👤
Home Man
Search
Today's Posts
Register

Linux & Unix Commands - Search Man Pages
Man Page or Keyword Search:
Select Section of Man Page:
Select Man Page Repository:

OpenSolaris 2009.06 - man page for pktool (opensolaris section 1)

pktool(1)				  User Commands 				pktool(1)

NAME
       pktool - manage certificates and keys

SYNOPSIS
       pktool [-f option_file] [-i] subcommand subcommand_options ...

DESCRIPTION
       The  pktool command allows users to manage the certificates and keys on multiple keystores
       including PKCS#11 tokens (that is, Cryptographic Framework),  Netscape  Security  Services
       (NSS) tokens, and standard file based keystore for OpenSSL.

       pktool  also  provides  support	to  list, delete and import a Certificate Revocation List
       (CRL). pktool does not provide support for creating CRLs, signing CRLs, or exporting CRLs.
       The CRL support for the PKCS#11 keystore is file-based.

OPTIONS
       The following command options are supported:

       -f option_file	 Allows  the user to set up the options in a file instead of entering the
			 options on the command line.

			 This option is provided as a convenience for users  because  pktool  can
			 potentially  have  a large list of subcommands and associated options to
			 be specified on the command line.

			 The format of the option_file is one option or value pair per-line.

			 An example option_file might looks as follows:

			   list
			   keystore=nss
			   dir=/export/foo
			   objtype=key

       -i		 Allows the user to specify the subject-DN interactively for the  gencert
			 and  gencsr  subcommands.  When -i is specified, the user is prompted to
			 input some data to form a subject-DN.

			 An example of using the -i option follows:

			   Country Name (2 letter code) [US]:US
			   State or Province Name (full name) [Some-State]:CA
			   Locality Name (eg, city) []:Menlo Park
			   Organization Name (eg, company):Sun Microsystems Inc.
			   Organizational Unit Name (eg, section):OPG
			   Common Name (eg, YOUR name):John Smith
			    Email Address []: john.smith@sun.com

			 The resulting subject-DN is:

			   "C=US, ST=CA, L=Menlo Park, O=Sun Microsystems Inc.,\
			      OU=OPG, emailAddress=john.smith@sun.com, \
			      CN=John Smith"

SUBCOMMANDS
       The following subcommands are supported:

       delete

	   The format for the delete subcommand is as follows:

	     pktool delete [token=token[:manuf[:serial]]]
			   [objtype=private|public|both]
			   [label=object-label]

	     pktool delete keystore=pkcs11
			   objtype=cert[:public | private | both]]
			   [token=token[:manuf[:serial]]]
			   [label=cert-label]
			   [serial=hex-serial-number]
			   [issuer=issuer-DN]
			   [subject=subject-DN]

	     pktool delete keystore=nss
			   objtype=cert
			   [subject=subject-DN]
			   [issuer=issuer-DN]
			   [serial=hex-serial-number]
			   [nickname=cert-nickname]
			   [token=token[:manuf[:serial]]]
			   [dir=directory-path]
			   [prefix=DBprefix]

	     pktool delete keystore=nss
			   objtype=crl
			   [nickname=cert-nickname]
			   [subject=subject-DN]
			   [token=token[:manuf[:serial]]]
			   [dir=directory-path]
			   [prefix=DBprefix]

	     pktool delete keystore=pkcs11
			   objtype=key[:public | private | both]]
			   [token=token[:manuf[:serial]]]
			   [label=key-label]

	     pktool delete keystore=pkcs11
			   objtype=crl
			   infile=input-fn

	     pktool delete keystore=file
			   objtype=cert
			   [infile=input-fn]
			   [dir=directory-path]
			   [serial=hex-serial-number]
			   [issuer=issuer-DN]
			   [subject=subject-DN]

	     pktool delete keystore=file
			   objtype=key
			   [infile=input-fn]
			   [dir=directory-path]

	     pktool delete keystore=file
			   objtype=crl
			   infile=input-fn

	   Deletes a certificate, key, or certificate revocation list (CRL).

	   To delete a private certificate or key from PKCS#11 token, the  user  is  prompted  to
	   authenticate  to  the  PKCS#11  by entering the correct Personal Identification Number
	   (PIN).

       download

	   The format for the download subcommand is as follows:

	      pktool download url=url_str
			      [objtype=crl|cert]
			      [http_proxy=proxy_str]
			      [outfile=output-fn]
			      [dir=directory-path]

	   Downloads a CRL file or a certificate file from the specified URL location.	Once  the
	   file is successfully downloaded, checks the validity of the downloaded CRL or certifi-
	   cate file. If the CRL or the certificate is expired, download issues a warning.

       export

	   The format for the export subcommand is as follows:

	     pktool export [token=token[:manuf[:serial]]]
			   outfile=output-fn

	     pktool export keystore=pkcs11
			   outfile=output-fn
			   [objtype=cert|key]
			   [label=label]
			   [subject=subject-DN]
			   [issuer=issuer-DN]
			   [serial=hex-serial-number]
			   [outformat=pem|der|pkcs12|raw]
			   [token=token[:manuf[:serial]]]

	     pktool export keystore=nss
			   outfile=output-fn
			   [subject=subject-DN]
			   [issuer=issuer-DN]
			   [serial=hex-serial-number]
			   [nickname=cert-nickname]
			   [token=token[:manuf[:serial]]]
			   [dir=directory-path]
			   [prefix=DBprefix]
			   [outformat=pem|der|pkcs12]

	     pktool export keystore=file
			   certfile=cert-input-fn
			   keyfile=key-input-fn
			   outfile=output-pkcs12-fn

	   Saves the contents of PKCS#11 token or certificates in the  NSS  token  or  file-based
	   keystore to the specified file.

       gencert

	   The format for the gencert subcommand is as follows:

	     pktool gencert [-i] keystore=nss
			   label=cert-nickname
			   subject=subject-DN
			   serial=hex_serial_number
			   [altname=[critical:]subjectAltName]
			   [keyusage=[critical:]usage,usage...]
			   [token=token[:manuf[:serial]]]
			   [dir=directory-path]
			   [prefix=DBprefix]
			   [keytype=rsa|dsa]
			   [keylen=key-size]
			   [trust=trust-value]
			   [lifetime=number-hour|number-day|number-year]
			   [eku=[critical:]EKU_name,...]

	     pktool gencert [-i] [ keystore=pkcs11]
			   label=key/cert-label
			   subject=subject-DN
			   serial=hex_serial_number
			   [altname=[critical:]subjectAltName]
			   [keyusage=[critical:]usage,usage...]
			   [token=token[:manuf[:serial]]]
			   [keytype=rsa|dsa]
			   [keylen=key-size]
			   [lifetime=number-hour|number-day|number-year]
			   [eku=[critical:]EKU_name,...]

	     pktool gencert [-i] keystore=file
			   outcert=cert-fn
			   outkey=key-fn
			   subject=subject-DN
			   serial=hex_serial_number
			   [altname=[critical:]subjectAltName]
			   [keyusage=[critical:]usage,usage...]
			   [format=der|pem]
			   [keytype=rsa|dsa]
			   [keylen=key-size]
			   [lifetime=number-hour|number-day|number-year]
			   [eku=[critical:]EKU_name,...]

	   Generates  a self-signed certificate and installs it and its associated private key to
	   the specified keystore.

	   gencert prompts the user to enter a PIN for token-based keystore.

       gencsr

	   The format for the gencsr subcommand is as follows:

	     pktool gencsr [-i] keystore=nss
			   nickname=key-nickname
			   outcsr=csr-fn
			   subject=subject-DN
			   [altname=[critical:]subjectAltName]
			   [keyusage=[critical:]usage,usage...]
			   [token=token[:manuf[:serial]]]
			   [dir=directory-path]
			   [prefix=DBprefix]
			   [keytype=rsa|dsa]
			   [keylen=key-size]
			   [format=pem|der]
			   [eku=[critical:]EKU_name,...]

	     pktool gencsr [-i] keystore=pkcs11
			   label=key-label
			   outcsr=csr-fn
			   subject=subject-DN
			   [altname=[critical:]subjectAltName]
			   [keyusage=[critical:]usage,usage...]
			   [token=token[:manuf[:serial]]]
			   [keytype=rsa|dsa]
			   [keylen=key-size]
			   [format=pem|der]
			   [eku=[critical:]EKU_name,...]

	     pktool gencsr [-i] keystore=file
			   outcsr=csr-fn
			   outkey=key-fn
			   subject=subject-DN
			   [altname=[critical:]subjectAltName]
			   [keyusage=[critical:]usage,usage...]
			   [dir=directory-path]
			   [keytype=rsa|dsa]
			   [keylen=key-size]
			   [format=pem|der]
			   [eku=[critical:]EKU_name,...]

	   Creates a PKCS#10 certificate signing request (CSR) file. This CSR can be  sent  to	a
	   Certifying Authority (CA) for signing. The gencsr subcommand prompts the user to enter
	   a PIN for token-based keystore.

       genkey

	   The format for the genkey subcommand is as follows:

	     pktool genkey [keystore=pkcs11]
			   label=key-label
			   [keytype=aes|arcfour|des|3des|generic]
			   [keylen=key-size (for aes, arcfour, or \
			       generic keytypes only)]
			   [token=token[:manuf[:serial]]]
			   [sensitive=y|n]
			   [extractable=y|n]
			   [print=y|n]

	     pktool genkey keystore=nss
			   label=key-label
			   [keytype=aes|arcfour|des|3des|generic]
			   [keylen=key-size (for aes, arcfour, or \
			       generic keytypes only)]
			   [token=token[:manuf[:serial]]]
			   [dir=directory-path]
			   [prefix=DBprefix]

	     pktool genkey keystore=file
			   outkey=key-fn
			   [keytype=aes|arcfour|des|3des|generic]
			   [keylen=key-size (for aes, arcfour, \
				or generic keytypes only)]
			   [print=y|n]

	   Generates a symmetric key in the specified keystore. The genkey subcommand prompts the
	   user to enter a PIN for token-based keystore.

       import

	   The format for the import subcommand is as follows:

	     pktool import [token=token>[:manuf>[:serial>]]]
			   infile=input-fn

	     pktool import [keystore=pkcs11]
			   infile=input-fn
			   label=object-label
			   [keytype=aes|arcfour|des|3des|generic]
			   [sensitive=y|n]
			   [extractable=y|n]
			   [token=token[:manuf[:serial]]]
			   [objtype=cert|key]

	     pktool import keystore=pkcs11
			   objtype=crl
			   infile=input-fn
			   outcrl=output-crl-fn
			   outformat=pem|der

	     pktool import keystore=nss
			   objtype=cert
			   infile=input-fn
			   label=cert-label
			   [token=token[:manuf[:serial]]]
			   [dir=directory-path]
			   [prefix=DBprefix]
			   [trust=trust-value]

	     pktool import keystore=nss
			   objtype=crl
			   infile=input-fn
			   [verifycrl=y|n]
			   [token=token[:manuf[:serial]]]
			   [dir=directory-path]
			   [prefix=DBprefix]

	     pktool import keystore=file
			   infile=input-fn
			   outkey=output-key-fn
			   outcert=output-key-fn
			   [outformat=pem|der]

	     pktool import keystore=file
			   objtype=crl
			   infile=input-fn
			   outcrl=output-crl-fn
			   outformat=pem|der

	   Loads  certificates,  keys,	or  CRLs from the specified input file into the specified
	   keystore.

       list

	   The format for the list subcommand is as follows:

	     pktool list [token=token[:manuf[:serial]]]
			 [objtype=private|public|both]
			 [label=label]

	     pktool list [keystore=pkcs11]
			 [objtype=cert[:public | private | both]]
			 [token=token[:manuf[:serial]]]
			 [label=cert-label]
			 [serial=hex-serial-number]
			 [issuer=issuer-DN]
			 [subject=subject-DN]

	     pktool list [keystore=pkcs11]
			 objtype=key[:public | private | both]]
			 [token=token[:manuf[:serial]]]
			 [label=key-label]

	     pktool list keystore=pkcs11
			 objtype=crl
			 infile=input-fn

	     pktool list keystore=nss
			 objtype=cert
			 [subject=subject-DN]
			 [issuer=issuer-DN]
			 [serial=hex-serial-number]
			 [nickname=cert-nickname]
			 [token=token[:manuf[:serial]]]
			 [dir=directory-path]
			 [prefix=DBprefix]

	     pktool list keystore=nss
			 objtype=key
			 [token=token[:manuf[:serial]]]
			 [dir=directory-path]
			 [prefix=DBprefix]

	     pktool list keystore=file
			 objtype=cert
			 [infile=input-fn]
			 [dir=directory-path]
			 [serial=hex-serial-number]
			 [issuer=issuer-DN]
			 [subject=subject-DN]

	     pktool list keystore=file
			 objtype=key
			 [infile=input-fn]
			 [dir=directory-path]

	   Lists certificates, list keys, or list certificate revocation lists (CRL).  When  dis-
	   playing a private certificate or key in PKCS#11 token, the user is prompted to authen-
	   ticate to the PKCS#11 token by entering the correct PIN.

       setpin

	   The format for the setpin subcommand is as follows:

	     pktool setpin keystore=nss
		    [token=token]
		    [dir=directory-path]
		    [prefix=DBprefix]

	     pktool setpin [ keystore=pkcs11]
		    [token=token[:manuf[:serial]]]

	   Changes the passphrase used to authenticate a  user	to  the  PKCS#11  or  NSS  token.
	   Passphrases	may  be  any  string of characters with lengths between 1 and 256 with no
	   nulls.

	   setpin prompts the user for the old passphrase, if any. If the old passphrase matches,
	   pktool prompts for the new passphrase twice. If the two entries of the new passphrases
	   match, it becomes the current passphrase for the token.

	   For the Sun Software PKCS#11 softtoken keystore (default), the user must use the  set-
	   pin	command  with the default passphrase changeme as the old passphrase to change the
	   passphrase of the object store.  This action is  needed  to	initialize  and  set  the
	   passphrase to a newly created token object store.

       signcsr

	   The format for the signcsr subcommand is as follows:

	     signcsr keystore=pkcs11
		     signkey=label (label of key to use for signing)
		     csr=CSR_filename
		     serial=serial_number_hex_string_for_final_certificate
		     outcert=filename_for_final_certificate
		     issuer=issuer-DN
		     [store=y|n] (store the new cert in NSS DB, default=n)
		     [outlabel=certificate label]
		     [format=pem|der] (certificate output format)
		     [subject=subject-DN] (override the CSR subject name)
		     [altname=subjectAltName] (add subjectAltName )
		     [keyusage=[critical:]usage,...] (add key usage bits)
		     [eku=[critical:]EKU_Name,...] (add Extended Key Usage )
		     [lifetime=number-hour|number-day|number-year]
		     [token=token[:manuf[:serial]]]
	     signcsr keystore=file
		     signkey=filename
		     csr=CSR_filename
		     serial=serial_number_hex_string_for_final_certificate
		     outcert=filename_for_final_certificate
		     issuer=issuer-DN
		     [format=pem|der] (certificate output format)
		     [subject=subject-DN] (override the CSR subject name)
		     [altname=subjectAltName] (add a subjectAltName)
		     [keyusage=[critical:]usage,...] (add key usage bits)
		     [lifetime=number-hour|number-day|number-year]
		     [eku=[critical:]EKU_ Name,...] (add Extended Key Usage)
	     signcsr keystore=nss
		     signkey=label (label of key to use for signing)
		     csr=CSR_filename
		     serial=serial_number_hex_string_for_final_certificate
		     outcert=filename_for_final_certificate
		     issuer=issuer-DN
		     [store=y|n] (store the new cert in NSS DB, default=n)
		     [outlabel=certificate label]
		     [format=pem|der] (certificate output format)
		     [subject=subject-DN] (override the CSR subject name)
		     [altname=subjectAltName] (add a subjectAltName)
		     [keyusage=[critical:]usage,...] (add key usage bits)
		     [eku=[critical:]EKU_Name,...] (add Extended Key Usage)
		     [lifetime=number-hour|number-day|number-year]
		     [token=token[:manuf[:serial]]]
		     [dir=directory-path]
		     [prefix=DBprefix]

       tokens

	   The format for the tokens subcommand is as follows:

	     pktool tokens

	   The tokens subcommand lists all visible PKCS#11 tokens.

       -?

	   The format for the  subcommand is as follows:

	     pktool -?
	     pktool --help

	   The -? option displays usage and help information. --help is a synonym for -?.

USAGE
       The pktool subcommands support the following options:

       altname=[critical:]subjectAltName

	   Subject  Alternative  Names	the  certificate. The argument that follows the -A option
	   should be in the form of tag=value. Valid tags are IP, DNS, EMAIL, URI, DN, KRB,  UPN,
	   and	RID.  The SubjectAltName extension is marked as critical if the altname string is
	   pre-peneded with the

	   Example 1: Add an IP address to  the  subjectAltName  extension.  altname="IP=1.2.3.4"
	   Example  2: Add an email address to the subjectAltName extension, and mark it as being
	   critical. altname="critical:EMAIL=first.last@company.com"

       dir=directory_path

	   Specifies the  NSS  database  directory,  or  OpenSSL  keystore  directory  where  the
	   requested object is stored.

       eku=[critical:]EKU_Name,[critical:]EKU_Name, ...]

	   Specifies the extended key usage X.509v3 extension values to add to the certificate or
	   certificate request.

	   Specify EKU_Name as one  of	the  following:    serverAuth,	clientAuth,  codeSigning,
	   emailProtection,  ipsecEndSystem,  ipsecTunnel,  ipsecUser, timeStamping, OCSPSigning,
	   KPClientAuth, KPKdc, or scLogon.

	   An example is:

	     eku=KPClientAuth,clientAuth

       extractable=y | n

	   Specifies the resulting symmetric key in the  PKCS#11  token  is  extractable  or  not
	   extractable. The valid values are: y and n. The default value is y.

       format=pem | der | pkcs12

	   For	the  gencert subcommand, this option only applies to the file based keystore such
	   as OpenSSL. It is used to specify the output format of the key or certificate file  to
	   be created. The valid formats are: pem or der. The default format is pem.

	   For	the gencsr subcommand, this option specifies the output encoded format of the CSR
	   file. The valid formats are: pem or der. The default format is pem.

       infile=input-fn

	   Specifies the certificate filename for list and delete subcommands  when  objtype=cert
	   and keystore=file. For the import subcommand, this option specifies the filename to be
	   imported. Specifies the input CRL filename for list,  delete  and  import  subcommands
	   when objtype=crl.

       issuer=issuer-DN

	   Specifies the issuer of a certificate.

       keylen=key-size

	   Specifies the size (bits) of the private or symmetric key to generate.

	   For the gencert and gencsr subcommands, the default key length is 1024 bits.

	   For the genkey subcommand, the minimum and maximum bits of the symmetric key to gener-
	   ate using AES algorithm are 128 and 256. Using the ARCFOUR algorithm, the minimum  and
	   maximum  bits  are  8 and 2048. The minimum bits for a generic secret key is 8 and the
	   maximum bits is arbitrary. The default key length for  the  AES,  ARCFOUR  or  generic
	   secret  keys  is  128.  For	a DES key or a 3DES key, the key length is fixed and this
	   option is ignored if specified.

       keystore=nss | pkcs11 | file

	   Specifies the type of the underlying keystore: NSS token, PKCS#11 token, or file-based
	   plugin.

       keytype=rsa | dsa | aes | arcfour | des | 3des | generic

	   Specifies the type of the private or symmetric key to generate.

	   For	the gencert and gencsr subcommands, the valid private key types are: rsa, or dsa.
	   The default key type is rsa.

	   For the genkey subcommand, the valid symmetric key types are: aes, arcfour, des, 3des,
	   or generic. The default key type is aes.

	      keyusage=[critical:]usage,usage,usage,...

	     Key Usage strings:
	     * digitalSignature
	     * nonRepudiation
	     * keyEncipherment
	     * dataEncipherment
	     * keyAgreement
	     * keyCertSign
	     * cRLSign
	     * encipherOnly
	     * decipherOnly

	   Example 1: Set the KeyUsage so that the cert (or csr) can be used for signing and ver-
	   ifying data other than certificates or CRLs (digitalSignature) and also  can  be  used
	   for	encrypting  and decrypting data other than cryptographic keys (dataEncipherment).
	   keyusage=digitalSignature,dataEncipherment

	   Example  2:	The  same  as  above  (Example	1),  but  with	the  critical  bit   set.
	   keyusage=critical:digitalSignature,dataEncipherment

       label=key-label | cert-label

	   For	the  gencert  subcommand,  this option specifies the label of the private key and
	   self-signed certificate in the PKCS#11 token.

	   For the gencsr subcommand, this option specifies the label of the private key  in  the
	   PKCS#11 token.

	   For	the  list  subcommand,	this  option specifies the label of the X.509 Certificate
	   (when objtype=key) or the private key (when objtype=cert)  in  the  PKCS#11	token  to
	   refine the list.

	   For	the  delete  subcommand, this option specifies the label of the X.509 Certificate
	   (when objtype=key) or the private key  (when  objtype=cert)	to  delete  a  designated
	   object from the PKCS#11 token.

       lifetime=number-hour|number-day|number-year

	   Specifies the validity period a certificate is valid. The certificate life time can be
	   specified by number-hour, number-day, or number-year. Only one format  can  be  speci-
	   fied.  The default is 1-year. Examples of this option might be: lifetime=1-hour, life-
	   time=2-day, lifetime=3-year

       nickname=cert-nickname

	   For the gencert subcommand, this option is required to specify the certificate's nick-
	   name for NSS keystore.

	   For	the list subcommand, this option specifies the nickname of the certificate in the
	   NSS token to display its content. For the delete subcommand, to delete a CRL from  the
	   NSS	token,	this  option is used to specify the nickname of the issuer's certificate.
	   For the delete subcommand, to delete a certificate from the	NSS  token,  this  option
	   specifies  the  nickname  of  the  certificate. For the import subcommand, to import a
	   specified input file to the NSS token, this option is required to specify the nickname
	   of the resulting certificate.

       objtype=cert | key | crl

	   Specifies  the class of the object: cert, key, or crl. For the download subcommand, if
	   this option is not specified, default to crl.

       objtype=public | private | both

	   Specifies the type of object: private object, public object, or both. This option only
	   applies to list and delete subcommands for the PKCS#11 token when objtype=key is spec-
	   ified. The default value is public.

	   For the list subcommand, the label option may be combined with this option to  further
	   refine the list of keys. For the delete subcommand, this option may used to narrow the
	   keys to be deleted to only public, or private ones. Alternately, the label option  may
	   be  omitted	to  indicate  that  all  public,  private, or both type of keys are to be
	   deleted.The use of public, private and both as choices for the objtype  parameter  are
	   only applicable with the PKCS#11 keystore in order to maintain compatibility with ear-
	   lier versions of the pktool command.

       outcert=cert-fn

	   Specifies the output certificate filename to write to. This option is required for the
	   file based plugin such as OpenSSL. Option outkey=key-fn is required with this option.

       outcrl=output-crl-fn

	   Specifies the output CRL filename to write to.

       outcsr=csr-fn

	   Specifies the output CSR filename to write to.

       outfile=output-fn

	   For	the  export  subcommand, this option specifies the output filename to be created.
	   For the import subcommand, this option specifies the output filename of  the  certifi-
	   cate  or CRL. It only applies to the file based plugin such as OpenSSL.  For the down-
	   load subcommand, if this option is not specified, the  downloaded  file  name  is  the
	   basename of the URL string.

       outformat=pem | der | pkcs12

	   For	the import subcommand, this option specifies the output format of the certificate
	   or key that is extracted from a specified PKCS#12 file into the file based plugin, The
	   valid values are: pem or der. The default is pem. When importing a CRL to the CRL file
	   based keystore, this option specifies the output format of the CRL. The  valid  values
	   are:  pem or der. The default is der. For the export subcommand, this option specifies
	   the format of the specified output file to be created. The supported formats are: pem,
	   der or pkcs12. The default is pkcs12.

       outkey=key-fn

	   Specifies  the  output  private  key  filename  to which to write. This option is only
	   required when using the files keystore.

       prefix=DBprefix

	   Specifies the NSS database prefix. This option only applies to the NSS token.

       print=y | n

	   This option is used in the genkey subcommand and it applies to the  PKCS11  and  File-
	   based  keystores.  If  print=y,  the genkey subcommand prints out the key value of the
	   generated key in a single line of hex. The default value is n.  For	the  PKCS11  key-
	   store,  if a symmetric key is created with sensitive=y or extractable=n, the key value
	   is not displayed, even the print option is set to y. The key is still created,  but	a
	   warning like cannot reveal the key value is issued.

       sensitive=y | n

	   Specifies  the resulting symmetric key in the PKCS#11 token is sensitive or not sensi-
	   tive. The valid values are: y and n. The default value is n.

       serial=hex-serial-number

	   Specifies a unique serial number for a certificate. The serial number must  be  speci-
	   fied as a hex value. Example: 0x0102030405060708090a0b0c0d0e0f

       subject=subject-DN

	   Specifies  a particular certificate owner for a certificate or certificate request. An
	   example subject= setting might be:

	     subject=O=Sun Microsystems Inc., \
	     OU=Solaris Security Technologies Group, \
	     L=Ashburn, ST=VA, C=US, CN=John Smith

       token=token[:manuf[:serial]]

	   When a token label contains trailing spaces, this option does not require them  to  be
	   typed as a convenience to the user.

	   Colon  separate  token  identification  string token:manuf:serial. If any of the parts
	   have a literal : char then it needs to be escaped using a backslash (\). If	no  :  is
	   found then the entire string (up to 32 chars) is taken as the token label. If only one
	   : is found then the string is the token label and the manufacturer. When  keystore=nss
	   is specified, default to NSS internal token if this option is not specified. When key-
	   store=pkcs11 is specified, default to pkcs11_softtoken if this option  is  not  speci-
	   fied.

       trust=trust-value

	   Specifies the certificate trust attributes. This is only for NSS certificates and that
	   the standard NSS syntax applies.

       url=url_string

	   Specifies the URL to download a CRL or a certificate file.

       verifycrl=y | n

	   When importing a CRL to NSS keystore, this option specifies whether the CRL	verifica-
	   tion is performed. The valid values are: y and n. The default value is n.

       http_proxy=proxy_str

	   Specifies  the  proxy  server  hostname  and  port  number.	The  format can be either
	   http://hostname[:port] or hostname[:port]. If this option is not specified, the  down-
	   load  subcommand  checks  the http_proxy environment variable. The command line option
	   has a higher priority than the environment variable.

EXAMPLES
       Example 1 Generating a Self-Signed Certificate

       The following example creates the certificate and stores it in the keystore  indicated  in
       the command:

	  $ pktool gencert keystore=nss nickname=WebServerCert \
		subject="O=Sun Microsystems Inc., OU=Solaris Security Technologies Group, \
		L=Ashburn, ST=VA, C=US, CN=John Smith" dir=/etc/certs \
		keytype=rsa keylen=2048

       Example 2 Generating a Certificate Signing Request

       The  following example creates the CSR and stores it in the keystore indicated in the com-
       mand:

	  $ pktool gencsr keystore=nss subject="O=Sun Microsystems Inc., \
		OU=Solaris Security Technologies Group, L=Ashburn, ST=VA, C=US, \
		CN=John Smith" keytype=rsa keylen=2048 outcsr=csr.dat

       Example 3 Importing a Certificate

       The following example imports a certificate object from the specified input file into  the
       keystore indicated in the command:

	  $ pktool import keystore=nss objtype=cert infile=mycert.pem \
		nickname=mycert

EXIT STATUS
       The following exit values are returned:

       0     Successful completion.

       >0    An error occurred.

ATTRIBUTES
       See attributes(5) for descriptions of the following attributes:

       +-----------------------------+-----------------------------+
       |      ATTRIBUTE TYPE	     |	    ATTRIBUTE VALUE	   |
       +-----------------------------+-----------------------------+
       |Availability		     |SUNWcsu			   |
       +-----------------------------+-----------------------------+
       |Interface Stability	     |Committed 		   |
       +-----------------------------+-----------------------------+

SEE ALSO
       attributes(5), pkcs11_softtoken(5)

       RSA PKCS#11 v2.11 http://www.rsasecurity.com

       RSA PKCS#12 v1.0 http://www.rsasecurity.com

SunOS 5.11				   20 May 2008					pktool(1)


All times are GMT -4. The time now is 02:30 AM.

Unix & Linux Forums Content Copyrightę1993-2018. All Rights Reserved.
×
UNIX.COM Login
Username:
Password:  
Show Password