NSS Database - dogtagpki/pki GitHub Wiki

Creating Database

Modules

See NSS Modules.

Listing Certificates

See Listing Certificates.

Displaying Certificate Info

See Displaying Certificate Info.

Exporting Certificate

See Exporting Certificate.

Decoding Certificate

See Decoding Certificate.

Importing Certificate

See Importing Certificate.

Exporting Certificate Chain

To export a certificate chain, export each certificate (see Exporting Certificate), then create a PKCS #7 file:

$ openssl crl2pkcs7 -nocrl -certfile ca1.crt -certfile ca2.crt ... -out cert_chain.p7b

Verify with the following command:

$ openssl pkcs7 -print_certs -in cert_chain.p7b

Importing Certificate Chain

To import a certificate chain, import each certificate (see Importing Certificate):

$ certutil -A -d nssdb -a -n testcert -i testcert.pem -t CT,C,C

Alternatively, the entire certificate chain can be imported as a PKCS #7 file:

$ openssl pkcs7 -print_certs -in /tmp/cert_chain.p7b -out /tmp/cert_chain.pem
$ openssl pkcs12 -export -nokeys -in /tmp/cert_chain.pem -out /tmp/cert_chain.p12 -passout file:password.txt
$ pk12util -d nssdb -k password.txt -i /tmp/cert_chain.p12 -w password.txt
$ certutil -M -d nssdb -n <nickname> -t CT,C,C

Exporting into PKCS #12 File

To export all keys and certificates in the database:

$ PKCS12Export -d nssdb -p password.internal -o output.p12 -w output.password

See also Exporting PKCS12 File.

Importing from PKCS #12 File

See Importing PKCS12 File.

Exporting from PKCS #12 File

Export the certificate from a PKCS #12 file:

$ openssl pkcs12 -in path.p12 -out newfile.crt.pem -clcerts -nokeys

Export the encrypted RSA key from a PKCS #12 (.p12) file:

$ openssl pkcs12 -in path.p12 -out newfile.key.pem -nocerts

Convert the encrypted RSA key to an unencrypted (PKCS #1) key:

$ openssl rsa -in newfile.key.pem -out newfile.key.pkcs1

Convert the unencrypted RSA private key (PKCS #1) to a PKCS #8 key:

$ openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in newfile.key.pkcs1 -out newfile.key

Verify that the exported cert and key match:

$ openssl pkey -in newfile.key -pubout -outform pem | sha256sum
$ openssl x509 -in newfile.crt.pem -pubkey -noout -outform pem | sha256sum

The output from both commands must match.
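A scripted form of the same check, as an added example that is not part of the wiki: it compares the public-key fingerprints as the two sha256sum commands above do but with an exit status, refuses to treat an unreadable or encrypted key as a match, and also counts the certificates in a PKCS #7 bundle as the "Exporting Certificate Chain" section above suggests. It assumes openssl and sha256sum are on PATH.

```shell
#!/bin/sh
# Added example, not dogtagpki code. Assumes openssl and sha256sum on PATH.

# Print the SHA-256 of the PEM public key derived from a private key file.
# An optional second argument is the pass phrase of an encrypted key;
# fails (non-zero) when the key cannot be read or decrypted.
key_pub_fp() {
    pub=$(openssl pkey -in "$1" -passin "pass:${2-}" -pubout -outform pem 2>/dev/null) || return 1
    printf '%s\n' "$pub" | sha256sum | cut -d' ' -f1
}

# Print the SHA-256 of the PEM public key embedded in a certificate file.
cert_pub_fp() {
    pub=$(openssl x509 -in "$1" -pubkey -noout 2>/dev/null) || return 1
    printf '%s\n' "$pub" | sha256sum | cut -d' ' -f1
}

# cert_key_match CERT KEY [PASSPHRASE]: exit 0 only if both files are readable
# and carry the same public key; any failure to read either file is a mismatch.
cert_key_match() {
    c=$(cert_pub_fp "$1") || return 1
    k=$(key_pub_fp "$2" "${3-}") || return 1
    [ "$c" = "$k" ]
}

# count_p7b_certs FILE: print how many certificates a PKCS #7 bundle holds,
# the check the wiki performs with "openssl pkcs7 -print_certs".
count_p7b_certs() {
    openssl pkcs7 -print_certs -in "$1" 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Usage: sh check.sh CERT KEY [PASSPHRASE]
if [ "$#" -ge 2 ]; then
    if cert_key_match "$1" "$2" "${3-}"; then echo "match"; else echo "MISMATCH"; exit 1; fi
fi
```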

Modifying a Certificate

See Modifying Certificate.

Validating Certificate

See Validating Certificate.

Deleting Certificate

See Deleting Certificate.

Listing Keys

See Listing Keys.

Deleting a Key

See Deleting Key.

Cloning Database

To clone an NSS database, export each certificate (shown here for testcert):

$ certutil -L -d nssdb -h HSM -n testcert -a > testcert.pem

Create the new database (in the clone directory) with the HSM modules if applicable:

$ mkdir clone
$ certutil -N -d clone

Then reimport each certificate into the clone:

$ certutil -A -d clone -h HSM -f password.HSM -n testcert -i testcert.pem -t "CT,C,C"

Generating Key Pair

Generate a key pair with the following command:

$ openssl rand -out noise.bin 2048
$ certutil -G -d nssdb -h internal -f password.internal -z noise.bin

Generating key.  This may take a few moments...

Generating Certificate Request

Creating Noise File

$ openssl rand -out noise.bin 2048

Creating CSR File

Generate a CSR with the following command:

$ certutil -R \
    -d nssdb \
    -h internal \
    -f password.internal \
    -s "UID=testuser,O=EXAMPLE" \
    -z noise.bin \
    -o testuser.csr.der
$ BtoA testuser.csr.der testuser.csr.pem
$ echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > testuser.csr
$ cat testuser.csr.pem >> testuser.csr
$ echo "-----END NEW CERTIFICATE REQUEST-----" >> testuser.csr
$ rm testuser.csr.der
$ rm testuser.csr.pem

Creating Certificates

See Also
