certutil

Create a [N]ew certificate database in the current [d]irectory

$ certutil -N -d .

$ certutil -L -d .

$ certutil -K -d . -f [path/to/password_file.txt]

$ certutil -A -n "[server_certificate]" -t ",," -i [path/to/file.crt] -d .

$ certutil -S -f [path/to/password_file.txt] -d . -t ",," -c "[server_certificate]" -n "[server_name]" -g [2048] -s "CN=[common_name],O=[organization]"

certutil [options] [arguments]

-d
    Specifies the database directory. If not specified, uses the default NSS database directory.

-N
    Creates a new certificate database.

-L
    Lists certificates in the database.

-K
    Lists key pairs in the database.

-A
    Adds a certificate to the database.

-D
    Deletes a certificate from the database.

-M
    Modifies a certificate in the database.

-i
    Specifies the input file containing the certificate.

-n
    Specifies the nickname for the certificate.

-t
    Specifies trust attributes for the certificate. (e.g., "CT,CT,CT" for trust as CA, CA, CA)

-f
    Specifies the file containing the password for the database.

-P
    Specifies the prefix of NSS database files

The `certutil` command is a command-line utility within the Network Security Services (NSS) tools. It is primarily used to create, modify, display, and delete certificates and key databases within the NSS framework.

`certutil` is often used to manage certificates for applications like web browsers (Mozilla Firefox, etc.) and mail clients that utilize NSS for secure communication. It allows users to interact with the NSS databases that store certificates, private keys, and other security-related data.

With `certutil` you can perform operations such as listing certificates stored in a database, adding new certificates, deleting existing certificates, and viewing the details of a specific certificate. It's a powerful tool for system administrators and security professionals to manage certificate-based security infrastructure. Its versatility extends to tasks such as generating certificate requests and verifying certificate chains.

Using `certutil` requires a good understanding of NSS databases and certificate management. Incorrect usage can lead to security vulnerabilities or loss of access to secure resources. Root privileges are often needed for certain operations, such as modifying system-wide NSS databases. Some options' behaviour depends on specific NSS configurations. The documentation can be sparse at times.

The default location for NSS databases varies depending on the system and application. For system-wide databases, it's often in `/etc/pki/nssdb` or `/usr/share/pki/nssdb`. For user-specific databases, it's usually within the user's home directory (e.g., `~/.mozilla/firefox//` for Firefox).

The trust flags set with the `-t` option control how the certificate is trusted by the application. Common trust flags include 'C' (trust as CA), 'T' (trust for TLS), and 'u' (trust for user authentication). Multiple flags can be combined (e.g., "CTu").

The `certutil` command is part of the Network Security Services (NSS) project, initially developed by Netscape and later open-sourced by Mozilla. Its primary purpose has always been managing certificates and key databases within the NSS environment.

It's been a core component for applications like Firefox, Thunderbird, and other software relying on NSS for security. Over time, it has been enhanced to support new certificate standards and cryptographic algorithms. The command is crucial to automate management tasks that would otherwise be cumbersome and error-prone if performed manually.

pk12util(1), modutil(1), nss(3)