diff options
Diffstat (limited to 'certutil.xml')
| -rw-r--r-- | certutil.xml | 409 |
1 files changed, 307 insertions, 102 deletions
diff --git a/certutil.xml b/certutil.xml index d0e04e9..9c00cb9 100644 --- a/certutil.xml +++ b/certutil.xml @@ -1,18 +1,20 @@ <?xml version="1.0" encoding="UTF-8"?> -<!-- <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"> ---> <refentry> <refentryinfo> - <date>14 August, 2008</date> -<!-- this should be one word --> - <refentrytitle>certutil</refentrytitle> -<!-- end --> - <manvolnum>1</manvolnum> + <date>august 2010</date> + <title>NSS Security Tools</title> + <productname>nss-tools</productname> + <productnumber>8</productnumber> </refentryinfo> + <refmeta> + <refentrytitle>CERTUTIL</refentrytitle> + <manvolnum>1</manvolnum> + </refmeta> + <refnamediv> <refname>certutil</refname> <refpurpose>Manage keys and certificate in the the NSS database.</refpurpose> @@ -152,12 +154,12 @@ Use the -a argument to specify ASCII output.</para></listitem> <varlistentry> <term>--merge</term> - <listitem><para>Merge a source database into the target database.</para></listitem> + <listitem><para>Merge a source database into the target database. This is used to merge legacy NSS databases (<filename>cert8.db</filename> and <filename>key3.db</filename>) into the newer SQLite databases (<filename>cert9.db</filename> and <filename>key4.db</filename>).</para></listitem> </varlistentry> <varlistentry> <term>--upgrade-merge</term> - <listitem><para>Upgrade an old database and merge it into a new database.</para></listitem> + <listitem><para>Upgrade an old database and merge it into a new database. This is used to migrate legacy NSS databases (<filename>cert8.db</filename> and <filename>key3.db</filename>) into the newer SQLite databases (<filename>cert9.db</filename> and <filename>key4.db</filename>).</para></listitem> </varlistentry> </variablelist> @@ -186,13 +188,9 @@ If this option is not used, the validity check defaults to the current system ti </varlistentry> <varlistentry> - <term>-d directory</term> - <listitem><para>Specify the database directory containing the certificate and key database files. -<!-- - On Unix the Certificate Database Tool defaults to $HOME/.netscape (that is, ~/.netscape). - On Windows NT the default is the current directory. ---> - The cert8.db and key3.db database files must reside in the same directory. </para></listitem> + <term>-d [sql:]directory</term> + <listitem><para>Specify the database directory containing the certificate and key database files.</para> + <para><command>certutil</command> supports two types of databases: the legacy security databases (<filename>cert8.db</filename>, <filename>key3.db</filename>, and <filename>secmod.db</filename>) and new SQLite databases (<filename>cert9.db</filename>, <filename>key4.db</filename>, and <filename>pkcs11.txt</filename>). If the prefix <command>sql:</command> is not used, then the tool assumes that the given databases are in the old format.</para></listitem> </varlistentry> <varlistentry> @@ -290,27 +288,43 @@ Changing the names of the certificate and key databases is not recommended.</par <listitem><para>Specify the trust attributes to modify in an existing certificate or to apply to a certificate when creating it or adding it to a database. There are three available trust categories for each certificate, expressed in the order <emphasis>SSL, email, object signing</emphasis> for each trust setting. In each category position, use none, any, or all of the attribute codes: </para> + <itemizedlist> + <listitem> <para> - * <command>p</command> - Valid peer + <command>p</command> - Valid peer </para> + </listitem> + <listitem> <para> - * <command>P</command> - Trusted peer (implies p) + <command>P</command> - Trusted peer (implies p) </para> + </listitem> + <listitem> <para> - * <command>c</command> - Valid CA + <command>c</command> - Valid CA </para> + </listitem> + <listitem> <para> - * <command>T</command> - Trusted CA to issue client certificates (implies c) + <command>T</command> - Trusted CA to issue client certificates (implies c) </para> + </listitem> + <listitem> <para> - * <command>C</command> - Trusted CA to issue server certificates (SSL only) (implies c) + <command>C</command> - Trusted CA to issue server certificates (SSL only) (implies c) </para> + </listitem> + <listitem> <para> - * <command>u</command> - Certificate can be used for authentication or signing + <command>u</command> - Certificate can be used for authentication or signing </para> + </listitem> + <listitem> <para> - * <command>w</command> - Send warning (use with other attributes to include a warning when the certificate is used in that context) + <command>w</command> - Send warning (use with other attributes to include a warning when the certificate is used in that context) </para> + </listitem> + </itemizedlist> <para> The attribute codes for the categories are separated by commas, and the entire set of attributes enclosed by quotation marks. For example: </para> @@ -322,12 +336,26 @@ of the attribute codes: <varlistentry> <term>-u certusage</term> <listitem><para>Specify a usage context to apply when validating a certificate with the -V option.</para><para>The contexts are the following:</para> -<para>* <command>C</command> (as an SSL client)</para> -<para>* <command>V</command> (as an SSL server)</para> -<para>* <command>S</command> (as an email signer)</para> -<para>* <command>R</command> (as an email recipient)</para> -<para>* <command>O</command> (as an OCSP status responder)</para> -<para>* <command>J</command> (as an object signer)</para></listitem> + <itemizedlist> + <listitem> +<para><command>C</command> (as an SSL client)</para> + </listitem> + <listitem> +<para><command>V</command> (as an SSL server)</para> + </listitem> + <listitem> +<para><command>S</command> (as an email signer)</para> + </listitem> + <listitem> +<para><command>R</command> (as an email recipient)</para> + </listitem> + <listitem> +<para><command>O</command> (as an OCSP status responder)</para> + </listitem> + <listitem> +<para><command>J</command> (as an object signer)</para> + </listitem> + </itemizedlist></listitem> </varlistentry> <varlistentry> @@ -379,30 +407,48 @@ the default and create a validity period of one month.</para></listitem> <varlistentry> <term>-1 | --keyUsage keyword,keyword</term> <listitem><para>Set a Netscape Certificate Type Extension in the certificate. There are several available keywords:</para> + <itemizedlist> + <listitem> <para> - * digital signature + digital signature </para> + </listitem> + <listitem> <para> - * nonRepudiation + nonRepudiation </para> + </listitem> + <listitem> <para> - * keyEncipherment + keyEncipherment </para> + </listitem> + <listitem> <para> - * dataEncipherment + dataEncipherment </para> + </listitem> + <listitem> <para> - * keyAgreement + keyAgreement </para> + </listitem> + <listitem> <para> - * certSigning + certSigning </para> + </listitem> + <listitem> <para> - * crlSigning + crlSigning </para> + </listitem> + <listitem> <para> - * critical + critical </para> + </listitem> + </itemizedlist> </listitem> </varlistentry> @@ -427,60 +473,97 @@ the default and create a validity period of one month.</para></listitem> <varlistentry> <term>-5 | --nsCertType keyword,keyword</term> <listitem><para>Add a Netscape certificate type extension to a certificate that is being created or added to the database. There are several available keywords:</para> + <itemizedlist> + <listitem> <para> - * sslClient + sslClient </para> + </listitem> + <listitem> <para> - * sslServer + sslServer </para> + </listitem> + <listitem> <para> - * smime + smime </para> + </listitem> + <listitem> <para> - * objectSigning + objectSigning </para> + </listitem> + <listitem> <para> - * sslCA + sslCA </para> + </listitem> + <listitem> <para> - * smimeCA + smimeCA </para> + </listitem> + <listitem> <para> - * objectSigningCA + objectSigningCA </para> + </listitem> + <listitem> <para> - * critical + critical </para> + </listitem> + </itemizedlist> + <para>X.509 certificate extensions are described in RFC 5280.</para></listitem> </varlistentry> <varlistentry> <term>-6 | --extKeyUsage keyword,keyword</term> <listitem><para>Add an extended key usage extension to a certificate that is being created or added to the database. Several keywords are available:</para> + <itemizedlist> + <listitem> <para> - * serverAuth + serverAuth </para> + </listitem> + <listitem> <para> - * clientAuth + clientAuth </para> + </listitem> + <listitem> <para> - * codeSigning + codeSigning </para> + </listitem> + <listitem> <para> - * emailProtection + emailProtection </para> + </listitem> + <listitem> <para> - * timeStamp + timeStamp </para> + </listitem> + <listitem> <para> - * ocspResponder + ocspResponder </para> + </listitem> + <listitem> <para> - * stepUp + stepUp </para> + </listitem> + <listitem> <para> - * critical + critical </para> + </listitem> + </itemizedlist> <para>X.509 certificate extensions are described in RFC 5280.</para></listitem> </varlistentry> @@ -566,47 +649,65 @@ the default and create a validity period of one month.</para></listitem> <para> Certificates, keys, and security modules related to managing certificates are stored in three related databases: </para> + <itemizedlist> + <listitem> <para> - * cert8.db + cert8.db or cert9.db </para> + </listitem> + <listitem> <para> - * key3.db + key3.db or key4.db </para> + </listitem> + <listitem> <para> - * secmod.db + secmod.db or pkcs11.txt </para> + </listitem> + </itemizedlist> <para> These databases must be created before certificates or keys can be generated. </para> -<programlisting>certutil -N -d <directory></programlisting> +<programlisting>certutil -N -d [sql:]directory</programlisting> <para><command>Creating a Certificate Request</command></para> <para> A certificate request contains most or all of the information that is used to generate the final certificate. This request is submitted separately to a certificate authority and is then approved by some mechanism (automatically or by human review). Once the request is approved, then the certificate is generated. </para> -<programlisting language="Bash">$ certutil -R -k key-type-or-id [-q pqgfile|curve-name] -g key-size -s subject [-h tokenname] -d certdir [-p phone] [-o output-file] [-a]</programlisting> +<programlisting>$ certutil -R -k key-type-or-id [-q pqgfile|curve-name] -g key-size -s subject [-h tokenname] -d [sql:]directory [-p phone] [-o output-file] [-a]</programlisting> <para> The <option>-R</option> command options requires four arguments: </para> + <itemizedlist> + <listitem> <para> - * <option>-k</option> to specify either the key type to generate or, when renewing a certificate, the existing key pair to use + <option>-k</option> to specify either the key type to generate or, when renewing a certificate, the existing key pair to use </para> + </listitem> + <listitem> <para> - * <option>-g</option> to set the keysize of the key to generate + <option>-g</option> to set the keysize of the key to generate </para> + </listitem> + <listitem> <para> - * <option>-s</option> to set the subject name of the certificate + <option>-s</option> to set the subject name of the certificate </para> + </listitem> + <listitem> <para> - * <option>-d</option> to give the security database directory + <option>-d</option> to give the security database directory </para> + </listitem> + </itemizedlist> <para> The new certificate request can be output in ASCII format (<option>-a</option>) or can be written to a specified file (<option>-o</option>). </para> <para> For example: </para> -<programlisting language="Bash">$ certutil -R -k ec -q nistb409 -g 512 -s "CN=John Smith,O=Example Corp,L=Mountain View,ST=California,C=US" -d . -p 650-555-0123 -a -o cert. +<programlisting>$ certutil -R -k ec -q nistb409 -g 512 -s "CN=John Smith,O=Example Corp,L=Mountain View,ST=California,C=US" -d sql:/home/my/sharednssdb -p 650-555-0123 -a -o cert.cer Generating key. This may take a few moments... @@ -633,45 +734,45 @@ qmtyQNjIi1F8c1Z+TL4uFYlMg8z6LG/J/u1E5t1QqB5e9Q4+BhRbrQjRR1JZx3tB <para> A valid certificate must be issued by a trusted CA. This can be done by specifying a CA certificate (<option>-c</option>) that is stored in the certificate database. If a CA key pair is not available, you can create a self-signed certificate using the <option>-x</option> argument with the <option>-S</option> command option. </para> -<programlisting language="Bash">$ certutil -S -k rsa|dsa|ec -n certname -s subject [-c issuer |-x] -t trustargs -d directory [-m serial-number] [-v valid-months] [-w offset-months] [-p phone] [-1] [-2] [-3] [-4] [-5 keyword] [-6 keyword] [-7 emailAddress] [-8 dns-names] [--extAIA] [--extSIA] [--extCP] [--extPM] [--extPC] [--extIA] [--extSKID]</programlisting> +<programlisting>$ certutil -S -k rsa|dsa|ec -n certname -s subject [-c issuer |-x] -t trustargs -d [sql:]directory [-m serial-number] [-v valid-months] [-w offset-months] [-p phone] [-1] [-2] [-3] [-4] [-5 keyword] [-6 keyword] [-7 emailAddress] [-8 dns-names] [--extAIA] [--extSIA] [--extCP] [--extPM] [--extPC] [--extIA] [--extSKID]</programlisting> <para> The series of numbers and <option>--ext*</option> options set certificate extensions that can be added to the certificate when it is generated by the CA. </para> <para> For example, this creates a self-signed certificate: </para> -<programlisting language="Bash">$ certutil -S -s "CN=Example CA" -n my-ca-cert -x -t "C,C,C" -1 -2 -5 -m 3650</programlisting> +<programlisting>$ certutil -S -s "CN=Example CA" -n my-ca-cert -x -t "C,C,C" -1 -2 -5 -m 3650</programlisting> <para> From there, new certificates can reference the self-signed certificate: </para> -<programlisting language="Bash">$ certutil -S -s "CN=My Server Cert" -n my-server-cert -c "my-ca-cert" -t "u,u,u" -1 -5 -6 -8 -m 730</programlisting> +<programlisting>$ certutil -S -s "CN=My Server Cert" -n my-server-cert -c "my-ca-cert" -t "u,u,u" -1 -5 -6 -8 -m 730</programlisting> <para><command>Generating a Certificate from a Certificate Request</command></para> <para> When a certificate request is created, a certificate can be generated by using the request and then referencing a certificate authority signing certificate (the <emphasis>issuer</emphasis> specified in the <option>-c</option> argument). The issuing certificate must be in the <filename>cert8.db</filename> database in the specified directory. </para> -<programlisting language="Bash">certutil -C -c issuer -i cert-request-file -o output-file [-m serial-number] [-v valid-months] [-w offset-months] -d certdir [-1] [-2] [-3] [-4] [-5 keyword] [-6 keyword] [-7 emailAddress] [-8 dns-names]</programlisting> +<programlisting>certutil -C -c issuer -i cert-request-file -o output-file [-m serial-number] [-v valid-months] [-w offset-months] -d [sql:]directory [-1] [-2] [-3] [-4] [-5 keyword] [-6 keyword] [-7 emailAddress] [-8 dns-names]</programlisting> <para> For example: </para> -<programlisting language="Bash">$ certutil -C -c "my-ca-cert" -i /home/certs/cert.req -o cert.cer -m 010 -v 12 -w 1 -d . -1 nonRepudiation,dataEncipherment -5 sslClient -6 clientAuth -7 jsmith@example.com</programlisting> +<programlisting>$ certutil -C -c "my-ca-cert" -i /home/certs/cert.req -o cert.cer -m 010 -v 12 -w 1 -d sql:/home/my/sharednssdb -1 nonRepudiation,dataEncipherment -5 sslClient -6 clientAuth -7 jsmith@example.com</programlisting> <para><command>Generating Key Pairs</command></para> <para> Key pairs are generated automatically with a certificate request or certificate, but they can also be generated independently using the <option>-G</option> command option. </para> -<programlisting language="Bash">certutil -G -d directory | -h tokenname -k key-type -g key-size [-y exponent-value] -q pqgfile|curve-name</programlisting> +<programlisting>certutil -G -d [sql:]directory | -h tokenname -k key-type -g key-size [-y exponent-value] -q pqgfile|curve-name</programlisting> <para> For example: </para> -<programlisting language="Bash">$ certutil -G -h lunasa -k ec -g 256 -q sect193r2</programlisting> +<programlisting>$ certutil -G -h lunasa -k ec -g 256 -q sect193r2</programlisting> <para><command>Listing Certificates</command></para> <para> The <option>-L</option> command option lists all of the certificates listed in the <filename>cert8.db</filename> database. The path to the directory (<option>-d</option>) is required. </para> -<programlisting language="Bash">$ certutil -L -d . +<programlisting>$ certutil -L -d sql:/home/my/sharednssdb Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI @@ -683,7 +784,7 @@ Certificate Authority - Example Domain CT,C,C</programlist <para> Using additional arguments with <option>-L</option> can return and print the information for a single, specific certificate. For example, the <option>-n</option> argument passes the certificate name, while the <option>-a</option> argument prints the certificate in ASCII format: </para> -<programlisting language="Bash">$ certutil -L -d . -a -n "Certificate Authority - Example Domain" +<programlisting>$ certutil -L -d sql:/home/my/sharednssdb -a -n "Certificate Authority - Example Domain" -----BEGIN CERTIFICATE----- MIIDmTCCAoGgAwIBAgIBATANBgkqhkiG9w0BAQUFADA5MRcwFQYDVQQKEw5FeGFt @@ -715,7 +816,7 @@ nI7q5n1USM3eWQlVXw== <para> To list all keys in the database, use the <option>-K</option> command option and the (required) <option>-d</option> argument to give the path to the directory. </para> -<programlisting language="Bash">$ certutil -K -d . +<programlisting>$ certutil -K -d sql:/home/my/sharednssdb certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services " < 0> rsa 455a6673bde9375c2887ec8bf8016b3f9f35861d Thawte Freemail Member's Thawte Consulting (Pty) Ltd. ID < 1> rsa 40defeeb522ade11090eacebaaf1196a172127df Example Domain Administrator Cert @@ -723,21 +824,29 @@ certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and <para> There are ways to narrow the keys listed in the search results: </para> + <itemizedlist> + <listitem> <para> - * To return a specific key, use the <option>-n</option> <emphasis>name</emphasis> argument with the name of the key. + To return a specific key, use the <option>-n</option> <emphasis>name</emphasis> argument with the name of the key. </para> + </listitem> + <listitem> <para> - * If there are multiple security devices loaded, then the <option>-h</option> <emphasis>tokenname</emphasis> argument can search a specific token or all tokens. + If there are multiple security devices loaded, then the <option>-h</option> <emphasis>tokenname</emphasis> argument can search a specific token or all tokens. </para> + </listitem> + <listitem> <para> - * If there are multiple key types available, then the <option>-k</option> <emphasis>key-type</emphasis> argument can search a specific type of key, like RSA, DSA, or ECC. + If there are multiple key types available, then the <option>-k</option> <emphasis>key-type</emphasis> argument can search a specific type of key, like RSA, DSA, or ECC. </para> + </listitem> + </itemizedlist> <para><command>Listing Security Modules</command></para> <para> The devices that can be used to store certificates -- both internal databases and external devices like smart cards -- are recognized and used by loading security modules. The <option>-U</option> command option lists all of the security modules listed in the <filename>secmod.db</filename> database. The path to the directory (<option>-d</option>) is required. </para> -<programlisting language="Bash">$ certutil -U -d . +<programlisting>$ certutil -U -d sql:/home/my/sharednssdb slot: NSS User Private Key and Certificate Services token: NSS Certificate DB @@ -749,51 +858,51 @@ certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and <para> Existing certificates or certificate requests can be added manually to the <filename>cert8.db</filename> database, even if they were generated elsewhere. This uses the <option>-A</option> command option. </para> -<programlisting language="Bash">certutil -A -n certname -t trustargs -d certdir [-a] [-i input-file]</programlisting> +<programlisting>certutil -A -n certname -t trustargs -d [sql:]directory [-a] [-i input-file]</programlisting> <para> For example: </para> -<programlisting language="Bash">$ certutil -A -n "CN=My SSL Certificate" -t "u,u,u" -d . -i /home/example-certs/cert.cer</programlisting> +<programlisting>$ certutil -A -n "CN=My SSL Certificate" -t "u,u,u" -d sql:/home/my/sharednssdb -i /home/example-certs/cert.cer</programlisting> <para> A related command option, <option>-E</option>, is used specifically to add email certificates to the certificate database. The <option>-E</option> command has the same arguments as the <option>-A</option> command. The trust arguments for certificates have the format <emphasis>SSL,S/MIME,Code-signing</emphasis>, so the middle trust settings relate most to email certificates (though the others can be set). For example: </para> -<programlisting language="Bash">$ certutil -E -n "CN=John Smith Email Cert" -t ",Pu," -d . -i /home/example-certs/email.cer</programlisting> +<programlisting>$ certutil -E -n "CN=John Smith Email Cert" -t ",Pu," -d sql:/home/my/sharednssdb -i /home/example-certs/email.cer</programlisting> <para><command>Deleting Certificates to the Database</command></para> <para> Certificates can be deleted from a database using the <option>-D</option> option. The only required options are to give the security database directory and to identify the certificate nickname. </para> -<programlisting language="Bash">certutil -D -d directory -n "nickname"</programlisting> +<programlisting>certutil -D -d [sql:]directory -n "nickname"</programlisting> <para> For example: </para> -<programlisting language="Bash">$ certutil -D -d . -n "my-ssl-cert"</programlisting> +<programlisting>$ certutil -D -d sql:/home/my/sharednssdb -n "my-ssl-cert"</programlisting> <para><command>Validating Certificates</command></para> <para> A certificate contains an expiration date in itself, and expired certificates are easily rejected. However, certificates can also be revoked before they hit their expiration date. Checking whether a certificate has been revoked requires validating the certificate. Validation can also be used to ensure that the certificate is only used for the purposes it was initially issued for. Validation is carried out by the <option>-V</option> command option. </para> -<programlisting language="Bash">certutil -V -n certificate-name [-b time] [-e] [-u cert-usage] -d directory</programlisting> +<programlisting>certutil -V -n certificate-name [-b time] [-e] [-u cert-usage] -d [sql:]directory</programlisting> <para> For example, to validate an email certificate: </para> -<programlisting language="Bash">$ certutil -V -n "John Smith's Email Cert" -e -u S,R -d .</programlisting> +<programlisting>$ certutil -V -n "John Smith's Email Cert" -e -u S,R -d sql:/home/my/sharednssdb</programlisting> <para><command>Modifying Certificate Trust Settings</command></para> <para> The trust settings (which relate to the operations that a certificate is allowed to be used for) can be changed after a certificate is created or added to the database. This is especially useful for CA certificates, but it can be performed for any type of certificate. </para> -<programlisting language="Bash">certutil -M -n certificate-name -t trust-args -d directory</programlisting> +<programlisting>certutil -M -n certificate-name -t trust-args -d [sql:]directory</programlisting> <para> For example: </para> -<programlisting language="Bash">$ certutil -M -n "My CA Certificate" -d . -t "CTu,CTu,CTu"</programlisting> +<programlisting>$ certutil -M -n "My CA Certificate" -d sql:/home/my/sharednssdb -t "CTu,CTu,CTu"</programlisting> <para><command>Printing the Certificate Chain</command></para> <para> Certificates can be issued in <emphasis>chains</emphasis> because every certificate authority itself has a certificate; when a CA issues a certificate, it essentially stamps that certificate with its own fingerprint. The <option>-O</option> prints the full chain of a certificate, going from the initial CA (the root CA) through ever intermediary CA to the actual certificate. For example, for an email certificate with two CAs in the chain: </para> -<programlisting language="Bash">$ certutil -d . -O -n "jsmith@example.com" +<programlisting>$ certutil -d sql:/home/my/sharednssdb -O -n "jsmith@example.com" "Builtin Object Token:Thawte Personal Freemail CA" [E=personal-freemail@thawte.com,CN=Thawte Personal Freemail CA,OU=Certification Services Division,O=Thawte Consulting,L=Cape Town,ST=Western Cape,C=ZA] "Thawte Personal Freemail Issuing CA - Thawte Consulting" [CN=Thawte Personal Freemail Issuing CA,O=Thawte Consulting (Pty) Ltd.,C=ZA] @@ -804,68 +913,164 @@ certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and <para> The device which stores certificates -- both external hardware devices and internal software databases -- can be blanked and reused. This operation is performed on the device which stores the data, not directly on the security databases, so the location must be referenced through the token name (<option>-h</option>) as well as any directory path. If there is no external token used, the default value is internal. </para> -<programlisting language="Bash">certutil -T -d directory -h token-name -0 security-officer-password</programlisting> +<programlisting>certutil -T -d [sql:]directory -h token-name -0 security-officer-password</programlisting> <para> Many networks have dedicated personnel who handle changes to security tokens (the security officer). This person must supply the password to access the specified token. For example: </para> -<programlisting language="Bash">$ certutil -T -d . -h nethsm -0 secret</programlisting> +<programlisting>$ certutil -T -d sql:/home/my/sharednssdb -h nethsm -0 secret</programlisting> <para><command>Upgrading or Merging the Security Databases</command></para> <para> - Some networks or applications may be using older versions of the certificate database, like a <filename>cert7.db</filename> database, or there may be multiple certificate databases in use. Databases can be upgraded to a new version using the <option>--upgrade-merge</option> command option or merged with other databases using the <option>---merge</option> command. + Many networks or applications may be using older BerkeleyDB versions of the certificate database (<filename>cert8.db</filename>). Databases can be upgraded to the new SQLite version of the database (<filename>cert9.db</filename>) using the <option>--upgrade-merge</option> command option or existing databases can be merged with the new <filename>cert9.db</filename> databases using the <option>---merge</option> command. </para> <para> The <option>--upgrade-merge</option> command must give information about the original database and then use the standard arguments (like <option>-d</option>) to give the information about the new databases. The command also requires information that the tool uses for the process to upgrade and write over the original database. </para> -<programlisting language="Bash">certutil --upgrade-merge -d directory [-P dbprefix] --source-dir directory --source-prefix dbprefix --upgrade-id id --upgrade-token-name name [-@ password-file]</programlisting> +<programlisting>certutil --upgrade-merge -d [sql:]directory [-P dbprefix] --source-dir directory --source-prefix dbprefix --upgrade-id id --upgrade-token-name name [-@ password-file]</programlisting> <para> For example: </para> -<programlisting language="Bash">$ certutil --upgrade-merge -d . --source-dir /opt/my-app/alias/ --source-prefix serverapp- --upgrade-id 1 --upgrade-token-name internal</programlisting> +<programlisting>$ certutil --upgrade-merge -d sql:/home/my/sharednssdb --source-dir /opt/my-app/alias/ --source-prefix serverapp- --upgrade-id 1 --upgrade-token-name internal</programlisting> <para> The <option>--merge</option> command only requires information about the location of the original database; since it doesn't change the format of the database, it can write over information without performing interim step. </para> -<programlisting language="Bash">certutil --merge -d directory [-P dbprefix] --source-dir directory --source-prefix dbprefix [-@ password-file]</programlisting> +<programlisting>certutil --merge -d [sql:]directory [-P dbprefix] --source-dir directory --source-prefix dbprefix [-@ password-file]</programlisting> <para> For example: </para> -<programlisting language="Bash">$ certutil --merge -d . --source-dir /opt/my-app/alias/ --source-prefix serverapp-</programlisting> +<programlisting>$ certutil --merge -d sql:/home/my/sharednssdb --source-dir /opt/my-app/alias/ --source-prefix serverapp-</programlisting> <para><command>Running certutil Commands from a Batch File</command></para> <para> A series of commands can be run sequentially from a text file with the <option>-B</option> command option. The only argument for this specifies the input file. </para> -<programlisting language="Bash">$ certutil -B -i /path/to/batch-file</programlisting> +<programlisting>$ certutil -B -i /path/to/batch-file</programlisting> </refsection> +<refsection id="databases"><title>NSS Database Types</title> +<para>NSS originally used BerkeleyDB databases to store security information. +The last versions of these <emphasis>legacy</emphasis> databases are:</para> +<itemizedlist> + <listitem> + <para> + cert8.db for certificates + </para> + </listitem> + <listitem> + <para> + key3.db for keys + </para> + </listitem> + <listitem> + <para> + secmod.db for PKCS #11 module information + </para> + </listitem> +</itemizedlist> + +<para>BerkeleyDB has performance limitations, though, which prevent it from being easily used by multiple applications simultaneously. NSS has +some flexibility that allows applications to use their own, independent database engine while keeping a shared database and working around the access issues. Still, NSS +requires more flexibility to provide a truly shared security database.</para> + +<para>In 2009, NSS introduced a new set of databases that are SQLite databases rather than +BerkleyDB. These new databases provide more accessibility and performance:</para> +<itemizedlist> + <listitem> + <para> + cert9.db for certificates + </para> + </listitem> + <listitem> + <para> + key4.db for keys + </para> + </listitem> + <listitem> + <para> + pkcs11.txt, which is listing of all of the PKCS #11 modules contained in a new subdirectory in the security databases directory + </para> + </listitem> +</itemizedlist> + +<para>Because the SQLite databases are designed to be shared, these are the <emphasis>shared</emphasis> database type. The shared database type is preferred; the legacy format is included for backward compatibility.</para> + +<para>By default, the tools (<command>certutil</command>, <command>pk12util</command>, <command>modutil</command>) assume that the given security databases follow the more common legacy type. +Using the SQLite databases must be manually specified by using the <command>sql:</command> prefix with the given security directory. For example:</para> + +<programlisting>$ certutil -L -d sql:/home/my/sharednssdb</programlisting> + +<para>To set the shared database type as the default type for the tools, set the <envar>NSS_DEFAULT_DB_TYPE</envar> environment variable to <envar>sql</envar>:</para> +<programlisting>export NSS_DEFAULT_DB_TYPE="sql"</programlisting> + +<para>This line can be set added to the <filename>~/.bashrc</filename> file to make the change permanent.</para> + +<para>Most applications do not use the shared database by default, but they can be configured to use them. For example, this how-to article covers how to configure Firefox and Thunderbird to use the new shared NSS databases:</para> +<itemizedlist> + <listitem> + <para> + https://wiki.mozilla.org/NSS_Shared_DB_Howto</para> + </listitem> +</itemizedlist> +<para>For an engineering draft on the changes in the shared NSS databases, see the NSS project wiki:</para> +<itemizedlist> + <listitem> + <para> + https://wiki.mozilla.org/NSS_Shared_DB + </para> + </listitem> +</itemizedlist> +</refsection> + <refsection id="seealso"> <title>See Also</title> + <para>pk12util (1)</para> + <para>modutil (1)</para> <para><command>certutil</command> has arguments or operations that use features defined in several IETF RFCs.</para> + <itemizedlist> + <listitem> <para> - * http://tools.ietf.org/html/rfc5280 + http://tools.ietf.org/html/rfc5280 </para> + </listitem> + <listitem> <para> - * http://tools.ietf.org/html/rfc1113 + http://tools.ietf.org/html/rfc1113 </para> + </listitem> + <listitem> <para> - * http://tools.ietf.org/html/rfc1485 + http://tools.ietf.org/html/rfc1485 </para> + </listitem> + </itemizedlist> + + <para>The NSS wiki has information on the new database design and how to configure applications to use it.</para> +<itemizedlist> + <listitem> + <para> + https://wiki.mozilla.org/NSS_Shared_DB_Howto</para> + </listitem> + <listitem> + <para> + https://wiki.mozilla.org/NSS_Shared_DB + </para> + </listitem> +</itemizedlist> </refsection> <!-- don't change --> <refsection id="resources"> <title>Additional Resources</title> - <para>NSS is maintained in conjunction with PKI and security-related projects through Mozilla dn Fedora. The most closely-related project is Dogtag PKI, with a project wiki at <ulink url="http://pki.fedoraproject.org/wiki/">http://pki.fedoraproject.org/wiki/</ulink>. </para> - <para>For information specifically about NSS, the NSS project wiki is located at <ulink url="http://www.mozilla.org/projects/security/pki/nss/">http://www.mozilla.org/projects/security/pki/nss/</ulink>. The NSS site relates directly to NSS code changes and releases.</para> - <para>Mailing lists: pki-devel@redhat.com and pki-users@redhat.com</para> + <para>For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at <ulink url="http://www.mozilla.org/projects/security/pki/nss/">http://www.mozilla.org/projects/security/pki/nss/</ulink>. The NSS site relates directly to NSS code changes and releases.</para> + <para>Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto</para> <para>IRC: Freenode at #dogtag-pki</para> </refsection> <!-- fill in your name first; keep the other names for reference --> <refsection id="authors"> <title>Authors</title> - <para>The NSS tools were written and maintained by developers with Netscape and now with Red Hat.</para> + <para>The NSS tools were written and maintained by developers with Netscape, Red Hat, and Sun.</para> <para> Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey <dlackey@redhat.com>. </para> |