Netscape Certificate Management System Administrator's Guide:


Appendix C Command-Line Utilities

Netscape Certificate Management System (CMS) is bundled with various command-line utilities. This appendix summarizes these utilities, explains a few of them, and provides pointers for the rest.

The appendix has the following sections:


Summary of Command-Line Utilities
Table C.1 summarizes the command-line utilities that are bundled with Certificate Management System.

Table C.1 Summary of command-line utilities

Utility/Tool: Function

Batch/Shell Scripts located under <server_root>/bin/cert/tools/ (require jre):

AtoB (ASCII to Binary Tool): Converts ASCII base-64 encoded data to binary base-64 encoded data. For details, see "ASCII to Binary Tool".

BtoA (Binary to ASCII Tool): Converts binary base-64 encoded data to ASCII base-64 encoded data. For details, see "Binary to ASCII Tool".

PasswordCache (Password Cache Utility): Manipulates the contents of the single sign-on password cache. For details, see "Password Cache Utility".

PrettyPrintCert (Pretty Print Certificate Tool): Prints the contents of a certificate stored as ASCII base-64 encoded data in a human-readable form. For details, see "Pretty Print Certificate Tool".

PrettyPrintCrl (Pretty Print CRL Tool): Prints the contents of a CRL stored as ASCII base-64 encoded data in a human-readable form. For details, see "Pretty Print CRL Tool".

Perl Scripts located under <server_root> (require perl):

cmsbackup: Copies all of the pertinent data and configuration files for a CMS instance, the local Administration Server, and local Netscape Directory Servers that the instance uses into a compressed archive. For details, see "Backing Up Data".

cmsrestore: Opens a named archive, extracts the data, and uses it to restore the configuration of a CMS instance. For details, see "Restoring Data".

Executable tools located under <server_root>/shared/bin:

modutil (Security Module Database Tool): Used for managing the PKCS #11 module information within secmod.db files or within hardware tokens. For details, see "modutil" in Appendix B of Managing Servers with Netscape Console. To locate this document, open the <server_root>/manual/index.html file.

Executable tools located under <server_root>/bin/cert/tools:

certutil (Certificate Database Tool): View and manipulate the certificate database (cert7.db) contents. For details, see Appendix D, "Certificate Database Tool".

keyutil (Key Database Tool): View and manipulate the key database (key3.db) contents. For details, see Appendix E, "Key Database Tool".

killproc: Kills or terminates system processes in Windows NT. For details, see "Attending to an Unresponsive Server".

migrate/AIX/migrate, migrate/HP-UX/migrate, migrate/Solaris/migrate, migrate/WINNT/migrate (Migration Tool): Migrates data from a Certificate Server 1.x installation into a Certificate Management System installation. For details, see "Appendix A, Migrating from Certificate Server" in the Netscape Certificate Management System Installation and Deployment Guide.

setpin (PIN Generator tool): Generates PINs for end users for directory- and PIN-based authentication. For details, see "Using the PIN Generator Tool".

signtool (Netscape Signing Tool): Digitally signs any file, including log files. For details, see Appendix F, "Netscape Signing Tool".

sslstrength (SSL Strength Tool): Connects to an SSL server and reports back the type and strength of the encryption cipher that it's using. For details, see Appendix G, "SSL Strength Tool".

ssltap (SSL Debugging Tool): Used to debug SSL applications. For details, see Appendix H, "SSL Debugging Tool".

Third-party executable tools located under <server_root>/bin/cert/tools:

dumpasn1: Dumps the contents of binary base-64-encoded data. For details, see "dumpasn1 Tool".

Third-party support tools located under <server_root>:

bin/base/jre/bin/jre: Java runtime executable for Netscape Console.

bin/cert/jre/bin/jre: Java runtime executable for Certificate Management System. Note: The CMS jre is invoked as cms_daemon during CMS installation and configuration, as cms_watchdog to monitor the status of the CMS server, and as cms_server to actually run the CMS server.

bin/cert/tools/unzip: Decompression utility executable.

bin/cert/tools/zip: Compression utility executable.

install/perl: perl scripting language executable.

The AtoB, BtoA, PrettyPrintCert, PrettyPrintCrl, and dumpasn1 tools are useful for converting back and forth between various encodings and formats you may encounter when dealing with keys and certificates. (These tools are explained in this appendix.)

The Password Cache Utility can be used to manipulate the contents of an existing single sign-on password cache and to create a new cache.

The Certificate Database Tool, Key Database Tool, and Security Module Database Tool are useful for a variety of administrative tasks that involve manipulating certificate and key databases. Note that the Security Module Database Tool is explained in the section entitled "modutil" in Appendix B of Managing Servers with Netscape Console. To locate this document, open the <server_root>/manual/index.html file.

The Migration tool is used to convert Certificate Server 1.x data for use with Certificate Management System, and the PIN Generator tool is used to create PINs for directory authentication. The killproc tool is used to terminate the Java virtual machines, called jre processes, when Certificate Management System becomes unresponsive.

The Netscape Signing Tool can be used to associate a digital signature with any file, including CMS log files.

The SSL Strength Tool and SSL Debugging Tool are useful for testing and debugging purposes.


ASCII to Binary Tool
You can use the ASCII to Binary tool to convert ASCII base-64 encoded data to binary base-64 encoded data.

Availability

This tool is available for AIX 4.3, OSF/1 v4.0D, Solaris 2.6 (SunOS 5.6), Solaris 8, and Windows NT 4.0.

Syntax

To run the ASCII to Binary tool, type the following command:

AtoB[.bat] <input_file> <output_file>

Example

AtoB.bat C:\test\data.in C:\test\data.out

The above command takes the base-64 encoded data (in ASCII format) in the file named data.in and writes the binary equivalent of the data to the file named data.out.


Binary to ASCII Tool
You can use the Binary to ASCII tool to convert binary base-64 encoded data to ASCII base-64 encoded data.

Availability

This tool is available for AIX 4.3, OSF/1 v4.0D, Solaris 2.6 (SunOS 5.6), Solaris 8, and Windows NT 4.0.

Syntax

To run the Binary to ASCII tool, type the following command:

BtoA[.bat] <input_file> <output_file>

Example

BtoA.bat C:\test\data.in C:\test\data.out

The above command takes the base-64 encoded data (in binary format) in the file named data.in and writes the ASCII equivalent of the data to the file named data.out.


Pretty Print Certificate Tool
You can use the Pretty Print Certificate tool to print the contents of a certificate stored as ASCII base-64 encoded data in a human-readable form.

Availability

This tool is available for AIX 4.3, OSF/1 v4.0D, Solaris 2.6 (SunOS 5.6), Solaris 8, and Windows NT 4.0.

Syntax

To run the Pretty Print Certificate tool, type the following command:

PrettyPrintCert[.bat] <input_file> [<output_file>]

Example

PrettyPrintCert.bat C:\test\cert.in C:\test\cert.out

The above command takes the base-64 encoded certificate in the cert.in file and writes the certificate in the pretty-print form to the output file named cert.out.

The base-64 encoded certificate (content of the cert.in file) would look similar to this:

-----BEGIN CERTIFICATE-----

MIIC2DCCAkGgAwIBAgICEAwwDQYJKoZIhvcNAQEFBQAwfDELMAkGA1UEBhMCVVMxIzAhBgNVBAoTG lBhbG9va2FWaWxsZSBXaWRnZXRzLCBJbmMuMR0wGwYDVQQLExRXaWRnZXQgTWFrZXJzICdSJyBVcz EpMCcGA1UEAxMgVGVzdCBUZXN0IFRlc3QgVGVzdCBUZXN0IFRlc3QgQ0EwHhcNOTkwMjE4MDM0MzM 5WhcNMDAwMjE4MDM0MzM5WjCBrjELMAkGA1UEBhMCVVMxJjAkBgNVBAoTHU5ldHNjYXBlIENvbW11 bmljYXRpb25zIENvcnAuMRUwEwYDVQQLEwOZXRzY2FwZSBDTVMxGDAWBEBEwhtaGFybXNlbjEfMB0 GA1UEAxMWaW50ZGV2Y2EgQWRtaW5pcwp0frfJOObeiSsia3BuifRHBNw95ZZQR9NIXr1x5bEdYM1n 0nksKdflcQJ6mcA7718OZIRMfLKyRaHua24zAAMWjsH4F250gAPfZuiaTUYcBx8rhIvCwsac1Xb4X zPp1DZO8NX+9A6Zod0CAwEAAaM2MDQwEQYJYIZIAYb4QgEBBAQDAgCgMB8GA1UdIwQYaAFOu1EY8A mhqmblKUqXS8Zc8HiSojMA0GCgVIHT2xU+055U8omp0kjwHqDkegWhUtfMfeCdbNiXOpwSjCVIf1F ZvjrML/rCkV9pkn7574EBdaP

-----END CERTIFICATE-----

The certificate in pretty-print form (content of the cert.out file) would look similar to this:

Certificate:
    Data:
        Version: v3
        Serial Number: 0x100C
        Signature Algorithm: OID.1.2.840.113549.1.1.5 - 1.2.840.113549.1.1.5
        Issuer: CN=Test Test CA,OU=Widget Makers 'R'Us,O=PalookaVille Widgets\, Inc.,C=US
        Validity:
            Not Before: Wednesday, February 17, 1999 7:43:39 PM
            Not After: Thursday, February 17, 2000 7:43:39 PM
        Subject: MAIL=admin@netscape.com,CN=testCA,Administrator UID=admin,OU=Netscape CMS,O=Netscape Comm Corp.,C=US
        Subject Public Key Info:
            Algorithm: RSA - 1.2.840.113549.1.1.1
            Public Key:
                30:81:89:02:81:81:00:DE:26:B3:C2:9D:3F:7F:FA:DF:
                24:E3:9B:7A:24:AC:89:AD:C1:BA:27:D1:1C:13:70:F7:
                96:59:41:1F:4D:21:7A:F5:C7:96:C4:75:83:35:9F:49:
                E4:B0:A7:5F:95:C4:09:EA:67:00:EF:BD:7C:39:92:11:
                31:F2:CA:C9:16:87:B9:AD:B8:39:69:18:CE:29:81:5F:
                F3:4D:97:B9:DF:B7:60:B3:00:03:16:8E:C1:F8:17:6E:
                7A:D2:00:0F:7D:9B:A2:69:35:18:70:1C:7C:AE:12:2F:
                0B:0F:EC:69:CD:57:6F:85:F3:3E:9D:43:64:EF:0D:5F:
                EF:40:FF:A6:68:FD:DD:02:03:01:00:01:
        Extensions:
            Identifier: 2.16.840.1.113730.1.1
                Critical: no
                Value:
                    03:02:00:A0:
            Identifier: Authority Key Identifier - 2.5.29.35
                Critical: no
                Key Identifier:
                    EB:B5:11:8F:00:9A:1A:A6:6E:52:94:A9:74:BC:65:CF:
                    07:89:2A:23:
    Signature:
        Algorithm: OID.1.2.840.113549.1.1.5 - 1.2.840.113549.1.1.5
        Signature:
            3E:8A:A9:9B:D1:71:EE:37:0D:1F:A0:C1:00:17:53:26:
            6F:EE:28:15:20:74:F6:C5:4F:B4:E7:95:3C:A2:6A:74:
            92:3C:07:A8:39:12:1B:7E:C4:C7:AE:79:C8:D8:FF:1F:
            D5:48:D8:2E:DD:87:88:69:D5:3A:06:CA:CA:9C:9A:55:
            DA:A9:E8:BF:36:BC:68:6D:1F:2B:1C:26:62:7C:75:27:
            E2:8D:24:4A:14:9C:92:C6:F0:7A:05:A1:52:D7:CC:7D:
            E0:9D:6C:D8:97:3A:9C:12:8C:25:48:7F:51:59:BE:3C:
            2B:30:BF:EB:0A:45:7D:A6:49:FB:E7:BE:04:05:D6:8F:


Pretty Print CRL Tool
You can use the Pretty Print CRL tool to print the contents of a CRL stored as ASCII base-64-encoded data in a human-readable form.

Availability

This tool is available for AIX 4.3, OSF/1 v4.0D, Solaris 2.6 (SunOS 5.6), Solaris 8, and Windows NT 4.0.

Syntax

To run the Pretty Print CRL tool, type the following command:

PrettyPrintCrl[.bat] <input_file> [<output_file>]

Example

PrettyPrintCrl.bat C:\test\crl.in C:\test\crl.out

The above command takes the base-64 encoded CRL in the crl.in file and writes the CRL in the pretty-print form to the output file named crl.out.

The base-64 encoded CRL (content of the crl.in file) would look similar to this:

-----BEGIN CRL-----

MIIBkjCBAIBATANBgkqhkiG9w0BAQQFADAsMREwDwYDVQQKEwhOZXRzY2FwZTEXMBUGA1UEAxMOQ2 VydDQwIFRlc3QgQ0EXDTk4MTIxNzIyMzcyNFowgaowIAIBExcNOTgxMjE1MTMxODMyWjAMMAoGA1U dFQQDCgEBMCACARIXDTk4MTIxNTEzMjA0MlowDDAKBgNVHRUEAwoBAjAgAgERFw05ODEyMTYxMjUx NTRaMAwwCgYDVR0VBAMKAQEwIAIBEBcNOTgxMjE3MTAzNzI0WjAMMAoGA1UdFQQDCgEDMCACAQoXD Tk4MTEyNTEzMTExOFowDDAKBgNVHRUEAwoBATANBgkqhkiG9w0BAQQFAAOBgQBCN85O0GPTnHfImY PROvoorx7HyFz2ZsuKsVblTcemsX0NL7DtOa+MyY0pPrkXgm157JrkxEJ7GBOeogbAS6iFbmeSqPH j8+JBH5stJNnfTCuhaM6Wx63Wc9LwZXOXTPsvpGxq0YYI0+DPfBZlI3z4lCsNczxJV+9NkeMrheEg ==

-----END CRL-----

The CRL in pretty-print form (content of the crl.out file) would look similar to this:

Certificate Revocation List:
    Data:
        Version: v2
        Signature Algorithm: MD5withRSA - 1.2.840.113549.1.1.4
        Issuer: CN=Cert40 Test CA,O=Netscape
        This Update: Thu Dec 17 14:37:24 PST 1998
        Revoked Certificates:
            Serial Number: 0x13
            Revocation Date: Tuesday, December 15, 1998 5:18:32 AM
            Extensions:
                Identifier: Revocation Reason - 2.5.29.21
                    Critical: no
                    Reason: Key_Compromise
            Serial Number: 0x12
            Revocation Date: Tuesday, December 15, 1998 5:20:42 AM
            Extensions:
                Identifier: Revocation Reason - 2.5.29.21
                    Critical: no
                    Reason: CA_Compromise
            Serial Number: 0x11
            Revocation Date: Wednesday, December 16, 1998 4:51:54 AM
            Extensions:
                Identifier: Revocation Reason - 2.5.29.21
                    Critical: no
                    Reason: Key_Compromise
            Serial Number: 0x10
            Revocation Date: Thursday, December 17, 1998 2:37:24 AM
            Extensions:
                Identifier: Revocation Reason - 2.5.29.21
                    Critical: no
                    Reason: Affiliation_Changed
            Serial Number: 0xA
            Revocation Date: Wednesday, November 25, 1998 5:11:18 AM
            Extensions:
                Identifier: Revocation Reason - 2.5.29.21
                    Critical: no
                    Reason: Key_Compromise
    Signature:
        Algorithm: MD5withRSA - 1.2.840.113549.1.1.4
        Signature:
            42:37:CE:4E:D0:63:D3:9C:77:C8:99:83:D1:3A:FA:28:
            AF:1E:C7:C8:5C:F6:66:CB:8A:B1:56:E5:4D:C7:A6:B1:
            7D:0D:2F:B0:ED:39:AF:8C:C9:8D:29:3E:B9:17:82:6D:
            79:EC:9A:E4:C4:42:7B:18:13:9E:A2:06:C0:4B:A8:85:
            6E:67:92:A8:F1:E3:F3:E2:41:1F:9B:2D:24:D9:DF:4C:
            2B:A1:68:CE:96:C7:AF:F7:5B:F7:3D:2F:06:57:39:74:
            CF:B2:FA:46:C6:AD:18:60:8D:3E:0C:F7:C1:66:52:37:
            CF:89:42:B0:D7:33:C4:95:7E:F4:D9:1E:32:B8:5E:12:
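
Because the pretty-print form is plain "label: value" text, an administrator can turn it into records for audit, for example to list the serial numbers revoked for key or CA compromise. The following Python is an added example, not part of Certificate Management System; the function names, the URGENT set and the sample text are assumptions made for illustration, and the parser relies on the line labels shown in the listing above.

```python
from datetime import datetime

# Constructed sample: abridged PrettyPrintCrl output using the labels listed above;
# the last entry's reason extension is removed to exercise the no-reason case.
SAMPLE = """\
Certificate Revocation List:
Issuer: CN=Cert40 Test CA,O=Netscape
Revoked Certificates:
Serial Number: 0x13
Revocation Date: Tuesday, December 15, 1998 5:18:32 AM
Extensions:
Identifier: Revocation Reason - 2.5.29.21
Critical: no
Reason: Key_Compromise
Serial Number: 0x10
Revocation Date: Thursday, December 17, 1998 2:37:24 AM
Extensions:
Identifier: Revocation Reason - 2.5.29.21
Critical: no
Reason: Affiliation_Changed
Serial Number: 0xA
Revocation Date: Wednesday, November 25, 1998 5:11:18 AM
Signature:
Algorithm: MD5withRSA - 1.2.840.113549.1.1.4
"""
DATE_FMT = "%A, %B %d, %Y %I:%M:%S %p"
URGENT = {"Key_Compromise", "CA_Compromise"}   # reasons that imply key exposure

def parse_revoked(text):
    """Return a dict per revoked certificate: serial, date, reason (None if absent)."""
    entries, in_list = [], False
    for line in text.splitlines():
        key, _, val = (part.strip() for part in line.partition(":"))
        if key == "Revoked Certificates":
            in_list = True
        elif key == "Signature" and not val:     # bare "Signature:" closes the list
            in_list = False
        elif in_list and key == "Serial Number":
            entries.append({"serial": int(val, 16), "date": None, "reason": None})
        elif in_list and entries and key == "Revocation Date":
            entries[-1]["date"] = datetime.strptime(val, DATE_FMT)
        elif in_list and entries and key == "Reason":
            entries[-1]["reason"] = val
    return entries

def compromised_serials(text):
    """Serial numbers (hex strings) revoked for key or CA compromise."""
    return [hex(e["serial"]) for e in parse_revoked(text) if e["reason"] in URGENT]
```

Leading whitespace and blank lines are ignored, so the same function accepts the tool's output whether or not it is indented or double-spaced.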


dumpasn1 Tool
The dumpasn1 tool is freeware that is packaged with Certificate Management System for your convenience. You can use this tool to dump the contents of binary base-64 encoded data. For more information about this tool, see this URL:

http://www.cs.auckland.ac.nz/~pgut001/
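
What the AtoB, BtoA and dumpasn1 tools described in this appendix do to the data can be shown in a few lines of Python. This is an added example, not CMS code and not the source of any of those tools: atob, btoa, decode_oid and walk are names chosen here, and the sample bytes are constructed from the serial number and signature OID in the certificate listing earlier in this appendix.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN [^-]+-----(.*?)-----END [^-]+-----", re.S)
TAGS = {0x02: "INTEGER", 0x03: "BIT STRING", 0x04: "OCTET STRING",
        0x05: "NULL", 0x06: "OBJECT IDENTIFIER", 0x30: "SEQUENCE", 0x31: "SET"}
# Constructed sample: SEQUENCE { INTEGER 0x100C, OID 1.2.840.113549.1.1.5 }
SAMPLE_DER = bytes.fromhex("300F0202100C06092A864886F70D010105")

def atob(text):
    """ASCII base-64 -> binary; accepts bare base-64 or BEGIN/END armor."""
    m = PEM_RE.search(text)
    return base64.b64decode("".join((m.group(1) if m else text).split()), validate=True)

def btoa(data, width=64):
    """Binary -> ASCII base-64, wrapped at `width` columns."""
    b64 = base64.b64encode(data).decode("ascii")
    return "\n".join(b64[i:i + width] for i in range(0, len(b64), width))

def decode_oid(body):
    """Dotted-decimal form of an OBJECT IDENTIFIER's content bytes."""
    nums, n = [], 0
    for b in body:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:            # high bit clear marks the last byte of a number
            nums.append(n)
            n = 0
    first = min(nums[0] // 40, 2)   # first number packs the first two arcs
    return ".".join(map(str, [first, nums[0] - 40 * first] + nums[1:]))

def walk(der, depth=0):
    """Yield (depth, type, length, value) per TLV; single-byte tags only."""
    pos = 0
    while pos < len(der):
        if pos + 2 > len(der):
            raise ValueError("truncated header")
        tag, length = der[pos], der[pos + 1]
        pos += 2
        if length & 0x80:           # long form: low 7 bits count the length bytes
            n = length & 0x7F
            length = int.from_bytes(der[pos:pos + n], "big")
            pos += n
        if pos + length > len(der):
            raise ValueError("length runs past end of data")
        value, pos = der[pos:pos + length], pos + length
        text = decode_oid(value) if tag == 0x06 else value.hex().upper()
        yield depth, TAGS.get(tag, "[0x%02X]" % tag), length, "" if tag & 0x20 else text
        if tag & 0x20:              # constructed: recurse into the contents
            yield from walk(value, depth + 1)
```

Calling list(walk(atob(text))) on armored or bare base-64 input gives the nested type/length/value view; a length field that points past the end of the data raises ValueError rather than being read silently.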

 

Copyright © 2000 Sun Microsystems, Inc. Some preexisting portions Copyright © 2000 Netscape Communications Corp. All rights reserved.