Using Network Security Services (NSS) Tools

Using the certutil Utility

Before running certutil, make sure that LD_LIBRARY_PATH points to the location of the libraries required for this utility to run. This location can be identified from the value of AS_NSS_LIB in asenv.conf (product wide configuration file).

The certificate database tool, certutil, is an NSS command-line utility that can create and modify the Netscape Communicator cert8.db and key3.db database files. It can also list, generate, modify, or delete certificates within the cert8.db file and create or change the password, generate new public and private key pairs, display the contents of the key database, or delete key pairs within the key3.db file.

The key and certificate management process generally begins with creating keys in the key database, then generating and managing certificates in the certificate database. The following document discusses certificate and key database management with NSS, including the syntax for the certutil utility: http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html.

Each of the items in the list below gives an example using NSS and JSSE security tools to create and/or manage certificates.

Generate a self-signed server and client certificate. In this example, the CN must be of the form hostname.domain.[comorgnet...].

In this example, domain-dir/config. The serverseed.txt and clientseed.txt files can contain any random text. This random text will be used for generating the key pair.

certutil -S -n $SERVER_CERT_NAME -x -t "u,u,u"

-s "CN=$HOSTNAME.$HOSTDOMAIN, OU=Java Software, O=Sun Microsystems Inc., L=Santa Clara, ST=CA, C=US"

-m 25001 -o $CERT_DB_DIR/Server.crt

-d $CERT_DB_DIR -f passfile <$CERT_UTIL_DIR/serverseed.txt

Generate the client certificate. This certificate is also a self-signed certificate.

certutil -S -n $CLIENT_CERT_NAME -x -t "u,u,u"

-s "CN=MyClient, OU=Java Software, O=Sun Microsystems Inc., L=Santa Clara, ST=CA, C=US"

-m 25002 -o $CERT_DB_DIR/Client.crt

-d $CERT_DB_DIR -f passfile <$CERT_UTIL_DIR/clientseed.txt

Verify the certificates generated in the previous bullet.

certutil -V -u V -n $SERVER_CERT_NAME -d $CERT_DB_DIR certutil -V -u C -n $CLIENT_CERT_NAME -d $CERT_DB_DIR

Display available certificates.

certutil -L -d $CERT_DB_DIR

Chapter 9 • Configuring Security

117

Page 116 Page 118
Page 117
Image 117
Sun Microsystems 820433510 manual Using the certutil Utility, Verify the certificates generated in the previous bullet
Page 116 Page 118
Top Page Image Contents