certutil
Manage certificates and related services
TLDR
Create a [N]ew certificate database in the current [d]irectory
List all certificates in a database
List all private [K]eys in a database specifying the password [f]ile
[A]dd the signed certificate to the requester's database, specifying a [n]ickname, [t]rust attributes and an [i]nput CRT file
Add subject alternative names to a given [c]ertificate with a specific key size ([g])
SYNOPSIS
certutil [global-options] command [command-options] [arguments]
Examples:
certutil -L -d /path/to/nssdb
certutil -A -n "My Cert" -t "C,," -d /path/to/nssdb -i cert.pem
PARAMETERS
-d <database_directory>
Specifies the directory containing the NSS certificate and key database files. Common paths include ~/.pki/nssdb or /etc/pki/nssdb.
-P <database_prefix>
Specifies the database type prefix, typically sql: for SQLite-based NSS databases.
-N
Prompts to set a new password for the NSS database, or change an existing one.
-W <password>
Specifies the password for the NSS database directly on the command line. Use with caution as it can expose the password in shell history.
-L
List Certificates: Displays certificates and their trust attributes stored in the specified NSS database.
-A
Add Certificate: Adds a new certificate to the database. Often used with -n (nickname), -t (trust attributes), and -i (input file).
-D
Delete Certificate: Removes a certificate from the database. Requires the certificate's nickname via -n.
-S
Generate Key Pair / CSR: Generates a new RSA or ECC key pair and optionally a Certificate Signing Request (CSR).
-V
Verify Certificate: Verifies the validity, signature, and trust chain of a certificate. Can operate on certificates in the database (with -n) or from a file (with -i).
-M
Modify Trust Attributes: Changes the trust attributes of an existing certificate in the database. Requires -n and -t.
-E
Export Certificate/Key: Exports a certificate, key, or entire PKCS#12 bundle from the database to a file.
-I
Import Certificate/Key: Imports a certificate or key into the database from a file.
-K
List Keys: Displays private keys stored in the database, along with their associated nicknames.
DESCRIPTION
certutil is a command-line utility provided by the Network Security Services (NSS) cryptographic library. On Linux, it's typically found within the nss-tools package. Its primary purpose is to manage certificates, key pairs, and Certificate Revocation Lists (CRLs) stored in NSS databases. These databases are often used by applications like web browsers (e.g., Firefox), email clients, and servers (e.g., Apache with mod_nss) to store cryptographic objects.
certutil allows users to perform various operations, including listing, adding, deleting, and modifying certificates, generating new key pairs and certificate requests (CSRs), verifying certificate chains, managing trust settings, and importing/exporting cryptographic objects in various formats (e.g., PEM, DER, PKCS#12). It's a powerful tool for administrators and developers working with Public Key Infrastructure (PKI) and secure communications based on NSS.
CAVEATS
Complexity: certutil has a large number of options and subcommands, making it complex to master. Refer to the manual page for comprehensive usage.
NSS Database Specific: It primarily manages NSS databases, not generic system-wide certificate stores (like those used by OpenSSL).
Password Security: Directly providing passwords on the command line using -W is insecure as it can be stored in shell history or visible in process listings.
Package Dependency: On Linux, certutil is typically provided by the nss-tools or a similar package and may not be installed by default.
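The password caveat above has a simple mitigation that the TLDR already hints at: hand certutil a password [f]ile instead of the -W value. The POSIX shell script below is an added example (not from the certutil manual or the NSS project); it writes the password read from stdin into an owner-only temp file, passes it with -f, and removes it afterwards. The NSS_DB_PASSWORD variable name and the database path are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the certutil man page): keep the NSS database
# password out of argv, "ps" output and shell history by passing it through
# a file created with owner-only permissions and using "-f <file>" instead
# of "-W <password>". The NSS_DB_PASSWORD name and the paths are assumptions.

# make_pwfile: write the password arriving on stdin into a 0600 temp file
# and print that file's path. The secret never appears on a command line.
make_pwfile() {
    old_umask=$(umask)
    umask 077                       # file is readable by its owner only
    pwfile=$(mktemp "${TMPDIR:-/tmp}/nsspw.XXXXXX") || return 1
    umask "$old_umask"
    cat > "$pwfile" || { rm -f "$pwfile"; return 1; }
    printf '%s\n' "$pwfile"
}

# pwfile_mode: print the permission string of a file, e.g. "-rw-------",
# so a caller can confirm nobody else can read the password file.
pwfile_mode() {
    ls -ld "$1" | cut -c1-10
}

# build_init_cmd: compose the certutil line that creates a new database
# with the password file. The command is safe to log: it names the file,
# not the password.
build_init_cmd() {
    printf 'certutil -N -d %s -f %s\n' "$1" "$2"
}

# init_nssdb: create an NSS database at $1 with the password read from
# stdin. certutil is run only if it is installed; otherwise the command
# that would have run is printed and the function returns 0.
init_nssdb() {
    dbdir=$1
    pwfile=$(make_pwfile) || return 1
    trap 'rm -f "$pwfile"' EXIT       # never leave the password file behind
    mkdir -p "$dbdir"
    if command -v certutil >/dev/null 2>&1; then
        if certutil -N -d "$dbdir" -f "$pwfile"; then status=0; else status=$?; fi
    else
        echo "certutil not installed; would run: $(build_init_cmd "$dbdir" "$pwfile")" >&2
        status=0
    fi
    rm -f "$pwfile"; trap - EXIT
    return "$status"
}

# Usage (the password never touches argv or shell history):
#   printf '%s' "$NSS_DB_PASSWORD" | init_nssdb "$HOME/.pki/nssdb"
```

The same pattern applies to every certutil command that accepts -f: create the password file once with make_pwfile, pass it with -f to -L, -K, -A and friends, and delete it when the session is done.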
NSS DATABASE LOCATIONS
NSS databases are typically stored in specific directories. For user-specific applications like Firefox, they might be in ~/.pki/nssdb or within the application's profile directory (e.g., ~/.mozilla/firefox/<profile>/). System-wide NSS databases might be found in locations like /etc/pki/nssdb, depending on the distribution and configuration.
CERTIFICATE TRUST ATTRIBUTES (-t)
When adding or modifying certificates, the -t option specifies trust attributes. It's a string of three comma-separated fields, one character each in the examples below, representing trust for SSL client, SSL server, and email. The order is SSL-client, SSL-server, email. Common attributes include:
C,C,C: Trust for SSL client, SSL server, and email (Certificate Authority for all uses).
C,C,T: Trust for SSL client and SSL server, and trusted for email signing.
,,C: Trusted for email signing only (not for client/server authentication).
p,p,p: Default trust (e.g., for self-signed certificates, if policy permits).
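A malformed -t string is rejected by certutil, but a well-formed string with the wrong letter (C where p was meant) is accepted silently and turns a peer certificate into a trusted CA. The POSIX shell functions below are an added example (not part of the page or of NSS): they check that a trust string has exactly three comma-separated fields built only from the flag letters documented for NSS trust strings (p, P, c, C, T, u), expose each field, and flag which fields grant CA trust before the string reaches certutil -A or -M. The add_cert_checked wrapper and its argument order are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the certutil man page): validate a -t trust string
# before it reaches "certutil -A" or "certutil -M". A valid string has exactly
# three comma-separated fields; each field may be empty or hold any
# combination of the NSS flag letters p, P, c, C, T and u.

# valid_trust: return 0 when $1 is a well-formed trust string, 1 otherwise.
valid_trust() {
    t=$1
    # exactly two commas means exactly three fields
    commas=$(printf '%s' "$t" | tr -cd ',' | wc -c | tr -d ' ')
    [ "$commas" -eq 2 ] || return 1
    # remove commas and allowed flags; anything left is an illegal character
    rest=$(printf '%s' "$t" | tr -d ',pPcCTu')
    [ -z "$rest" ]
}

# trust_field: print field $2 (1, 2 or 3) of trust string $1, or "-" when
# that field is empty, so the output is never an empty line.
trust_field() {
    f=$(printf '%s' "$1" | cut -d, -f"$2")
    printf '%s\n' "${f:--}"
}

# grants_ca: return 0 if field $2 of $1 marks a trusted CA (contains "C").
# Use it to spot strings that grant more trust than a peer certificate needs.
grants_ca() {
    case $(trust_field "$1" "$2") in
        *C*) return 0 ;;
        *)   return 1 ;;
    esac
}

# add_cert_checked: refuse to call certutil -A with a malformed trust string.
# Arguments: database dir, nickname, trust string, PEM file (assumed order).
# certutil runs only when installed; otherwise the command is echoed.
add_cert_checked() {
    db=$1; nick=$2; trust=$3; pem=$4
    valid_trust "$trust" || { echo "bad trust string: $trust" >&2; return 2; }
    if command -v certutil >/dev/null 2>&1; then
        certutil -A -d "$db" -n "$nick" -t "$trust" -i "$pem"
    else
        echo "would run: certutil -A -d $db -n \"$nick\" -t \"$trust\" -i $pem" >&2
    fi
}

# Usage:
#   add_cert_checked /path/to/nssdb "My Cert" "C,," cert.pem
```

In a provisioning script, pair grants_ca with a policy check: for example, refuse any string that grants CA trust in a field where the certificate being imported is only ever expected to act as a peer.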
HISTORY
certutil is an integral part of the Network Security Services (NSS) cryptographic library, which was originally developed by Netscape Communications Corporation. NSS was made open source in 1999, becoming a foundational component for various open-source projects, most notably Mozilla Firefox and other Mozilla-based applications. Its development has been continuous under the NSS project, adapting to evolving cryptographic standards and security requirements. On Linux, it's typically distributed as part of the nss-tools package, making it available for system administrators and developers managing NSS-based certificate stores.