CRLUTIL(1)                    NSS Security Tools                    CRLUTIL(1)

NAME

       crlutil - List, generate, modify, or delete CRLs within the NSS
       security database file(s) and list, create, modify or delete
       certificate entries in a particular CRL.


SYNOPSIS

       crlutil [options] [[arguments]]


STATUS

       This documentation is still work in progress. Please contribute to the
       initial review in Mozilla NSS bug 836477[1].


DESCRIPTION

       The Certificate Revocation List (CRL) Management Tool, crlutil, is a
       command-line utility that can list, generate, modify, or delete CRLs
       within the NSS security database file(s) and list, create, modify or
       delete certificate entries in a particular CRL.

       The key and certificate management process generally begins with
       creating keys in the key database, then generating and managing
       certificates in the certificate database (see the certutil tool) and
       continues with certificate expiration or revocation.

       This document discusses certificate revocation list management. For
       information on security module database management, see Using the
       Security Module Database Tool. For information on certificate and key
       database management, see Using the Certificate Database Tool.

       To run the Certificate Revocation List Management Tool, type the
       command

       crlutil option [arguments]

       where options and arguments are combinations of the options and
       arguments listed in the following section. Each command takes one
       option. Each option may take zero or more arguments. To see a usage
       string, issue the command without options, or with the -H option.


OPTIONS AND ARGUMENTS

       Options

       Options specify an action. Option arguments modify an action. The
       options and arguments for the crlutil command are defined as follows:

       -D
           Delete a Certificate Revocation List from the cert database.

       -E
           Erase all CRLs of the specified type from the cert database.

       -G
           Create a new Certificate Revocation List (CRL).

       -I
           Import a CRL into the cert database.

       -L
           List the existing CRLs located in the cert database file.

       -M
           Modify an existing CRL, which can be located in the cert db or in
           an arbitrary file. If located in a file, it must be in ASN.1
           encoded format.

       -S
           Show the contents of a CRL file which isn't stored in the database.

       Arguments

       Option arguments modify an action.

       -a
           Use ASCII format or allow the use of ASCII format for input and
           output. This formatting follows RFC #1113.

       -B
           Bypass CA signature checks.

       -c crl-gen-file
           Specify the script file that will be used to control CRL
           generation/modification. See the CRL generation script syntax
           below. If option -M or -G is used and -c crl-gen-file is not
           specified, crlutil reads the script data from standard input.

       -d directory
           Specify the database directory containing the certificate and key
           database files. On Unix the Certificate Database Tool defaults to
           $HOME/.netscape (that is, ~/.netscape). On Windows NT the default
           is the current directory.

           The NSS database files must reside in the same directory.

       -f password-file
           Specify a file that will automatically supply the password to
           include in a certificate or to access a certificate database. This
           is a plain-text file containing one password. Be sure to prevent
           unauthorized access to this file.

       -i crl-file
           Specify the file which contains the CRL to import or show.

       -l algorithm-name
           Specify a specific signature algorithm. List of possible
           algorithms: MD2 | MD4 | MD5 | SHA1 | SHA256 | SHA384 | SHA512

       -n nickname
           Specify the nickname of a certificate or key to list, create, add
           to a database, modify, or validate. Bracket the nickname string
           with quotation marks if it contains spaces.

       -o output-file
           Specify the output file name for the new CRL. Bracket the
           output-file string with quotation marks if it contains spaces. If
           this argument is not used, the output destination defaults to
           standard output.

       -P dbprefix
           Specify the prefix used on the NSS security database files (for
           example, my_cert8.db and my_key3.db). This option is provided as a
           special case. Changing the names of the certificate and key
           databases is not recommended.

       -t crl-type
           Specify the type of CRL. Possible types are: 0 - SEC_KRL_TYPE, 1 -
           SEC_CRL_TYPE. This option is obsolete.

       -u url
           Specify the URL.

       -w pwd-string
           Provide the db password on the command line.

       -Z algorithm
           Specify the hash algorithm to use for signing the CRL.


CRL GENERATION SCRIPT SYNTAX

       The CRL generation script file has the following syntax:

       * Lines with comments must have # as the first symbol of the line.

       * Set the "this update" or "next update" CRL fields:

       update=YYYYMMDDhhmmssZ nextupdate=YYYYMMDDhhmmssZ

       The "next update" field is optional. Time must be in GeneralizedTime
       format (YYYYMMDDhhmmssZ). For example: 20050204153000Z

       * Add an extension to a CRL or to a CRL certificate entry:

       addext extension-name critical/non-critical [arg1[arg2 ...]]

       Where:

       extension-name: string value of the name of a known extension.
       critical/non-critical: is 1 when the extension is critical and 0 otherwise.
       arg1, arg2: extension parameters specific to the extension type.

       addext uses the range that was set earlier by addcert and will install
       the extension in every cert entry within that range.

       * Add certificate entry(s) to the CRL:

       addcert range date

       range: two integer values separated by a dash: the range of certificate
       serial numbers that will be added by this command. The dash is used as
       a delimiter. Only one cert will be added if there is no delimiter.
       date: revocation date of the cert(s). The date must be represented in
       GeneralizedTime format (YYYYMMDDhhmmssZ).

       * Remove certificate entry(s) from the CRL:

       rmcert range

       Where:

       range: two integer values separated by a dash: the range of certificate
       entries that will be removed by this command. The dash is used as a
       delimiter. Only one cert will be removed if there is no delimiter.

       * Change the range of certificate entry(s) in the CRL:

       range new-range

       Where:

       new-range: two integer values separated by a dash: the new range of
       certificate entries that replaces the current one. The dash is used as
       a delimiter. Only one cert is covered if there is no delimiter.

       Implemented Extensions

       The extensions defined for CRLs provide methods for associating
       additional attributes with CRLs or their entries. For more information
       see RFC #3280.

       * Add the Authority Key Identifier extension:

       The authority key identifier extension provides a means of identifying
       the public key corresponding to the private key used to sign a CRL.

       authKeyId critical [key-id | dn cert-serial]

       Where:

       authKeyId: identifies the name of the extension.
       critical: value of 1 or 0. Should be set to 1 if this extension is
       critical or 0 otherwise.
       key-id: key identifier represented as an octet string.
       dn: a CA distinguished name.
       cert-serial: authority certificate serial number.

       * Add the Issuer Alternative Name extension:

       The issuer alternative names extension allows additional identities to
       be associated with the issuer of the CRL. Defined options include an
       rfc822 name (electronic mail address), a DNS name, an IP address, and a
       URI.

       issuerAltNames non-critical name-list

       Where:

       issuerAltNames: identifies the name of the extension.
       non-critical: should be set to 0 since this is a non-critical extension.
       name-list: comma separated list of names.

       * Add the CRL Number extension:

       The CRL number is a non-critical CRL extension which conveys a
       monotonically increasing sequence number for a given CRL scope and CRL
       issuer. This extension allows users to easily determine when a
       particular CRL supersedes another CRL.

       crlNumber non-critical number

       Where:

       crlNumber: identifies the name of the extension.
       non-critical: should be set to 0 since this is a non-critical extension.
       number: value of type long which identifies the sequential number of
       the CRL.

       * Add the Revocation Reason Code extension:

       The reasonCode is a non-critical CRL entry extension that identifies
       the reason for the certificate revocation.

       reasonCode non-critical code

       Where:

       reasonCode: identifies the name of the extension.
       non-critical: should be set to 0 since this is a non-critical extension.
       code: one of the following codes:

       unspecified (0), keyCompromise (1), cACompromise (2),
       affiliationChanged (3), superseded (4), cessationOfOperation (5),
       certificateHold (6), removeFromCRL (8), privilegeWithdrawn (9),
       aACompromise (10)

       * Add the Invalidity Date extension:

       The invalidity date is a non-critical CRL entry extension that provides
       the date on which it is known or suspected that the private key was
       compromised or that the certificate otherwise became invalid.

       invalidityDate non-critical date

       Where:

       invalidityDate: identifies the name of the extension.
       non-critical: should be set to 0 since this is a non-critical extension.
       date: invalidity date of the cert. The date must be represented in
       GeneralizedTime format (YYYYMMDDhhmmssZ).


USAGE

       The Certificate Revocation List Management Tool's capabilities are
       grouped as follows, using these combinations of options and arguments.
       Options and arguments in square brackets are optional, those without
       square brackets are required.

       See "Implemented Extensions" for more information regarding extensions
       and their parameters.

       * Creating or modifying a CRL:

           crlutil -G|-M -c crl-gen-file -n nickname [-i crl] [-u url] [-d keydir] [-P dbprefix] [-l alg] [-a] [-B]


       * Listing all CRLs or a named CRL:

           crlutil -L [-n crl-name] [-d keydir]


       * Deleting a CRL from the db:

           crlutil -D -n nickname [-d keydir] [-P dbprefix]


       * Erasing CRLs from the db:

           crlutil -E [-d keydir] [-P dbprefix]


       * Importing a CRL from a file:

           crlutil -I -i crl [-t crlType] [-u url] [-d keydir] [-P dbprefix] [-B]


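       The script syntax and the -G usage line above, as an added example that
       is not part of this man page: a POSIX sh helper that checks the
       GeneralizedTime fields, emits a generation script (update/nextupdate, a
       crlNumber CRL extension, an addcert range with reasonCode and
       invalidityDate entry extensions) and pipes it to crlutil -G, which
       reads the script from standard input when -c is omitted. The CA
       nickname "Example CA", the ./nssdb directory and crl.der are
       assumptions.

```shell
#!/bin/sh
# Added example, not from the NSS man page. Assumed: a CA key under nickname
# "Example CA" in ./nssdb; the signed CRL is written to crl.der.

# Check that a timestamp is GeneralizedTime YYYYMMDDhhmmssZ, the only form
# crlutil accepts for update, nextupdate, addcert and invalidityDate.
is_gentime() {
    case "$1" in
        [0-9][0-9][0-9][0-9][0-1][0-9][0-3][0-9][0-2][0-9][0-5][0-9][0-5][0-9]Z) return 0 ;;
        *) return 1 ;;
    esac
}

# gen_crl_script THISUPDATE NEXTUPDATE CRLNUMBER RANGE REVDATE REASON
# Emits a crlutil script that revokes the serials in RANGE (e.g. 1000-1003
# or a single serial) at REVDATE with reasonCode REASON (numeric, see the
# reasonCode list above) and records REVDATE as the invalidityDate.
gen_crl_script() {
    for t in "$1" "$2" "$5"; do
        is_gentime "$t" || { echo "bad GeneralizedTime: $t" >&2; return 1; }
    done
    case "$3" in ''|*[!0-9]*) echo "bad crlNumber: $3" >&2; return 1 ;; esac
    printf '# generated by gen_crl_script\n'
    printf 'update=%s nextupdate=%s\n' "$1" "$2"
    # No addcert has run yet, so this extension attaches to the CRL itself.
    printf 'addext crlNumber 0 %s\n' "$3"
    # addcert fixes the entry range that the following addext lines apply to.
    printf 'addcert %s %s\n' "$4" "$5"
    printf 'addext reasonCode 0 %s\n' "$6"
    printf 'addext invalidityDate 0 %s\n' "$5"
}

# build_crl NICKNAME DBDIR OUTFILE: sign the script read from stdin with the
# CA key NICKNAME. -c is omitted, so crlutil reads the script from stdin.
build_crl() {
    crlutil -G -n "$1" -d "$2" -o "$3" -l SHA256
}

if [ "${1:-}" = "run" ]; then
    gen_crl_script 20240115120000Z 20240215120000Z 7 1000-1003 20240114093000Z 1 \
        | build_crl "Example CA" ./nssdb crl.der
    crlutil -S -i crl.der    # show the new CRL without importing it
fi
```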

SEE ALSO

       certutil(1)


ADDITIONAL RESOURCES

       For information about NSS and other tools related to NSS (like JSS),
       check out the NSS project wiki at
       http://www.mozilla.org/projects/security/pki/nss/. The NSS site relates
       directly to NSS code changes and releases.

       Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto

       IRC: Freenode at #dogtag-pki


AUTHORS

       The NSS tools were written and maintained by developers with Netscape,
       Red Hat, Sun, Oracle, Mozilla, and Google.

       Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey
       <dlackey@redhat.com>.


LICENSE

       Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL
       was not distributed with this file, You can obtain one at
       http://mozilla.org/MPL/2.0/.


NOTES

        1. Mozilla NSS bug 836477
           https://bugzilla.mozilla.org/show_bug.cgi?id=836477



nss-tools 3.44.0                  Nov 13 2013                       CRLUTIL(1)