1pktool(1)                        User Commands                       pktool(1)
2
3
4

NAME

6       pktool - manage certificates and keys
7

SYNOPSIS

9       pktool [-f option_file] [-i] subcommand subcommand_options ...
10
11

DESCRIPTION

13       The  pktool command allows users to manage the certificates and keys on
14       multiple keystores including PKCS#11  tokens  (that  is,  Cryptographic
15       Framework),  Netscape Security Services (NSS) tokens, and standard file
16       based keystore for OpenSSL.
17
18
19       pktool also provides support to list, delete and import  a  Certificate
20       Revocation  List  (CRL).  pktool  does not provide support for creating
21       CRLs, signing CRLs, or exporting CRLs. The CRL support for the  PKCS#11
22       keystore is file-based.
23

OPTIONS

25       The following command options are supported:
26
27       -f option_file    Allows  the  user  to  set  up  the options in a file
28                         instead of entering the options on the command line.
29
30                         This option is provided as a  convenience  for  users
31                         because  pktool  can potentially have a large list of
32                         subcommands and associated options to be specified on
33                         the command line.
34
35                         The  format of the option_file is one option or value
36                         pair per-line.
37
38                         An example option_file might looks as follows:
39
40                           list
41                           keystore=nss
42                           dir=/export/foo
43                           objtype=key
44
45
46
47
48       -i                Allows the user to specify  the  subject-DN  interac‐
49                         tively  for  the gencert and gencsr subcommands. When
50                         -i is specified, the user is prompted to  input  some
51                         data to form a subject-DN.
52
53                         An example of using the -i option follows:
54
55                           Country Name (2 letter code) [US]:US
56                           State or Province Name (full name) [Some-State]:CA
57                           Locality Name (eg, city) []:Menlo Park
58                           Organization Name (eg, company):Sun Microsystems Inc.
59                           Organizational Unit Name (eg, section):OPG
60                           Common Name (eg, YOUR name):John Smith
61                            Email Address []: john.smith@sun.com
62
63
64                         The resulting subject-DN is:
65
66                           "C=US, ST=CA, L=Menlo Park, O=Sun Microsystems Inc.,\
67                              OU=OPG, emailAddress=john.smith@sun.com, \
68                              CN=John Smith"
69
70
71
72

SUBCOMMANDS

74       The following subcommands are supported:
75
76       delete
77
78           The format for the delete subcommand is as follows:
79
80             pktool delete [token=token[:manuf[:serial]]]
81                           [objtype=private|public|both]
82                           [label=object-label]
83
84             pktool delete keystore=pkcs11
85                           objtype=cert[:public | private | both]]
86                           [token=token[:manuf[:serial]]]
87                           [label=cert-label]
88                           [serial=hex-serial-number]
89                           [issuer=issuer-DN]
90                           [subject=subject-DN]
91
92             pktool delete keystore=nss
93                           objtype=cert
94                           [subject=subject-DN]
95                           [issuer=issuer-DN]
96                           [serial=hex-serial-number]
97                           [nickname=cert-nickname]
98                           [token=token[:manuf[:serial]]]
99                           [dir=directory-path]
100                           [prefix=DBprefix]
101
102             pktool delete keystore=nss
103                           objtype=crl
104                           [nickname=cert-nickname]
105                           [subject=subject-DN]
106                           [token=token[:manuf[:serial]]]
107                           [dir=directory-path]
108                           [prefix=DBprefix]
109
110             pktool delete keystore=pkcs11
111                           objtype=key[:public | private | both]]
112                           [token=token[:manuf[:serial]]]
113                           [label=key-label]
114
115             pktool delete keystore=pkcs11
116                           objtype=crl
117                           infile=input-fn
118
119
120             pktool delete keystore=file
121                           objtype=cert
122                           [infile=input-fn]
123                           [dir=directory-path]
124                           [serial=hex-serial-number]
125                           [issuer=issuer-DN]
126                           [subject=subject-DN]
127
128             pktool delete keystore=file
129                           objtype=key
130                           [infile=input-fn]
131                           [dir=directory-path]
132
133             pktool delete keystore=file
134                           objtype=crl
135                           infile=input-fn
136
137
138
139           Deletes a certificate, key, or certificate revocation list (CRL).
140
141           To delete a private certificate or key from PKCS#11 token, the user
142           is prompted to authenticate to the PKCS#11 by entering the  correct
143           Personal Identification Number (PIN).
144
145
146       download
147
148           The format for the download subcommand is as follows:
149
150              pktool download url=url_str
151                              [objtype=crl|cert]
152                              [http_proxy=proxy_str]
153                              [outfile=output-fn]
154                              [dir=directory-path]
155
156
157           Downloads  a  CRL file or a certificate file from the specified URL
158           location. Once the file  is  successfully  downloaded,  checks  the
159           validity  of  the downloaded CRL or certificate file. If the CRL or
160           the certificate is expired, download issues a warning.
161
162
163       export
164
165           The format for the export subcommand is as follows:
166
167             pktool export [token=token[:manuf[:serial]]]
168                           outfile=output-fn
169
170             pktool export keystore=pkcs11
171                           outfile=output-fn
172                           [objtype=cert|key]
173                           [label=label]
174                           [subject=subject-DN]
175                           [issuer=issuer-DN]
176                           [serial=hex-serial-number]
177                           [outformat=pem|der|pkcs12|raw]
178                           [token=token[:manuf[:serial]]]
179
180             pktool export keystore=nss
181                           outfile=output-fn
182                           [subject=subject-DN]
183                           [issuer=issuer-DN]
184                           [serial=hex-serial-number]
185                           [nickname=cert-nickname]
186                           [token=token[:manuf[:serial]]]
187                           [dir=directory-path]
188                           [prefix=DBprefix]
189                           [outformat=pem|der|pkcs12]
190
191             pktool export keystore=file
192                           certfile=cert-input-fn
193                           keyfile=key-input-fn
194                           outfile=output-pkcs12-fn
195
196
197           Saves the contents of PKCS#11 token  or  certificates  in  the  NSS
198           token or file-based keystore to the specified file.
199
200
201       gencert
202
203           The format for the gencert subcommand is as follows:
204
205             pktool gencert [-i] keystore=nss
206                           label=cert-nickname
207                           subject=subject-DN
208                           serial=hex_serial_number
209                           [altname=[critical:]subjectAltName]
210                           [keyusage=[critical:]usage,usage...]
211                           [token=token[:manuf[:serial]]]
212                           [dir=directory-path]
213                           [prefix=DBprefix]
214                           [keytype=rsa|dsa]
215                           [keylen=key-size]
216                           [trust=trust-value]
217                           [lifetime=number-hour|number-day|number-year]
218                           [eku=[critical:]EKU_name,...]
219
220             pktool gencert [-i] [ keystore=pkcs11]
221                           label=key/cert-label
222                           subject=subject-DN
223                           serial=hex_serial_number
224                           [altname=[critical:]subjectAltName]
225                           [keyusage=[critical:]usage,usage...]
226                           [token=token[:manuf[:serial]]]
227                           [keytype=rsa|dsa]
228                           [keylen=key-size]
229                           [lifetime=number-hour|number-day|number-year]
230                           [eku=[critical:]EKU_name,...]
231
232             pktool gencert [-i] keystore=file
233                           outcert=cert-fn
234                           outkey=key-fn
235                           subject=subject-DN
236                           serial=hex_serial_number
237                           [altname=[critical:]subjectAltName]
238                           [keyusage=[critical:]usage,usage...]
239                           [format=der|pem]
240                           [keytype=rsa|dsa]
241                           [keylen=key-size]
242                           [lifetime=number-hour|number-day|number-year]
243                           [eku=[critical:]EKU_name,...]
244
245
246           Generates a self-signed certificate and installs it and its associ‐
247           ated private key to the specified keystore.
248
249           gencert prompts the user to enter a PIN for token-based keystore.
250
251
252       gencsr
253
254           The format for the gencsr subcommand is as follows:
255
256             pktool gencsr [-i] keystore=nss
257                           nickname=key-nickname
258                           outcsr=csr-fn
259                           subject=subject-DN
260                           [altname=[critical:]subjectAltName]
261                           [keyusage=[critical:]usage,usage...]
262                           [token=token[:manuf[:serial]]]
263                           [dir=directory-path]
264                           [prefix=DBprefix]
265                           [keytype=rsa|dsa]
266                           [keylen=key-size]
267                           [format=pem|der]
268                           [eku=[critical:]EKU_name,...]
269
270             pktool gencsr [-i] keystore=pkcs11
271                           label=key-label
272                           outcsr=csr-fn
273                           subject=subject-DN
274                           [altname=[critical:]subjectAltName]
275                           [keyusage=[critical:]usage,usage...]
276                           [token=token[:manuf[:serial]]]
277                           [keytype=rsa|dsa]
278                           [keylen=key-size]
279                           [format=pem|der]
280                           [eku=[critical:]EKU_name,...]
281
282             pktool gencsr [-i] keystore=file
283                           outcsr=csr-fn
284                           outkey=key-fn
285                           subject=subject-DN
286                           [altname=[critical:]subjectAltName]
287                           [keyusage=[critical:]usage,usage...]
288                           [dir=directory-path]
289                           [keytype=rsa|dsa]
290                           [keylen=key-size]
291                           [format=pem|der]
292                           [eku=[critical:]EKU_name,...]
293
294
295           Creates a PKCS#10 certificate signing request (CSR) file. This  CSR
296           can  be sent to a Certifying Authority (CA) for signing. The gencsr
297           subcommand prompts the user to enter a  PIN  for  token-based  key‐
298           store.
299
300
301       genkey
302
303           The format for the genkey subcommand is as follows:
304
305
306
307             pktool genkey [keystore=pkcs11]
308                           label=key-label
309                           [keytype=aes|arcfour|des|3des|generic]
310                           [keylen=key-size (for aes, arcfour, or \
311                               generic keytypes only)]
312                           [token=token[:manuf[:serial]]]
313                           [sensitive=y|n]
314                           [extractable=y|n]
315                           [print=y|n]
316
317             pktool genkey keystore=nss
318                           label=key-label
319                           [keytype=aes|arcfour|des|3des|generic]
320                           [keylen=key-size (for aes, arcfour, or \
321                               generic keytypes only)]
322                           [token=token[:manuf[:serial]]]
323                           [dir=directory-path]
324                           [prefix=DBprefix]
325
326             pktool genkey keystore=file
327                           outkey=key-fn
328                           [keytype=aes|arcfour|des|3des|generic]
329                           [keylen=key-size (for aes, arcfour, \
330                                or generic keytypes only)]
331                           [print=y|n]
332
333
334           Generates  a  symmetric  key  in the specified keystore. The genkey
335           subcommand prompts the user to enter a  PIN  for  token-based  key‐
336           store.
337
338
339       import
340
341           The format for the import subcommand is as follows:
342
343             pktool import [token=token>[:manuf>[:serial>]]]
344                           infile=input-fn
345
346             pktool import [keystore=pkcs11]
347                           infile=input-fn
348                           label=object-label
349                           [keytype=aes|arcfour|des|3des|generic]
350                           [sensitive=y|n]
351                           [extractable=y|n]
352                           [token=token[:manuf[:serial]]]
353                           [objtype=cert|key]
354
355             pktool import keystore=pkcs11
356                           objtype=crl
357                           infile=input-fn
358                           outcrl=output-crl-fn
359                           outformat=pem|der
360
361             pktool import keystore=nss
362                           objtype=cert
363                           infile=input-fn
364                           label=cert-label
365                           [token=token[:manuf[:serial]]]
366                           [dir=directory-path]
367                           [prefix=DBprefix]
368                           [trust=trust-value]
369
370             pktool import keystore=nss
371                           objtype=crl
372                           infile=input-fn
373                           [verifycrl=y|n]
374                           [token=token[:manuf[:serial]]]
375                           [dir=directory-path]
376                           [prefix=DBprefix]
377
378             pktool import keystore=file
379                           infile=input-fn
380                           outkey=output-key-fn
381                           outcert=output-key-fn
382                           [outformat=pem|der]
383
384             pktool import keystore=file
385                           objtype=crl
386                           infile=input-fn
387                           outcrl=output-crl-fn
388                           outformat=pem|der
389
390
391           Loads  certificates,  keys,  or  CRLs from the specified input file
392           into the specified keystore.
393
394
395       inittoken
396
397           The format for the inittoken subcommand is as follows:
398
399             pktool inittoken [ slotid=slot number ]
400                              [ currlabel=token[:manuf[:serial]]]
401                              [ newlabel=new token label ]
402
403
404           This command initializes a PKCS#11  token  using  C_InitToken  API.
405           The  preferred method of locating a token is to specify its default
406           label. Optionally, a new label can be  assigned  to  the  token  by
407           using the newlabel argument.  If newlabel is not present, the token
408           label is not modified.  The user is prompted to enter the  security
409           officer (SO) PIN for this  command to proceed.
410
411
412       list
413
414           The format for the list subcommand is as follows:
415
416             pktool list [token=token[:manuf[:serial]]]
417                         [objtype=private|public|both]
418                         [label=label]
419
420             pktool list [keystore=pkcs11]
421                         [objtype=cert[:public | private | both]]
422                         [token=token[:manuf[:serial]]]
423                         [label=cert-label]
424                         [serial=hex-serial-number]
425                         [issuer=issuer-DN]
426                         [subject=subject-DN]
427
428             pktool list [keystore=pkcs11]
429                         objtype=key[:public | private | both]]
430                         [token=token[:manuf[:serial]]]
431                         [label=key-label]
432
433             pktool list keystore=pkcs11
434                         objtype=crl
435                         infile=input-fn
436
437             pktool list keystore=nss
438                         objtype=cert
439                         [subject=subject-DN]
440                         [issuer=issuer-DN]
441                         [serial=hex-serial-number]
442                         [nickname=cert-nickname]
443                         [token=token[:manuf[:serial]]]
444                         [dir=directory-path]
445                         [prefix=DBprefix]
446
447             pktool list keystore=nss
448                         objtype=key
449                         [token=token[:manuf[:serial]]]
450                         [dir=directory-path]
451                         [prefix=DBprefix]
452
453             pktool list keystore=file
454                         objtype=cert
455                         [infile=input-fn]
456                         [dir=directory-path]
457                         [serial=hex-serial-number]
458                         [issuer=issuer-DN]
459                         [subject=subject-DN]
460
461             pktool list keystore=file
462                         objtype=key
463                         [infile=input-fn]
464                         [dir=directory-path]
465
466
467           Lists certificates, list keys, or list certificate revocation lists
468           (CRL). When displaying a private  certificate  or  key  in  PKCS#11
469           token, the user is prompted to authenticate to the PKCS#11 token by
470           entering the correct PIN.
471
472
473       setpin
474
475           The format for the setpin subcommand is as follows:
476
477             pktool setpin keystore=nss
478                    [token=token]
479                    [dir=directory-path]
480                    [prefix=DBprefix]
481
482             pktool setpin [ keystore=pkcs11]
483                    [token=token[:manuf[:serial]]]
484                    [usertype=user | so]
485
486
487           Changes the passphrase used to authenticate a user to  the  PKCS#11
488           or  NSS  token.  Passphrases  can  be any string of characters with
489           lengths between 1 and 256 with no nulls.
490
491           setpin prompts the user for the old passphrase, if any. If the  old
492           passphrase matches, pktool prompts for the new passphrase twice. If
493           the two entries of the new passphrases match, it becomes  the  cur‐
494           rent passphrase for the token.
495
496           For the Sun Software PKCS#11 softtoken keystore (default), the user
497           must use the setpin command with the default passphrase changeme as
498           the  old  passphrase  to change the passphrase of the object store.
499           This action is needed to initialize and set  the  passphrase  to  a
500           newly created token object store.
501
502           If  the  usertype=so  option is specified for PKCS#11 based tokens,
503           the Security Officer (SO) user PIN is changed  as  opposed  to  the
504           normal user PIN.  By default the usertype is assumed to be user.
505
506
507       signcsr
508
509           The format for the signcsr subcommand is as follows:
510
511             signcsr keystore=pkcs11
512                     signkey=label (label of key to use for signing)
513                     csr=CSR_filename
514                     serial=serial_number_hex_string_for_final_certificate
515                     outcert=filename_for_final_certificate
516                     issuer=issuer-DN
517                     [store=y|n] (store the new cert in NSS DB, default=n)
518                     [outlabel=certificate label]
519                     [format=pem|der] (certificate output format)
520                     [subject=subject-DN] (override the CSR subject name)
521                     [altname=subjectAltName] (add subjectAltName )
522                     [keyusage=[critical:]usage,...] (add key usage bits)
523                     [eku=[critical:]EKU_Name,...] (add Extended Key Usage )
524                     [lifetime=number-hour|number-day|number-year]
525                     [token=token[:manuf[:serial]]]
526             signcsr keystore=file
527                     signkey=filename
528                     csr=CSR_filename
529                     serial=serial_number_hex_string_for_final_certificate
530                     outcert=filename_for_final_certificate
531                     issuer=issuer-DN
532                     [format=pem|der] (certificate output format)
533                     [subject=subject-DN] (override the CSR subject name)
534                     [altname=subjectAltName] (add a subjectAltName)
535                     [keyusage=[critical:]usage,...] (add key usage bits)
536                     [lifetime=number-hour|number-day|number-year]
537                     [eku=[critical:]EKU_ Name,...] (add Extended Key Usage)
538             signcsr keystore=nss
539                     signkey=label (label of key to use for signing)
540                     csr=CSR_filename
541                     serial=serial_number_hex_string_for_final_certificate
542                     outcert=filename_for_final_certificate
543                     issuer=issuer-DN
544                     [store=y|n] (store the new cert in NSS DB, default=n)
545                     [outlabel=certificate label]
546                     [format=pem|der] (certificate output format)
547                     [subject=subject-DN] (override the CSR subject name)
548                     [altname=subjectAltName] (add a subjectAltName)
549                     [keyusage=[critical:]usage,...] (add key usage bits)
550                     [eku=[critical:]EKU_Name,...] (add Extended Key Usage)
551                     [lifetime=number-hour|number-day|number-year]
552                     [token=token[:manuf[:serial]]]
553                     [dir=directory-path]
554                     [prefix=DBprefix]
555
556
557
558
559       tokens
560
561           The format for the tokens subcommand is as follows:
562
563             pktool tokens
564
565
566           The tokens subcommand lists all visible PKCS#11 tokens.
567
568
569       -?
570
571           The format for the  subcommand is as follows:
572
573             pktool -?
574             pktool --help
575
576
577           The -? option displays usage and help information. --help is a syn‐
578           onym for -?.
579
580

USAGE

582       The pktool subcommands support the following options:
583
584       altname=[critical:]subjectAltName
585
586           Subject Alternative Names the certificate. The argument  that  fol‐
587           lows  the  -A option should be in the form of tag=value. Valid tags
588           are IP, DNS, EMAIL, URI, DN, KRB, UPN, and RID. The  SubjectAltName
589           extension  is  marked  as  critical  if  the altname string is pre-
590           peneded with the
591
592           Example 1: Add an IP address to the subjectAltName extension.  alt‐
593           name="IP=1.2.3.4"  Example  2:  Add an email address to the subjec‐
594           tAltName extension, and mark it as being critical.  altname="criti‐
595           cal:EMAIL=first.last@company.com"
596
597
598       currlabel=token label
599
600           This  option  is only used by the inittoken command.  This  is used
601           to locate the default token that is  being  initialized.   See  the
602           token  option for details about the format  of the token name to be
603           used.
604
605
606       dir=directory_path
607
608           Specifies the NSS database directory, or OpenSSL keystore directory
609           where the requested object is stored.
610
611
612       eku=[critical:]EKU_Name,[critical:]EKU_Name, ...]
613
614           Specifies the extended key usage X.509v3 extension values to add to
615           the certificate or certificate request.
616
617           Specify EKU_Name as one of the following:   serverAuth, clientAuth,
618           codeSigning,  emailProtection,  ipsecEndSystem,  ipsecTunnel, ipse‐
619           cUser, timeStamping, OCSPSigning, KPClientAuth, KPKdc, or scLogon.
620
621           An example is:
622
623             eku=KPClientAuth,clientAuth
624
625
626
627
628       extractable=y | n
629
630           Specifies the resulting symmetric  key  in  the  PKCS#11  token  is
631           extractable  or not extractable. The valid values are: y and n. The
632           default value is y.
633
634
635       format=pem | der | pkcs12
636
637           For the gencert subcommand, this option only applies  to  the  file
638           based  keystore  such  as OpenSSL. It is used to specify the output
639           format of the key or certificate file to be created. The valid for‐
640           mats are: pem or der. The default format is pem.
641
642           For the gencsr subcommand, this option specifies the output encoded
643           format of the CSR file. The valid formats  are:  pem  or  der.  The
644           default format is pem.
645
646
647       infile=input-fn
648
649           Specifies  the certificate filename for list and delete subcommands
650           when objtype=cert and keystore=file.  For  the  import  subcommand,
651           this  option  specifies  the filename to be imported. Specifies the
652           input CRL filename for list, delete  and  import  subcommands  when
653           objtype=crl.
654
655
656       issuer=issuer-DN
657
658           Specifies the issuer of a certificate.
659
660
661       keylen=key-size
662
663           Specifies the size (bits) of the private or symmetric key to gener‐
664           ate.
665
666           For the gencert and gencsr subcommands, the default key  length  is
667           1024 bits.
668
669           For the genkey subcommand, the minimum and maximum bits of the sym‐
670           metric key to generate using AES algorithm are 128 and  256.  Using
671           the ARCFOUR algorithm, the minimum and maximum bits are 8 and 2048.
672           The minimum bits for a generic secret key is 8 and the maximum bits
673           is  arbitrary.  The  default  key  length  for  the AES, ARCFOUR or
674           generic secret keys is 128. For a DES key or a 3DES  key,  the  key
675           length is fixed and this option is ignored if specified.
676
677
678       keystore=nss | pkcs11 | file
679
680           Specifies  the  type of the underlying keystore: NSS token, PKCS#11
681           token, or file-based plugin.
682
683
684       keytype=rsa | dsa | aes | arcfour | des | 3des | generic
685
686           Specifies the type of the private or symmetric key to generate.
687
688           For the gencert and gencsr subcommands, the valid private key types
689           are: rsa, or dsa. The default key type is rsa.
690
691           For  the genkey subcommand, the valid symmetric key types are: aes,
692           arcfour, des, 3des, or generic. The default key type is aes.
693
694              keyusage=[critical:]usage,usage,usage,...
695
696
697
698             Key Usage strings:
699             * digitalSignature
700             * nonRepudiation
701             * keyEncipherment
702             * dataEncipherment
703             * keyAgreement
704             * keyCertSign
705             * cRLSign
706             * encipherOnly
707             * decipherOnly
708
709
710           Example 1: Set the KeyUsage so that the cert (or csr) can  be  used
711           for  signing  and  verifying  data  other than certificates or CRLs
712           (digitalSignature) and also can be used for encrypting and decrypt‐
713           ing   data   other   than  cryptographic  keys  (dataEncipherment).
714           keyusage=digitalSignature,dataEncipherment
715
716           Example 2: The same as above (Example 1), but with the critical bit
717           set. keyusage=critical:digitalSignature,dataEncipherment
718
719
720       label=key-label | cert-label
721
722           For  the gencert subcommand, this option specifies the label of the
723           private key and self-signed certificate in the PKCS#11 token.
724
725           For the gencsr subcommand, this option specifies the label  of  the
726           private key in the PKCS#11 token.
727
728           For  the  list  subcommand,  this option specifies the label of the
729           X.509 Certificate (when objtype=key) or the private key (when  obj‐
730           type=cert) in the PKCS#11 token to refine the list.
731
732           For  the  delete subcommand, this option specifies the label of the
733           X.509 Certificate (when objtype=key) or the private key (when  obj‐
734           type=cert) to delete a designated object from the PKCS#11 token.
735
736
737       lifetime=number-hour|number-day|number-year
738
739           Specifies  the validity period a certificate is valid. The certifi‐
740           cate life time can be specified by number-hour, number-day, or num‐
741           ber-year.  Only one format can be specified. The default is 1-year.
742           Examples of this option might be: lifetime=1-hour,  lifetime=2-day,
743           lifetime=3-year
744
745
746       newlabel=token label
747
748           This  option  is only used by the inittoken command.  This  is used
749           to change the label assigned to the token that is   being  initial‐
750           ized.   See  the  token option for details about the format  of the
751           token name to be used.
752
753
754       nickname=cert-nickname
755
756           For the gencert subcommand, this option is required to specify  the
757           certificate's nickname for NSS keystore.
758
759           For  the list subcommand, this option specifies the nickname of the
760           certificate in the NSS token to display its content. For the delete
761           subcommand, to delete a CRL from the NSS token, this option is used
762           to specify the nickname of the issuer's certificate. For the delete
763           subcommand, to delete a certificate from the NSS token, this option
764           specifies the nickname of the certificate. For the  import  subcom‐
765           mand,  to  import  a  specified  input  file to the NSS token, this
766           option is required to specify the nickname of  the  resulting  cer‐
767           tificate.
768
769
770       objtype=cert | key | crl
771
772           Specifies the class of the object: cert, key, or crl. For the down‐
773           load subcommand, if this option is not specified, default to crl.
774
775
776       objtype=public | private | both
777
778           Specifies the type of object: private  object,  public  object,  or
779           both.  This  option only applies to list and delete subcommands for
780           the PKCS#11 token when objtype=key is specified. The default  value
781           is public.
782
783           For the list subcommand, the label option can be combined with this
784           option to further refine the list of keys. For the  delete  subcom‐
785           mand, this option can used to narrow the keys to be deleted to only
786           public, or private ones. Alternately, the label option can be omit‐
787           ted  to indicate that all public, private, or both type of keys are
788           to be deleted.The use of public, private and both  as  choices  for
789           the objtype parameter are only applicable with the PKCS#11 keystore
790           in order to maintain compatibility with  earlier  versions  of  the
791           pktool command.
792
793
794       outcert=cert-fn
795
796           Specifies  the output certificate filename to write to. This option
797           is required for the file based plugin such as OpenSSL. Option  out‐
798           key=key-fn is required with this option.
799
800
801       outcrl=output-crl-fn
802
803           Specifies the output CRL filename to write to.
804
805
806       outcsr=csr-fn
807
808           Specifies the output CSR filename to write to.
809
810
811       outfile=output-fn
812
813           For  the  export subcommand, this option specifies the output file‐
814           name to be created. For the import subcommand, this  option  speci‐
815           fies the output filename of the certificate or CRL. It only applies
816           to the file based plugin such as OpenSSL.  For the download subcom‐
817           mand,  if this option is not specified, the downloaded file name is
818           the basename of the URL string.
819
820
821       outformat=pem | der | pkcs12
822
823           For the import subcommand, this option specifies the output  format
824           of  the  certificate  or  key  that  is  extracted from a specified
825           PKCS#12 file into the file based plugin, The valid values are:  pem
826           or  der.  The  default is pem. When importing a CRL to the CRL file
827           based keystore, this option specifies the output format of the CRL.
828           The  valid  values  are:  pem  or  der. The default is der. For the
829           export subcommand, this option specifies the format of  the  speci‐
830           fied output file to be created. The supported formats are: pem, der
831           or pkcs12. The default is pkcs12.
832
833
834       outkey=key-fn
835
836           Specifies the output private key filename to which to  write.  This
837           option is only required when using the files keystore.
838
839
840       prefix=DBprefix
841
842           Specifies  the NSS database prefix. This option only applies to the
843           NSS token.
844
845
846       print=y | n
847
848           This option is used in the genkey subcommand and it applies to  the
849           PKCS11  and File-based keystores. If print=y, the genkey subcommand
850           prints out the key value of the generated key in a single  line  of
851           hex. The default value is n.  For the PKCS11 keystore, if a symmet‐
852           ric key is created with sensitive=y or extractable=n, the key value
853           is  not  displayed,  even  the print option is set to y. The key is
854           still created, but a warning like cannot reveal the  key  value  is
855           issued.
856
857
858       sensitive=y | n
859
860           Specifies  the resulting symmetric key in the PKCS#11 token is sen‐
861           sitive or not sensitive. The valid values are: y and n. The default
862           value is n.
863
864
865       serial=hex-serial-number
866
867           Specifies a unique serial number for a certificate. The serial num‐
868           ber   must   be   specified    as    a    hex    value.    Example:
869           0x0102030405060708090a0b0c0d0e0f
870
871
872       subject=subject-DN
873
874           Specifies  a particular certificate owner for a certificate or cer‐
875           tificate request. An example subject= setting might be:
876
877             subject=O=Sun Microsystems Inc., \
878             OU=Solaris Security Technologies Group, \
879             L=Ashburn, ST=VA, C=US, CN=John Smith
880
881
882
883
884       token=token[:manuf[:serial]]
885
886           When a token label contains trailing spaces, this option  does  not
887           require them to be typed as a convenience to the user.
888
889           Colon  separate  token identification string token:manuf:serial. If
890           any of the parts have a literal : char then it needs to be  escaped
891           using  a backslash (\). If no : is found then the entire string (up
892           to 32 chars) is taken as the token label. If only one  :  is  found
893           then  the string is the token label and the manufacturer. When key‐
894           store=nss is specified, default  to  NSS  internal  token  if  this
895           option is not specified. When keystore=pkcs11 is specified, default
896           to pkcs11_softtoken if this option is not specified.
897
898
899       trust=trust-value
900
901           Specifies the certificate trust attributes. This is  only  for  NSS
902           certificates and that the standard NSS syntax applies.
903
904
905       usertype=user | so
906
907           Specifies  the type of user for which the setpin command   is being
908           performed.  The default is for a standard user,    but  so  can  be
909           specified  in order to set the PIN for  the security officer of the
910           token.
911
912
913       url=url_string
914
915           Specifies the URL to download a CRL or a certificate file.
916
917
918       verifycrl=y | n
919
920           When importing a CRL to NSS keystore, this option specifies whether
921           the  CRL  verification is performed. The valid values are: y and n.
922           The default value is n.
923
924
925       http_proxy=proxy_str
926
927           Specifies the proxy server hostname and port number. The format can
928           be either http://hostname[:port] or hostname[:port]. If this option
929           is not specified, the download  subcommand  checks  the  http_proxy
930           environment variable. The command line option has a higher priority
931           than the environment variable.
932
933

EXAMPLES

935       Example 1 Generating a Self-Signed Certificate
936
937
938       The following example creates the certificate and stores it in the key‐
939       store indicated in the command:
940
941
942          $ pktool gencert keystore=nss nickname=WebServerCert \
943                subject="O=Sun Microsystems Inc., OU=Solaris Security Technologies Group, \
944                L=Ashburn, ST=VA, C=US, CN=John Smith" dir=/etc/certs \
945                keytype=rsa keylen=2048
946
947
948
949       Example 2 Generating a Certificate Signing Request
950
951
952       The  following  example  creates  the CSR and stores it in the keystore
953       indicated in the command:
954
955
956          $ pktool gencsr keystore=nss subject="O=Sun Microsystems Inc., \
957                OU=Solaris Security Technologies Group, L=Ashburn, ST=VA, C=US, \
958                CN=John Smith" keytype=rsa keylen=2048 outcsr=csr.dat
959
960
961
962       Example 3 Importing a Certificate
963
964
965       The following example imports a certificate object from  the  specified
966       input file into the keystore indicated in the command:
967
968
969          $ pktool import keystore=nss objtype=cert infile=mycert.pem \
970                nickname=mycert
971
972
973

EXIT STATUS

975       The following exit values are returned:
976
977       0     Successful completion.
978
979
980       >0    An error occurred.
981
982

ATTRIBUTES

984       See attributes(5) for descriptions of the following attributes:
985
986
987
988
989       ┌─────────────────────────────┬─────────────────────────────┐
990       │      ATTRIBUTE TYPE         │      ATTRIBUTE VALUE        │
991       ├─────────────────────────────┼─────────────────────────────┤
992       │Availability                 │SUNWcsu                      │
993       ├─────────────────────────────┼─────────────────────────────┤
994       │Interface Stability          │Committed                    │
995       └─────────────────────────────┴─────────────────────────────┘
996

SEE ALSO

998       attributes(5), pkcs11_softtoken(5)
999
1000
1001       RSA PKCS#11 v2.11 http://www.rsasecurity.com
1002
1003
1004       RSA PKCS#12 v1.0 http://www.rsasecurity.com
1005
1006
1007
1008SunOS 5.11                        23 Mar 2009                        pktool(1)
Impressum