Using the certutil Utility
Before running certutil, make sure that LD_LIBRARY_PATH points to the location of the
libraries required for this utility to run. This location can be identified from the value of
AS_NSS_LIB in asenv.conf (product-wide configuration file).
Thecerticate database tool, certutil, is an NSS command-line utility that can create and
modifythe Netscape Communicator cert8.db and key3.db database les. It can also list,
generate,modify, or delete certicates within the cert8.db le and create or change the
password,generate new public and private key pairs, display the contents of the key database, or
deletekey pairs within the key3.db le.
The key and certificate management process generally begins with creating keys in the key
database, then generating and managing certificates in the certificate database. The following
document discusses certificate and key database management with NSS, including the syntax
for the certutil utility:
http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html.
Each of the items in the list below gives an example using NSS and JSSE security tools to create
and/or manage certificates.

• Generate a self-signed server and client certificate. In this example, the CN must be of the
  form hostname.domain.[com|org|net|...].
  In this example, domain-dir/config. The serverseed.txt and clientseed.txt files can
  contain any random text. This random text will be used for generating the key pair.

    certutil -S -n $SERVER_CERT_NAME -x -t "u,u,u" \
    -s "CN=$HOSTNAME.$HOSTDOMAIN, OU=Java Software, O=Sun Microsystems Inc., \
    L=Santa Clara, ST=CA, C=US" \
    -m 25001 -o $CERT_DB_DIR/Server.crt \
    -d $CERT_DB_DIR -f passfile <$CERT_UTIL_DIR/serverseed.txt

• Generate the client certificate. This certificate is also a self-signed certificate.

    certutil -S -n $CLIENT_CERT_NAME -x -t "u,u,u" \
    -s "CN=MyClient, OU=Java Software, O=Sun Microsystems Inc., \
    L=Santa Clara, ST=CA, C=US" \
    -m 25002 -o $CERT_DB_DIR/Client.crt \
    -d $CERT_DB_DIR -f passfile <$CERT_UTIL_DIR/clientseed.txt

• Verify the certificates generated in the previous bullet.

    certutil -V -u V -n $SERVER_CERT_NAME -d $CERT_DB_DIR
    certutil -V -u C -n $CLIENT_CERT_NAME -d $CERT_DB_DIR

• Display available certificates.

    certutil -L -d $CERT_DB_DIR
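The four steps above, wrapped in a POSIX sh script that also performs the checks an administrator would want before touching the key database. This is an added example, not code from the Sun documentation or from NSS: it reads AS_NSS_LIB from asenv.conf to set LD_LIBRARY_PATH as the note at the top of the section requires, rejects a server CN that is not of the form hostname.domain.tld, refuses a password file (the -f argument, which unlocks key3.db) that is readable by group or others, and seeds the two seed files from /dev/urandom. The asenv.conf line format, the default paths, the certificate nicknames and the sample asenv.conf are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the Sun/GlassFish documentation: a POSIX sh
# wrapper around the certutil sequence (generate server cert, generate client
# cert, verify both, list the database). Paths, nicknames and the asenv.conf
# line format are assumptions; the sample asenv.conf is constructed for the demo.

# Print the AS_NSS_LIB value from an asenv.conf (assumes lines like
# AS_NSS_LIB="/opt/SUNWappserver/lib"); return 1 if the setting is absent.
nss_lib_from_asenv() {
    line=$(grep -E '^[[:space:]]*AS_NSS_LIB=' "$1" | tail -n 1)
    [ -n "$line" ] || return 1
    value=${line#*=}
    value=${value#\"}; value=${value%\"}      # drop surrounding double quotes
    printf '%s\n' "$value"
}

# The text requires the server CN to be hostname.domain.[com|org|net|...]:
# at least three dot-separated labels, the last one alphabetic.
valid_server_cn() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9-]+\.[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$'
}

# Subject DN used by the examples above, with the CN substituted.
subject_for() {
    printf 'CN=%s, OU=Java Software, O=Sun Microsystems Inc., L=Santa Clara, ST=CA, C=US' "$1"
}

# The -f password file unlocks key3.db, so it must not be readable by group or
# others (columns 5-10 of the ls -l permission string must all be '-').
check_passfile() {
    [ -f "$1" ] || { echo "password file $1 missing" >&2; return 1; }
    case "$(ls -ld "$1" | cut -c5-10)" in
        ------) return 0 ;;
        *) echo "password file $1 is readable by others; chmod 600 it" >&2; return 1 ;;
    esac
}

# Constructed sample asenv.conf for the demo; prints the temp file path.
demo_asenv_conf() {
    f=$(mktemp)
    printf '%s\n' 'AS_JAVA="/usr/jdk/latest"' 'AS_NSS_LIB="/opt/SUNWappserver/lib"' > "$f"
    printf '%s\n' "$f"
}

# Full procedure; every path and name here is an assumed default.
run_certutil_procedure() {
    ASENV_CONF=${ASENV_CONF:-/opt/SUNWappserver/config/asenv.conf}
    CERT_DB_DIR=${CERT_DB_DIR:-/opt/SUNWappserver/domains/domain1/config}   # domain-dir/config
    CERT_UTIL_DIR=${CERT_UTIL_DIR:-$CERT_DB_DIR}
    SERVER_CERT_NAME=${SERVER_CERT_NAME:-s1as}
    CLIENT_CERT_NAME=${CLIENT_CERT_NAME:-MyClient}
    HOSTNAME=${HOSTNAME:-$(hostname)}
    HOSTDOMAIN=${HOSTDOMAIN:-example.com}
    PASSFILE=${PASSFILE:-$CERT_DB_DIR/passfile}

    nsslib=$(nss_lib_from_asenv "$ASENV_CONF") || { echo "AS_NSS_LIB not set in $ASENV_CONF" >&2; return 1; }
    # Prepend rather than replace, so other libraries already on the path keep working.
    LD_LIBRARY_PATH="$nsslib${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"; export LD_LIBRARY_PATH
    valid_server_cn "$HOSTNAME.$HOSTDOMAIN" || { echo "server CN must be hostname.domain.tld" >&2; return 1; }
    check_passfile "$PASSFILE" || return 1

    # The text says any random text works as seed; real randomness is the safer choice.
    head -c 512 /dev/urandom > "$CERT_UTIL_DIR/serverseed.txt"
    head -c 512 /dev/urandom > "$CERT_UTIL_DIR/clientseed.txt"

    certutil -S -n "$SERVER_CERT_NAME" -x -t "u,u,u" -s "$(subject_for "$HOSTNAME.$HOSTDOMAIN")" \
        -m 25001 -o "$CERT_DB_DIR/Server.crt" -d "$CERT_DB_DIR" -f "$PASSFILE" \
        < "$CERT_UTIL_DIR/serverseed.txt"
    certutil -S -n "$CLIENT_CERT_NAME" -x -t "u,u,u" -s "$(subject_for MyClient)" \
        -m 25002 -o "$CERT_DB_DIR/Client.crt" -d "$CERT_DB_DIR" -f "$PASSFILE" \
        < "$CERT_UTIL_DIR/clientseed.txt"
    certutil -V -u V -n "$SERVER_CERT_NAME" -d "$CERT_DB_DIR"   # usable as SSL server cert?
    certutil -V -u C -n "$CLIENT_CERT_NAME" -d "$CERT_DB_DIR"   # usable as SSL client cert?
    certutil -L -d "$CERT_DB_DIR"
}

# Only run the real procedure when invoked as: sh this_script.sh run
if [ "${1:-}" = run ]; then
    run_certutil_procedure
fi
```

Run it as `sh certs.sh run` after exporting CERT_DB_DIR, HOSTNAME, HOSTDOMAIN and PASSFILE for the target domain; the pre-checks fail closed, so a misnamed CN or a world-readable password file stops the script before any database is written.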
Using Network Security Services (NSS) Tools
Chapter 9 • Configuring Security 117