Previous     Contents     Index     Next     
iPlanet Certificate Management System Command-Line Tools Guide



Chapter 11   Certificate Database Tool


Certificate Database Tool is a command-line utility that can create the certificate database file (cert7.db) for Certificate Management System. The utility can also list, generate, modify, or delete certificates within the file.

Certificate database management tasks are part of a process that typically also involves managing key databases (key3.db files). The key and certificate management process generally begins with creating keys in the key database, then generating and managing certificates in the certificate database.

This chapter discusses certificate database management:

For information on key database and security module database management, see Chapter 12 "Key Database Tool" and Chapter 16 "Security Module Database Tool."



Availability


This tool is available for AIX 4.3, OSF/1 v4.0D, Solaris 2.6 (SunOS 5.6),
Solaris 8, and Windows NT 4.0.



Syntax


To run Certificate Database Tool, type the following command:

certutil option [arguments]

where options and arguments are combinations of the options and arguments listed in the following section. Each command takes one option. Each option may take zero or more arguments. To see a usage string, issue the command without options, or with the -H option.


Options and Arguments

Options specify an action and are uppercase. Option arguments modify an action and are lowercase. Certificate Database Tool command options and their arguments are defined as follows:


Table 11-1    Command options and their arguments

Option  

Description  

-N  

Create a new certificate database.  

-S  

Create an individual certificate and add it to a certificate database.  

-R  

Create a certificate-request file that can be submitted to a certificate authority (CA) for processing into a finished certificate. Output defaults to standard out unless you use -o output-file argument.

Use the -a argument to specify ASCII output.  

-C  

Create a new binary certificate file from a binary certificate-request file. Use the -i argument to specify the certificate-request file. If this argument is not used Certificate Database Tool prompts for a filename.  

-A  

Add an existing certificate to a certificate database. The certificate database should already exist; if one is not present, this option will initialize one by default.  

-L  

List all the certificates, or display information about a named certificate, in a certificate database.

Use the -h tokenname argument to specify the certificate database on a particular hardware or software token.  

-V  

Check the validity of a certificate and its attributes.  

-M  

Modify a certificate's trust attributes using the values of the -t argument.  

-H  

Display a list of the options and arguments used by Certificate Database Tool.  

Argument  

 

-a  

Use ASCII format or allow the use of ASCII format for input or output. This formatting follows RFC #1113. For certificate requests, ASCII output defaults to standard output unless redirected.  

-b validity-time  

Specify a time at which a certificate is required to be valid. Use when checking certificate validity with the -V option. The format of the validity-time argument is "YYMMDDHHMMSS[+HHMM|-HHMM|Z]". Specifying seconds (SS) is optional. When specifying an explicit time, use "YYMMDDHHMMSSZ". When specifying an offset time, use "YYMMDDHHMMSS+HHMM" or "YYMMDDHHMMSS-HHMM". If this option is not used, the validity check defaults to the current system time.  

-c issuer  

Identify the certificate of the CA from which a new certificate will derive its authenticity. Use the exact nickname or alias of the CA certificate, or use the CA's email address. Bracket the issuer string with quotation marks if it contains spaces.  

-d certdir  

Specify a directory containing a certificate database file. On Unix Certificate Database Tool defaults to $HOME/.netscape (that is, ~/.netscape). On Windows NT the default is the current directory.

The cert7.db and key3.db database files must reside in the same directory.  

-e  

Check a certificate's signature during the process of validating a certificate.  

-f password-file  

Specify a file that will automatically supply the password to include in a certificate or to access a certificate database. This is a plain-text file containing one password. Be sure to prevent unauthorized access to this file.  

-h tokenname  

Specify the name of a token to use or act on. Unless specified otherwise the default token is an internal slot (specifically, internal slot 2). This slot can also be explicitly named with the string "internal". An internal slots is a virtual slot maintained in software, rather than a hardware device. Internal slot 2 is used by key and certificate services. Internal slot 1 is used by cryptographic services.  

-i cert|cert-request-file  

Specify a specific certificate, or a certificate-request file.  

-k shortkeyID  

Specify the public key to use when creating a certificate or certificate request. The shortkeyID is the first few bytes of the keyID (as shown by the keyutil -L command), starting from the second byte, with a length sufficient to identify it uniquely.  

-l  

Display detailed information when validating a certificate with the -V option.  

-m serial-number  

Assign a unique serial number to a certificate being created. This operation should be performed by a CA. The default serial number is 0 (zero). Serial numbers are limited to integers.  

-n certname  

Specify the nickname of a certificate to list, create, add to a database, modify, or validate. Bracket the certname string with quotation marks if it contains spaces.  

-o output-file  

Specify the output file name for new certificates or binary certificate requests. Bracket the output-file string with quotation marks if it contains spaces. If this argument is not used the output destination defaults to standard output.  

-p phone  

Specify a contact telephone number to include in new certificates or certificate requests. Bracket this string with quotation marks if it contains spaces.  

-r  

Display a certificate's binary DER encoding when listing information about that certificate with the -L option.  

-s subject  

Identify a particular certificate owner for new certificates or certificate requests. Bracket this string with quotation marks if it contains spaces. The subject identification format follows RFC #1485.  

-t trustargs  

Specify the trust attributes to modify in an existing certificate or to apply to a certificate when creating it or adding it to a database.

There are three available trust categories for each certificate, expressed in this order: "SSL, email, object signing". In each category position use zero or more of the following attribute codes:

p    Valid peer
P    Trusted peer (implies p)
c    Valid CA
T    Trusted CA to issue client certificates (implies c)
C    Trusted CA to issue server certificates (SSL only)
      (implies c)
u    Certificate can be used for authentication or signing
w    Send warning (use with other attributes to include a warning when the certificate is used in that context)

The attribute codes for the categories are separated by commas, and the entire set of attributes enclosed by quotation marks. For example:

-t "TCu,Cu,Tuw"

Use the -L option to see a list of the current certificates and trust attributes in a certificate database.  

-u certusage  

Specify a usage context to apply when validating a certificate with the -V option. The contexts are the following:

C (as an SSL client)
V (as an SSL server)
S (as an email signer)
R (as an email recipient)  

-v valid-months  

Set the number of months a new certificate will be valid. The validity period begins at the current system time unless an offset is added or subtracted with the -w option. If this argument is not used, the default validity period is three months. When this argument is used, the default three-month period is automatically added to any value given in the valid-month argument. For example, using this option to set a value of 3 would cause 3 to be added to the three-month default, creating a validity period of six months. You can use negative values to reduce the default period. For example, setting a value of -2 would subtract 2 from the default and create a validity period of one month.  

-w offset-months  

Set an offset from the current system time, in months, for the beginning of a certificate's validity period. Use when creating the certificate or adding it to a database. Express the offset in integers, using a minus sign (-) to indicate a negative offset. If this argument is not used, the validity period begins at the current system time. The length of the validity period is set with the -v argument.  

-x  

Use Certificate Database Tool to generate the signature for a certificate being created or added to a database, rather than obtaining a signature from a separate CA.  

-y rsa|dsa  

Specify the type of key used to generate a new certificate, either RSA or DSA. The default is rsa.  

-1  

Add a key usage extension to a certificate that is being created or added to a database. This extension allows a certificate's key to be dedicated to supporting specific operations such as SSL server or object signing. Certificate Database Tool will prompt you to select a particular usage for the certificate's key. These usages are described under "Standard X.509 v3 Certifiate Extensions' in Appendix C of CMS Plug-Ins Guide  

-2  

Add a basic constraint extension to a certificate that is being created or added to a database. This extension supports the certificate chain verification process. Certificate Database Tool will prompt you to select the certificate constraint extension. Constraint extensions are described in "Standard X.509 v3 Certifiate Extensions' in Appendix C of CMS Plug-Ins Guide.  

-3  

Add an authority key ID extension to a certificate that is being created or added to a database. This extension supports the identification of a particular certificate, from among multiple certificates associated with one subject name, as the correct issuer of a certificate. Certificate Database Tool will prompt you to select the authority key ID extension. Authority key ID extensions are described under "Standard X.509 v3 Certifiate Extensions' in Appendix C of CMS Plug-Ins Guide.  

-4  

Add a CRL distribution point extension to a certificate that is being created or added to a database. This extension identifies the URL of a certificate's associated certificate revocation list (CRL). Certificate Database Tool prompts you to enter the URL.  



Usage


Certificate Database Tool's capabilities are grouped as follows, using these combinations of options and arguments. Options and arguments in square brackets are optional, those without square brackets are required.

  • Creating a new cert7.db file:

    -N [-d certdir]

  • Creating a new certificate and adding it to the database with one command:

    -S -k shortkeyID -y rsa|dsa -n certname -s subject
    [-c     issuer |-x] -t trustargs [-h tokenname]
    [-m     serial-number] [-v valid-months] [-w offset-months]
    [-d     certdir] [-p phone] [-f password-file] [-1] [-2] [-3] [-4]

  • Making a separate certificate request:

    -R -k shortkeyID -y rsa|dsa -s subject [-h tokenname]
    [-d     certdir] [-p phone] [-o output-file] [-f password-file]

  • Creating a new binary certificate from a binary certificate request:

    -C [-c issuer |-k shortkeyID -y rsa|dsa -x] [-f password-file]
    [-h     tokenname] -i cert-request-file -o output-file [-m serial-number]
    [-v     valid-months] [-w offset-months] [-d certdir] [-1] [-2] [-3]
    [-4]

  • Adding a certificate to an existing database:

    -A -n certname -t trustargs [-h tokenname] [-d certdir] [-a]
    [-i     cert-request-file]

  • Listing all certificates or a named certificate:

    -L [-n certname] [-d certdir] [-r] [-a]

  • Validating a certificate:

    -V -n certname -b validity-time -u certusage [-e] [-l] [-d certdir]

  • Modifying a certificate's trust attribute:

    -M -n certname -t trustargs [-d certdir]

  • Displaying a list of the options and arguments used by Certificate Database Tool:

    -H



Examples

This section contains examples for the following tasks:


Creating a New Certificate Database

This example creates a new certificate database (cert7.db file) in the specified directory:

certutil -N -d certdir

You must generate the associated key3.db and secmod.db files by using the Key Database Tool or other tools.


Listing Certificates in a Database

This example lists all the certificates in the cert7.db file in the specified directory:

certutil -L -d certdir

Certificate Database Tool displays output similar to the following:

Certificate Name              Trust Attributes

Uptime Group Plc. Class 1 CA        C,C,
VeriSign Class 1 Primary CA         ,C,
VeriSign Class 2 Primary CA         C,C,C
AT&T Certificate Services           C,C,
GTE CyberTrust Secure Server CA     C,,
Verisign/RSA Commercial CA          C,C,
AT&T Directory Services             C,C,
BelSign Secure Server CA            C,,
Verisign/RSA Secure Server CA       C,C,
GTE CyberTrust Root CA              C,C,
Uptime Group Plc. Class 4 CA        ,C,
VeriSign Class 3 Primary CA         C,C,C
Canada Post Corporation CA          C,C,
Integrion CA                        C,C,C
IBM World Registry CA               C,C,C
GTIS/PWGSC, Canada Gov. Web CA      C,C,
GTIS/PWGSC, Canada Gov. Secure CA   C,C,C
MCI Mall CA                         C,C,
VeriSign Class 4 Primary CA         C,C,C
KEYWITNESS, Canada CA               C,C,
BelSign Object Publishing CA        ,,C
BBN Certificate Services CA Root 1  C,C,
p    Valid peer
P    Trusted peer (implies p)
c    Valid CA
T    Trusted CA to issue client certs (implies c)
C    Trusted CA to issue server certs(for ssl only) (implies c)
u    User cert
w    Send warning


Creating a Certificate Request

This example generates a binary certificate request file named e95c.req in the specified directory:

certutil -R -s "CN=John Smith, O=Netscape, L=Mountain View, ST=California, C=US" -p "650-555-8888" -k e95c -o e95c.req -d certdir

Before it creates the request file, Certificate Database Tool prompts you for a password:

Enter Password or Pin for "Communicator Certificate DB":


Creating a Certificate

A valid certificate must be issued by a trusted CA. If a CA key pair is not available, you can create a self-signed certificate (for purposes of illustration) with the -x argument. This example creates a new, self-signed binary certificate named e95c.crt, from a binary certificate request named e95c.req, in the specified directory.

certutil -C -i e95c.req -o e95c.crt -k e95c -m 1234
-f password-file -x -d certdir

The following example creates a new binary certificate named one.crt, from a binary certificate request named one.req, in the specified directory. It is issued by the self-signed certificate created above, e95c.crt.

certutil -C -m 2345 -i one.req -o one.crt -c e95c.crt -d certdir


Adding a Certificate to the Database

This example adds a certificate to the certificate database:

certutil -A -n jsmith@netscape.com -t "C,C,C" -i e95c.crt
-d certdir

You can see this certificate in the database with this command:

certutil -L -n jsmith@netscape.com -d certdir

Certificate Database Tool displays output similar to the following:

Certificate:
  Data:
    Version: 3 (0x2)
    Serial Number: 0 (0x0)
    Signature Algorithm: PKCS #1 MD5 With RSA Encryption
    Issuer: CN=John Smith, O=Netscape, L=Mountain View, ST=California, C=US
    Validity:
        Not Before: Thu Mar 12 00:10:40 1998
        Not After: Sat Sep 12 00:10:40 1998
Subject: CN=John Smith, O=Netscape, L=Mountain View, ST=California, C=US

Subject Public Key Info:
  Public Key Algorithm: PKCS #1 RSA Encryption
  RSA Public Key:
    Modulus:
        00:da:53:23:58:00:91:6a:d1:a2:39:26:2f:06:3a:
        38:eb:d4:c1:54:a3:62:00:b9:f0:7f:d6:00:76:aa:
        18:da:6b:79:71:5b:d9:8a:82:24:07:ed:49:5b:33:
        bf:c5:79:7c:f6:22:a7:18:66:9f:ab:2d:33:03:ec:
        63:eb:9d:0d:02:1b:da:32:ae:6c:d4:40:95:9f:b3:
        44:8b:8e:8e:a3:ae:ad:08:38:4f:2e:53:e9:e1:3f:
        8e:43:7f:51:61:b9:0f:f3:a6:25:1e:0b:93:74:8f:
        c6:13:a3:cd:51:40:84:0e:79:ea:b7:6b:d1:cc:6b:
        78:d0:5d:da:be:2b:57:c2:6f
    Exponent: 65537 (0x10001)
Signature Algorithm: PKCS #1 MD5 With RSA Encryption
Signature:
  44:15:e5:ae:c4:30:2c:cd:60:89:f1:1d:22:ed:5e:5b:10:c8:
  7e:5f:56:8c:b4:00:12:ed:5f:a4:6a:12:c3:0d:01:03:09:f2:
  2f:e7:fd:95:25:47:80:ea:c1:25:5a:33:98:16:52:78:24:80:
  c9:53:11:40:99:f5:bd:b8:e9:35:0e:5d:3e:38:6a:5c:10:d1:
  c6:f9:54:af:28:56:62:f4:2f:b3:9b:50:e1:c3:a2:ba:27:ee:
  07:9f:89:2e:78:5c:6d:46:b6:5e:99:de:e6:9d:eb:d9:ff:b2:
  5f:c6:f6:c6:52:4a:d4:67:be:8d:fc:dd:52:51:8e:a2:d7:15:
  71:3e

Certificate Trust Flags:
  SSL Flags:
    Valid CA
    Trusted CA
  Email Flags:
    Valid CA
    Trusted CA
  Object Signing Flags:
    Valid CA
    Trusted CA


Validating a Certificate

This example validates a certificate:

certutil -V -n jsmith@netscape.com -b 9803201212Z -u SR -e -l
-d certdir

Certificate Database Tool shows results similar to

Certificate:'jsmith@netscape.com' is valid.

or

UID=jsmith, E=jsmith@netscape.com, CN=John Smith, O=Netscape Communications Corp., C=US : Expired certificate

or

UID=jsmith, E=jsmith@netscape.com, CN=John Smith, O=Netscape Communications Corp., C=US : Certificate not approved for this operation


Previous     Contents     Index     Next     
Copyright © 2002 Sun Microsystems, Inc. All rights reserved.

Last Updated October 07, 2002