Using Hardware Crypto Accelerator With Enterprise Server

Listing Keys and Certificates

To list the keys and certificates in the configured PKCS#11 tokens, run the following command:

certutil -L -d AS_NSS_DB [-h tokenname]

For example, to list the contents of the default NSS soft token, type:

certutil -L -d AS_NSS_DB

The standard output will be similar to the following:

verisignc1g1T,c,c

verisignc1g2T,c,c

verisignc1g3T,c,c

verisignc2g3T,c,c

verisignsecureserver T,c,c

verisignc2g1T,c,c

verisignc2g2T,c,c

verisignc3g1T,c,c

verisignc3g2T,c,c

verisignc3g3T,c,c

s1as

u,u,u

The output displays the name of the token in the left column and a set of three trust attributes in the right column. For Enterprise Server certificates, it is usually T,c,c. Unlike the J2SE java.security.KeyStore API, which contains only one level of trust, the NSS technology contains several levels of trust. Enterprise Server is primarily interested in the first trust attribute, which describes how this token uses SSL. For this attribute:

T indicates that the Certificate Authority (CA) is trusted for issuing client certificates. u indicates that you can use the certificates (and keys) for authentication or signing. The attribute combination of u,u,u indicates that a private key exists in the database.

To list the contents of the hardware token, mytoken, run the following command:

certutil -L -d AS_NSS_DB -h mytoken

You will be prompted for the password for the hardware token. The standard output is similar to the following:

Enter Password or Pin for "mytoken":

mytoken:Server-Cert

u,u,u

Chapter 9 • Configuring Security

123

Page 123
Image 123
Sun Microsystems 820433510 manual Listing Keys and Certificates, Standard output will be similar to the following