.. _mozilla_projects_nss_tools_crlutil:

NSS tools : crlutil
===================

.. container::

   | Name
   | crlutil — List, generate, modify, or delete CRLs within the NSS security
   | database file(s) and list, create, modify or delete certificate entries
   | in a particular CRL.
   | Synopsis
   | crlutil [options] `arguments <arguments>`__
   | Description
   | The Certificate Revocation List (CRL) Management Tool, crlutil, is a
   | command-line utility that can list, generate, modify, or delete CRLs
   | within the NSS security database file(s) and list, create, modify or
   | delete certificate entries in a particular CRL.
   | The key and certificate management process generally begins with creating
   | keys in the key database, then generating and managing certificates in the
   | certificate database (see the certutil tool) and continues with certificate
   | expiration or revocation.
   | This document discusses certificate revocation list management. For
   | information on security module database management, see Using the Security
   | Module Database Tool. For information on certificate and key database
   | management, see Using the Certificate Database Tool.
   | To run the Certificate Revocation List Management Tool, type the command
   | crlutil option [arguments]
   | where options and arguments are combinations of the options and arguments
   | listed in the following section. Each command takes one option. Each
   | option may take zero or more arguments. To see a usage string, issue the
   | command without options, or with the -H option.
   | Options and Arguments
   | Options
   | Options specify an action. Option arguments modify an action. The options
   | and arguments for the crlutil command are defined as follows:
   | -G
   | Create a new Certificate Revocation List (CRL).
   | -D
   | Delete a Certificate Revocation List from the cert database.
   | -I
   | Import a CRL into the cert database.
   | -E
   | Erase all CRLs of the specified type from the cert database.
   | -L
   | List existing CRLs located in the cert database file.
   | -M
   | Modify an existing CRL, which can be located in the cert db or in an
   | arbitrary file. If located in a file it should be in ASN.1 encoded
   | format.
   | Arguments
   | Option arguments modify an action and are lowercase.
   | -B
   | Bypass CA signature checks.
   | -P dbprefix
   | Specify the prefix used on the NSS security database files (for
   | example, my_cert8.db and my_key3.db). This option is provided as a
   | special case. Changing the names of the certificate and key
   | databases is not recommended.
   | -a
   | Use ASCII format or allow the use of ASCII format for input and
   | output. This formatting follows RFC #1113.
   | -c crl-gen-file
   | Specify the script file that will be used to control CRL
   | generation/modification. See the crl-script-file format below. If
   | option -M or -G is used and -c crl-script-file is not specified,
   | crlutil will read script data from standard input.
   | -d directory
   | Specify the database directory containing the certificate and key
   | database files. On Unix the Certificate Database Tool defaults to
   | $HOME/.netscape (that is, ~/.netscape). On Windows NT the default
   | is the current directory.
   | The NSS database files must reside in the same directory.
   | -i crl-import-file
   | Specify the file which contains the CRL to import.
   | -f password-file
   | Specify a file that will automatically supply the password to
   | include in a certificate or to access a certificate database. This
   | is a plain-text file containing one password. Be sure to prevent
   | unauthorized access to this file.
   | -l algorithm-name
   | Specify a specific signature algorithm.
   | List of possible
   | algorithms: MD2 \| MD4 \| MD5 \| SHA1 \| SHA256 \| SHA384 \| SHA512
   | -n nickname
   | Specify the nickname of a certificate or key to list, create, add
   | to a database, modify, or validate. Bracket the nickname string
   | with quotation marks if it contains spaces.
   | -o output-file
   | Specify the output file name for the new CRL. Bracket the output-file
   | string with quotation marks if it contains spaces. If this
   | argument is not used the output destination defaults to standard
   | output.
   | -t crl-type
   | Specify the type of CRL. Possible types are: 0 - SEC_KRL_TYPE, 1 -
   | SEC_CRL_TYPE. This option is obsolete.
   | -u url
   | Specify the URL.
   | CRL Generation script syntax
   | The CRL generation script file has the following syntax:
   | \* Comment lines must have # as the first character of the line.
   | \* Set the "this update" or "next update" CRL fields:
   | update=YYYYMMDDhhmmssZ nextupdate=YYYYMMDDhhmmssZ
   | The "next update" field is optional. Times must be in GeneralizedTime format
   | (YYYYMMDDhhmmssZ). For example: 20050204153000Z
   | \* Add an extension to a CRL or a CRL certificate entry:
   | addext extension-name critical/non-critical [arg1[arg2 ...]]
   | Where:
   | extension-name: string value of the name of a known extension.
   | critical/non-critical: 1 when the extension is critical and 0 otherwise.
   | arg1, arg2: extension parameters specific to the extension type.
   | addext uses the range that was set earlier by addcert and will install the
   | extension on every cert entry within that range.
   | \* Add certificate entry(s) to the CRL:
   | addcert range date
   | range: two integer values separated by a dash: the range of certificates that
   | will be added by this command. The dash is used as a delimiter. Only one cert
   | will be added if there is no delimiter. date: revocation date of a cert.
   | The date should be represented in GeneralizedTime format (YYYYMMDDhhmmssZ).
   | \* Remove certificate entry(s) from the CRL:
   | rmcert range
   | Where:
   | range: two integer values separated by a dash: the range of certificates that
   | will be removed by this command. The dash is used as a delimiter. Only one cert
   | will be removed if there is no delimiter.
   | \* Change the range of certificate entry(s) in the CRL:
   | range new-range
   | Where:
   | new-range: two integer values separated by a dash: the range of certificate
   | entries this command applies to. The dash is used as a delimiter. Only one
   | cert is covered if there is no delimiter.
   | Implemented Extensions
   | The extensions defined for CRLs provide methods for associating additional
   | attributes with CRLs or their entries. For more information see RFC #3280.
   | \* Add the Authority Key Identifier extension:
   | The authority key identifier extension provides a means of identifying the
   | public key corresponding to the private key used to sign a CRL.
   | authKeyId critical [key-id \| dn cert-serial]
   | Where:
   | authKeyId: identifies the name of the extension. critical: value of 1 or
   | 0. Should be set to 1 if this extension is critical or 0 otherwise.
   | key-id: key identifier represented as an octet string. dn: a CA
   | distinguished name. cert-serial: authority certificate serial number.
   | \* Add the Issuer Alternative Name extension:
   | The issuer alternative names extension allows additional identities to be
   | associated with the issuer of the CRL. Defined options include an rfc822
   | name (electronic mail address), a DNS name, an IP address, and a URI.
   | issuerAltNames non-critical name-list
   | Where:
   | issuerAltNames: identifies the name of the extension. non-critical: should be
   | set to 0 since this is a non-critical extension. name-list: comma-separated
   | list of names.
   | \* Add the CRL Number extension:
   | The CRL number is a non-critical CRL extension which conveys a
   | monotonically increasing sequence number for a given CRL scope and CRL
   | issuer. This extension allows users to easily determine when a particular
   | CRL supersedes another CRL.
   | crlNumber non-critical number
   | Where:
   | crlNumber: identifies the name of the extension. non-critical: should be set
   | to 0 since this is a non-critical extension. number: a long value which
   | identifies the sequential number of the CRL.
   | \* Add the Revocation Reason Code extension:
   | The reasonCode is a non-critical CRL entry extension that identifies the
   | reason for the certificate revocation.
   | reasonCode non-critical code
   | Where:
   | reasonCode: identifies the name of the extension. non-critical: should be
   | set to 0 since this is a non-critical extension. code: the following codes
   | are available:
   | unspecified (0), keyCompromise (1), cACompromise (2), affiliationChanged
   | (3), superseded (4), cessationOfOperation (5), certificateHold (6),
   | removeFromCRL (8), privilegeWithdrawn (9), aACompromise (10)
   | \* Add the Invalidity Date extension:
   | The invalidity date is a non-critical CRL entry extension that provides
   | the date on which it is known or suspected that the private key was
   | compromised or that the certificate otherwise became invalid.
   | invalidityDate non-critical date
   | Where:
   | invalidityDate: identifies the name of the extension. non-critical: should be
   | set to 0 since this is a non-critical extension. date: invalidity date of a
   | cert. The date should be represented in GeneralizedTime format
   | (YYYYMMDDhhmmssZ).
   | Usage
   | The Certificate Revocation List Management Tool's capabilities are grouped
   | as follows, using these combinations of options and arguments. Options and
   | arguments in square brackets are optional, those without square brackets
   | are required.
   | See "Implemented Extensions" for more information regarding extensions and
   | their parameters.
   | \* Creating or modifying a CRL:
   | crlutil -G|-M -c crl-gen-file -n nickname [-i crl] [-u url] [-d keydir] [-P dbprefix] [-l alg] [-a] [-B]
   | \* Listing all CRLs or a named CRL:
   | crlutil -L [-n crl-name] [-d keydir]
   | \* Deleting a CRL from the db:
   | crlutil -D -n nickname [-d keydir] [-P dbprefix]
   | \* Erasing CRLs from the db:
   | crlutil -E [-d keydir] [-P dbprefix]
   | \* Importing a CRL from a file:
   | crlutil -I -i crl [-t crlType] [-u url] [-d keydir] [-P dbprefix] [-B]
   | See also
   | certutil(1)
   | Additional Resources
   | NSS is maintained in conjunction with PKI and security-related projects
   | through Mozilla and Fedora. The most closely-related project is Dogtag PKI,
   | with a project wiki at [1]\ http://pki.fedoraproject.org/wiki/.
   | For information specifically about NSS, the NSS project wiki is located at
   | [2]\ `http://www.mozilla.org/projects/security/pki/nss/ <https://www.mozilla.org/projects/security/pki/nss/>`__.
   | The NSS site relates directly to NSS code changes and releases.
   | Mailing lists: pki-devel@redhat.com and pki-users@redhat.com
   | IRC: Freenode at #dogtag-pki
   | Authors
   | The NSS tools were written and maintained by developers with Netscape and
   | now with Red Hat.
   | Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey
   | <dlackey@redhat.com>.
   | Copyright
   | (c) 2010, Red Hat, Inc.
   | Licensed under the GNU Public License version 2.
   | References
   | Visible links
   | 1. http://pki.fedoraproject.org/wiki/
   | 2. `http://www.mozilla.org/projects/security/pki/nss/ <https://www.mozilla.org/projects/security/pki/nss/>`__
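The "CRL Generation script syntax" and "Implemented Extensions" sections above describe the file that crlutil reads through -c when generating (-G) or modifying (-M) a CRL. The checker below is an added example and is not code from NSS or crlutil: it parses such a script into a small model and enforces the rules those sections state (# comment lines, update=/nextupdate= in GeneralizedTime, addcert range date, addext name critical [args] applied to the range set by the last addcert, rmcert range, the reasonCode values listed, 0/1 for the critical flag), so that a malformed script is caught before it reaches the tool. The names parse_crl_script, CrlScript and SAMPLE_SCRIPT are this example's own, the serials and dates in SAMPLE_SCRIPT are constructed, and one rule is an assumption of the checker rather than a statement of the page: an addext that appears before any addcert is treated as an extension of the CRL itself, while an addext after an addcert is installed on the entries of the current range. The range new-range command is not handled.

```python
"""Checker for the crlutil CRL-generation script format described above.

Added example, not code from NSS or crlutil: it parses a script into a small
model and enforces the rules the page states; crlutil's own parser is not reproduced.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

GENERALIZED_TIME = re.compile(r"^\d{14}Z$")    # YYYYMMDDhhmmssZ, e.g. 20050204153000Z
REASON_CODES = {0, 1, 2, 3, 4, 5, 6, 8, 9, 10}  # reasonCode values on the page; 7 is unassigned
CRL_EXTENSIONS = {"authKeyId", "issuerAltNames", "crlNumber"}  # extensions of the CRL itself
ENTRY_EXTENSIONS = {"reasonCode", "invalidityDate"}            # "CRL entry" extensions


class ScriptError(ValueError):
    """A script line violates one of the rules; the message names the line."""


@dataclass
class CrlScript:
    update: str | None = None                                  # "this update" field
    nextupdate: str | None = None                              # optional on the page
    entries: dict[int, str] = field(default_factory=dict)      # serial -> revocation date
    crl_extensions: list[tuple] = field(default_factory=list)  # (name, critical, args)
    entry_extensions: dict[int, list[tuple]] = field(default_factory=dict)


def parse_range(text: str, lineno: int) -> range:
    """'1000-1003' -> range(1000, 1004); '1000' (no dash) -> range(1000, 1001)."""
    lo, dash, hi = text.partition("-")
    try:
        low, high = int(lo), (int(hi) if dash else int(lo))
    except ValueError:
        raise ScriptError(f"line {lineno}: bad range {text!r}") from None
    return range(low, high + 1)


def check_time(value: str, lineno: int) -> str:
    if not GENERALIZED_TIME.match(value):
        raise ScriptError(f"line {lineno}: {value!r} is not YYYYMMDDhhmmssZ")
    return value


def check_extension(name: str, critical: str, args: list[str], lineno: int) -> tuple:
    """Validate one addext line against the per-extension rules on the page."""
    well_formed = {
        "reasonCode": len(args) == 1 and args[0].isdigit() and int(args[0]) in REASON_CODES,
        "invalidityDate": len(args) == 1 and bool(GENERALIZED_TIME.match(args[0])),
        "crlNumber": len(args) == 1 and args[0].isdigit(),
        "authKeyId": len(args) in (1, 2),          # key-id  |  dn cert-serial
        "issuerAltNames": len(args) == 1,          # comma-separated name list
    }
    if critical not in ("0", "1") or not well_formed.get(name, False):
        raise ScriptError(f"line {lineno}: unknown or malformed addext {name} {critical} {args}")
    return (name, critical == "1", args)


def parse_crl_script(text: str) -> CrlScript:
    script, current = CrlScript(), None        # current: range set by the last addcert
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):     # comment lines start with #
            continue
        cmd, *args = line.split()
        if "=" in cmd:                             # update=... [nextupdate=...]
            for key, _, value in (tok.partition("=") for tok in [cmd, *args]):
                if key not in ("update", "nextupdate"):
                    raise ScriptError(f"line {lineno}: unknown field {key!r}")
                setattr(script, key, check_time(value, lineno))
        elif cmd == "addcert" and len(args) == 2:
            current, date = parse_range(args[0], lineno), check_time(args[1], lineno)
            script.entries.update({serial: date for serial in current})
        elif cmd == "addext" and len(args) >= 2:
            ext = check_extension(args[0], args[1], args[2:], lineno)
            # Checker's assumption: before any addcert an extension belongs to the CRL
            # itself; after one it is installed on every entry in the current range.
            if current is None and ext[0] in CRL_EXTENSIONS:
                script.crl_extensions.append(ext)
            elif current is not None and ext[0] in ENTRY_EXTENSIONS:
                for serial in current:                       # skips serials rmcert removed
                    if serial in script.entries:
                        script.entry_extensions.setdefault(serial, []).append(ext)
            else:
                raise ScriptError(f"line {lineno}: {ext[0]} is not valid at this point")
        elif cmd == "rmcert" and len(args) == 1:
            removed = [s for s in parse_range(args[0], lineno) if s in script.entries]
            if not removed:
                raise ScriptError(f"line {lineno}: nothing to remove in range {args[0]}")
            for serial in removed:
                del script.entries[serial]
                script.entry_extensions.pop(serial, None)
        else:
            raise ScriptError(f"line {lineno}: cannot parse {line!r}")
    if script.update is None:                    # only "next update" is optional
        raise ScriptError("an update=YYYYMMDDhhmmssZ line is required")
    return script


# Constructed sample script for this example; the serials and dates are made up.
SAMPLE_SCRIPT = """\
# CRL for the example CA
update=20050204153000Z nextupdate=20050304153000Z
addext crlNumber 0 7
addcert 1000-1003 20050201120000Z
addext reasonCode 0 1
addext invalidityDate 0 20050131090000Z
addcert 2000 20050203080000Z
addext reasonCode 0 5
rmcert 1002
"""
```

A script that passes the checker is the file given to crlutil with the options from the Usage section, for instance crlutil -G -c crl.script -n nickname -d keydir -o output-file -a (an illustrative invocation built only from the options listed above). The checker deliberately treats reasonCode 7 and a GeneralizedTime without the trailing Z as errors, since the page lists neither, and it refuses an entry extension before any addcert has set a range.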