Sun Microsystems 820433510 Server User Manual


 
Listing Keys and Certicates
To list the keys and certicates in the congured PKCS#11 tokens, run the following
command:
certutil -L -d AS_NSS_DB [-h tokenname]
For example, to list the contents of the default NSS soft token, type:
certutil -L -d AS_NSS_DB
The standard output will be similar to the following:
verisignc1g1 T,c,c
verisignc1g2 T,c,c
verisignc1g3 T,c,c
verisignc2g3 T,c,c
verisignsecureserver T,c,c
verisignc2g1 T,c,c
verisignc2g2 T,c,c
verisignc3g1 T,c,c
verisignc3g2 T,c,c
verisignc3g3 T,c,c
s1as u,u,u
The output displays the name of the token in the left column and a set of three trust
attributes in the right column. For Enterprise Server certicates, it is usually T,c,c. Unlike
the J2SE java.security.KeyStore API, which contains only one level of trust, the NSS
technology contains several levels of trust. Enterprise Server is primarily interested in the
rst trust attribute, which describes how this token uses SSL. For this attribute:
T indicates that the Certicate Authority (CA) is trusted for issuing client certicates.
u indicates that you can use the certicates (and keys) for authentication or signing.
The attribute combination of u,u,u indicates that a private key exists in the database.
To list the contents of the hardware token, mytoken, run the following command:
certutil -L -d AS_NSS_DB -h mytoken
You will be prompted for the password for the hardware token. The standard output is
similar to the following:
Enter Password or Pin for "mytoken":
mytoken:Server-Cert 	u,u,u
UsingHardwareCrypto AcceleratorWithEnterpriseServer
Chapter9 • ConguringSecurity 123