NSS
This chapter describes the certutil Network Security Services (NSS) certificate tool that is available in Oracle Linux and how to use it to create Certificate Signing Requests (CSRs), self-signed certificates, and privately owned CA certificates in NSS database files, which store certificates and private keys for applications.
NSS is a set of libraries designed to support cross-platform development of security-enabled client and server applications. Applications built with NSS can support SSL v2 and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other security standards.
Before you can use certutil to manage certificates, CSRs, and keys, you must have access to the NSS database files. You can use either the legacy security database files (cert8.db for certificates, key3.db for keys, and secmod.db for PKCS #11 module information) or the newer SQLite database files (cert9.db for certificates, key4.db for keys, and pkcs11.txt for PKCS #11 modules). The examples in this section use the SQLite database files. Recent NSS versions create that format by default; prefixing the -d argument with sql: (for example -d sql:$HOME/nssdb) selects it explicitly regardless of version.
You can also use the related pk12util command to export certificates and keys from an NSS database to a PKCS #12 file, or to import them from a PKCS #12 file into an NSS database.
To install certutil and pk12util, install the nss-tools package, which is available from the Application Stream repository:
sudo dnf install nss-tools
The following examples show how to use the certutil and pk12util commands.
- To create an NSS database, do the following:
certutil -N -d database_directory
In the previous example, database_directory is the directory in which you want to create the cert9.db, key4.db, and pkcs11.txt NSS database files. The directory must already exist. certutil prompts for a password that protects the private keys stored in the database; to supply it non-interactively, for example from a script, use -f password-file and keep that file readable only by the owner. For example, the following creates the database in a folder called nssdb in the home directory of the terminal's user account:
certutil -N -d $HOME/nssdb
- To generate a self-signed certificate, do the following:
certutil -d database_directory -S -s subject -n nickname -x -t trust_args -o file
In the previous example,
- -S Indicates that you want to create an individual certificate, together with its key pair, and add it to a certificate database.
- -s Indicates that you want to specify a distinguished name, where subject uses the distinguished name format defined in https://www.rfc-editor.org/rfc/rfc1485.html.
- -n Indicates that you want to specify a nickname, where nickname is the nickname for the entity you are creating.
- -x Indicates that you want certutil to generate the signature for the certificate being created, using the certificate's own key, rather than obtaining a signature from a separate CA.
- -t Indicates that you want to add trust arguments, where trust_args are the trust attributes that you want to apply to the certificate. There are three trust categories for each certificate, expressed in the order SSL, email, object signing. In each category position, use none, any, or all of the attribute codes. Valid codes are:
- p - Valid peer
- P - Trusted peer (includes p)
- c - Valid CA
- C - Trusted CA (includes c)
- T - Trusted CA for client authentication (SSL server only)
- -o Optionally writes the new certificate to file as well as storing it in the database.
Because -S also generates the key pair, specify the key type and size explicitly with -k rsa -g 2048 (or larger) rather than relying on the defaults, and set the validity period in months with -v, because the default validity is only three months. Unless you provide a noise file with -z noise-file, certutil asks you to type random text to seed key generation.
For example, the following creates a self-signed certificate for the www1.example.com common name with the example_test nickname. The trust attributes are C (Trusted CA) for each category, which makes this certificate a trust anchor for every use. For a certificate that only identifies a server, and is not a CA, empty trust attributes (-t ,,) are sufficient.
certutil -d $HOME/nssdb/ -S -s 'CN=www1.example.com, O=Example Organization, L=Ottawa, C=CA' -n example_test -x -t C,C,C
- To add existing certificates or certificates generated elsewhere, do the following:
certutil -A -n nickname -t trust_args -d database_directory -a -i input-file
In the previous example,
- -A Indicates that you want to add a certificate to a certificate database.
- -i Indicates that you want to provide an input file, such as a certificate file, for example, a PEM file.
- -a Indicates that the input file is in ASCII (PEM) format; without it, certutil reads the file as binary DER.
certutil -A adds one certificate per invocation. If the input file is a bundle that contains several certificates, only the first one is added, so split the bundle and import each certificate under its own nickname. Give an imported CA certificate only the trust it needs; C,C,C trusts it as a CA for SSL, email, and object signing alike, whereas CT,, trusts it only to issue TLS server and client certificates.
For example,
certutil -A -n "CN=My SSL Certificate" -t C,C,C -d $HOME/nssdb/ -a -i $HOME/tls-ca-bundle.pem
- To get a list of all certificates, do the following:
certutil -L -d database_directory
For example,
certutil -L -d $HOME/nssdb/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

example_test                                                 Cu,Cu,Cu
CN=My SSL Certificate                                        C,C,C
When listing certificates, the trust attributes may include the u flag, which indicates that the database holds the private key for that certificate, that is, it is a user certificate rather than a certificate that is merely trusted.
- To delete a certificate from your database, do the following:
certutil -D -d database_directory -n nickname
In the previous example, -D indicates that you want to delete a specific certificate from your database. -D removes only the certificate; a private key that belongs to it stays in the database. To delete a private key together with its certificate, use -F instead of -D.
- To get a list of all keys, do the following:
certutil -K -d database_directory
For example,
certutil -K -d $HOME/nssdb/
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
Enter Password or Pin for "NSS Certificate DB":
< 0> rsa      35f4555f329c1490b3570c9d36e1ec56f2329f08   NSS Certificate DB:example_test
< 1> rsa      303936d20b3522e9293b75db3dc48f77c1871767   NSS Certificate DB:example_test2
Listing keys requires the database password. Each line shows the key type, the key ID, and the nickname of the certificate the key belongs to.
- To print a certificate in PEM (ASCII) format, do the following:
certutil -L -d database_directory -a -n nickname
This prints the certificate, which includes the public key. The private key is never printed by -L; to move a private key, export it with pk12util as described below.
For example,
certutil -L -d $HOME/nssdb/ -a -n example_test
-----BEGIN CERTIFICATE-----
...[certificate text]
-----END CERTIFICATE-----
- To export a certificate and its private key into a single PKCS #12 file, do the following:
pk12util -o certs.p12 -n example_test -d sql:database_directory
pk12util prompts for the database password and then for a password that protects the PKCS #12 file. Because the exported file contains the private key, protect it accordingly and delete it once it has been imported where it is needed. To import such a file into a database, use pk12util -i certs.p12 -d sql:database_directory.
- To modify the trust attributes of a certificate, use the -M option. For example, the following changes the trust arguments from C,C,C to P,P,P for the example_test certificate:
certutil -d database_directory -M -t "P,P,P" -n example_test
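The following POSIX shell script is an added end-to-end example, not code from the Oracle Linux page or from the NSS project: it creates a database, builds a private CA, generates a CSR for a server, issues the server certificate from that CSR, imports and validates it, and round-trips it through pk12util into a second database. The directory layout, the nicknames example_ca and www1, the subject names, the password values, the key sizes and the validity periods are assumptions chosen for the demonstration. It also uses certutil options that the page does not show: -f (database password file), -z (noise file), -R (create a CSR), -C with -c (issue a certificate from a CSR), -2, --keyUsage, --extKeyUsage and -8 (extensions), -V with -u and -e (validation), and the pk12util -i, -k and -w options.

```shell
#!/bin/sh
# Added example (not from the Oracle Linux page): an end-to-end NSS workflow
# with certutil and pk12util. Paths, nicknames, subject names, passwords,
# key sizes and validity periods are assumptions made for this demonstration.
set -eu

# Create a fresh SQLite-format NSS database. certutil -N does not create the
# directory itself, and without -f it prompts for the database password.
nss_create_db() {
  mkdir -p "$1"
  chmod 700 "$1"
  certutil -N -d "sql:$1" -f "$2"
}

nss_demo() {
  work=$1
  nssdb=$work/nssdb
  pwfile=$work/db-password.txt
  p12pw=$work/p12-password.txt
  noise=$work/noise.bin

  if ! command -v certutil >/dev/null 2>&1 || ! command -v pk12util >/dev/null 2>&1; then
    echo "nss-tools is not installed (sudo dnf install nss-tools); skipping" >&2
    return 0
  fi

  mkdir -p "$work"
  umask 077                                   # password files and key material stay owner-only
  printf 'demo-db-password\n' > "$pwfile"     # assumed password, demonstration only
  printf 'demo-p12-password\n' > "$p12pw"     # assumed password, demonstration only
  head -c 2048 /dev/urandom > "$noise"        # seed for key generation; -z avoids the typing prompt

  nss_create_db "$nssdb" "$pwfile"

  # 1. Private CA: self-signed (-x), explicit 3072-bit RSA key, 5-year validity,
  #    trusted as a CA for SSL server and client auth (CT), e-mail and signing (C).
  #    -2 adds basicConstraints; its prompts are answered on stdin in order:
  #    CA certificate? (y), path length (empty = skip), critical? (y).
  printf 'y\n\ny\n' | certutil -S -d "sql:$nssdb" -f "$pwfile" -z "$noise" \
      -n example_ca -s 'CN=Example Test CA,O=Example Organization,C=CA' \
      -x -t 'CT,C,C' -k rsa -g 3072 -v 60 -m 1 -2 \
      --keyUsage certSigning,crlSigning >/dev/null

  # 2. Server key pair plus CSR (-R). The private key stays in the database;
  #    only the PEM request (-a) is written to a file.
  certutil -R -d "sql:$nssdb" -f "$pwfile" -z "$noise" \
      -s 'CN=www1.example.com,O=Example Organization,C=CA' \
      -k rsa -g 2048 -a -o "$work/www1.csr" >/dev/null

  # 3. Issue the server certificate from the CSR with the CA (-C, -c issuer):
  #    one year, a SAN (-8) and the serverAuth EKU. It is a leaf, not a CA.
  certutil -C -d "sql:$nssdb" -f "$pwfile" -c example_ca \
      -a -i "$work/www1.csr" -o "$work/www1.crt" -v 12 -m 1001 \
      -8 www1.example.com --extKeyUsage serverAuth >/dev/null

  # 4. Import the issued certificate with empty trust flags (a leaf needs no
  #    CA trust). NSS pairs it with the key from step 2, so -K now lists the
  #    key under the nickname www1.
  certutil -A -d "sql:$nssdb" -f "$pwfile" -n www1 -t ',,' -a -i "$work/www1.crt"

  # 5. Validate the chain for SSL server usage (-u V), checking signatures (-e).
  certutil -V -d "sql:$nssdb" -n www1 -u V -e 2>&1 | grep -q 'certificate is valid'

  # 6. Export certificate and private key to PKCS #12, with the database
  #    password (-k) and the PKCS #12 password (-w) read from files.
  pk12util -o "$work/www1.p12" -n www1 -d "sql:$nssdb" -k "$pwfile" -w "$p12pw" >/dev/null

  # 7. Prove the bundle is usable: import it into a second, empty database and
  #    confirm that the private key arrived with the certificate.
  nss_create_db "$work/nssdb2" "$pwfile"
  pk12util -i "$work/www1.p12" -d "sql:$work/nssdb2" -k "$pwfile" -w "$p12pw" >/dev/null
  certutil -K -d "sql:$work/nssdb2" -f "$pwfile" | grep -q 'www1'

  # Final listing: expect example_ca with CTu,Cu,Cu and www1 with u,u,u.
  certutil -L -d "sql:$nssdb"
}

if [ -n "${NSS_DEMO_DIR:-}" ]; then
  nss_demo "$NSS_DEMO_DIR"
fi
```

Run it as NSS_DEMO_DIR=$HOME/nssdemo sh nss_demo.sh; everything it creates stays under that directory. The CA gets CT,C,C because it is meant to issue server and client certificates, while the server certificate gets empty trust flags and relies on the chain to the CA, which is what step 5 checks.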
For more information, see the certutil(1) and pk12util(1) manual pages and the NSS open source project at https://firefox-source-docs.mozilla.org/security/nss/index.html.