The “certutil” command-line tool is a versatile utility that allows users to manage keys and certificates in various cryptographic token databases, specifically focusing on the Network Security Services (NSS) database format. NSS is a security library used by various applications and systems, including web browsers, email clients, and other software that require cryptographic operations.
Here are the key features and functionalities provided by the “certutil” tool:
- Certificate Management: “certutil” enables users to manage digital certificates within NSS databases. It provides commands to import, export, view, and delete certificates. Users can import certificates from various formats, such as PEM, DER, or PKCS#12, into the NSS database. Similarly, certificates can be exported to different formats for sharing or backup purposes.
- Key Pair Generation: The tool allows users to generate key pairs within NSS databases. Key pairs are used for various cryptographic operations, such as encryption, decryption, and digital signing. “certutil” supports the generation of both symmetric and asymmetric key pairs, including RSA and Elliptic Curve Cryptography (ECC) keys.
- Certificate Revocation Management: “certutil” provides commands to manage certificate revocation within NSS databases. Users can import Certificate Revocation Lists (CRLs) to revoke certificates, generate CRLs, or check the revocation status of a specific certificate.
- Database Management: The tool allows users to create, initialize, and manage NSS databases. NSS databases are used to store keys, certificates, and other cryptographic objects securely. “certutil” provides commands to create new databases, change database passwords, and list the contents of a database.
- Token Management: In addition to NSS databases, “certutil” supports managing cryptographic tokens. A cryptographic token refers to a physical or virtual device that stores cryptographic keys and performs cryptographic operations. The tool allows users to interact with tokens such as smart cards, hardware security modules (HSMs), or software-based tokens.
- Troubleshooting and Diagnostics: “certutil” offers commands to troubleshoot and diagnose issues related to certificates and keys. Users can verify the integrity of certificates, check the validity of private keys, and perform various checks and tests to ensure the correct configuration and operation of the NSS database and tokens.
- Scripting and Automation: “certutil” can be integrated into scripts and automated workflows for batch operations or repeated tasks. Users can write scripts to perform complex operations, automate certificate management tasks, or integrate “certutil” with other tools and systems.
The “certutil” command-line tool is a powerful utility for managing keys and certificates within NSS databases and other NSS tokens. It provides a comprehensive set of commands and features for certificate management, key pair generation, database management, token interaction, troubleshooting, and automation. By utilizing “certutil,” users can effectively manage their cryptographic assets, ensure the security of their systems, and streamline certificate-related operations.
certutil Command Examples
1. Create a new certificate database:
# certutil -N -d .
2. List all certificates in a database:
# certutil -L -d .
3. List all private keys in a database:
# certutil -K -d . -f /path/to/password_file.txt
4. Import the signed certificate into the requesters database:
# certutil -A -n "server_certificate" -t ",," -i /path/to/file.crt -d .
5. Add subject alternative names to a given certificate:
# certutil -S -f /path/to/password_file.txt -d . -t ",," -c "server_certificate" -n "server_name" -g 2048 -s "CN=common_name,O=organization"