PKICertImport(1)          PKI certificate import tool         PKICertImport(1)

NAME

       PKICertImport - Used to safely validate and import certificates into
       the NSS database.

SYNOPSIS

       PKICertImport -d NSS-database -i certificate -n nickname -t trust -u
       usage [-h token] [-f password-file] [-a]

       Validate and import a certificate into the specified NSS database.
       Verifies signature, trust chain, trust, and usage flags. If a
       certificate is not valid, it will not be added to the NSS database or
       specified token.

DESCRIPTION

       The certificate import utility validates signature, trust chain, trust,
       and usage flags before importing a certificate into the specified NSS
       database. This ensures that no certificate is used before its
       authenticity has been verified. Unlike certutil, only one invocation is
       necessary to both validate and import certificates.

       See certutil for more information about the parameters to
       PKICertImport.

OPTIONS

       PKICertImport parameters:

       --ascii, -a
           The certificate is encoded in ASCII (PEM) format instead of binary
           format. Optional.

       --certificate, -i certificate
           Path to the certificate to import. Required.

       --chain, -c
           Import an entire PKCS12 chain; requires --pkcs12. Optional.

       --chain-trust trust
           Trust flags to assign intermediate certificates; requires --chain.

       --chain-usage usage
           Usage to validate intermediate certificates against; requires
           --chain.

       --database, -d NSS-database
           The directory containing the NSS database. This is usually the
           client's personal directory. Required.

       --password, -f password-file
           The path to a file containing the password to the NSS database.
           Optional.

       --hsm, -h token
           Name of the token. If not specified, the default token is the
           internal database slot. Optional.

       --leaf-only, -l
           Import only the leaf certificate from a PKCS12 chain; requires
           --pkcs12. Optional.

       --nickname, -n nickname
           Nickname for the certificate in the NSS database. Required.

       --pkcs12, -p
           The input certificate is a .p12/PKCS12 file. Optional.

       --pkcs12-password, -w password-file
           Password file for the PKCS12 chain; requires --pkcs12.

       --trust, -t trust
           Trust flags for the certificate. See certutil for more information
           about the available trust flags. Required.

       --usage, -u usage
           Usage to validate the certificate against. See certutil for more
           information about available usage flags. Required.

UNSAFE OPTIONS

       --unsafe-keep-keys
           Keep the keys in the NSS DB in the event of a verification failure.

       --unsafe-trust-then-verify
           Specify trust when importing the certificate instead of after
           verifying certificates. This enables importing a new root
           certificate instead of requiring the chain to have an existing,
           trusted root.
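
       The validate-before-trust ordering that DESCRIPTION and
       --unsafe-trust-then-verify describe, sketched with plain certutil calls
       as an added example (it is not PKICertImport's own code). The function
       name safe_import, its argument order, and its refusal to reuse an
       existing nickname are assumptions made for this illustration.

```shell
# Added illustration: import a certificate with certutil so that it is never
# trusted before it has been verified. Source this file, then call:
#   safe_import DB NICKNAME CERT_FILE TRUST USAGE [ascii]
# Returns 0 on success, 1 if the import or verification failed,
# 2 if the nickname is already in use.
safe_import() {
    local db="$1" nick="$2" cert="$3" trust="$4" usage="$5" ascii_flag=""
    # Pass "ascii" as the sixth argument for PEM input (certutil -a).
    [ "${6:-}" = "ascii" ] && ascii_flag="-a"

    # Assumption of this sketch: refuse to reuse a nickname, because the
    # cleanup below would otherwise delete a certificate we did not add.
    if certutil -L -d "$db" -n "$nick" >/dev/null 2>&1; then
        echo "nickname '$nick' already present in $db" >&2
        return 2
    fi

    # 1. Add with empty trust flags (",,"): present in the database, trusted
    #    for nothing.
    certutil -A -d "$db" -n "$nick" -i "$cert" -t ",," $ascii_flag || return 1

    # 2. Validate the chain against the requested usage; -e also checks the
    #    certificate's signature.
    if ! certutil -V -d "$db" -n "$nick" -u "$usage" -e; then
        # 3a. Verification failed: remove the certificate again.
        certutil -D -d "$db" -n "$nick"
        return 1
    fi

    # 3b. Verification passed: only now assign the requested trust flags.
    certutil -M -d "$db" -n "$nick" -t "$trust"
}
```

       A new root certificate cannot pass step 2 because no trusted root
       exists for it yet, which is the case --unsafe-trust-then-verify covers.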

ENVIRONMENT

       VERBOSE
           When specified, see all internal commands being executed as part of
           this command.

EXAMPLES

       To import a server certificate:

              PKICertImport -d . -n "example.com" -i example-com.crt -t ,, -u V

       To import a CA certificate (root or intermediate):

              PKICertImport -d . -n "MyCA Cert" -i ca-cert.crt -t CT,C,C -u L

       To import a leaf client certificate from a PKCS12 chain:

              PKICertImport -d . -n "Nick Named" -i nick-named.p12 -t ,, -u C --pkcs12 --leaf-only

       To import the entire chain of a client certificate:

              PKICertImport -d . -n "Nick Named" -i nick-named.p12 -t ,, -u C --pkcs12 --chain --chain-trust CT,C,C --chain-usage L

AUTHORS

       Alexander Scheel <ascheel@redhat.com>.

       Copyright (c) 2019 Red Hat, Inc. This is licensed under the GNU General
       Public License, version 2 (GPLv2). A copy of this license is available
       at http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.

PKI                              Jan 30, 2019                 PKICertImport(1)