NSS

This chapter describes the certutil Network Security Service (NSS) certificate tool available in Oracle Linux and how to use it to create Certificate Signing Requests (CSRs), self-signed certificates, and privately owned CA certificates with NSS database files which store certificates and private keys for applications.

NSS is a set of libraries designed to enable cross-platform development of security-enabled client and server applications. Applications built with NSS work with SSL v2 and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other security standards.

Before you can use certutil to manage certificates, CSRs, and keys, you must have access to the NSS database files. You can use the legacy security databases files (cert8.db for certificates, key3.db for keys, and secmod.db for PKCS #11 module information) or the new SQLite database files (cert9.db for certificates, key4.db for keys, and pkcs11.txt for PKCS #11 modules). This section provides examples from the new database files.

You can also use the related pk12util command to export and import certificates and keys from a PKCS #12 file to an NSS database or the reverse.

To use certutil and pk12util, install the nss-tools package available in the Application Stream repository:
sudo dnf install nss-tools

The following examples show how to use the certutil and pk12util commands.

  • To create an NSS database, run the following command, where database_directory is the home directory where you want to create the cert9.db, key4.db, and pkcs11.txt NSS database files:
    certutil -N -d database_directory
    For example the following creates the database in a folder called nssdb in the user's home directory:
    certutil -N -d $HOME/nssdb
  • To generate a self-signed certificate, run the following command:
    certutil -d database_directory -S -s subject -n nickname -x -t trust_args -o file
    In this example:
    • -S Indicates that you want to create an individual certificate and add it to a certificate database.
    • -s Indicates that you want to specify a distinguished name where subject uses the distinguished name format defined in https://www.rfc-editor.org/rfc/rfc1485.html.
    • -n Indicates that you want to specify a nickname where nickname is the nickname for the entity you're creating.
    • -x Indicates you want to generate the signature for a certificate being created or added to a database, rather than obtaining a signature from a separate CA.
    • -t Indicates you want to add trust arguments where trust_args are the trust attributes that you want to apply to the certificate. Each certificate has three trust categories, expressed in the order SSL, email, object signing for each trust setting. In each category position, use none, any, or all the attribute codes. Valid codes are:
      • p - Valid peer
      • P - Trusted peer (includes p)
      • c - Valid CA
      • C - Trusted CA (includes c)
      • T - Trusted CA for client authentication (SSL server only)
    For example, the following command creates a self-signed certificate for the www1.example.com common name with the nickname example_test. The trust attributes are C (Trusted CA) for each category.
    certutil -d $HOME/nssdb/ -S -s 'CN=www1.example.com, O=Example Organization, L=Ottawa, C=CA' -n example_test -x -t C,C,C
  • To add existing certificates or certificates generated elsewhere, run the following command:
    certutil -A -n nickname -t trust_args -d database_directory -i input-file

    Where:

    • -A Indicates that you want to add a certificate to a certificate database.
    • -i Indicates that you want to provide an input file, such as a certificate file, for example, a PEM file.
    For example:
    certutil -A -n "CN=My SSL Certificate" -t C,C,C -d $HOME/nssdb/ -i $HOME/tls-ca-bundle.pem
  • To list all certificates, run the following command:
    certutil -L -d database_directory

    For example:

    certutil -L -d $HOME/nssdb/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

example_test                                                 Cu,Cu,Cu
CN=My SSL Certificate                                        C,C,C

    When listing certificates, the trust tags might include the u flag indicating that a private key is associated with the certificate.

  • To delete a certificate from the database, run the following command:
    certutil -D -d database_directory -n nickname

    In the previous example, -D indicates that you want to delete a specific certificate from the database.

  • To list all keys, run the following command:
    certutil certutil -K -d database_directory

    For example:

    certutil -K -d $HOME/nssdb/
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
Enter Password or Pin for "NSS Certificate DB":
< 0> rsa      35f4555f329c1490b3570c9d36e1ec56f2329f08   NSS Certificate DB:example_test
< 1> rsa      303936d20b3522e9293b75db3dc48f77c1871767   NSS Certificate DB:example_test2
  • To show a public key in PEM format, run the following command:
    certutil -L -d database_directory -a -n nickname

    For example:

    certutil -L -d $HOME/nssdb/ -a -n example_test
-----BEGIN CERTIFICATE-----
...[certificate text]
-----END CERTIFICATE-----
  • To export a certificate and key into a single PKCS #12 file, run the following command:
    pk12util -o certs.p12 -n example_test -d sql:database_directory
  • To change a certificate, use the -M option. For example, the following changes the trust arguments from C,C,C to P,P,P for the example_test certificate:
    $ certutil -d database_directory -M -t "P,P,P" -n example_test

For more information, see the certutil(1) and pk12util(1) manual pages and the NSS open source project at https://firefox-source-docs.mozilla.org/security/nss/index.html.