PKCS10Client(1) PKI PKCS10Client certificate request tool PKCS10Client(1)

NAME
       PKCS10Client - Used to generate 1024-bit RSA key pair in the security
       database.

SYNOPSIS
       PKCS10Client -d NSS-database -h NSS-token -p NSS-password -a algorithm
       [-l rsa-key-length] [-c ec-curve-name] -o output-file -n subject-DN

       To get a certificate from the CA, the certificate request needs to be
       submitted to and approved by a CA agent. Once approved, a certificate
       is created for the request, and certificate attributes, such as
       extensions, are populated according to certificate profiles.

DESCRIPTION
       The PKCS #10 utility, PKCS10Client, generates an RSA or EC key pair in
       the security database, constructs a PKCS #10 certificate request with
       the public key, and outputs the request to a file.

       PKCS #10 is a certification request syntax standard defined by RSA. A
       CA may support multiple types of certificate requests. The Certificate
       System CA supports KEYGEN, PKCS #10, CRMF, and CMC.

OPTIONS
       PKCS10Client parameters:

       -d NSS-database
           The directory containing the NSS database. This is usually the
           client's personal directory.

       -h NSS-token
           Name of the token. The default is internal.

       -p NSS-password
           The password to the token.

       -a algorithm
           The algorithm type, either rsa or ec. The default is rsa.

       -l rsa-key-length
           The RSA key bit length when -a rsa is specified. The default is
           1024.

       -c ec-curve-name
           Elliptic Curve cryptography curve name.
           Possible values are (if provided by the crypto module):
           nistp256 (secp256r1), nistp384 (secp384r1), nistp521 (secp521r1),
           nistk163 (sect163k1), sect163r1, nistb163 (sect163r2), sect193r1,
           sect193r2, nistk233 (sect233k1), nistb233 (sect233r1), sect239k1,
           nistk283 (sect283k1), nistb283 (sect283r1), nistk409 (sect409k1),
           nistb409 (sect409r1), nistk571 (sect571k1), nistb571 (sect571r1),
           secp160k1, secp160r1, secp160r2, secp192k1,
           nistp192 (secp192r1, prime192v1), secp224k1, nistp224 (secp224r1),
           secp256k1, prime192v2, prime192v3, prime239v1, prime239v2,
           prime239v3, c2pnb163v1, c2pnb163v2, c2pnb163v3, c2pnb176v1,
           c2tnb191v1, c2tnb191v2, c2tnb191v3, c2pnb208w1, c2tnb239v1,
           c2tnb239v2, c2tnb239v3, c2pnb272w1, c2pnb304w1, c2tnb359w1,
           c2pnb368w1, c2tnb431r1, secp112r1, secp112r2, secp128r1,
           secp128r2, sect113r1, sect113r2, sect131r1, sect131r2.

       -o output-file
           Sets the path and filename to output the new PKCS #10 certificate
           request in base64 format.

       -n subject-DN
           Gives the subject DN of the certificate.

       -k enable-encoding
           true for enabling encoding of attribute values; false for default
           encoding of attribute values; default is false.

       -t temporary
           true for temporary (session); false for permanent (token); default
           is false.

       -s sensitivity
           1 for sensitive; 0 for non-sensitive; -1 temporaryPairMode
           dependent; default is -1.

       -e extractable
           1 for extractable; 0 for non-extractable; -1 token dependent;
           default is -1.

       Also optional for ECC key generation:

       -x ecdh-ecdsa
           true for SSL cert that does ECDH ECDSA; false otherwise; default
           false.

       -y ski-extension
           true for adding SubjectKeyIdentifier extension for self-signed CMC
           shared secret requests; false otherwise; default false.
           To be used with request.useSharedSecret=true when running
           CMCRequest.
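
       The options above allow a 1024-bit RSA default and very small curves
       such as secp112r1. The following wrapper is an added example, not part
       of the PKI project: it refuses key specifications outside a policy
       before calling PKCS10Client. The policy (RSA of at least 2048 bits,
       nistp256/nistp384/nistp521 only), the function names and the sample
       paths are assumptions.

```shell
#!/bin/sh
# Added example: policy gate in front of PKCS10Client (not project code).
# Assumed policy: RSA >= 2048 bits; EC limited to nistp256/384/521.

# check_keyspec ALG VALUE -> exit status 0 if the key spec meets the policy
check_keyspec() {
    case "$1" in
        rsa)
            # VALUE must be a non-empty decimal number
            case "$2" in ''|*[!0-9]*) return 1 ;; esac
            [ "$2" -ge 2048 ]
            ;;
        ec)
            case "$2" in
                nistp256|nistp384|nistp521) return 0 ;;
                *) return 1 ;;
            esac
            ;;
        *) return 1 ;;
    esac
}

# gen_csr DB PWFILE ALG VALUE OUT SUBJECT
# VALUE is the RSA bit length (passed as -l) or the curve name (passed as -c).
gen_csr() {
    db=$1 pwfile=$2 alg=$3 val=$4 out=$5 subj=$6
    if ! check_keyspec "$alg" "$val"; then
        echo "refused: $alg/$val is outside the key policy" >&2
        return 2
    fi
    if [ "$alg" = rsa ]; then keyopt=-l; else keyopt=-c; fi
    pw=$(cat "$pwfile") || return 3
    # -s 1 / -e 0 request a sensitive, non-extractable private key,
    # per the option descriptions above (support depends on the token).
    PKCS10Client -d "$db" -h internal -p "$pw" -a "$alg" \
        "$keyopt" "$val" -o "$out" -n "$subj" -s 1 -e 0
}

# Constructed usage (paths and DN are placeholders):
#   gen_csr "$HOME/nssdb" ./token.pw rsa 2048 user.csr "CN=Example User"
```

       The token password is still passed to PKCS10Client with -p, so it
       appears in the argument list of the running process.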

AUTHORS
       Amol Kahat <akahat@redhat.com>.

COPYRIGHT
       Copyright (c) 2017, 2019 Red Hat, Inc. This is licensed under the GNU
       General Public License, version 2 (GPLv2). A copy of this license is
       available at http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.

PKI April 28, 2017 PKCS10Client(1)