Listing Keys and Certicates
■
To list the keys and certicates in the congured PKCS#11 tokens, run the following
command:
certutil -L -d AS_NSS_DB [-h tokenname]
For example, to list the contents of the default NSS soft token, type:
certutil -L -d AS_NSS_DB
The standard output will be similar to the following:
verisignc1g1 T,c,c
verisignc1g2 T,c,c
verisignc1g3 T,c,c
verisignc2g3 T,c,c
verisignsecureserver T,c,c
verisignc2g1 T,c,c
verisignc2g2 T,c,c
verisignc3g1 T,c,c
verisignc3g2 T,c,c
verisignc3g3 T,c,c
s1as u,u,u
The output displays the name of the token in the left column and a set of three trust
attributes in the right column. For Enterprise Server certicates, it is usually T,c,c. Unlike
the J2SE java.security.KeyStore API, which contains only one level of trust, the NSS
technology contains several levels of trust. Enterprise Server is primarily interested in the
rst trust attribute, which describes how this token uses SSL. For this attribute:
T indicates that the Certicate Authority (CA) is trusted for issuing client certicates.
u indicates that you can use the certicates (and keys) for authentication or signing.
The attribute combination of u,u,u indicates that a private key exists in the database.
■
To list the contents of the hardware token, mytoken, run the following command:
certutil -L -d AS_NSS_DB -h mytoken
You will be prompted for the password for the hardware token. The standard output is
similar to the following:
Enter Password or Pin for "mytoken":
mytoken:Server-Cert 	u,u,u
UsingHardwareCrypto AcceleratorWithEnterpriseServer
Chapter9 • ConguringSecurity 123