (the three comma-separated fields cover SSL, S/MIME and object signing; ",," assigns no explicit trust in any of them).
-i path/to/file.crt : Specifies the path to the file containing the signed certificate.
-d . : Specifies the current directory as the location of the database.
Example output: The command will import the signed certificate into the requester's database, allowing it to be used for secure communication.
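The listing produced by certutil -L and the trust attributes set with -t ",," are easier to audit once decoded. The following is an added example, not code from the certutil project: it parses a constructed sample of certutil -L output and expands each trust string using the flag letters documented in the certutil man page (p, P, c, C, T, u).

```python
"""Parse `certutil -L -d <dir>` output and decode NSS trust attributes.

The sample listing below is constructed to match certutil's layout; it
was not captured from a real database.
"""
import re

# Constructed sample of a listing: nickname, then the trust string for
# SSL, S/MIME and JAR/XPI (object signing), separated by commas.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

server_certificate                                           ,,
example_ca                                                   CT,C,C
server_name                                                  u,u,u
"""

# Trust flag letters from the certutil man page; other letters are ignored.
TRUST_FLAGS = {
    "p": "valid peer",
    "P": "trusted peer (implies p)",
    "c": "valid CA",
    "C": "trusted CA (implies c)",
    "T": "trusted CA for client authentication (SSL only)",
    "u": "user certificate (private key present)",
}

# A data line is: nickname, at least two spaces, then three comma-separated
# trust fields. The header lines contain no commas, so they do not match.
LINE_RE = re.compile(r"^(?P<nick>\S.*?)\s{2,}(?P<trust>[pPcCTu]*,[pPcCTu]*,[pPcCTu]*)\s*$")

def parse_listing(text):
    """Return {nickname: (ssl, smime, jar)} from certutil -L output."""
    certs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ssl, smime, jar = m.group("trust").split(",")
            certs[m.group("nick")] = (ssl, smime, jar)
    return certs

def describe(trust):
    """Expand one trust string such as 'CT' into human-readable flags."""
    return [TRUST_FLAGS[ch] for ch in trust] or ["no explicit trust"]

def audit(certs):
    """Flag entries with no SSL trust (they depend on chaining to a trusted
    CA) and user certificates, whose private key lives in the database."""
    findings = []
    for nick, (ssl, _smime, _jar) in certs.items():
        if not ssl:
            findings.append(f"{nick}: no SSL trust set; valid only via a trusted CA")
        elif "u" in ssl:
            findings.append(f"{nick}: private key in database; protect the password file")
    return findings
```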
Add subject alternative names to a given certificate
To add subject alternative names to a given certificate, you can use the following command:
certutil -S -f path/to/password_file.txt -d . -t ",," -c "server_certificate" -n "server_name" -g 2048 -s "CN=common_name,O=organization"
Motivation: Adding subject alternative names to a certificate is necessary when you want to include additional hostnames or IP addresses for which the certificate should be valid. This command allows you to specify the subject alternative names for a given certificate.
Explanation:
-S : Generates and adds a new certificate to the database.
-f path/to/password_file.txt : Specifies the path to a file containing the password for accessing the database.
-d . : Specifies the current directory as the location of the database.
-t ",," : Specifies the trust attributes of the certificate.
-c "server_certificate" : Specifies the nickname of the certificate to be modified.
-n "server_name" : Specifies the common name (CN) for the new certificate.
-g 2048 : Specifies the length of the new certificate's public key.
-s "CN=common_name,O=organization" : Specifies the subject of the new certificate.
Example output: The command will generate a new certificate with the specified subject alternative names and add it to the database, making it valid for the specified hostnames or IP addresses.
Conclusion
In this article, we explored different use cases of the certutil command. We learned how to create a new certificate database, list all certificates and private keys in a database, import signed certificates, and add subject alternative names to a certificate. These examples demonstrate the versatility of the certutil command in managing keys and certificates in both NSS databases and other NSS tokens.