Sun Microsystems 820433510 Server User Manual


 
Using the certutil Utility
Before running certutil, make sure that LD_LIBRARY_PATH points to the location of the
libraries required for this utility to run. This location can be identified from the value of
AS_NSS_LIB in asenv.conf (the product-wide configuration file).
The certicate database tool, certutil, is an NSS command-line utility that can create and
modify the Netscape Communicator cert8.db and key3.db database les. It can also list,
generate, modify, or delete certicates within the cert8.db le and create or change the
password, generate new public and private key pairs, display the contents of the key database, or
delete key pairs within the key3.db le.
The key and certicate management process generally begins with creating keys in the key
database, then generating and managing certicates in the certicate database. The following
document discusses certicate and key database management with NSS, including the syntax
for the certutil utility:
http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html.
Each of the items in the list below gives an example using NSS and JSSE security tools to create
and/or manage certificates.
Generate a self-signed server and client certificate. In this example, the CN must be of the
form hostname.domain.[com|org|net|...], that is, the fully qualified host name that clients will
connect to; a bare host name or an IP address in the CN will not match the server's name.
In this example, the certificate database directory ($CERT_DB_DIR) is domain-dir/config. The
serverseed.txt and clientseed.txt files can contain any random text; certutil reads it from
standard input and mixes it into the seed used for generating the key pair. The -f passfile option
names a file holding the certificate database password, so keep that file readable only by the
user that runs the server.
certutil -S -n $SERVER_CERT_NAME -x -t "u,u,u" \
    -s "CN=$HOSTNAME.$HOSTDOMAIN, OU=Java Software, O=Sun Microsystems Inc., L=Santa Clara, ST=CA, C=US" \
    -m 25001 -o $CERT_DB_DIR/Server.crt \
    -d $CERT_DB_DIR -f passfile < $CERT_UTIL_DIR/serverseed.txt
Generate the client certicate. This certicate is also a self-signed certicate.
certutil -S -n $CLIENT_CERT_NAME -x -t "u,u,u"
-s "CN=MyClient, OU=Java Software, O=Sun Microsystems Inc.,
L=Santa Clara, ST=CA, C=US"
-m 25002 -o $CERT_DB_DIR/Client.crt
-d $CERT_DB_DIR -f passfile <$CERT_UTIL_DIR/clientseed.txt
Verify the certicates generated in the previous bullet.
certutil -V -u V -n $SERVER_CERT_NAME -d $CERT_DB_DIR
certutil -V -u C -n $CLIENT_CERT_NAME -d $CERT_DB_DIR
Display available certicates.
certutil -L -d $CERT_DB_DIR
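The four bullets above are one procedure: create the database, generate the two self-signed certificates, validate them for their intended usage, and list the result. The script below, an added example that is not part of the manual, carries the whole procedure through with the manual's flags and serial numbers. Everything except the certutil options is an assumption: the database directory, nicknames, host name and the password file are placeholders; the seed files are constructed on the fly; the dbm: prefix on -d pins the legacy cert8.db/key3.db format the manual describes (newer NSS releases default to the SQLite cert9.db/key4.db format); and the PEM copy of each certificate is written with certutil -L -a rather than with -o on -S, because that export works in every NSS release. The nss_valid_cn check enforces the manual's CN rule before anything is written to the database.

```shell
#!/bin/sh
# Added example, not from the manual: run the server/client self-signed
# certificate procedure end to end with certutil.
# Hypothetical placeholders (override via the environment):
CERT_DB_DIR="${CERT_DB_DIR:-$(pwd)/nssdb}"          # the manual's domain-dir/config
SERVER_CERT_NAME="${SERVER_CERT_NAME:-s1as}"
CLIENT_CERT_NAME="${CLIENT_CERT_NAME:-myclient}"
HOSTNAME_FQDN="${HOSTNAME_FQDN:-appserver.example.com}"
PASSFILE="$CERT_DB_DIR/passfile"

# The manual requires a CN of the form hostname.domain.tld: at least three
# labels, the last one alphabetic. Rejects bare host names, IP addresses
# and names with a trailing dot. Returns 0 when the name is acceptable.
nss_valid_cn() {
    printf '%s\n' "$1" | grep -Eq \
        '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+\.[A-Za-z]{2,}$'
}

# Subject DN used by the manual, varying only the CN.
nss_subject() {
    printf 'CN=%s, OU=Java Software, O=Sun Microsystems Inc., L=Santa Clara, ST=CA, C=US' "$1"
}

# Create the database once. The password lives in a file only the caller
# can read and is passed with -f, never on the command line (ps would show it).
nss_init_db() {
    mkdir -p "$CERT_DB_DIR"
    if [ ! -f "$PASSFILE" ]; then
        ( umask 077; head -c 24 /dev/urandom | od -An -tx1 | tr -d ' \n' > "$PASSFILE" )
    fi
    [ -f "$CERT_DB_DIR/cert8.db" ] || certutil -N -d "dbm:$CERT_DB_DIR" -f "$PASSFILE"
}

# -S creates a key pair and certificate; -x makes it self-signed; -t "u,u,u"
# marks it as a user certificate for SSL, e-mail and object signing; -m sets
# the serial number, which must differ for each certificate in one database.
# Standard input supplies extra seed bytes, as the manual's seed files do
# (-z noisefile is the equivalent option). The PEM copy is exported afterwards.
nss_gen_cert() {  # nickname cn serial outfile seedfile
    certutil -S -n "$1" -x -t "u,u,u" -s "$(nss_subject "$2")" -m "$3" \
        -d "dbm:$CERT_DB_DIR" -f "$PASSFILE" < "$5"
    certutil -L -n "$1" -d "dbm:$CERT_DB_DIR" -a > "$4"
}

# -u V validates for SSL server usage, -u C for SSL client usage.
nss_verify() {  # nickname usage
    certutil -V -u "$2" -n "$1" -d "dbm:$CERT_DB_DIR"
}

nss_list() {
    certutil -L -d "dbm:$CERT_DB_DIR"
}

main() {
    if ! nss_valid_cn "$HOSTNAME_FQDN"; then
        echo "CN must be of the form hostname.domain.tld, got '$HOSTNAME_FQDN'" >&2
        return 2
    fi
    command -v certutil >/dev/null 2>&1 || {
        echo "certutil not found on PATH; install the NSS tools package" >&2
        return 3
    }
    nss_init_db
    # Constructed seed files: any random text, as the manual says.
    head -c 256 /dev/urandom | od -An -tx1 > "$CERT_DB_DIR/serverseed.txt"
    head -c 256 /dev/urandom | od -An -tx1 > "$CERT_DB_DIR/clientseed.txt"
    nss_gen_cert "$SERVER_CERT_NAME" "$HOSTNAME_FQDN" 25001 \
        "$CERT_DB_DIR/Server.crt" "$CERT_DB_DIR/serverseed.txt"
    nss_gen_cert "$CLIENT_CERT_NAME" MyClient 25002 \
        "$CERT_DB_DIR/Client.crt" "$CERT_DB_DIR/clientseed.txt"
    nss_verify "$SERVER_CERT_NAME" V
    nss_verify "$CLIENT_CERT_NAME" C
    nss_list
}

# Invoke as:  sh nss-selfsigned.sh run
if [ "${1:-}" = run ]; then
    main
fi
```

Run it with the `run` argument after setting CERT_DB_DIR to the domain's config directory. Because the certificates are self-signed and carry only user trust ("u,u,u"), anything that validates the server certificate from another database has to import Server.crt into that database explicitly, for example with certutil -A and a trust setting of "P,," for a peer, or "C,," if it is to be treated as a CA; the validation in nss_verify is a sanity check of the local database, not a substitute for proper trust configuration on the client side.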
Using Network Security Services (NSS) Tools
Chapter 9 • Configuring Security 117