LinuxCommandLibrary

dbwrap_tool

Database schema and data management

SYNOPSIS

dbwrap_tool [global-options] subcommand [subcommand-options] [arguments]

PARAMETERS

--dbpath <path>
    Specifies the absolute path to the NSS database directory. This option is crucial for most operations.

--pwdfile <file>
    Specifies the path to a file containing the database password.

--password <password>
    Specifies the database password directly on the command line. Use with caution: command-line arguments can be exposed through process listings and shell history, so this is less secure than a password file.

-h, --help
    Displays a brief help message for the command or the specified subcommand.

-v, --verbose
    Enables verbose output, providing more detailed information about the operation.

DESCRIPTION

The dbwrap_tool is a specialized command-line utility used within the Dogtag Certificate System (PKI) to interact with its internal database. This database, often referred to as the 'dbwrap' database, is an abstraction layer built on top of an NSS (Network Security Services) database.

It is primarily used by administrators of PKI instances (like those found in FreeIPA deployments) to manage cryptographic objects such as certificates, private keys, and trust anchors directly within the PKI's security module database. Common operations include listing, importing, exporting, and deleting certificates or keys, as well as managing their trust settings. Unlike generic database tools, dbwrap_tool is tailored specifically for the structure and requirements of the Dogtag PKI's cryptographic store, making it a critical tool for PKI maintenance and troubleshooting.

CAVEATS

dbwrap_tool is not a general-purpose database management tool. It is specifically designed for the Dogtag Certificate System's internal NSS database.

Direct manipulation of the PKI database using this tool should only be performed by experienced administrators, as incorrect operations can compromise the integrity and security of the PKI instance. Ensure proper backups are in place before making significant changes.

KEY SUBCOMMANDS

While general options exist, dbwrap_tool primarily operates through subcommands, each with its own specific options and arguments. Common subcommands include:

status
    Check database status.

list
    Enumerate certificates, keys, or objects.

import
    Add new cryptographic material.

export
    Retrieve existing material.

delete
    Remove entries.

modify
    Change properties like trust flags.

To get help on a specific subcommand, use dbwrap_tool subcommand --help.

HISTORY

The dbwrap_tool is an integral part of the Dogtag Certificate System, an open-source PKI solution that has been under development for many years, evolving from the Mozilla NSS libraries. Its usage is tightly coupled with deployments of Dogtag PKI, notably as the underlying PKI component in FreeIPA, where it manages the cryptographic material for certificates, keys, and trust policies.

SEE ALSO

certutil(1), pk12util(1), modutil(1), ipa(1), pki-server(8)
