PKTOOL(1) User Commands PKTOOL(1)
NAME
pktool - manage certificates and keys
SYNOPSIS
pktool [
-f option_file] [
-i]
subcommand subcommand_options ...
DESCRIPTION
The
pktool command allows users to manage the certificates and keys
on multiple keystores including PKCS#11 tokens (that is,
Cryptographic Framework), Netscape Security Services (NSS) tokens,
and standard file based keystore for OpenSSL.
pktool also provides support to list, delete and import a Certificate
Revocation List (CRL).
pktool does not provide support for creating
CRLs, signing CRLs, or exporting CRLs. The CRL support for the
PKCS#11 keystore is file-based.
OPTIONS
The following command options are supported:
-f option_file Allows the user to set up the options in a file
instead of entering the options on the command
line.
This option is provided as a convenience for users
because
pktool can potentially have a large list of
subcommands and associated options to be specified
on the command line.
The format of the
option_file is one option or
value pair per-line.
An example
option_file might looks as follows:
list
keystore=nss
dir=/export/foo
objtype=key
-i Allows the user to specify the
subject-DN interactively for the
gencert and
gencsr subcommands. When
-i is specified, the user is
prompted to input some data to form a
subject-DN.
An example of using the
-i option follows:
Country Name (2 letter code) [US]:US
State or Province Name (full name) [Some-State]:CA
Locality Name (eg, city) []:Menlo Park
Organization Name (eg, company):Example Microsystems Inc.
Organizational Unit Name (eg, section):OPG
Common Name (eg, YOUR name):John Smith
Email Address []: john.smith@example.com
The resulting
subject-DN is:
"C=US, ST=CA, L=Menlo Park, O=Example Microsystems Inc.,\
OU=OPG, emailAddress=john.smith@example.com, \
CN=John Smith"
SUBCOMMANDS
The following subcommands are supported:
delete The format for the
delete subcommand is as follows:
pktool delete [token=
token[:
manuf[:
serial]]]
[objtype=private|public|both]
[label=
object-label]
pktool delete keystore=pkcs11
objtype=cert[:public | private | both]]
[token=
token[:
manuf[:
serial]]]
[label=
cert-label]
[serial=
hex-serial-number]
[issuer=
issuer-DN]
[subject=
subject-DN]
pktool delete keystore=nss
objtype=cert
[subject=
subject-DN]
[issuer=
issuer-DN]
[serial=
hex-serial-number]
[nickname=
cert-nickname]
[token=
token[:
manuf[:
serial]]]
[dir=
directory-path]
[prefix=
DBprefix]
pktool delete keystore=nss
objtype=crl
[nickname=
cert-nickname]
[subject=
subject-DN]
[token=
token[:
manuf[:
serial]]]
[dir=
directory-path]
[prefix=
DBprefix]
pktool delete keystore=pkcs11
objtype=key[:public | private | both]]
[token=
token[:
manuf[:
serial]]]
[label=
key-label]
pktool delete keystore=pkcs11
objtype=crl
infile=
input-fn pktool delete keystore=file
objtype=cert
[infile=
input-fn]
[dir=
directory-path]
[serial=
hex-serial-number]
[issuer=
issuer-DN]
[subject=
subject-DN]
pktool delete keystore=file
objtype=key
[infile=
input-fn]
[dir=
directory-path]
pktool delete keystore=file
objtype=crl
infile=
input-fn Deletes a certificate, key, or certificate revocation list (CRL).
To delete a private certificate or key from PKCS#11 token, the
user is prompted to authenticate to the PKCS#11 by entering the
correct Personal Identification Number (PIN).
download The format for the
download subcommand is as follows:
pktool download url=
url_str [objtype=crl|cert]
[http_proxy=
proxy_str]
[outfile=
output-fn]
[dir=
directory-path]
Downloads a CRL file or a certificate file from the specified URL
location. Once the file is successfully downloaded, checks the
validity of the downloaded CRL or certificate file. If the CRL or
the certificate is expired,
download issues a warning.
export The format for the
export subcommand is as follows:
pktool export [token=
token[:
manuf[:
serial]]]
outfile=
output-fn pktool export keystore=pkcs11
outfile=
output-fn [objtype=cert|key]
[label=
label]
[subject=
subject-DN]
[issuer=
issuer-DN]
[serial=
hex-serial-number]
[outformat=pem|der|pkcs12|raw]
[token=
token[:
manuf[:
serial]]]
pktool export keystore=nss
outfile=
output-fn [subject=
subject-DN]
[issuer=
issuer-DN]
[serial=
hex-serial-number]
[nickname=
cert-nickname]
[token=
token[:
manuf[:
serial]]]
[dir=
directory-path]
[prefix=
DBprefix]
[outformat=pem|der|pkcs12]
pktool export keystore=file
certfile=
cert-input-fn keyfile=
key-input-fn outfile=
output-pkcs12-fn Saves the contents of PKCS#11 token or certificates in the NSS
token or file-based keystore to the specified file.
gencert The format for the
gencert subcommand is as follows:
pktool gencert [-i] keystore=nss
label=
cert-nickname subject=
subject-DN serial=
hex_serial_number [altname=[critical:]
subjectAltName]
[keyusage=[critical:]
usage,
usage...]
[token=
token[:
manuf[:
serial]]]
[dir=
directory-path]
[prefix=
DBprefix]
[keytype=rsa|dsa]
[keylen=
key-size]
[trust=
trust-value]
[lifetime=
number-hour|
number-day|
number-year]
[eku=[critical:]
EKU_name,...]
pktool gencert [-i] [ keystore=pkcs11]
label=
key/cert-label subject=
subject-DN serial=
hex_serial_number [altname=[critical:]
subjectAltName]
[keyusage=[critical:]
usage,
usage...]
[token=
token[:
manuf[:
serial]]]
[keytype=rsa|dsa]
[keylen=
key-size]
[lifetime=
number-hour|
number-day|
number-year]
[eku=[critical:]
EKU_name,...]
pktool gencert [-i] keystore=file
outcert=
cert-fn outkey=
key-fn subject=
subject-DN serial=
hex_serial_number [altname=[critical:]
subjectAltName]
[keyusage=[critical:]
usage,
usage...]
[format=der|pem]
[keytype=rsa|dsa]
[keylen=
key-size]
[lifetime=
number-hour|
number-day|
number-year]
[eku=[critical:]
EKU_name,...]
Generates a self-signed certificate and installs it and its
associated private key to the specified keystore.
gencert prompts the user to enter a PIN for token-based keystore.
gencsr The format for the
gencsr subcommand is as follows:
pktool gencsr [-i] keystore=nss
nickname=
key-nickname outcsr=
csr-fn subject=
subject-DN [altname=[critical:]
subjectAltName]
[keyusage=[critical:]
usage,
usage...]
[token=
token[:
manuf[:
serial]]]
[dir=
directory-path]
[prefix=
DBprefix]
[keytype=rsa|dsa]
[keylen=
key-size]
[format=pem|der]
[eku=[critical:]
EKU_name,...]
pktool gencsr [-i] keystore=pkcs11
label=
key-label outcsr=
csr-fn subject=
subject-DN [altname=[critical:]
subjectAltName]
[keyusage=[critical:]
usage,
usage...]
[token=
token[:
manuf[:
serial]]]
[keytype=rsa|dsa]
[keylen=
key-size]
[format=pem|der]
[eku=[critical:]
EKU_name,...]
pktool gencsr [-i] keystore=file
outcsr=
csr-fn outkey=
key-fn subject=
subject-DN [altname=[critical:]
subjectAltName]
[keyusage=[critical:]
usage,usage...]
[dir=
directory-path]
[keytype=rsa|dsa]
[keylen=
key-size]
[format=pem|der]
[eku=[critical:]
EKU_name,...]
Creates a PKCS#10 certificate signing request (CSR) file. This
CSR can be sent to a Certifying Authority (CA) for signing. The
gencsr subcommand prompts the user to enter a PIN for token-based
keystore.
genkey The format for the
genkey subcommand is as follows:
pktool genkey [keystore=pkcs11]
label=
key-label [keytype=aes|arcfour|des|3des|generic]
[keylen=
key-size (for aes, arcfour, or \
generic keytypes only)]
[token=
token[:
manuf[:
serial]]]
[sensitive=y|n]
[extractable=y|n]
[print=y|n]
pktool genkey keystore=nss
label=
key-label [keytype=aes|arcfour|des|3des|generic]
[keylen=
key-size (for aes, arcfour, or \
generic keytypes only)]
[token=
token[:
manuf[:
serial]]]
[dir=
directory-path]
[prefix=
DBprefix]
pktool genkey keystore=file
outkey=
key-fn [keytype=aes|arcfour|des|3des|generic]
[keylen=
key-size (for aes, arcfour, \
or generic keytypes only)]
[print=y|n]
Generates a symmetric key in the specified keystore. The
genkey subcommand prompts the user to enter a PIN for token-based
keystore.
import The format for the
import subcommand is as follows:
pktool import [token=
token>[:
manuf>[:
serial>]]]
infile=
input-fn pktool import [keystore=pkcs11]
infile=
input-fn label=
object-label [keytype=aes|arcfour|des|3des|generic]
[sensitive=y|n]
[extractable=y|n]
[token=
token[:
manuf[:
serial]]]
[objtype=cert|key]
pktool import keystore=pkcs11
objtype=
crl infile=
input-fn outcrl=
output-crl-fn outformat=pem|der
pktool import keystore=nss
objtype=
cert infile=
input-fn label=
cert-label [token=
token[:
manuf[:
serial]]]
[dir=
directory-path]
[prefix=
DBprefix]
[trust=
trust-value]
pktool import keystore=nss
objtype=crl
infile=
input-fn [verifycrl=y|n]
[token=
token[:
manuf[:
serial]]]
[dir=
directory-path]
[prefix=
DBprefix]
pktool import keystore=file
infile=
input-fn outkey=
output-key-fn outcert=
output-key-fn [outformat=pem|der]
pktool import keystore=file
objtype=crl
infile=
input-fn outcrl=
output-crl-fn outformat=pem|der
Loads certificates, keys, or CRLs from the specified input file
into the specified keystore.
inittoken The format for the
inittoken subcommand is as follows:
pktool inittoken [ slotid=slot number ]
[ currlabel=token[:manuf[:serial]]]
[ newlabel=new token label ]
This command initializes a PKCS#11 token using
C_InitToken API.
The preferred method of locating a token is to specify its
default label. Optionally, a new label can be assigned to the
token by using the
newlabel argument. If
newlabel is not
present, the token label is not modified. The user is prompted
to enter the security officer (SO) PIN for this command to
proceed.
list The format for the
list subcommand is as follows:
pktool list [token=
token[:
manuf[:
serial]]]
[objtype=private|public|both]
[label=
label]
pktool list [keystore=pkcs11]
[objtype=cert[:public | private | both]]
[token=
token[:
manuf[:
serial]]]
[label=
cert-label]
[serial=
hex-serial-number]
[issuer=
issuer-DN]
[subject=
subject-DN]
pktool list [keystore=pkcs11]
objtype=key[:public | private | both]]
[token=
token[:
manuf[:
serial]]]
[label=
key-label]
pktool list keystore=pkcs11
objtype=crl
infile=
input-fn pktool list keystore=nss
objtype=cert
[subject=
subject-DN]
[issuer=
issuer-DN]
[serial=
hex-serial-number]
[nickname=
cert-nickname]
[token=
token[:
manuf[:
serial]]]
[dir=
directory-path]
[prefix=
DBprefix]
pktool list keystore=nss
objtype=key
[token=
token[:
manuf[:
serial]]]
[dir=
directory-path]
[prefix=
DBprefix]
pktool list keystore=file
objtype=cert
[infile=
input-fn]
[dir=
directory-path]
[serial=
hex-serial-number]
[issuer=
issuer-DN]
[subject=
subject-DN]
pktool list keystore=file
objtype=
key [infile=
input-fn]
[dir=
directory-path]
Lists certificates, list keys, or list certificate revocation
lists (CRL). When displaying a private certificate or key in
PKCS#11 token, the user is prompted to authenticate to the
PKCS#11 token by entering the correct PIN.
setpin The format for the
setpin subcommand is as follows:
pktool setpin keystore=nss
[token=
token]
[dir=
directory-path]
[prefix=
DBprefix]
pktool setpin [ keystore=pkcs11]
[token=
token[:
manuf[:
serial]]]
[usertype=user | so]
Changes the passphrase used to authenticate a user to the PKCS#11
or NSS token. Passphrases can be any string of characters with
lengths between 1 and 256 with no nulls.
setpin prompts the user for the old passphrase, if any. If the
old passphrase matches,
pktool prompts for the new passphrase
twice. If the two entries of the new passphrases match, it
becomes the current passphrase for the token.
For the Sun Software PKCS#11 softtoken keystore (default), the
user must use the
setpin command with the default passphrase
changeme as the old passphrase to change the passphrase of the
object store. This action is needed to initialize and set the
passphrase to a newly created token object store.
If the
usertype=so option is specified for PKCS#11 based tokens,
the Security Officer (SO) user PIN is changed as opposed to the
normal user PIN. By default the
usertype is assumed to be
user.
signcsr The format for the
signcsr subcommand is as follows:
signcsr keystore=pkcs11
signkey=
label (label of key to use for signing)
csr=
CSR_filename serial=
serial_number_hex_string_for_final_certificate outcert=
filename_for_final_certificate issuer=
issuer-DN [store=y|n] (store the new cert in NSS DB, default=n)
[outlabel=
certificate label]
[format=pem|der] (certificate output format)
[subject=
subject-DN] (override the CSR subject name)
[altname=
subjectAltName] (add subjectAltName )
[keyusage=[critical:]
usage,...] (add key usage bits)
[eku=[critical:]
EKU_Name,...] (add Extended Key Usage )
[lifetime=
number-hour|
number-day|
number-year]
[token=
token[:
manuf[:
serial]]]
signcsr keystore=
file signkey=
filename csr=
CSR_filename serial=
serial_number_hex_string_for_final_certificate outcert=
filename_for_final_certificate issuer=
issuer-DN [format=pem|der] (certificate output format)
[subject=
subject-DN] (override the CSR subject name)
[altname=
subjectAltName] (add a subjectAltName)
[keyusage=[critical:]
usage,...] (add key usage bits)
[lifetime=
number-hour|
number-day|
number-year]
[eku=[critical:]
EKU_ Name,...] (add Extended Key Usage)
signcsr keystore=nss
signkey=
label (label of key to use for signing)
csr=
CSR_filename serial=
serial_number_hex_string_for_final_certificate outcert=
filename_for_final_certificate issuer=
issuer-DN [store=y|n] (store the new cert in NSS DB, default=n)
[outlabel=
certificate label]
[format=pem|der] (certificate output format)
[subject=
subject-DN] (override the CSR subject name)
[altname=
subjectAltName] (add a subjectAltName)
[keyusage=[critical:]
usage,...] (add key usage bits)
[eku=[critical:]
EKU_Name,...] (add Extended Key Usage)
[lifetime=
number-hour|
number-day|
number-year]
[token=token[
:manuf[:
serial]]]
[dir=
directory-path]
[prefix=
DBprefix]
tokens The format for the
tokens subcommand is as follows:
pktool tokens
The tokens subcommand lists all visible PKCS#11 tokens.
-? The format for the subcommand is as follows:
pktool -?
pktool --help
The
-? option displays usage and help information.
--help is a
synonym for
-?.
USAGE
The
pktool subcommands support the following options:
altname=[critical:]subjectAltName Subject Alternative Names the certificate. The argument that
follows the -A option should be in the form of tag=value. Valid
tags are IP, DNS, EMAIL, URI, DN, KRB, UPN, and RID. The
SubjectAltName extension is marked as
critical if the altname
string is prepended with the word
critical.
Example 1: Add an IP address to the
subjectAltName extension.
altname="IP=1.2.3.4" Example 2: Add an email address to the
subjectAltName extension, and mark it as being critical.
altname="critical:EMAIL=first.last@example.com" currlabel=token label This option is only used by the
inittoken command. This is used
to locate the default token that is being initialized. See the
token option for details about the format of the token name to
be used.
dir=directory_path Specifies the NSS database directory, or OpenSSL keystore
directory where the requested object is stored.
eku=[critical:]
EKU_Name,[critical:]
EKU_Name, ...]
Specifies the extended key usage X.509v3 extension values to add
to the certificate or certificate request.
Specify
EKU_Name as one of the following:
serverAuth,
clientAuth,
codeSigning,
emailProtection,
ipsecEndSystem,
ipsecTunnel,
ipsecUser,
timeStamping,
OCSPSigning,
KPClientAuth,
KPKdc, or
scLogon.
An example is:
eku=KPClientAuth,clientAuth
extractable=y | n Specifies the resulting symmetric key in the PKCS#11 token is
extractable or not extractable. The valid values are:
y and
n.
The default value is
y.
format=pem | der | pkcs12 For the
gencert subcommand, this option only applies to the file
based keystore such as OpenSSL. It is used to specify the output
format of the key or certificate file to be created. The valid
formats are:
pem or
der. The default format is
pem.
For the
gencsr subcommand, this option specifies the output
encoded format of the CSR file. The valid formats are:
pem or
der. The default format is
pem.
infile=input-fn Specifies the certificate filename for
list and
delete subcommands when objtype=cert and keystore=file. For the
import subcommand, this option specifies the filename to be imported.
Specifies the input CRL filename for
list,
delete and
import subcommands when
objtype=crl.
issuer=issuer-DN Specifies the issuer of a certificate.
keylen=key-size Specifies the size (bits) of the private or symmetric key to
generate.
For the
gencert and
gencsr subcommands, the default key length is
1024 bits.
For the
genkey subcommand, the minimum and maximum bits of the
symmetric key to generate using AES algorithm are
128 and
256.
Using the ARCFOUR algorithm, the minimum and maximum bits are
8 and
2048. The minimum bits for a generic secret key is
8 and the
maximum bits is arbitrary. The default key length for the AES,
ARCFOUR or generic secret keys is 128. For a DES key or a 3DES
key, the key length is fixed and this option is ignored if
specified.
keystore=nss | pkcs11 | file Specifies the type of the underlying keystore: NSS token, PKCS#11
token, or file-based plugin.
keytype=rsa | dsa | aes | arcfour | des | 3des | generic Specifies the type of the private or symmetric key to generate.
For the
gencert and
gencsr subcommands, the valid private key
types are:
rsa, or
dsa. The default key type is
rsa.
For the
genkey subcommand, the valid symmetric key types are:
aes,
arcfour,
des,
3des, or
generic. The default key type is
aes.
keyusage=[critical:]usage,usage,usage,...
Key Usage strings:
* digitalSignature
* nonRepudiation
* keyEncipherment
* dataEncipherment
* keyAgreement
* keyCertSign
* cRLSign
* encipherOnly
* decipherOnly
Example 1: Set the KeyUsage so that the cert (or csr) can be used
for signing and verifying data other than certificates or CRLs
(digitalSignature) and also can be used for encrypting and
decrypting data other than cryptographic keys (dataEncipherment).
keyusage=digitalSignature,dataEncipherment
Example 2: The same as above (Example 1), but with the critical
bit set. keyusage=critical:digitalSignature,dataEncipherment
label=key-label |
cert-label For the
gencert subcommand, this option specifies the label of
the private key and self-signed certificate in the PKCS#11 token.
For the
gencsr subcommand, this option specifies the label of the
private key in the PKCS#11 token.
For the
list subcommand, this option specifies the label of the
X.509 Certificate (when
objtype=key) or the private key (when
objtype=cert) in the PKCS#11 token to refine the list.
For the
delete subcommand, this option specifies the label of the
X.509 Certificate (when
objtype=key) or the private key (when
objtype=cert) to delete a designated object from the PKCS#11
token.
lifetime=number-hour|
number-day|
number-year
Specifies the validity period a certificate is valid. The
certificate life time can be specified by
number-hour,
number-day, or
number-year. Only one format can be specified. The
default is
1-year. Examples of this option might be:
lifetime=1-hour, lifetime=2-day, lifetime=3-year newlabel=token label This option is only used by the
inittoken command. This is used
to change the label assigned to the token that is being
initialized. See the
token option for details about the format
of the token name to be used.
nickname=cert-nickname For the
gencert subcommand, this option is required to specify
the certificate's nickname for NSS keystore.
For the
list subcommand, this option specifies the nickname of
the certificate in the NSS token to display its content. For the
delete subcommand, to delete a CRL from the NSS token, this
option is used to specify the nickname of the issuer's
certificate. For the
delete subcommand, to delete a certificate
from the NSS token, this option specifies the nickname of the
certificate. For the
import subcommand, to import a specified
input file to the NSS token, this option is required to specify
the nickname of the resulting certificate.
objtype=cert | key | crl Specifies the class of the object:
cert, key, or
crl. For the
download subcommand, if this option is not specified, default to
crl.
objtype=public | private | both Specifies the type of object: private object, public object, or
both. This option only applies to
list and
delete subcommands for
the PKCS#11 token when
objtype=key is specified. The default
value is
public.
For the
list subcommand, the label option can be combined with
this option to further refine the list of keys. For the
delete subcommand, this option can used to narrow the keys to be deleted
to only public, or private ones. Alternately, the label option
can be omitted to indicate that all public, private, or both type
of keys are to be deleted.The use of
public,
private and
both as
choices for the
objtype parameter are only applicable with the
PKCS#11 keystore in order to maintain compatibility with earlier
versions of the
pktool command.
outcert=cert-fn Specifies the output certificate filename to write to. This
option is required for the file based plugin such as OpenSSL.
Option
outkey=key-fn is required with this option.
outcrl=output-crl-fn Specifies the output CRL filename to write to.
outcsr=csr-fn Specifies the output CSR filename to write to.
outfile=output-fn For the
export subcommand, this option specifies the output
filename to be created. For the
import subcommand, this option
specifies the output filename of the certificate or CRL. It only
applies to the file based plugin such as OpenSSL. For the
download subcommand, if this option is not specified, the
downloaded file name is the basename of the URL string.
outformat=pem | der | pkcs12 For the
import subcommand, this option specifies the output
format of the certificate or key that is extracted from a
specified PKCS#12 file into the file based plugin, The valid
values are:
pem or
der. The default is
pem. When importing a CRL
to the CRL file based keystore, this option specifies the output
format of the CRL. The valid values are:
pem or
der. The default
is
der. For the
export subcommand, this option specifies the
format of the specified output file to be created. The supported
formats are:
pem,
der or
pkcs12. The default is
pkcs12.
outkey=key-fn Specifies the output private key filename to which to write. This
option is only required when using the
files keystore.
prefix=DBprefix Specifies the NSS database prefix. This option only applies to
the NSS token.
print=y | n This option is used in the
genkey subcommand and it applies to
the PKCS11 and File-based keystores. If
print=y, the
genkey subcommand prints out the key value of the generated key in a
single line of hex. The default value is
n. For the PKCS11
keystore, if a symmetric key is created with
sensitive=y or
extractable=n, the key value is not displayed, even the
print option is set to
y. The key is still created, but a warning like
cannot reveal the key value is issued.
sensitive=y | n Specifies the resulting symmetric key in the PKCS#11 token is
sensitive or not sensitive. The valid values are:
y and
n. The
default value is
n.
serial=hex-serial-number Specifies a unique serial number for a certificate. The serial
number must be specified as a hex value. Example:
0x0102030405060708090a0b0c0d0e0f subject=subject-DN Specifies a particular certificate owner for a certificate or
certificate request. An example
subject= setting might be:
subject=O=Example Microsystems Inc., \
OU=Solaris Security Technologies Group, \
L=Ashburn, ST=VA, C=US, CN=John Smith
token=token[:
manuf[:
serial]]
When a token label contains trailing spaces, this option does not
require them to be typed as a convenience to the user.
Colon separate token identification string
token:
manuf:
serial. If
any of the parts have a literal
: char then it needs to be
escaped using a backslash (
\). If no
: is found then the entire
string (up to 32 chars) is taken as the token label. If only one
: is found then the string is the token label and the
manufacturer. When
keystore=nss is specified, default to NSS
internal token if this option is not specified. When
keystore=pkcs11 is specified, default to
pkcs11_softtoken if this
option is not specified.
trust=trust-
value Specifies the certificate trust attributes. This is only for NSS
certificates and that the standard NSS syntax applies.
usertype=user | so Specifies the type of user for which the
setpin command is
being performed. The default is for a standard user, but
so can be specified in order to set the PIN for the security
officer of the token.
url=url_string Specifies the URL to download a CRL or a certificate file.
verifycrl=y | n When importing a CRL to NSS keystore, this option specifies
whether the CRL verification is performed. The valid values are:
y and
n. The default value is
n.
http_proxy=proxy_str Specifies the proxy server hostname and port number. The format
can be either
http://hostname[:
port] or
hostname[:port]. If this
option is not specified, the
download subcommand checks the
http_proxy environment variable. The command line option has a
higher priority than the environment variable.
EXAMPLES
Example 1: Generating a Self-Signed Certificate
The following example creates the certificate and stores it in the
keystore indicated in the command:
$ pktool gencert keystore=nss nickname=WebServerCert \
subject="O=Example Microsystems Inc., OU=Solaris Security Technologies Group, \
L=Ashburn, ST=VA, C=US, CN=John Smith" dir=/etc/certs \
keytype=rsa keylen=2048
Example 2: Generating a Certificate Signing Request
The following example creates the CSR and stores it in the keystore
indicated in the command:
$ pktool gencsr keystore=nss subject="O=Example Microsystems Inc., \
OU=Solaris Security Technologies Group, L=Ashburn, ST=VA, C=US, \
CN=John Smith" keytype=rsa keylen=2048 outcsr=csr.dat
Example 3: Importing a Certificate
The following example imports a certificate object from the specified
input file into the keystore indicated in the command:
$ pktool import keystore=nss objtype=cert infile=mycert.pem \
nickname=mycert
EXIT STATUS
The following exit values are returned:
0 Successful completion.
>0 An error occurred.
ATTRIBUTES
See
attributes(7) for descriptions of the following attributes:
+--------------------+-----------------+
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
+--------------------+-----------------+
|Interface Stability | Committed |
+--------------------+-----------------+
SEE ALSO
attributes(7),
pkcs11_softtoken(7) RSA PKCS#11 v2.11 http://www.rsasecurity.com
RSA PKCS#12 v1.0 http://www.rsasecurity.com
November 22, 2021 PKTOOL(1)
