1pktool(1) User Commands pktool(1)
2
3
4
6 pktool - manage certificates and keys
7
9 pktool [-f option_file] [-i] subcommand subcommand_options ...
10
11
13 The pktool command allows users to manage the certificates and keys on
14 multiple keystores including PKCS#11 tokens (that is, Cryptographic
15 Framework), Netscape Security Services (NSS) tokens, and standard file
16 based keystore for OpenSSL.
17
18
19 pktool also provides support to list, delete and import a Certificate
20 Revocation List (CRL). pktool does not provide support for creating
21 CRLs, signing CRLs, or exporting CRLs. The CRL support for the PKCS#11
22 keystore is file-based.
23
25 The following command options are supported:
26
27 -f option_file Allows the user to set up the options in a file
28 instead of entering the options on the command line.
29
30 This option is provided as a convenience for users
31 because pktool can potentially have a large list of
32 subcommands and associated options to be specified on
33 the command line.
34
35 The format of the option_file is one option or value
36 pair per-line.
37
38 An example option_file might looks as follows:
39
40 list
41 keystore=nss
42 dir=/export/foo
43 objtype=key
44
45
46
47
48 -i Allows the user to specify the subject-DN interac‐
49 tively for the gencert and gencsr subcommands. When
50 -i is specified, the user is prompted to input some
51 data to form a subject-DN.
52
53 An example of using the -i option follows:
54
55 Country Name (2 letter code) [US]:US
56 State or Province Name (full name) [Some-State]:CA
57 Locality Name (eg, city) []:Menlo Park
58 Organization Name (eg, company):Sun Microsystems Inc.
59 Organizational Unit Name (eg, section):OPG
60 Common Name (eg, YOUR name):John Smith
61 Email Address []: john.smith@sun.com
62
63
64 The resulting subject-DN is:
65
66 "C=US, ST=CA, L=Menlo Park, O=Sun Microsystems Inc.,\
67 OU=OPG, emailAddress=john.smith@sun.com, \
68 CN=John Smith"
69
70
71
72
74 The following subcommands are supported:
75
76 delete
77
78 The format for the delete subcommand is as follows:
79
80 pktool delete [token=token[:manuf[:serial]]]
81 [objtype=private|public|both]
82 [label=object-label]
83
84 pktool delete keystore=pkcs11
85 objtype=cert[:public | private | both]]
86 [token=token[:manuf[:serial]]]
87 [label=cert-label]
88 [serial=hex-serial-number]
89 [issuer=issuer-DN]
90 [subject=subject-DN]
91
92 pktool delete keystore=nss
93 objtype=cert
94 [subject=subject-DN]
95 [issuer=issuer-DN]
96 [serial=hex-serial-number]
97 [nickname=cert-nickname]
98 [token=token[:manuf[:serial]]]
99 [dir=directory-path]
100 [prefix=DBprefix]
101
102 pktool delete keystore=nss
103 objtype=crl
104 [nickname=cert-nickname]
105 [subject=subject-DN]
106 [token=token[:manuf[:serial]]]
107 [dir=directory-path]
108 [prefix=DBprefix]
109
110 pktool delete keystore=pkcs11
111 objtype=key[:public | private | both]]
112 [token=token[:manuf[:serial]]]
113 [label=key-label]
114
115 pktool delete keystore=pkcs11
116 objtype=crl
117 infile=input-fn
118
119
120 pktool delete keystore=file
121 objtype=cert
122 [infile=input-fn]
123 [dir=directory-path]
124 [serial=hex-serial-number]
125 [issuer=issuer-DN]
126 [subject=subject-DN]
127
128 pktool delete keystore=file
129 objtype=key
130 [infile=input-fn]
131 [dir=directory-path]
132
133 pktool delete keystore=file
134 objtype=crl
135 infile=input-fn
136
137
138
139 Deletes a certificate, key, or certificate revocation list (CRL).
140
141 To delete a private certificate or key from PKCS#11 token, the user
142 is prompted to authenticate to the PKCS#11 by entering the correct
143 Personal Identification Number (PIN).
144
145
146 download
147
148 The format for the download subcommand is as follows:
149
150 pktool download url=url_str
151 [objtype=crl|cert]
152 [http_proxy=proxy_str]
153 [outfile=output-fn]
154 [dir=directory-path]
155
156
157 Downloads a CRL file or a certificate file from the specified URL
158 location. Once the file is successfully downloaded, checks the
159 validity of the downloaded CRL or certificate file. If the CRL or
160 the certificate is expired, download issues a warning.
161
162
163 export
164
165 The format for the export subcommand is as follows:
166
167 pktool export [token=token[:manuf[:serial]]]
168 outfile=output-fn
169
170 pktool export keystore=pkcs11
171 outfile=output-fn
172 [objtype=cert|key]
173 [label=label]
174 [subject=subject-DN]
175 [issuer=issuer-DN]
176 [serial=hex-serial-number]
177 [outformat=pem|der|pkcs12|raw]
178 [token=token[:manuf[:serial]]]
179
180 pktool export keystore=nss
181 outfile=output-fn
182 [subject=subject-DN]
183 [issuer=issuer-DN]
184 [serial=hex-serial-number]
185 [nickname=cert-nickname]
186 [token=token[:manuf[:serial]]]
187 [dir=directory-path]
188 [prefix=DBprefix]
189 [outformat=pem|der|pkcs12]
190
191 pktool export keystore=file
192 certfile=cert-input-fn
193 keyfile=key-input-fn
194 outfile=output-pkcs12-fn
195
196
197 Saves the contents of PKCS#11 token or certificates in the NSS
198 token or file-based keystore to the specified file.
199
200
201 gencert
202
203 The format for the gencert subcommand is as follows:
204
205 pktool gencert [-i] keystore=nss
206 label=cert-nickname
207 subject=subject-DN
208 serial=hex_serial_number
209 [altname=[critical:]subjectAltName]
210 [keyusage=[critical:]usage,usage...]
211 [token=token[:manuf[:serial]]]
212 [dir=directory-path]
213 [prefix=DBprefix]
214 [keytype=rsa|dsa]
215 [keylen=key-size]
216 [trust=trust-value]
217 [lifetime=number-hour|number-day|number-year]
218 [eku=[critical:]EKU_name,...]
219
220 pktool gencert [-i] [ keystore=pkcs11]
221 label=key/cert-label
222 subject=subject-DN
223 serial=hex_serial_number
224 [altname=[critical:]subjectAltName]
225 [keyusage=[critical:]usage,usage...]
226 [token=token[:manuf[:serial]]]
227 [keytype=rsa|dsa]
228 [keylen=key-size]
229 [lifetime=number-hour|number-day|number-year]
230 [eku=[critical:]EKU_name,...]
231
232 pktool gencert [-i] keystore=file
233 outcert=cert-fn
234 outkey=key-fn
235 subject=subject-DN
236 serial=hex_serial_number
237 [altname=[critical:]subjectAltName]
238 [keyusage=[critical:]usage,usage...]
239 [format=der|pem]
240 [keytype=rsa|dsa]
241 [keylen=key-size]
242 [lifetime=number-hour|number-day|number-year]
243 [eku=[critical:]EKU_name,...]
244
245
246 Generates a self-signed certificate and installs it and its associ‐
247 ated private key to the specified keystore.
248
249 gencert prompts the user to enter a PIN for token-based keystore.
250
251
252 gencsr
253
254 The format for the gencsr subcommand is as follows:
255
256 pktool gencsr [-i] keystore=nss
257 nickname=key-nickname
258 outcsr=csr-fn
259 subject=subject-DN
260 [altname=[critical:]subjectAltName]
261 [keyusage=[critical:]usage,usage...]
262 [token=token[:manuf[:serial]]]
263 [dir=directory-path]
264 [prefix=DBprefix]
265 [keytype=rsa|dsa]
266 [keylen=key-size]
267 [format=pem|der]
268 [eku=[critical:]EKU_name,...]
269
270 pktool gencsr [-i] keystore=pkcs11
271 label=key-label
272 outcsr=csr-fn
273 subject=subject-DN
274 [altname=[critical:]subjectAltName]
275 [keyusage=[critical:]usage,usage...]
276 [token=token[:manuf[:serial]]]
277 [keytype=rsa|dsa]
278 [keylen=key-size]
279 [format=pem|der]
280 [eku=[critical:]EKU_name,...]
281
282 pktool gencsr [-i] keystore=file
283 outcsr=csr-fn
284 outkey=key-fn
285 subject=subject-DN
286 [altname=[critical:]subjectAltName]
287 [keyusage=[critical:]usage,usage...]
288 [dir=directory-path]
289 [keytype=rsa|dsa]
290 [keylen=key-size]
291 [format=pem|der]
292 [eku=[critical:]EKU_name,...]
293
294
295 Creates a PKCS#10 certificate signing request (CSR) file. This CSR
296 can be sent to a Certifying Authority (CA) for signing. The gencsr
297 subcommand prompts the user to enter a PIN for token-based key‐
298 store.
299
300
301 genkey
302
303 The format for the genkey subcommand is as follows:
304
305
306
307 pktool genkey [keystore=pkcs11]
308 label=key-label
309 [keytype=aes|arcfour|des|3des|generic]
310 [keylen=key-size (for aes, arcfour, or \
311 generic keytypes only)]
312 [token=token[:manuf[:serial]]]
313 [sensitive=y|n]
314 [extractable=y|n]
315 [print=y|n]
316
317 pktool genkey keystore=nss
318 label=key-label
319 [keytype=aes|arcfour|des|3des|generic]
320 [keylen=key-size (for aes, arcfour, or \
321 generic keytypes only)]
322 [token=token[:manuf[:serial]]]
323 [dir=directory-path]
324 [prefix=DBprefix]
325
326 pktool genkey keystore=file
327 outkey=key-fn
328 [keytype=aes|arcfour|des|3des|generic]
329 [keylen=key-size (for aes, arcfour, \
330 or generic keytypes only)]
331 [print=y|n]
332
333
334 Generates a symmetric key in the specified keystore. The genkey
335 subcommand prompts the user to enter a PIN for token-based key‐
336 store.
337
338
339 import
340
341 The format for the import subcommand is as follows:
342
343 pktool import [token=token>[:manuf>[:serial>]]]
344 infile=input-fn
345
346 pktool import [keystore=pkcs11]
347 infile=input-fn
348 label=object-label
349 [keytype=aes|arcfour|des|3des|generic]
350 [sensitive=y|n]
351 [extractable=y|n]
352 [token=token[:manuf[:serial]]]
353 [objtype=cert|key]
354
355 pktool import keystore=pkcs11
356 objtype=crl
357 infile=input-fn
358 outcrl=output-crl-fn
359 outformat=pem|der
360
361 pktool import keystore=nss
362 objtype=cert
363 infile=input-fn
364 label=cert-label
365 [token=token[:manuf[:serial]]]
366 [dir=directory-path]
367 [prefix=DBprefix]
368 [trust=trust-value]
369
370 pktool import keystore=nss
371 objtype=crl
372 infile=input-fn
373 [verifycrl=y|n]
374 [token=token[:manuf[:serial]]]
375 [dir=directory-path]
376 [prefix=DBprefix]
377
378 pktool import keystore=file
379 infile=input-fn
380 outkey=output-key-fn
381 outcert=output-key-fn
382 [outformat=pem|der]
383
384 pktool import keystore=file
385 objtype=crl
386 infile=input-fn
387 outcrl=output-crl-fn
388 outformat=pem|der
389
390
391 Loads certificates, keys, or CRLs from the specified input file
392 into the specified keystore.
393
394
395 inittoken
396
397 The format for the inittoken subcommand is as follows:
398
399 pktool inittoken [ slotid=slot number ]
400 [ currlabel=token[:manuf[:serial]]]
401 [ newlabel=new token label ]
402
403
404 This command initializes a PKCS#11 token using C_InitToken API.
405 The preferred method of locating a token is to specify its default
406 label. Optionally, a new label can be assigned to the token by
407 using the newlabel argument. If newlabel is not present, the token
408 label is not modified. The user is prompted to enter the security
409 officer (SO) PIN for this command to proceed.
410
411
412 list
413
414 The format for the list subcommand is as follows:
415
416 pktool list [token=token[:manuf[:serial]]]
417 [objtype=private|public|both]
418 [label=label]
419
420 pktool list [keystore=pkcs11]
421 [objtype=cert[:public | private | both]]
422 [token=token[:manuf[:serial]]]
423 [label=cert-label]
424 [serial=hex-serial-number]
425 [issuer=issuer-DN]
426 [subject=subject-DN]
427
428 pktool list [keystore=pkcs11]
429 objtype=key[:public | private | both]]
430 [token=token[:manuf[:serial]]]
431 [label=key-label]
432
433 pktool list keystore=pkcs11
434 objtype=crl
435 infile=input-fn
436
437 pktool list keystore=nss
438 objtype=cert
439 [subject=subject-DN]
440 [issuer=issuer-DN]
441 [serial=hex-serial-number]
442 [nickname=cert-nickname]
443 [token=token[:manuf[:serial]]]
444 [dir=directory-path]
445 [prefix=DBprefix]
446
447 pktool list keystore=nss
448 objtype=key
449 [token=token[:manuf[:serial]]]
450 [dir=directory-path]
451 [prefix=DBprefix]
452
453 pktool list keystore=file
454 objtype=cert
455 [infile=input-fn]
456 [dir=directory-path]
457 [serial=hex-serial-number]
458 [issuer=issuer-DN]
459 [subject=subject-DN]
460
461 pktool list keystore=file
462 objtype=key
463 [infile=input-fn]
464 [dir=directory-path]
465
466
467 Lists certificates, list keys, or list certificate revocation lists
468 (CRL). When displaying a private certificate or key in PKCS#11
469 token, the user is prompted to authenticate to the PKCS#11 token by
470 entering the correct PIN.
471
472
473 setpin
474
475 The format for the setpin subcommand is as follows:
476
477 pktool setpin keystore=nss
478 [token=token]
479 [dir=directory-path]
480 [prefix=DBprefix]
481
482 pktool setpin [ keystore=pkcs11]
483 [token=token[:manuf[:serial]]]
484 [usertype=user | so]
485
486
487 Changes the passphrase used to authenticate a user to the PKCS#11
488 or NSS token. Passphrases can be any string of characters with
489 lengths between 1 and 256 with no nulls.
490
491 setpin prompts the user for the old passphrase, if any. If the old
492 passphrase matches, pktool prompts for the new passphrase twice. If
493 the two entries of the new passphrases match, it becomes the cur‐
494 rent passphrase for the token.
495
496 For the Sun Software PKCS#11 softtoken keystore (default), the user
497 must use the setpin command with the default passphrase changeme as
498 the old passphrase to change the passphrase of the object store.
499 This action is needed to initialize and set the passphrase to a
500 newly created token object store.
501
502 If the usertype=so option is specified for PKCS#11 based tokens,
503 the Security Officer (SO) user PIN is changed as opposed to the
504 normal user PIN. By default the usertype is assumed to be user.
505
506
507 signcsr
508
509 The format for the signcsr subcommand is as follows:
510
511 signcsr keystore=pkcs11
512 signkey=label (label of key to use for signing)
513 csr=CSR_filename
514 serial=serial_number_hex_string_for_final_certificate
515 outcert=filename_for_final_certificate
516 issuer=issuer-DN
517 [store=y|n] (store the new cert in NSS DB, default=n)
518 [outlabel=certificate label]
519 [format=pem|der] (certificate output format)
520 [subject=subject-DN] (override the CSR subject name)
521 [altname=subjectAltName] (add subjectAltName )
522 [keyusage=[critical:]usage,...] (add key usage bits)
523 [eku=[critical:]EKU_Name,...] (add Extended Key Usage )
524 [lifetime=number-hour|number-day|number-year]
525 [token=token[:manuf[:serial]]]
526 signcsr keystore=file
527 signkey=filename
528 csr=CSR_filename
529 serial=serial_number_hex_string_for_final_certificate
530 outcert=filename_for_final_certificate
531 issuer=issuer-DN
532 [format=pem|der] (certificate output format)
533 [subject=subject-DN] (override the CSR subject name)
534 [altname=subjectAltName] (add a subjectAltName)
535 [keyusage=[critical:]usage,...] (add key usage bits)
536 [lifetime=number-hour|number-day|number-year]
537 [eku=[critical:]EKU_ Name,...] (add Extended Key Usage)
538 signcsr keystore=nss
539 signkey=label (label of key to use for signing)
540 csr=CSR_filename
541 serial=serial_number_hex_string_for_final_certificate
542 outcert=filename_for_final_certificate
543 issuer=issuer-DN
544 [store=y|n] (store the new cert in NSS DB, default=n)
545 [outlabel=certificate label]
546 [format=pem|der] (certificate output format)
547 [subject=subject-DN] (override the CSR subject name)
548 [altname=subjectAltName] (add a subjectAltName)
549 [keyusage=[critical:]usage,...] (add key usage bits)
550 [eku=[critical:]EKU_Name,...] (add Extended Key Usage)
551 [lifetime=number-hour|number-day|number-year]
552 [token=token[:manuf[:serial]]]
553 [dir=directory-path]
554 [prefix=DBprefix]
555
556
557
558
559 tokens
560
561 The format for the tokens subcommand is as follows:
562
563 pktool tokens
564
565
566 The tokens subcommand lists all visible PKCS#11 tokens.
567
568
569 -?
570
571 The format for the subcommand is as follows:
572
573 pktool -?
574 pktool --help
575
576
577 The -? option displays usage and help information. --help is a syn‐
578 onym for -?.
579
580
582 The pktool subcommands support the following options:
583
584 altname=[critical:]subjectAltName
585
586 Subject Alternative Names the certificate. The argument that fol‐
587 lows the -A option should be in the form of tag=value. Valid tags
588 are IP, DNS, EMAIL, URI, DN, KRB, UPN, and RID. The SubjectAltName
589 extension is marked as critical if the altname string is pre-
590 peneded with the
591
592 Example 1: Add an IP address to the subjectAltName extension. alt‐
593 name="IP=1.2.3.4" Example 2: Add an email address to the subjec‐
594 tAltName extension, and mark it as being critical. altname="criti‐
595 cal:EMAIL=first.last@company.com"
596
597
598 currlabel=token label
599
600 This option is only used by the inittoken command. This is used
601 to locate the default token that is being initialized. See the
602 token option for details about the format of the token name to be
603 used.
604
605
606 dir=directory_path
607
608 Specifies the NSS database directory, or OpenSSL keystore directory
609 where the requested object is stored.
610
611
612 eku=[critical:]EKU_Name,[critical:]EKU_Name, ...]
613
614 Specifies the extended key usage X.509v3 extension values to add to
615 the certificate or certificate request.
616
617 Specify EKU_Name as one of the following: serverAuth, clientAuth,
618 codeSigning, emailProtection, ipsecEndSystem, ipsecTunnel, ipse‐
619 cUser, timeStamping, OCSPSigning, KPClientAuth, KPKdc, or scLogon.
620
621 An example is:
622
623 eku=KPClientAuth,clientAuth
624
625
626
627
628 extractable=y | n
629
630 Specifies the resulting symmetric key in the PKCS#11 token is
631 extractable or not extractable. The valid values are: y and n. The
632 default value is y.
633
634
635 format=pem | der | pkcs12
636
637 For the gencert subcommand, this option only applies to the file
638 based keystore such as OpenSSL. It is used to specify the output
639 format of the key or certificate file to be created. The valid for‐
640 mats are: pem or der. The default format is pem.
641
642 For the gencsr subcommand, this option specifies the output encoded
643 format of the CSR file. The valid formats are: pem or der. The
644 default format is pem.
645
646
647 infile=input-fn
648
649 Specifies the certificate filename for list and delete subcommands
650 when objtype=cert and keystore=file. For the import subcommand,
651 this option specifies the filename to be imported. Specifies the
652 input CRL filename for list, delete and import subcommands when
653 objtype=crl.
654
655
656 issuer=issuer-DN
657
658 Specifies the issuer of a certificate.
659
660
661 keylen=key-size
662
663 Specifies the size (bits) of the private or symmetric key to gener‐
664 ate.
665
666 For the gencert and gencsr subcommands, the default key length is
667 1024 bits.
668
669 For the genkey subcommand, the minimum and maximum bits of the sym‐
670 metric key to generate using AES algorithm are 128 and 256. Using
671 the ARCFOUR algorithm, the minimum and maximum bits are 8 and 2048.
672 The minimum bits for a generic secret key is 8 and the maximum bits
673 is arbitrary. The default key length for the AES, ARCFOUR or
674 generic secret keys is 128. For a DES key or a 3DES key, the key
675 length is fixed and this option is ignored if specified.
676
677
678 keystore=nss | pkcs11 | file
679
680 Specifies the type of the underlying keystore: NSS token, PKCS#11
681 token, or file-based plugin.
682
683
684 keytype=rsa | dsa | aes | arcfour | des | 3des | generic
685
686 Specifies the type of the private or symmetric key to generate.
687
688 For the gencert and gencsr subcommands, the valid private key types
689 are: rsa, or dsa. The default key type is rsa.
690
691 For the genkey subcommand, the valid symmetric key types are: aes,
692 arcfour, des, 3des, or generic. The default key type is aes.
693
694 keyusage=[critical:]usage,usage,usage,...
695
696
697
698 Key Usage strings:
699 * digitalSignature
700 * nonRepudiation
701 * keyEncipherment
702 * dataEncipherment
703 * keyAgreement
704 * keyCertSign
705 * cRLSign
706 * encipherOnly
707 * decipherOnly
708
709
710 Example 1: Set the KeyUsage so that the cert (or csr) can be used
711 for signing and verifying data other than certificates or CRLs
712 (digitalSignature) and also can be used for encrypting and decrypt‐
713 ing data other than cryptographic keys (dataEncipherment).
714 keyusage=digitalSignature,dataEncipherment
715
716 Example 2: The same as above (Example 1), but with the critical bit
717 set. keyusage=critical:digitalSignature,dataEncipherment
718
719
720 label=key-label | cert-label
721
722 For the gencert subcommand, this option specifies the label of the
723 private key and self-signed certificate in the PKCS#11 token.
724
725 For the gencsr subcommand, this option specifies the label of the
726 private key in the PKCS#11 token.
727
728 For the list subcommand, this option specifies the label of the
729 X.509 Certificate (when objtype=key) or the private key (when obj‐
730 type=cert) in the PKCS#11 token to refine the list.
731
732 For the delete subcommand, this option specifies the label of the
733 X.509 Certificate (when objtype=key) or the private key (when obj‐
734 type=cert) to delete a designated object from the PKCS#11 token.
735
736
737 lifetime=number-hour|number-day|number-year
738
739 Specifies the validity period a certificate is valid. The certifi‐
740 cate life time can be specified by number-hour, number-day, or num‐
741 ber-year. Only one format can be specified. The default is 1-year.
742 Examples of this option might be: lifetime=1-hour, lifetime=2-day,
743 lifetime=3-year
744
745
746 newlabel=token label
747
748 This option is only used by the inittoken command. This is used
749 to change the label assigned to the token that is being initial‐
750 ized. See the token option for details about the format of the
751 token name to be used.
752
753
754 nickname=cert-nickname
755
756 For the gencert subcommand, this option is required to specify the
757 certificate's nickname for NSS keystore.
758
759 For the list subcommand, this option specifies the nickname of the
760 certificate in the NSS token to display its content. For the delete
761 subcommand, to delete a CRL from the NSS token, this option is used
762 to specify the nickname of the issuer's certificate. For the delete
763 subcommand, to delete a certificate from the NSS token, this option
764 specifies the nickname of the certificate. For the import subcom‐
765 mand, to import a specified input file to the NSS token, this
766 option is required to specify the nickname of the resulting cer‐
767 tificate.
768
769
770 objtype=cert | key | crl
771
772 Specifies the class of the object: cert, key, or crl. For the down‐
773 load subcommand, if this option is not specified, default to crl.
774
775
776 objtype=public | private | both
777
778 Specifies the type of object: private object, public object, or
779 both. This option only applies to list and delete subcommands for
780 the PKCS#11 token when objtype=key is specified. The default value
781 is public.
782
783 For the list subcommand, the label option can be combined with this
784 option to further refine the list of keys. For the delete subcom‐
785 mand, this option can used to narrow the keys to be deleted to only
786 public, or private ones. Alternately, the label option can be omit‐
787 ted to indicate that all public, private, or both type of keys are
788 to be deleted.The use of public, private and both as choices for
789 the objtype parameter are only applicable with the PKCS#11 keystore
790 in order to maintain compatibility with earlier versions of the
791 pktool command.
792
793
794 outcert=cert-fn
795
796 Specifies the output certificate filename to write to. This option
797 is required for the file based plugin such as OpenSSL. Option out‐
798 key=key-fn is required with this option.
799
800
801 outcrl=output-crl-fn
802
803 Specifies the output CRL filename to write to.
804
805
806 outcsr=csr-fn
807
808 Specifies the output CSR filename to write to.
809
810
811 outfile=output-fn
812
813 For the export subcommand, this option specifies the output file‐
814 name to be created. For the import subcommand, this option speci‐
815 fies the output filename of the certificate or CRL. It only applies
816 to the file based plugin such as OpenSSL. For the download subcom‐
817 mand, if this option is not specified, the downloaded file name is
818 the basename of the URL string.
819
820
821 outformat=pem | der | pkcs12
822
823 For the import subcommand, this option specifies the output format
824 of the certificate or key that is extracted from a specified
825 PKCS#12 file into the file based plugin, The valid values are: pem
826 or der. The default is pem. When importing a CRL to the CRL file
827 based keystore, this option specifies the output format of the CRL.
828 The valid values are: pem or der. The default is der. For the
829 export subcommand, this option specifies the format of the speci‐
830 fied output file to be created. The supported formats are: pem, der
831 or pkcs12. The default is pkcs12.
832
833
834 outkey=key-fn
835
836 Specifies the output private key filename to which to write. This
837 option is only required when using the files keystore.
838
839
840 prefix=DBprefix
841
842 Specifies the NSS database prefix. This option only applies to the
843 NSS token.
844
845
846 print=y | n
847
848 This option is used in the genkey subcommand and it applies to the
849 PKCS11 and File-based keystores. If print=y, the genkey subcommand
850 prints out the key value of the generated key in a single line of
851 hex. The default value is n. For the PKCS11 keystore, if a symmet‐
852 ric key is created with sensitive=y or extractable=n, the key value
853 is not displayed, even the print option is set to y. The key is
854 still created, but a warning like cannot reveal the key value is
855 issued.
856
857
858 sensitive=y | n
859
860 Specifies the resulting symmetric key in the PKCS#11 token is sen‐
861 sitive or not sensitive. The valid values are: y and n. The default
862 value is n.
863
864
865 serial=hex-serial-number
866
867 Specifies a unique serial number for a certificate. The serial num‐
868 ber must be specified as a hex value. Example:
869 0x0102030405060708090a0b0c0d0e0f
870
871
872 subject=subject-DN
873
874 Specifies a particular certificate owner for a certificate or cer‐
875 tificate request. An example subject= setting might be:
876
877 subject=O=Sun Microsystems Inc., \
878 OU=Solaris Security Technologies Group, \
879 L=Ashburn, ST=VA, C=US, CN=John Smith
880
881
882
883
884 token=token[:manuf[:serial]]
885
886 When a token label contains trailing spaces, this option does not
887 require them to be typed as a convenience to the user.
888
889 Colon separate token identification string token:manuf:serial. If
890 any of the parts have a literal : char then it needs to be escaped
891 using a backslash (\). If no : is found then the entire string (up
892 to 32 chars) is taken as the token label. If only one : is found
893 then the string is the token label and the manufacturer. When key‐
894 store=nss is specified, default to NSS internal token if this
895 option is not specified. When keystore=pkcs11 is specified, default
896 to pkcs11_softtoken if this option is not specified.
897
898
899 trust=trust-value
900
901 Specifies the certificate trust attributes. This is only for NSS
902 certificates and that the standard NSS syntax applies.
903
904
905 usertype=user | so
906
907 Specifies the type of user for which the setpin command is being
908 performed. The default is for a standard user, but so can be
909 specified in order to set the PIN for the security officer of the
910 token.
911
912
913 url=url_string
914
915 Specifies the URL to download a CRL or a certificate file.
916
917
918 verifycrl=y | n
919
920 When importing a CRL to NSS keystore, this option specifies whether
921 the CRL verification is performed. The valid values are: y and n.
922 The default value is n.
923
924
925 http_proxy=proxy_str
926
927 Specifies the proxy server hostname and port number. The format can
928 be either http://hostname[:port] or hostname[:port]. If this option
929 is not specified, the download subcommand checks the http_proxy
930 environment variable. The command line option has a higher priority
931 than the environment variable.
932
933
935 Example 1 Generating a Self-Signed Certificate
936
937
938 The following example creates the certificate and stores it in the key‐
939 store indicated in the command:
940
941
942 $ pktool gencert keystore=nss nickname=WebServerCert \
943 subject="O=Sun Microsystems Inc., OU=Solaris Security Technologies Group, \
944 L=Ashburn, ST=VA, C=US, CN=John Smith" dir=/etc/certs \
945 keytype=rsa keylen=2048
946
947
948
949 Example 2 Generating a Certificate Signing Request
950
951
952 The following example creates the CSR and stores it in the keystore
953 indicated in the command:
954
955
956 $ pktool gencsr keystore=nss subject="O=Sun Microsystems Inc., \
957 OU=Solaris Security Technologies Group, L=Ashburn, ST=VA, C=US, \
958 CN=John Smith" keytype=rsa keylen=2048 outcsr=csr.dat
959
960
961
962 Example 3 Importing a Certificate
963
964
965 The following example imports a certificate object from the specified
966 input file into the keystore indicated in the command:
967
968
969 $ pktool import keystore=nss objtype=cert infile=mycert.pem \
970 nickname=mycert
971
972
973
975 The following exit values are returned:
976
977 0 Successful completion.
978
979
980 >0 An error occurred.
981
982
984 See attributes(5) for descriptions of the following attributes:
985
986
987
988
989 ┌─────────────────────────────┬─────────────────────────────┐
990 │ ATTRIBUTE TYPE │ ATTRIBUTE VALUE │
991 ├─────────────────────────────┼─────────────────────────────┤
992 │Availability │SUNWcsu │
993 ├─────────────────────────────┼─────────────────────────────┤
994 │Interface Stability │Committed │
995 └─────────────────────────────┴─────────────────────────────┘
996
998 attributes(5), pkcs11_softtoken(5)
999
1000
1001 RSA PKCS#11 v2.11 http://www.rsasecurity.com
1002
1003
1004 RSA PKCS#12 v1.0 http://www.rsasecurity.com
1005
1006
1007
1008SunOS 5.11 23 Mar 2009 pktool(1)