certutil

List certificates in database

$ certutil -L -d [~/.pki/nssdb]

$ certutil -A -n "[alias]" -t "CT,," -d [~/.pki/nssdb] -i [cert.pem]

$ certutil -G -d [~/.pki/nssdb] -n "[keyname]"

$ certutil -D -n "[alias]" -d [~/.pki/nssdb]

$ certutil -S -n "[alias]" -x -t "CT,," -d [~/.pki/nssdb] -s "CN=[hostname]"

$ certutil -L -d [~/.pki/nssdb] -n "[alias]"

certutil [options]

certutil manages keys and certificates in NSS (Network Security Services) databases. It creates, modifies, lists, and deletes certificates and key pairs used by applications built on the NSS library, including Firefox, Thunderbird, and Chromium-based browsers.
NSS databases store certificates in a directory-based format, with modern versions using SQLite (specified with the `sql:` prefix). The tool handles the full certificate lifecycle including generating key pairs, creating self-signed certificates, importing CA certificates, and managing trust flags that control how certificates are used for SSL, email signing, and code signing.
Trust flags follow the format "SSL,Email,Object Signing" where `C` marks a trusted CA and `T` marks a certificate trusted for client authentication.

-A

Add certificate to database

Delete certificate from database

List certificates

Generate new key pair

Create and add self-signed certificate

Generate certificate request

Create certificate from request

List keys in database

Database directory (use sql: prefix for SQLite)

Certificate nickname/alias

Trust flags (e.g., "CT,,")

Input file

Output file

Self-sign certificate

Subject DN string

Validity period in months

sql:dir: SQLite database (preferred)
dbm:dir: Legacy BerkeleyDB format

Format: "SSL,Email,Object Signing" (e.g., "CT,,")
C: Trusted CA
T: Trusted for client auth
p: Valid peer

Requires nss-tools package. Use sql: prefix for modern databases. Handles sensitive keys; run with minimal privileges.

openssl(1), pk12util(1), modutil(1)