Before running certutil, make sure that LD_LIBRARY_PATH points to the location of the libraries required for this utility to run. This location can be identified from the value of AS_NSS_LIB in asenv.conf (the product-wide configuration file).
The certificate database tool, certutil, is an NSS command-line utility that can create and modify the Netscape Communicator cert8.db and key3.db database files. It can also list, generate, modify, or delete certificates within the cert8.db file and create or change the password, generate new public and private key pairs, display the contents of the key database, or delete key pairs within the key3.db file.
The key and certificate management process generally begins with creating keys in the key database, then generating and managing certificates in the certificate database. The following document discusses certificate and key database management with NSS, including the syntax for the certutil utility: http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html.
Each of the items in the list below gives an example using NSS and JSSE security tools to create and/or manage certificates.
Generate a self-signed server and client certificate. In this example, the CN must be of the form hostname.domain.[com|org|net|...].
In this example, domain-dir/config. The serverseed.txt and clientseed.txt files can contain any random text. This random text will be used for generating the key pair.
certutil -S -n $SERVER_CERT_NAME -x -t "u,u,u" -s "CN=$HOSTNAME.$HOSTDOMAIN, OU=Java Software, O=Sun Microsystems Inc., L=Santa Clara, ST=CA, C=US" -m 25001 -o $CERT_DB_DIR/Server.crt -d $CERT_DB_DIR -f passfile <$CERT_UTIL_DIR/serverseed.txt
Generate the client certificate. This certificate is also a self-signed certificate.
certutil -S -n $CLIENT_CERT_NAME -x -t "u,u,u" -s "CN=MyClient, OU=Java Software, O=Sun Microsystems Inc., L=Santa Clara, ST=CA, C=US" -m 25002 -o $CERT_DB_DIR/Client.crt -d $CERT_DB_DIR -f passfile <$CERT_UTIL_DIR/clientseed.txt
Verify the certificates generated in the previous two bullets (the server certificate as an SSL server certificate, the client certificate as an SSL client certificate).
certutil -V -u V -n $SERVER_CERT_NAME -d $CERT_DB_DIR
certutil -V -u C -n $CLIENT_CERT_NAME -d $CERT_DB_DIR
Display available certificates.
certutil -L -d $CERT_DB_DIR
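The following script is an added example, not part of the original page: it ties the environment note above (LD_LIBRARY_PATH taken from AS_NSS_LIB in asenv.conf) to the generate / verify / list sequence, and checks the CN form the page requires before building the subject DN. The asenv.conf line format (NAME="value"), the passfile location under the database directory, and the default paths and nicknames are assumptions; the actual certutil run is only performed when certutil is installed and RUN_CERTUTIL=1 is set.

```shell
#!/bin/sh
# Added example: prepare the NSS environment from asenv.conf, validate the CN,
# then generate, verify and list a self-signed server certificate with certutil.

# Print the value of variable $2 from asenv.conf $1 (assumes NAME="value" lines,
# quotes optional); prints nothing if the variable is absent.
asenv_value() {
    grep "^[[:space:]]*$2=" "$1" | head -n 1 | cut -d= -f2- | tr -d '"' | tr -d "'"
}

# Export LD_LIBRARY_PATH from AS_NSS_LIB so certutil can load the NSS libraries.
nss_env() {
    lib=$(asenv_value "$1" AS_NSS_LIB)
    [ -n "$lib" ] || { echo "AS_NSS_LIB not set in $1" >&2; return 1; }
    LD_LIBRARY_PATH="$lib${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
    export LD_LIBRARY_PATH
}

# Return 0 only if $1 has the form hostname.domain.tld (at least three labels,
# alphabetic top-level label), as the page requires for the server CN.
valid_cn() {
    printf '%s\n' "$1" | grep -Eq '^([A-Za-z0-9-]+\.){2,}[A-Za-z]{2,}$'
}

# Build the -s subject argument; OU/O/L/ST/C are the page's example values.
server_dn() {
    valid_cn "$1" || { echo "CN must be hostname.domain.tld, got: $1" >&2; return 1; }
    printf 'CN=%s, OU=Java Software, O=Sun Microsystems Inc., L=Santa Clara, ST=CA, C=US' "$1"
}

# Generate a self-signed server certificate, verify it as an SSL server
# certificate (-u V) and list the database, mirroring the page's commands.
# $1 = database dir (must already be initialised with certutil -N and contain
#      the password file "passfile", an assumption), $2 = nickname, $3 = CN,
# $4 = serial number, $5 = seed file fed on stdin for key generation.
generate_and_verify() {
    db=$1; nick=$2; cn=$3; serial=$4; seed=$5
    dn=$(server_dn "$cn") || return 1
    certutil -S -n "$nick" -x -t "u,u,u" -s "$dn" -m "$serial" \
        -o "$db/$nick.crt" -d "$db" -f "$db/passfile" < "$seed" || return 1
    certutil -V -u V -n "$nick" -d "$db" || return 1
    certutil -L -d "$db"
}

# Usage: ASENV=/path/to/asenv.conf CERT_DB_DIR=domain-dir/config \
#        SERVER_CERT_NAME=Server-Cert RUN_CERTUTIL=1 sh nss-server-cert.sh
if [ "${RUN_CERTUTIL:-0}" = 1 ] && command -v certutil >/dev/null 2>&1; then
    nss_env "${ASENV:-/opt/appserver/config/asenv.conf}" \
    && generate_and_verify "${CERT_DB_DIR:-./config}" "${SERVER_CERT_NAME:-Server-Cert}" \
        "$HOSTNAME.$HOSTDOMAIN" 25001 "${CERT_UTIL_DIR:-.}/serverseed.txt"
fi
```

The serial number (-m) must be unique per issuer; reusing 25001 for a second certificate in the same database is an error practitioners commonly hit, so pass a fresh serial for each call. The `-f passfile` argument keeps the database password out of the command line, where `ps` would otherwise show it; keep that file readable only by the server's service account.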
Import an RFC text-formatted certificate into an NSS certificate database.
certutil -A -a -n ${cert.nickname} -t ${cert.trust.options} -f ${pass.file} -i ${cert.rfc.file} -d ${admin.domain.dir}/${admin.domain}/config
Export a certificate from an NSS certificate database in RFC format.
certutil -L -a -n ${cert.nickname} -f ${pass.file} -d ${admin.domain.dir}/${admin.domain}/config > cert.rfc
Delete a certificate from an NSS certificate database.
certutil -D -n ${cert.nickname} -f ${pass.file} -d ${admin.domain.dir}/${admin.domain}/config
Move a certificate from an NSS database to JKS format. This exports only the certificate (not the private key), so the entry created in the JKS keystore is a trusted certificate entry.
certutil -L -a -n ${cert.nickname} -d ${admin.domain.dir}/${admin.domain}/config > cert.rfc
keytool -import -noprompt -trustcacerts -keystore ${keystore.file} -storepass ${keystore.pass} -alias ${cert.alias} -file cert.rfc
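The NSS-to-JKS move above, as an added example that is not part of the original page: the exported RFC (PEM) file is checked before keytool imports it, so an empty export (wrong nickname or password) or a file that unexpectedly carries private-key material is rejected instead of landing in the keystore. The function names and the temporary-file handling are assumptions of this example.

```shell
#!/bin/sh
# Added example: export a certificate from an NSS database in RFC (PEM) form,
# validate the export, then import it into a JKS keystore with keytool.

# Return 0 if $1 holds exactly one PEM certificate (what "certutil -L -a"
# writes) and no private-key block; a file handed to "keytool -trustcacerts"
# should never carry key material.
pem_cert_ok() {
    [ -s "$1" ] || return 1
    [ "$(grep -c '^-----BEGIN CERTIFICATE-----$' "$1")" = 1 ] || return 1
    [ "$(grep -c '^-----END CERTIFICATE-----$' "$1")" = 1 ] || return 1
    ! grep -q 'PRIVATE KEY' "$1"
}

# $1 = NSS database dir, $2 = certificate nickname, $3 = NSS password file,
# $4 = JKS keystore path, $5 = keystore password, $6 = alias for the entry.
nss_to_jks() {
    nssdb=$1; nick=$2; passfile=$3; keystore=$4; storepass=$5; alias=$6
    out=$(mktemp) || return 1
    # Export in ASCII (RFC) form; -L with -n and -a prints the named cert only.
    certutil -L -a -n "$nick" -f "$passfile" -d "$nssdb" > "$out" \
        || { rm -f "$out"; return 1; }
    pem_cert_ok "$out" \
        || { echo "export of '$nick' is not a single certificate" >&2; rm -f "$out"; return 1; }
    keytool -import -noprompt -trustcacerts -keystore "$keystore" \
        -storepass "$storepass" -alias "$alias" -file "$out"
    rc=$?
    rm -f "$out"
    return $rc
}

# Usage:
#   nss_to_jks domain-dir/config Server-Cert domain-dir/config/passfile \
#       keystore.jks changeit server-cert
```

Because `-storepass` appears on the keytool command line, the keystore password is visible to other users via `ps` while keytool runs; treat `${keystore.pass}` as a secret in the build properties and prefer a keystore file that only the server's service account can read. If the private key also has to move (for a server identity rather than a trust anchor), the certificate export above is not enough; NSS provides pk12util for PKCS#12 export, which keytool can then import.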