certutil
Manage certificates and related services
TLDR
Create a [N]ew certificate database in the current [d]irectory
List all certificates in a database
List all private [K]eys in a database specifying the password [f]ile
[A]dd the signed certificate to the requester's database specifying a [n]ickname, [t]rust attributes and an [i]nput CRT file
Add subject alternative names to a given [c]ertificate with a specific key size ([g])
SYNOPSIS
certutil [options] [arguments]
PARAMETERS
-d
Specifies the database directory. If not specified, uses the default NSS database directory.
-N
Creates a new certificate database.
-L
Lists certificates in the database.
-K
Lists key pairs in the database.
-A
Adds a certificate to the database.
-D
Deletes a certificate from the database.
-M
Modifies a certificate in the database.
-i
Specifies the input file containing the certificate.
-n
Specifies the nickname for the certificate.
-t
Specifies trust attributes for the certificate (e.g., "CT,CT,CT" trusts it as a CA in each of the three comma-separated trust fields).
-f
Specifies the file containing the password for the database.
-P
Specifies the prefix of the NSS database files.
DESCRIPTION
The `certutil` command is a command-line utility within the Network Security Services (NSS) tools. It is primarily used to create, modify, display, and delete certificates and key databases within the NSS framework.
`certutil` is often used to manage certificates for applications like web browsers (Mozilla Firefox, etc.) and mail clients that utilize NSS for secure communication. It allows users to interact with the NSS databases that store certificates, private keys, and other security-related data.
With `certutil` you can perform operations such as listing certificates stored in a database, adding new certificates, deleting existing certificates, and viewing the details of a specific certificate. It's a powerful tool for system administrators and security professionals to manage certificate-based security infrastructure. Its versatility extends to tasks such as generating certificate requests and verifying certificate chains.
CAVEATS
Using `certutil` requires a good understanding of NSS databases and certificate management. Incorrect usage can lead to security vulnerabilities or loss of access to secure resources. Root privileges are often needed for certain operations, such as modifying system-wide NSS databases. Some options' behaviour depends on specific NSS configurations. The documentation can be sparse at times.
DATABASE LOCATIONS
The default location for NSS databases varies depending on the system and application. For system-wide databases, it's often in `/etc/pki/nssdb` or `/usr/share/pki/nssdb`. For user-specific databases, it's usually within the user's home directory (e.g., `~/.mozilla/firefox/
TRUST FLAGS
The trust flags set with the `-t` option control how the certificate is trusted by the application. Common trust flags include 'C' (trust as CA), 'T' (trust for TLS), and 'u' (trust for user authentication). Multiple flags can be combined (e.g., "CTu").
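As an added example (not code from this page or from NSS itself), the script below parses the table that `certutil -L -d <dir>` prints, whose trust column holds three comma-separated fields for SSL, S/MIME and object signing, and reports every nickname carrying trusted-CA flags ('C' or 'T') so an administrator can spot an unexpected root. The embedded listing is constructed for the demo, and `audit_db` assumes a `certutil` binary on PATH producing that table layout.

```python
"""Audit trusted-CA flags in a `certutil -L` listing (added example, not NSS code).
Parses the table `certutil -L -d <dir>` prints and reports which entries are
trusted as a CA; an unexpected 'C' or 'T' is what an injected rogue root looks like."""

import re
import subprocess
from typing import Dict, List, NamedTuple

CATEGORIES = ("SSL", "S/MIME", "JAR/XPI")   # order of the three trust fields
TRUSTED_CA_FLAGS = set("CT")   # C: trusted CA, T: trusted CA for client auth; lowercase c = valid but untrusted
# Matches "<nickname>   <ssl>,<smime>,<objsign>"; header and blank lines do not match.
_ROW = re.compile(r"^(.*?)\s+([pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*)\s*$")
# Constructed sample of certutil -L output used for the offline demo.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Example Root CA                                              CT,C,C
intermediate-untrusted                                       c,c,c
Server Certificate                                           u,u,u
Imported Proxy Root                                          CT,,
"""
class TrustEntry(NamedTuple):
    nickname: str
    flags: Dict[str, str]   # category -> flag letters, e.g. {"SSL": "CT", ...}

def parse_listing(text: str) -> List[TrustEntry]:
    """Turn the certutil -L table into TrustEntry records (one per certificate row)."""
    entries = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            fields = m.group(2).split(",")
            entries.append(TrustEntry(m.group(1).strip(), dict(zip(CATEGORIES, fields))))
    return entries

def ca_trusted(entries: List[TrustEntry]) -> Dict[str, List[str]]:
    """Map each nickname trusted as a CA to the categories in which it is trusted."""
    found = {}
    for e in entries:
        cats = [c for c in CATEGORIES if TRUSTED_CA_FLAGS & set(e.flags[c])]
        if cats:
            found[e.nickname] = cats
    return found

def audit_db(db_dir: str) -> Dict[str, List[str]]:
    """Run certutil against a real database (assumes certutil is on PATH)."""
    proc = subprocess.run(["certutil", "-L", "-d", db_dir], check=True, capture_output=True, text=True)
    return ca_trusted(parse_listing(proc.stdout))
```

Compare the output against the roots you expect in the database; a user-added nickname with 'CT' in the SSL field deserves the same scrutiny as a change to the system trust store.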
HISTORY
The `certutil` command is part of the Network Security Services (NSS) project, initially developed by Netscape and later open-sourced by Mozilla. Its primary purpose has always been managing certificates and key databases within the NSS environment.
It's been a core component for applications like Firefox, Thunderbird, and other software relying on NSS for security. Over time, it has been enhanced to support new certificate standards and cryptographic algorithms. The command is crucial for automating management tasks that would otherwise be cumbersome and error-prone if performed manually.
SEE ALSO
pk12util(1), modutil(1), nss(3)