PKICertImport(1) PKI certificate import tool PKICertImport(1)

PKICertImport - Used to safely validate and import certificates into
the NSS database.

PKICertImport -d NSS-database -i certificate -n nickname -t trust -u usage [-h token] [-f password-file] [-a]

Validate and import a certificate into the specified NSS database.
Verifies signature, trust chain, trust, and usage flags. If a certificate
is not valid, it will not be added to the NSS database or specified
token.

The certificate import utility validates signature, trust chain, trust,
and usage flags before importing a certificate into the specified NSS
database. This ensures that no certificate is used before its
authenticity has been verified. Unlike certutil, only one invocation is
necessary to both validate and import certificates.

See certutil for more information about the parameters to PKICertImport.

PKICertImport parameters:

--ascii, -a
    The certificate is encoded in ASCII (PEM) format instead of binary
    format. Optional.

--certificate, -i certificate
    Path to the certificate to import. Required.

--chain, -c
    Import an entire PKCS12 chain; requires --pkcs12. Optional.

--chain-trust trust
    Trust flags to assign intermediate certificates; requires --chain.

--chain-usage usage
    Usage to validate intermediate certificates against; requires
    --chain.

--database, -d NSS-database
    The directory containing the NSS database. This is usually the
    client's personal directory. Required.

--password, -f password-file
    The path to a file containing the password to the NSS database.
    Optional.

--hsm, -h token
    Name of the token. If not specified, the default token is the
    internal database slot. Optional.

--leaf-only, -l
    Import only the leaf certificate from a PKCS12 chain; requires
    --pkcs12. Optional.

--nickname, -n nickname
    Nickname for the certificate in the NSS database. Required.

--pkcs12, -p
    The input certificate is a .p12/PKCS12 file. Optional.

--pkcs12-password, -w password-file
    Password file for the PKCS12 chain; requires --pkcs12.

--trust, -t trust
    Trust flags for the certificate. See certutil for more information
    about the available trust flags. Required.

--usage, -u usage
    Usage to validate the certificate against. See certutil for more
    information about available usage flags. Required.

--unsafe-keep-keys
    Keep the keys in the NSS DB in the event of a verification failure.

--unsafe-trust-then-verify
    Specify trust when importing the certificate instead of after
    verifying certificates. This enables importing a new root certificate
    instead of requiring the chain to have an existing, trusted root.

VERBOSE
    When specified, see all internal commands being executed as part of
    this command.

To import a server certificate:

    PKICertImport -d . -n "example.com" -i example-com.crt -t ,, -u V

To import a CA certificate (root or intermediate):

    PKICertImport -d . -n "MyCA Cert" -i ca-cert.crt -t CT,C,C -u L

To import a leaf client certificate from a PKCS12 chain:

    PKICertImport -d . -n "Nick Named" -i nick-named.p12 -t ,, -u C --pkcs12 --leaf-only

To import the entire chain of a client certificate:

    PKICertImport -d . -n "Nick Named" -i nick-named.p12 -t ,, -u C --pkcs12 --chain --chain-trust CT,C,C --chain-usage L

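A pre-flight check for scripted imports, as an added example that is not part of PKICertImport or its distribution: the hypothetical helper lint_pkicertimport_args checks a planned command line against the required options and option dependencies listed above without running the tool. As an assumed local policy, it also refuses the --unsafe-* flags unless the hypothetical variable ALLOW_UNSAFE=1 is set.

```sh
#!/bin/sh
# Added example: pre-flight lint for a PKICertImport command line.
# lint_pkicertimport_args and ALLOW_UNSAFE are hypothetical names, not part
# of PKICertImport. Only rules stated in the man page are checked; the tool
# itself is never run. The body is a subshell so variables do not leak.
lint_pkicertimport_args() (
    seen= pkcs12= chain= needs_pkcs12= needs_chain= unsafe= rc=0
    while [ "$#" -gt 0 ]; do
        opt=$1; shift; val=0
        case "$opt" in
            --database|-d)    seen="$seen d"; val=1 ;;
            --certificate|-i) seen="$seen i"; val=1 ;;
            --nickname|-n)    seen="$seen n"; val=1 ;;
            --trust|-t)       seen="$seen t"; val=1 ;;
            --usage|-u)       seen="$seen u"; val=1 ;;
            --password|-f|--hsm|-h) val=1 ;;
            --ascii|-a)       ;;
            --pkcs12|-p)      pkcs12=1 ;;
            --chain|-c)       chain=1; needs_pkcs12="$needs_pkcs12 $opt" ;;
            --leaf-only|-l)   needs_pkcs12="$needs_pkcs12 $opt" ;;
            --pkcs12-password|-w) needs_pkcs12="$needs_pkcs12 $opt"; val=1 ;;
            --chain-trust|--chain-usage) needs_chain="$needs_chain $opt"; val=1 ;;
            --unsafe-keep-keys|--unsafe-trust-then-verify) unsafe="$unsafe $opt" ;;
            *) echo "unknown argument: $opt" >&2; rc=1 ;;
        esac
        if [ "$val" = 1 ]; then   # option takes a value: consume it
            if [ "$#" -gt 0 ]; then shift
            else echo "missing value for $opt" >&2; rc=1; fi
        fi
    done
    for req in d i n t u; do      # options the man page marks Required
        case " $seen " in
            *" $req "*) ;;
            *) echo "missing required option -$req" >&2; rc=1 ;;
        esac
    done
    [ -z "$needs_pkcs12" ] || [ -n "$pkcs12" ] ||
        { echo "requires --pkcs12:$needs_pkcs12" >&2; rc=1; }
    [ -z "$needs_chain" ] || [ -n "$chain" ] ||
        { echo "requires --chain:$needs_chain" >&2; rc=1; }
    # Policy assumption: --unsafe-* flags need an explicit ALLOW_UNSAFE=1.
    [ -z "$unsafe" ] || [ "${ALLOW_UNSAFE:-0}" = 1 ] ||
        { echo "unsafe flag refused:$unsafe" >&2; rc=1; }
    exit "$rc"
)
```

Call it with the same arguments intended for PKICertImport and run the import only when it returns 0.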
Alexander Scheel <ascheel@redhat.com>.

Copyright (c) 2019 Red Hat, Inc. This is licensed under the GNU General
Public License, version 2 (GPLv2). A copy of this license is
available at http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.

PKI Jan 30, 2019 PKICertImport(1)