PKI NSS Key CLI - dogtagpki/pki GitHub Wiki

Overview

The pki nss-key commands can be used to manage keys in NSS database.

Listing Keys in NSS Database

To list keys in internal token:

$ pki nss-key-find
  Key ID: 0x12e1587cf58ab6e16a5d8cf9682252a8bdf7a591
  Type: RSA
  Algorithm: RSA

  Key ID: 0x64594734139b4006527bc57c8792d90333e4263c
  Type: EC
  Algorithm: EC

  Nickname: shared-secret
  Type: AES
  Algorithm: AES

To list keys in HSM:

$ pki --token HSM nss-key-find
  Key ID: 0x12e1587cf58ab6e16a5d8cf9682252a8bdf7a591
  Type: RSA
  Algorithm: RSA

  Key ID: 0x64594734139b4006527bc57c8792d90333e4263c
  Type: EC
  Algorithm: EC

  Nickname: shared-secret
  Type: AES
  Algorithm: AES

To find the key belonging to a certificate:

$ pki nss-key-find --nickname ca_signing
  Key ID: 0x12e1587cf58ab6e16a5d8cf9682252a8bdf7a591
  Type: RSA
  Algorithm: RSA

Availability: Since PKI 11.2

Displaying Key Details

To display key details:

$ pki nss-key-show --key-id 0x12e1587cf58ab6e16a5d8cf9682252a8bdf7a591
  Key ID: 0x12e1587cf58ab6e16a5d8cf9682252a8bdf7a591
  Type: RSA
  Algorithm: RSA

$ pki nss-key-show --key-id 0x64594734139b4006527bc57c8792d90333e4263c
  Key ID: 0x64594734139b4006527bc57c8792d90333e4263c
  Type: EC
  Algorithm: EC

$ pki nss-key-show --key-nickname shared-secret
  Nickname: shared-secret
  Type: AES
  Algorithm: AES

$ pki --token HSM nss-key-show --key-id 0x12e1587cf58ab6e16a5d8cf9682252a8bdf7a591
  Key ID: 0x12e1587cf58ab6e16a5d8cf9682252a8bdf7a591
  Type: RSA
  Algorithm: RSA

Availability: Since PKI 11.6

Creating Key in NSS Database

To create an RSA key:

$ pki nss-key-create --key-type=RSA
  Key ID: 0x12e1587cf58ab6e16a5d8cf9682252a8bdf7a591
  Type: RSA
  Algorithm: RSA

To create an EC key:

$ pki nss-key-create --key-type=EC
  Key ID: 0x12e1587cf58ab6e16a5d8cf9682252a8bdf7a591
  Type: EC
  Algorithm: EC

To create an AES key:

$ pki nss-key-create --key-type=AES shared-secret
  Nickname: shared-secret
  Type: AES
  Algorithm: AES

Availability: Since PKI 11.3.

Deleting Key from NSS Database (Not Implemented)

To delete a key in internal token:

$ pki -c Secret.123 nss-key-del e47e4cbd15fadbdd17eb865ce55031122c7c1b6

To delete a key in HSM:

$ pki --token HSM -c Secret.123 nss-key-del e47e4cbd15fadbdd17eb865ce55031122c7c1b6

Exporting Key from NSS Database

To export a shared secret to the standard output:

$ pki nss-key-export "TPS-localhost.localdomain-8443 sharedSecret" --wrapper kra_transport
{
  "wrappedPrivateData" : "s1mlQNrOsttJgBxJWURqM+j/nc9yPFlCnipH/AGvFo64evmqbZTtqbViQLK0i9jh5hFDhWYW4JuMdw6X2BIYuHadJ+QN4BHpxiWCZygyjJsj3t96zSMzTH+YVEsaktzP39nQKtkaA4iOYU3Rvy0Cfokvn01V1x+GbUXOgpblTOIeXySKa3PJ/LPJREz8MmYMT21GsnEyXsJ5Xq4t9lUYaK4hzE69IXFZeInude/3sdJFFl5SIjMlE1U59YDdkcKAFfD/dyESUwOEGw7k5PgQAJO3BSks0S83NHR9jfutxOpX3UeFXcqq90/HgJj8g18mzVttQYtQfY+6NO5pXoXcsA==",
  "additionalWrappedPrivateData" : "o7E/mZb8w/i7dLCaJ2OjsGtZCuP8uoXl"
}

The output can be stored into a file with a --output <path> option.

Importing Key into NSS Database

To import a shared secret from the standard input:

$ pki nss-key-import "TPS-localhost.localdomain-8443 sharedSecret" --wrapper kra_transport

The input can be loaded from a file with a --input <path> option.

⚠️ **GitHub.com Fallback** ⚠️