PKCS10Client(1)    PKI PKCS10Client certificate request tool    PKCS10Client(1)

PKCS10Client - Used to generate a 1024-bit RSA key pair in the security
database.

Usage: PKCS10Client -d <location of certdb> -h <token name> -p <token
password> -a <algorithm: 'rsa' or 'ec'> -l <rsa key length> -c <ec
curve name> -o <output file which saves the base64 PKCS10> -n <subjectDN>

Available ECC curve names (if provided by the crypto module): nistp256
(secp256r1), nistp384 (secp384r1), nistp521 (secp521r1), nistk163
(sect163k1), sect163r1, nistb163 (sect163r2), sect193r1, sect193r2,
nistk233 (sect233k1), nistb233 (sect233r1), sect239k1, nistk283
(sect283k1), nistb283 (sect283r1), nistk409 (sect409k1), nistb409
(sect409r1), nistk571 (sect571k1), nistb571 (sect571r1), secp160k1,
secp160r1, secp160r2, secp192k1, nistp192 (secp192r1, prime192v1),
secp224k1, nistp224 (secp224r1), secp256k1, prime192v2, prime192v3,
prime239v1, prime239v2, prime239v3, c2pnb163v1, c2pnb163v2, c2pnb163v3,
c2pnb176v1, c2tnb191v1, c2tnb191v2, c2tnb191v3, c2pnb208w1, c2tnb239v1,
c2tnb239v2, c2tnb239v3, c2pnb272w1, c2pnb304w1, c2tnb359w1, c2pnb368w1,
c2tnb431r1, secp112r1, secp112r2, secp128r1, secp128r2, sect113r1,
sect113r2, sect131r1, sect131r2

To get a certificate from the CA, the certificate request needs to be
submitted to and approved by a CA agent. Once approved, a certificate
is created for the request, and certificate attributes, such as
extensions, are populated according to certificate profiles.

Optionally, for ECC key generation per definition in JSS
pkcs11.PK11KeyPairGenerator.

The PKCS #10 utility, PKCS10Client, generates a 1024-bit RSA key pair
in the security database, constructs a PKCS #10 certificate request with
the public key, and outputs the request to a file.

PKCS #10 is a certification request syntax standard defined by RSA. A
CA may support multiple types of certificate requests. The Certificate
System CA supports KEYGEN, PKCS #10, CRMF, and CMC.

PKCS10Client parameters:

-d <directory_of_NSS_security_database>
    The directory containing the cert8.db, key3.db, and secmod.db
    files. This is usually the client's personal directory.

-h <token_name>
    Name of the token. The default is 'internal'.

-p <token_passwd>
    The password to the token.

-a <algorithm: 'rsa' or 'ec'>
    The algorithm type, either 'rsa' or 'ec'. The default is 'rsa'.

-c <curve_name>
    Elliptic curve cryptography curve name.

-o <output_file>
    Sets the path and filename to output the new PKCS #10 certificate
    request in base64 format.

-n <subject_DN>
    Gives the subject DN of the certificate.

-k <true for enabling encoding of attribute values; false for default
encoding of attribute values; default is false>

-t <true for temporary(session); false for permanent(token); default is
false>

-s <1 for sensitive; 0 for non-sensitive; -1 temporaryPairMode dependent;
default is -1>

-e <1 for extractable; 0 for non-extractable; -1 token dependent;
default is -1>

-x <true for SSL cert that does ECDH ECDSA; false otherwise;
default false>

-y <true for adding SubjectKeyIdentifier extension for self-signed
CMC Shared Secret requests; false otherwise; default false>
    To be used with "request.useSharedSecret=true" when running
    CMCRequest.
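
The key-generation options above (-a, -l, -c, -t, -s, -e) can be pinned by a small wrapper so that weak parameters are refused before any key is created. This is an added example, not part of PKCS10Client or its documentation; the function name, the PKCS10_BIN and TOKEN_PASSWORD variables, the 2048-bit minimum and the three-curve allow-list are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not part of PKCS10Client. Assumed policy: RSA >= 2048 bits,
# EC limited to three curves from the list above. PKCS10_BIN and
# TOKEN_PASSWORD are hypothetical variable names.
MIN_RSA_BITS=2048
ALLOWED_CURVES="nistp256 nistp384 nistp521"

# pkcs10_request <certdb dir> <rsa|ec> <key length|curve> <output file> <subject DN>
# Returns 1 without calling the tool when the key parameters fail the policy.
pkcs10_request() {
    db=$1 alg=$2 param=$3 out=$4 dn=$5
    if [ -z "${TOKEN_PASSWORD:-}" ]; then
        echo "TOKEN_PASSWORD is not set" >&2; return 1
    fi
    case $alg in
    rsa)
        case $param in
        ''|*[!0-9]*) echo "RSA key length must be a number" >&2; return 1 ;;
        esac
        if [ "$param" -lt "$MIN_RSA_BITS" ]; then
            echo "RSA key length $param is below $MIN_RSA_BITS" >&2; return 1
        fi
        set -- -a rsa -l "$param" ;;
    ec)
        allowed=0
        for c in $ALLOWED_CURVES; do
            if [ "$c" = "$param" ]; then allowed=1; fi
        done
        if [ "$allowed" -ne 1 ]; then
            echo "curve '$param' is not on the allow-list" >&2; return 1
        fi
        set -- -a ec -c "$param" ;;
    *)
        echo "algorithm must be 'rsa' or 'ec'" >&2; return 1 ;;
    esac
    # -t false: permanent (token) key; -s 1: sensitive; -e 0: non-extractable.
    "${PKCS10_BIN:-PKCS10Client}" -d "$db" -h internal -p "$TOKEN_PASSWORD" \
        "$@" -t false -s 1 -e 0 -o "$out" -n "$dn"
}
```

Because the tool takes the token password with -p, the password is present in the process argument list while the command runs.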

Amol Kahat <akahat@redhat.com>.

Copyright (c) 2017 Red Hat, Inc. This is licensed under the GNU
General Public License, version 2 (GPLv2). A copy of this
license is available at http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.

version 10.4    April 28, 2017    PKCS10Client(1)