NSS Database - dogtagpki/pki GitHub Wiki
See NSS Modules.
See Listing Certificates.
See Decoding Certificate.
To export a certificate chain, export each certificate (see Exporting Certificate), then create a PKCS #7 file:
$ openssl crl2pkcs7 -nocrl -certfile ca1.crt -certfile ca2.crt ... -out cert_chain.p7b
Verify with the following command:
$ openssl pkcs7 -print_certs -in cert_chain.p7b
To import a certificate chain, import each certificate individually (see Importing Certificate), giving each its own nickname and trust flags:
$ certutil -A -d nssdb -a -n testcert -i testcert.pem -t CT,C,C
Alternatively, the entire certificate chain can be imported as a PKCS #7 file: unpack it to PEM, repackage it as a certificate-only PKCS #12 file, import that with pk12util, then set the trust flags on the imported CA certificate:
$ openssl pkcs7 -print_certs -in /tmp/cert_chain.p7b -out /tmp/cert_chain.pem
$ openssl pkcs12 -export -nokeys -in /tmp/cert_chain.pem -out /tmp/cert_chain.p12 -passout file:password.txt
$ pk12util -d nssdb -k password.txt -i /tmp/cert_chain.p12 -w password.txt
$ certutil -M -d nssdb -n <nickname> -t CT,C,C
To export all keys and certificates in the database:
$ PKCS12Export -d nssdb -p password.internal -o output.p12 -w output.password
See also Exporting PKCS12 File.
To extract the certificate from a PKCS #12 file:
$ openssl pkcs12 -in path.p12 -out newfile.crt.pem -clcerts -nokeys
To extract the RSA private key from a PKCS #12 (.p12) file, still encrypted (openssl prompts for a new PEM pass phrase; adding -nodes would write the key in the clear instead):
$ openssl pkcs12 -in path.p12 -out newfile.key.pem -nocerts
To convert the encrypted RSA key to an unencrypted PKCS #1 key (on OpenSSL 3.x add -traditional, otherwise openssl rsa writes PKCS #8 by default):
$ openssl rsa -in newfile.key.pem -out newfile.key.pkcs1
To convert the unencrypted PKCS #1 RSA key to an unencrypted PKCS #8 key:
$ openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in newfile.key.pkcs1 -out newfile.key
To check that a private key belongs to a certificate, compare the SHA-256 digests of the public key taken from each:
$ openssl pkey -in privateKey.key -pubout -outform pem | sha256sum
$ openssl x509 -in certificate.crt -pubkey -noout -outform pem | sha256sum
The output from both commands must match; a mismatch means the certificate was issued for a different key.
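The following script is an added end-to-end example, not part of this wiki or the PKI project. It builds a throwaway root CA, intermediate CA and leaf certificate with openssl, bundles the CA chain as PKCS #7 exactly as in the chain export above, repackages the leaf and its chain as PKCS #12, extracts the certificate and key again, performs the PKCS #1 / PKCS #8 conversions, and runs the key/certificate match check, including the mismatch case. All subjects, file names and the PKCS #12 password are made up for the example; only openssl is required, and certutil and pk12util are deliberately not invoked so no real NSS database is touched.

```shell
#!/bin/sh
# Added example, not part of the dogtagpki wiki or the PKI project: exercise the
# PKCS #7 chain round trip and the key/certificate match check from this page
# against a throwaway two-level CA. Every name, subject, filename and the PKCS #12
# password is made up; only openssl is needed (certutil/pk12util are not used).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# openssl verify rejects an intermediate without basicConstraints CA:TRUE, so
# both CA certificates are issued with these extensions.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"

# new_key_and_csr NAME SUBJECT: fresh unencrypted 2048-bit RSA key plus a CSR.
new_key_and_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

new_key_and_csr root "/O=EXAMPLE/CN=Example Root CA"
new_key_and_csr sub  "/O=EXAMPLE/CN=Example Sub CA"
new_key_and_csr leaf "/O=EXAMPLE/UID=testuser"

# Self-signed root, intermediate signed by the root, leaf signed by the intermediate.
openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" \
    -extfile "$WORK/ca.ext" -days 30 -out "$WORK/root.crt" 2>/dev/null
openssl x509 -req -in "$WORK/sub.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -extfile "$WORK/ca.ext" -days 30 -out "$WORK/sub.crt" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/sub.crt" -CAkey "$WORK/sub.key" \
    -CAcreateserial -days 30 -out "$WORK/leaf.crt" 2>/dev/null

# Bundle the CA chain as PKCS #7 the way the page does, then unpack it to PEM
# (the form openssl pkcs12 -export and openssl verify accept).
openssl crl2pkcs7 -nocrl -certfile "$WORK/sub.crt" -certfile "$WORK/root.crt" \
    -out "$WORK/chain.p7b"
openssl pkcs7 -print_certs -in "$WORK/chain.p7b" -out "$WORK/chain.pem"

# chain_cert_count P7B: number of certificates the bundle carries.
chain_cert_count() {
    openssl pkcs7 -print_certs -in "$1" | grep -c 'BEGIN CERTIFICATE'
}

# cert_verifies_against_chain CERT CHAIN_PEM: succeeds if CHAIN_PEM validates CERT.
cert_verifies_against_chain() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Wrap leaf key, leaf certificate and chain in PKCS #12, then pull the certificate
# and the key back out with the page's commands (-nodes: key written unencrypted).
P12PASS=pass:example-p12-password
openssl pkcs12 -export -inkey "$WORK/leaf.key" -in "$WORK/leaf.crt" \
    -certfile "$WORK/chain.pem" -passout "$P12PASS" -out "$WORK/leaf.p12"
openssl pkcs12 -in "$WORK/leaf.p12" -passin "$P12PASS" -clcerts -nokeys \
    -out "$WORK/leaf_from_p12.crt" 2>/dev/null
openssl pkcs12 -in "$WORK/leaf.p12" -passin "$P12PASS" -nocerts -nodes \
    -out "$WORK/leaf_from_p12.key" 2>/dev/null

# Key format conversions. openssl pkcs12 emits PKCS #8 ("BEGIN PRIVATE KEY");
# pkcs8 -traditional yields PKCS #1 on both OpenSSL 1.1 and 3.x, whereas the
# page's plain "openssl rsa" does so only on 1.x (3.x writes PKCS #8 by default).
openssl pkcs8 -nocrypt -traditional -in "$WORK/leaf_from_p12.key" -out "$WORK/leaf.pkcs1"
openssl pkcs8 -topk8 -nocrypt -in "$WORK/leaf.pkcs1" -out "$WORK/leaf.pkcs8"

# pem_label FILE: label of the first PEM block, e.g. "RSA PRIVATE KEY".
pem_label() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | head -n 1
}

# SHA-256 of the PEM-encoded public key, taken from a private key or a certificate.
# openssl dgst stands in for sha256sum so this also runs where coreutils is absent.
pubkey_digest_of_key() {
    openssl pkey -in "$1" -pubout -outform pem | openssl dgst -sha256 | sed 's/.*= *//'
}
pubkey_digest_of_cert() {
    openssl x509 -in "$1" -pubkey -noout | openssl dgst -sha256 | sed 's/.*= *//'
}

# key_matches_cert KEY CERT: succeeds only when both digests agree, i.e. the
# certificate was issued for exactly this key.
key_matches_cert() {
    [ "$(pubkey_digest_of_key "$1")" = "$(pubkey_digest_of_cert "$2")" ]
}

printf 'certificates in chain.p7b: %s\n' "$(chain_cert_count "$WORK/chain.p7b")"
cert_verifies_against_chain "$WORK/leaf.crt" "$WORK/chain.pem" && echo 'leaf verifies against chain'
key_matches_cert "$WORK/leaf_from_p12.key" "$WORK/leaf_from_p12.crt" && echo 'p12 key matches p12 cert'
key_matches_cert "$WORK/root.key" "$WORK/leaf.crt" || echo 'root key does not match leaf cert (expected)'
```

The digest comparison is the same check as the two sha256sum commands above, just wrapped in a function so it can also be used as a guard before importing a key and certificate pair into a database; the negative case (root key against leaf certificate) shows that it actually fails when the pair does not belong together.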
See Deleting Certificate.
See Listing Keys.
See Deleting Key.
To clone an NSS database, export all certificates from the source database (this copies certificates only; private keys on the software token are not included, see PKCS12Export above):
$ certutil -L -d nssdb -h HSM -n testcert -a > testcert.pem
Create the new database (and register the HSM module in it if one is used, see NSS Modules):
$ mkdir clone
$ certutil -N -d clone
Then reimport all certificates into the new database:
$ certutil -A -d clone -h HSM -f password.HSM -n testcert -i testcert.pem -t "CT,C,C"
Generate a key pair with the following commands (the noise file seeds the key generation and is written to the current directory, so it is referenced from there):
$ openssl rand -out noise.bin 2048
$ certutil -G -d nssdb -h internal -f password.internal -z noise.bin
Generating key. This may take a few moments...
Generate a CSR with the following commands (certutil -R writes DER; BtoA base64-encodes it and the echo lines add the PEM armor):
$ certutil -R \
    -d nssdb \
    -h internal \
    -f password.internal \
    -s "UID=testuser,O=EXAMPLE" \
    -z noise.bin \
    -o testuser.csr.der
$ BtoA testuser.csr.der testuser.csr.pem
$ echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > testuser.csr
$ cat testuser.csr.pem >> testuser.csr
$ echo "-----END NEW CERTIFICATE REQUEST-----" >> testuser.csr
$ rm testuser.csr.der
$ rm testuser.csr.pem