CRLUTIL(1) NSS Security Tools CRLUTIL(1)

crlutil - List, generate, modify, or delete CRLs within the NSS
security database file(s) and list, create, modify or delete
certificate entries in a particular CRL.

crlutil [options] [[arguments]]

This documentation is still work in progress. Please contribute to the
initial review in Mozilla NSS bug 836477[1]

The Certificate Revocation List (CRL) Management Tool, crlutil, is a
command-line utility that can list, generate, modify, or delete CRLs
within the NSS security database file(s) and list, create, modify or
delete certificate entries in a particular CRL.

The key and certificate management process generally begins with
creating keys in the key database, then generating and managing
certificates in the certificate database (see the certutil tool) and
continues with certificate expiration or revocation.

This document discusses certificate revocation list management. For
information on security module database management, see Using the
Security Module Database Tool. For information on certificate and key
database management, see Using the Certificate Database Tool.

To run the Certificate Revocation List Management Tool, type the
command

crlutil option [arguments]

where options and arguments are combinations of the options and
arguments listed in the following section. Each command takes one
option. Each option may take zero or more arguments. To see a usage
string, issue the command without options, or with the -H option.

Options

Options specify an action. Option arguments modify an action. The
options and arguments for the crlutil command are defined as follows:

-D
Delete a Certificate Revocation List from the cert database.

-E
Erase all CRLs of the specified type from the cert database.

-G
Create a new Certificate Revocation List (CRL).

-I
Import a CRL into the cert database.

-L
List an existing CRL located in the cert database file.

-M
Modify an existing CRL, which can be located in the cert db or in an
arbitrary file. If located in a file, it should be in ASN.1 encoded
format.

-S
Show the contents of a CRL file which isn't stored in the database.

Arguments

Option arguments modify an action.

-a
Use ASCII format or allow the use of ASCII format for input and
output. This formatting follows RFC #1113.

-B
Bypass CA signature checks.

-c crl-gen-file
Specify the script file that will be used to control CRL
generation/modification. See the crl-script-file format below. If
option -M or -G is used and -c crl-script-file is not specified,
crlutil will read script data from standard input.

-d directory
Specify the database directory containing the certificate and key
database files. On Unix the Certificate Database Tool defaults to
$HOME/.netscape (that is, ~/.netscape). On Windows NT the default
is the current directory.

The NSS database files must reside in the same directory.

-f password-file
Specify a file that will automatically supply the password to
include in a certificate or to access a certificate database. This
is a plain-text file containing one password. Be sure to prevent
unauthorized access to this file.

-i crl-file
Specify the file which contains the CRL to import or show.

-l algorithm-name
Specify a specific signature algorithm. List of possible
algorithms: MD2 | MD4 | MD5 | SHA1 | SHA256 | SHA384 | SHA512

-n nickname
Specify the nickname of a certificate or key to list, create, add
to a database, modify, or validate. Bracket the nickname string
with quotation marks if it contains spaces.

-o output-file
Specify the output file name for the new CRL. Bracket the output-file
string with quotation marks if it contains spaces. If this argument
is not used, the output destination defaults to standard output.

-P dbprefix
Specify the prefix used on the NSS security database files (for
example, my_cert8.db and my_key3.db). This option is provided as a
special case. Changing the names of the certificate and key
databases is not recommended.

-t crl-type
Specify the type of CRL. Possible types are: 0 - SEC_KRL_TYPE, 1 -
SEC_CRL_TYPE. This option is obsolete.

-u url
Specify the URL.

-w pwd-string
Provide the db password on the command line.

-Z algorithm
Specify the hash algorithm to use for signing the CRL.

The CRL generation script file has the following syntax:

* Comment lines must have # as the first character of the line.

* Set the "this update" or "next update" CRL fields:

update=YYYYMMDDhhmmssZ nextupdate=YYYYMMDDhhmmssZ

The "next update" field is optional. Time should be in GeneralizedTime
format (YYYYMMDDhhmmssZ). For example: 20050204153000Z

* Add an extension to a CRL or to a CRL certificate entry:

addext extension-name critical/non-critical [arg1[arg2 ...]]

Where:

extension-name: string value of the name of a known extension.
critical/non-critical: 1 when the extension is critical and 0 otherwise.
arg1, arg2: extension parameters specific to the extension type.

addext uses the range that was set earlier by addcert and will install
the extension into every cert entry within that range.

* Add certificate entry(s) to a CRL:

addcert range date

Where:

range: two integer values separated by a dash: the range of certificates
that will be added by this command. The dash is used as the delimiter.
Only one cert will be added if there is no delimiter.
date: revocation date of the cert(s). The date should be represented in
GeneralizedTime format (YYYYMMDDhhmmssZ).

* Remove certificate entry(s) from a CRL:

rmcert range

Where:

range: two integer values separated by a dash: the range of certificates
that will be removed by this command. The dash is used as the delimiter.
Only one cert will be removed if there is no delimiter.

* Change the range of certificate entry(s) in a CRL:

range new-range

Where:

new-range: two integer values separated by a dash: the range of
certificate entries affected by this command. The dash is used as the
delimiter. Only one cert is selected if there is no delimiter.

Implemented Extensions

The extensions defined for CRLs provide methods for associating
additional attributes with CRLs or their entries. For more information
see RFC #3280.

* Add the Authority Key Identifier extension:

The authority key identifier extension provides a means of identifying
the public key corresponding to the private key used to sign a CRL.

authKeyId critical [key-id | dn cert-serial]

Where:

authKeyId: identifies the name of the extension.
critical: value of 1 or 0. Should be set to 1 if this extension is
critical or 0 otherwise.
key-id: key identifier represented as an octet string.
dn: the CA distinguished name.
cert-serial: the authority certificate serial number.

* Add the Issuer Alternative Name extension:

The issuer alternative names extension allows additional identities to
be associated with the issuer of the CRL. Defined options include an
rfc822 name (electronic mail address), a DNS name, an IP address, and a
URI.

issuerAltNames non-critical name-list

Where:

issuerAltNames: identifies the name of the extension.
non-critical: should be set to 0 since this is a non-critical extension.
name-list: comma-separated list of names.

* Add the CRL Number extension:

The CRL number is a non-critical CRL extension which conveys a
monotonically increasing sequence number for a given CRL scope and CRL
issuer. This extension allows users to easily determine when a
particular CRL supersedes another CRL.

crlNumber non-critical number

Where:

crlNumber: identifies the name of the extension.
non-critical: should be set to 0 since this is a non-critical extension.
number: a long value which identifies the sequential number of the CRL.

* Add the Revocation Reason Code extension:

The reasonCode is a non-critical CRL entry extension that identifies
the reason for the certificate revocation.

reasonCode non-critical code

Where:

reasonCode: identifies the name of the extension.
non-critical: should be set to 0 since this is a non-critical extension.
code: one of the following codes:

unspecified (0), keyCompromise (1), cACompromise (2),
affiliationChanged (3), superseded (4), cessationOfOperation (5),
certificateHold (6), removeFromCRL (8), privilegeWithdrawn (9),
aACompromise (10)

* Add the Invalidity Date extension:

The invalidity date is a non-critical CRL entry extension that provides
the date on which it is known or suspected that the private key was
compromised or that the certificate otherwise became invalid.

invalidityDate non-critical date

Where:

invalidityDate: identifies the name of the extension.
non-critical: should be set to 0 since this is a non-critical extension.
date: invalidity date of the cert. The date should be represented in
GeneralizedTime format (YYYYMMDDhhmmssZ).

The Certificate Revocation List Management Tool's capabilities are
grouped as follows, using these combinations of options and arguments.
Options and arguments in square brackets are optional; those without
square brackets are required.

See "Implemented Extensions" for more information regarding extensions
and their parameters.

* Creating or modifying a CRL:

crlutil -G|-M -c crl-gen-file -n nickname [-i crl] [-u url] [-d keydir] [-P dbprefix] [-l alg] [-a] [-B]

* Listing all CRLs or a named CRL:

crlutil -L [-n crl-name] [-d keydir]

* Deleting a CRL from the db:

crlutil -D -n nickname [-d keydir] [-P dbprefix]

* Erasing CRLs from the db:

crlutil -E [-d keydir] [-P dbprefix]

* Importing a CRL from a file:

crlutil -I -i crl [-t crlType] [-u url] [-d keydir] [-P dbprefix] [-B]

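The script syntax and the -G usage above, combined into one worked run as an added example that is not part of the NSS man page: the script writer checks every date against the GeneralizedTime shape and places each addext directly after the addcert whose range it applies to. The database directory ./nssdb, the CA nickname "Example CA", the output file crl.der, the serial numbers and the dates are all assumed or constructed values.

```shell
#!/bin/sh
# Added example, not from the NSS man page. Assumed values: NSS database in
# ./nssdb, issuing CA nickname "Example CA", output file crl.der. Serial
# numbers and dates are constructed.

# Succeed only if $1 is a GeneralizedTime value of the form YYYYMMDDhhmmssZ,
# the format crlutil requires for update, nextupdate, addcert and
# invalidityDate values.
is_generalized_time() {
    case "$1" in
        [0-9][0-9][0-9][0-9][0-1][0-9][0-3][0-9][0-2][0-9][0-5][0-9][0-5][0-9]Z) return 0 ;;
        *) return 1 ;;
    esac
}

# Print a crl-gen script to stdout: $1 = thisUpdate, $2 = nextUpdate,
# $3 = CRL number. addext applies to the range set by the most recent
# addcert, so each addcert is immediately followed by its own entry
# extensions (reasonCode 1 = keyCompromise, 5 = cessationOfOperation);
# the crlNumber line is written before any addcert so no entry range is
# in effect and it is treated as a CRL-level extension.
write_crl_script() {
    this="$1" next="$2" number="$3"
    is_generalized_time "$this" || { echo "bad thisUpdate: $this" >&2; return 1; }
    is_generalized_time "$next" || { echo "bad nextUpdate: $next" >&2; return 1; }
    cat <<EOF
# constructed crl-gen script
update=$this
nextupdate=$next
addext crlNumber 0 $number
addcert 1001-1003 $this
addext reasonCode 0 1
addext invalidityDate 0 $this
addcert 2000 $this
addext reasonCode 0 5
EOF
}

# Write the script, generate a SHA256-signed CRL into crl.der (and the cert
# database), then print the new file back for inspection with -S.
generate_and_list_crl() {
    write_crl_script "$1" "$2" "$3" > crl-gen.txt || return 1
    crlutil -G -d ./nssdb -n "Example CA" -c crl-gen.txt -Z SHA256 -o crl.der &&
        crlutil -S -i crl.der
}
```

Run it as `generate_and_list_crl 20240101000000Z 20240201000000Z 7` from a directory whose ./nssdb already holds the CA certificate and its private key.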
certutil(1)

For information about NSS and other tools related to NSS (like JSS),
check out the NSS project wiki at
http://www.mozilla.org/projects/security/pki/nss/. The NSS site relates
directly to NSS code changes and releases.

Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto

IRC: Freenode at #dogtag-pki

The NSS tools were written and maintained by developers with Netscape,
Red Hat, Sun, Oracle, Mozilla, and Google.

Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey
<dlackey@redhat.com>.

Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL
was not distributed with this file, You can obtain one at
http://mozilla.org/MPL/2.0/.

1. Mozilla NSS bug 836477
https://bugzilla.mozilla.org/show_bug.cgi?id=836477

nss-tools 5 June 2014 CRLUTIL(1)