1CRLUTIL(1)                    NSS Security Tools                    CRLUTIL(1)
2
3
4

NAME

6       crlutil - List, generate, modify, or delete CRLs within the NSS
7       security database file(s) and list, create, modify or delete
8       certificates entries in a particular CRL.
9

SYNOPSIS

11       crlutil [options] [[arguments]]
12

STATUS

14       This documentation is still work in progress. Please contribute to the
15       initial review in Mozilla NSS bug 836477[1]
16

DESCRIPTION

18       The Certificate Revocation List (CRL) Management Tool, crlutil, is a
19       command-line utility that can list, generate, modify, or delete CRLs
20       within the NSS security database file(s) and list, create, modify or
21       delete certificates entries in a particular CRL.
22
23       The key and certificate management process generally begins with
24       creating keys in the key database, then generating and managing
25       certificates in the certificate database(see certutil tool) and
26       continues with certificates expiration or revocation.
27
28       This document discusses certificate revocation list management. For
29       information on security module database management, see Using the
30       Security Module Database Tool. For information on certificate and key
31       database management, see Using the Certificate Database Tool.
32
33       To run the Certificate Revocation List Management Tool, type the
34       command
35
36       crlutil option [arguments]
37
38       where options and arguments are combinations of the options and
39       arguments listed in the following section. Each command takes one
40       option. Each option may take zero or more arguments. To see a usage
41       string, issue the command without options, or with the -H option.
42

OPTIONS AND ARGUMENTS

44       Options
45
46       Options specify an action. Option arguments modify an action. The
47       options and arguments for the crlutil command are defined as follows:
48
49       -D
50           Delete Certificate Revocation List from cert database.
51
52       -E
53           Erase all CRLs of specified type from the cert database
54
55       -G
56           Create new Certificate Revocation List (CRL).
57
58       -I
59           Import a CRL to the cert database
60
61       -L
62           List existing CRL located in cert database file.
63
64       -M
65           Modify existing CRL which can be located in cert db or in arbitrary
66           file. If located in file it should be encoded in ASN.1 encode
67           format.
68
69       -S
70           Show contents of a CRL file which isn't stored in the database.
71
72       Arguments
73
74       Option arguments modify an action.
75
76       -a
77           Use ASCII format or allow the use of ASCII format for input and
78           output. This formatting follows RFC #1113.
79
80       -B
81           Bypass CA signature checks.
82
83       -c crl-gen-file
84           Specify script file that will be used to control crl
85           generation/modification. See crl-cript-file format below. If
86           options -M|-G is used and -c crl-script-file is not specified,
87           crlutil will read script data from standard input.
88
89       -d directory
90           Specify the database directory containing the certificate and key
91           database files. On Unix the Certificate Database Tool defaults to
92           $HOME/.netscape (that is, ~/.netscape). On Windows NT the default
93           is the current directory.
94
95           The NSS database files must reside in the same directory.
96
97       -f password-file
98           Specify a file that will automatically supply the password to
99           include in a certificate or to access a certificate database. This
100           is a plain-text file containing one password. Be sure to prevent
101           unauthorized access to this file.
102
103       -i crl-file
104           Specify the file which contains the CRL to import or show.
105
106       -l algorithm-name
107           Specify a specific signature algorithm. List of possible
108           algorithms: MD2 | MD4 | MD5 | SHA1 | SHA256 | SHA384 | SHA512
109
110       -n nickname
111           Specify the nickname of a certificate or key to list, create, add
112           to a database, modify, or validate. Bracket the nickname string
113           with quotation marks if it contains spaces.
114
115       -o output-file
116           Specify the output file name for new CRL. Bracket the output-file
117           string with quotation marks if it contains spaces. If this argument
118           is not used the output destination defaults to standard output.
119
120       -P dbprefix
121           Specify the prefix used on the NSS security database files (for
122           example, my_cert8.db and my_key3.db). This option is provided as a
123           special case. Changing the names of the certificate and key
124           databases is not recommended.
125
126       -t crl-type
127           Specify type of CRL. possible types are: 0 - SEC_KRL_TYPE, 1 -
128           SEC_CRL_TYPE. This option is obsolete
129
130       -u url
131           Specify the url.
132
133       -w pwd-string
134           Provide db password in command line.
135
136       -Z algorithm
137           Specify the hash algorithm to use for signing the CRL.
138

CRL GENERATION SCRIPT SYNTAX

140       CRL generation script file has the following syntax:
141
142       * Line with comments should have # as a first symbol of a line
143
144       * Set "this update" or "next update" CRL fields:
145
146       update=YYYYMMDDhhmmssZ nextupdate=YYYYMMDDhhmmssZ
147
148       Field "next update" is optional. Time should be in GeneralizedTime
149       format (YYYYMMDDhhmmssZ). For example: 20050204153000Z
150
151       * Add an extension to a CRL or a crl certificate entry:
152
153       addext extension-name critical/non-critical [arg1[arg2 ...]]
154
155       Where:
156
157       extension-name: string value of a name of known extensions.
158       critical/non-critical: is 1 when extension is critical and 0 otherwise.
159       arg1, arg2: specific to extension type extension parameters
160
161       addext uses the range that was set earlier by addcert and will install
162       an extension to every cert entries within the range.
163
164       * Add certificate entries(s) to CRL:
165
166       addcert range date
167
168       range: two integer values separated by dash: range of certificates that
169       will be added by this command. dash is used as a delimiter. Only one
170       cert will be added if there is no delimiter. date: revocation date of a
171       cert. Date should be represented in GeneralizedTime format
172       (YYYYMMDDhhmmssZ).
173
174       * Remove certificate entry(s) from CRL
175
176       rmcert range
177
178       Where:
179
180       range: two integer values separated by dash: range of certificates that
181       will be added by this command. dash is used as a delimiter. Only one
182       cert will be added if there is no delimiter.
183
184       * Change range of certificate entry(s) in CRL
185
186       range new-range
187
188       Where:
189
190       new-range: two integer values separated by dash: range of certificates
191       that will be added by this command. dash is used as a delimiter. Only
192       one cert will be added if there is no delimiter.
193
194       Implemented Extensions
195
196       The extensions defined for CRL provide methods for associating
197       additional attributes with CRLs of theirs entries. For more information
198       see RFC #3280
199
200       * Add The Authority Key Identifier extension:
201
202       The authority key identifier extension provides a means of identifying
203       the public key corresponding to the private key used to sign a CRL.
204
205       authKeyId critical [key-id | dn cert-serial]
206
207       Where:
208
209       authKeyIdent: identifies the name of an extension critical: value of 1
210       of 0. Should be set to 1 if this extension is critical or 0 otherwise.
211       key-id: key identifier represented in octet string. dn:: is a CA
212       distinguished name cert-serial: authority certificate serial number.
213
214       * Add Issuer Alternative Name extension:
215
216       The issuer alternative names extension allows additional identities to
217       be associated with the issuer of the CRL. Defined options include an
218       rfc822 name (electronic mail address), a DNS name, an IP address, and a
219       URI.
220
221       issuerAltNames non-critical name-list
222
223       Where:
224
225       subjAltNames: identifies the name of an extension should be set to 0
226       since this is non-critical extension name-list: comma separated list of
227       names
228
229       * Add CRL Number extension:
230
231       The CRL number is a non-critical CRL extension which conveys a
232       monotonically increasing sequence number for a given CRL scope and CRL
233       issuer. This extension allows users to easily determine when a
234       particular CRL supersedes another CRL
235
236       crlNumber non-critical number
237
238       Where:
239
240       crlNumber: identifies the name of an extension critical: should be set
241       to 0 since this is non-critical extension number: value of long which
242       identifies the sequential number of a CRL.
243
244       * Add Revocation Reason Code extension:
245
246       The reasonCode is a non-critical CRL entry extension that identifies
247       the reason for the certificate revocation.
248
249       reasonCode non-critical code
250
251       Where:
252
253       reasonCode: identifies the name of an extension non-critical: should be
254       set to 0 since this is non-critical extension code: the following codes
255       are available:
256
257       unspecified (0), keyCompromise (1), cACompromise (2),
258       affiliationChanged (3), superseded (4), cessationOfOperation (5),
259       certificateHold (6), removeFromCRL (8), privilegeWithdrawn (9),
260       aACompromise (10)
261
262       * Add Invalidity Date extension:
263
264       The invalidity date is a non-critical CRL entry extension that provides
265       the date on which it is known or suspected that the private key was
266       compromised or that the certificate otherwise became invalid.
267
268       invalidityDate non-critical date
269
270       Where:
271
272       crlNumber: identifies the name of an extension non-critical: should be
273       set to 0 since this is non-critical extension date: invalidity date of
274       a cert. Date should be represented in GeneralizedTime format
275       (YYYYMMDDhhmmssZ).
276

USAGE

278       The Certificate Revocation List Management Tool's capabilities are
279       grouped as follows, using these combinations of options and arguments.
280       Options and arguments in square brackets are optional, those without
281       square brackets are required.
282
283       See "Implemented extensions" for more information regarding extensions
284       and their parameters.
285
286       * Creating or modifying a CRL:
287
288           crlutil -G|-M -c crl-gen-file -n nickname [-i crl] [-u url] [-d keydir] [-P dbprefix] [-l alg] [-a] [-B]
289
290
291       * Listing all CRls or a named CRL:
292
293                crlutil -L [-n crl-name] [-d krydir]
294
295
296       * Deleting CRL from db:
297
298                crlutil -D -n nickname [-d keydir] [-P dbprefix]
299
300
301       * Erasing CRLs from db:
302
303                crlutil -E [-d keydir] [-P dbprefix]
304
305
306       * Deleting CRL from db:
307
308                     crlutil -D -n nickname [-d keydir] [-P dbprefix]
309
310
311       * Erasing CRLs from db:
312
313                     crlutil -E [-d keydir] [-P dbprefix]
314
315
316       * Import CRL from file:
317
318                     crlutil -I -i crl [-t crlType] [-u url] [-d keydir] [-P dbprefix] [-B]
319
320

SEE ALSO

322       certutil(1)
323

ADDITIONAL RESOURCES

325       For information about NSS and other tools related to NSS (like JSS),
326       check out the NSS project wiki at
327       http://www.mozilla.org/projects/security/pki/nss/. The NSS site relates
328       directly to NSS code changes and releases.
329
330       Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto
331
332       IRC: Freenode at #dogtag-pki
333

AUTHORS

335       The NSS tools were written and maintained by developers with Netscape,
336       Red Hat, Sun, Oracle, Mozilla, and Google.
337
338       Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey
339       <dlackey@redhat.com>.
340

LICENSE

342       Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL
343       was not distributed with this file, You can obtain one at
344       http://mozilla.org/MPL/2.0/.
345

NOTES

347        1. Mozilla NSS bug 836477
348           https://bugzilla.mozilla.org/show_bug.cgi?id=836477
349
350
351
352nss-tools 3.44.0                  Nov 13 2013                       CRLUTIL(1)
Impressum