Using the certutil Utility
Before running certutil, make sure that LD_LIBRARY_PATH points to the location of the
libraries required for this utility to run. This location can be identified from the value of
AS_NSS_LIB in asenv.conf (the product-wide configuration file).

The certificate database tool, certutil, is an NSS command-line utility that can create and
modify the Netscape Communicator cert8.db and key3.db database files. It can also list,
generate, modify, or delete certificates within the cert8.db file and create or change the
password, generate new public and private key pairs, display the contents of the key database, or
delete key pairs within the key3.db file.

The key and certificate management process generally begins with creating keys in the key
database, then generating and managing certificates in the certificate database. The following
document discusses certificate and key database management with NSS, including the syntax
for the certutil utility:
http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html.

Each of the items in the list below gives an example using NSS and JSSE security tools to create
and/or manage certificates.
■ Generate a self-signed server and client certificate. In this example, the CN must be of the
form hostname.domain.[com|org|net|...].
In this example, $CERT_DB_DIR is domain-dir/config. The serverseed.txt and clientseed.txt files can
contain any random text. This random text will be used for generating the key pair.

certutil -S -n $SERVER_CERT_NAME -x -t "u,u,u" \
    -s "CN=$HOSTNAME.$HOSTDOMAIN, OU=Java Software, O=Sun Microsystems Inc., L=Santa Clara, ST=CA, C=US" \
    -m 25001 -o $CERT_DB_DIR/Server.crt \
    -d $CERT_DB_DIR -f passfile <$CERT_UTIL_DIR/serverseed.txt

Generate the client certificate. This certificate is also a self-signed certificate.

certutil -S -n $CLIENT_CERT_NAME -x -t "u,u,u" \
    -s "CN=MyClient, OU=Java Software, O=Sun Microsystems Inc., L=Santa Clara, ST=CA, C=US" \
    -m 25002 -o $CERT_DB_DIR/Client.crt \
    -d $CERT_DB_DIR -f passfile <$CERT_UTIL_DIR/clientseed.txt
■ Verify the certificates generated in the previous bullet.

certutil -V -u V -n $SERVER_CERT_NAME -d $CERT_DB_DIR
certutil -V -u C -n $CLIENT_CERT_NAME -d $CERT_DB_DIR

■ Display available certificates.

certutil -L -d $CERT_DB_DIR
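The three steps above as one runnable wrapper, added here as an example and not code from the guide or the product: it takes LD_LIBRARY_PATH from AS_NSS_LIB in asenv.conf, enforces the hostname.domain.tld form of the server CN before anything is issued, runs the generate, verify and list steps, and parses the certutil -L listing to confirm the trust flags. The nicknames, seed file names and password file name are assumptions.

```sh
#!/bin/sh
# Added example, not from the guide: the guide's certutil steps wrapped in shell functions.
# Assumed: nicknames server-cert/client-cert, seed files serverseed.txt/clientseed.txt and
# the password file "passfile" in the current directory; asenv.conf is read from stdin.

# Extract the AS_NSS_LIB value (quoted or unquoted) from asenv.conf text on stdin.
nss_lib_from_asenv() {
  sed -n 's/^AS_NSS_LIB="\{0,1\}\([^"]*\)"\{0,1\}$/\1/p'
}

# The guide requires a server CN of the form hostname.domain.tld; reject anything else
# before certutil bakes it into a certificate that clients compare against the host name.
valid_server_cn() {
  printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+\.[A-Za-z]{2,}$'
}

# Turn `certutil -L` output (stdin) into "nickname<TAB>trust" lines: skip the two header
# lines, take the trust flags as the last field so nicknames containing spaces survive.
parse_cert_list() {
  awk 'NR > 2 && NF >= 2 { t = $NF; sub(/[ \t]+[^ \t]+$/, ""); print $0 "\t" t }'
}

# Print the trust flags recorded for one nickname (empty output: not in the database).
trust_for() {
  parse_cert_list | awk -F '\t' -v n="$1" '$1 == n { print $2 }'
}

# The full procedure: generate both self-signed certificates, verify each for its
# intended usage (-u V = SSL server, -u C = SSL client), confirm the server trust flags.
generate_and_verify() {
  db_dir=$1 host=$2 domain=$3 asenv=$4
  valid_server_cn "$host.$domain" || { echo "CN must be hostname.domain.tld" >&2; return 1; }
  export LD_LIBRARY_PATH="$(nss_lib_from_asenv < "$asenv")${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
  subj="OU=Java Software, O=Sun Microsystems Inc., L=Santa Clara, ST=CA, C=US"
  certutil -S -n server-cert -x -t "u,u,u" -s "CN=$host.$domain, $subj" -m 25001 \
    -o "$db_dir/Server.crt" -d "$db_dir" -f passfile < serverseed.txt
  certutil -S -n client-cert -x -t "u,u,u" -s "CN=MyClient, $subj" -m 25002 \
    -o "$db_dir/Client.crt" -d "$db_dir" -f passfile < clientseed.txt
  certutil -V -u V -n server-cert -d "$db_dir"
  certutil -V -u C -n client-cert -d "$db_dir"
  [ "$(certutil -L -d "$db_dir" | trust_for server-cert)" = "u,u,u" ]
}

# Constructed samples (not real output) so the parsers can be exercised without NSS.
SAMPLE_ASENV='AS_NSS_LIB="/opt/SUNWappserver/lib"'
SAMPLE_LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

server-cert                                                  u,u,u
client-cert                                                  u,u,u'
```

Run the whole procedure with generate_and_verify "$CERT_DB_DIR" myhost example.com /path/to/asenv.conf; it returns non-zero if the CN is malformed, any certutil step fails, or the server certificate does not carry the u,u,u trust flags.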
Using Network Security Services (NSS) Tools
Chapter 9 • Configuring Security 117