Created
August 5, 2019 16:21
-
-
Save Rishabh04-02/9c33e89138b81d9a08bbde18686365f4 to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ➜ libreswan master ✓ certutil -H | |
| -A Add a certificate to the database (create if needed) | |
| All options under -E apply | |
| -B Run a series of certutil commands from a batch file | |
| -i batch-file Specify the batch file | |
| -E Add an Email certificate to the database (create if needed) | |
| -n cert-name Specify the nickname of the certificate to add | |
| -t trustargs Set the certificate trust attributes: | |
| trustargs is of the form x,y,z where x is for SSL, y is for S/MIME, | |
| and z is for code signing. Use ,, for no explicit trust. | |
| p prohibited (explicitly distrusted) | |
| P trusted peer | |
| c valid CA | |
| T trusted CA to issue client certs (implies c) | |
| C trusted CA to issue server certs (implies c) | |
| u user cert | |
| w send warning | |
| g make step-up cert | |
| -f pwfile Specify the password file | |
| -d certdir Cert database directory (default is ~/.netscape) | |
| -P dbprefix Cert & Key database prefix | |
| -a The input certificate is encoded in ASCII (RFC1113) | |
| -i input Specify the certificate file (default is stdin) | |
| -C Create a new binary certificate from a BINARY cert request | |
| -c issuer-name The nickname of the issuer cert | |
| -i cert-request The BINARY certificate request file | |
| -o output-cert Output binary cert to this file (default is stdout) | |
| -x Self sign | |
| --pss-sign Sign the certificate with RSA-PSS (the issuer key must be rsa) | |
| -m serial-number Cert serial number | |
| -w warp-months Time Warp | |
| -v months-valid Months valid (default is 3) | |
| -f pwfile Specify the password file | |
| -d certdir Cert database directory (default is ~/.netscape) | |
| -P dbprefix Cert & Key database prefix | |
| -Z hashAlg | |
| Specify the hash algorithm to use. Possible keywords: | |
| "MD2", "MD4", "MD5", "SHA1", "SHA224", | |
| "SHA256", "SHA384", "SHA512" | |
| -1 | --keyUsage keyword,keyword,... | |
| Create key usage extension. Possible keywords: | |
| "digitalSignature", "nonRepudiation", "keyEncipherment", | |
| "dataEncipherment", "keyAgreement", "certSigning", | |
| "crlSigning", "critical" | |
| -2 Create basic constraint extension | |
| -3 Create authority key ID extension | |
| -4 Create crl distribution point extension | |
| -5 | --nsCertType keyword,keyword,... | |
| Create netscape cert type extension. Possible keywords: | |
| "sslClient", "sslServer", "smime", "objectSigning", | |
| "sslCA", "smimeCA", "objectSigningCA", "critical". | |
| -6 | --extKeyUsage keyword,keyword,... | |
| Create extended key usage extension. Possible keywords: | |
| "serverAuth", "clientAuth","codeSigning", | |
| "emailProtection", "timeStamp","ocspResponder", | |
| "stepUp", "msTrustListSign", "x509Any", | |
| "ipsecIKE", "ipsecIKEEnd", "ipsecIKEIntermediate", | |
| "ipsecEnd", "ipsecTunnel", "ipsecUser", | |
| "critical" | |
| -7 emailAddrs Create an email subject alt name extension | |
| -8 dnsNames Create an dns subject alt name extension | |
| -a The input certificate request is encoded in ASCII (RFC1113) | |
| -G Generate a new key pair | |
| -h token-name Name of token in which to generate key (default is internal) | |
| -k key-type Type of key pair to generate ("dsa", "ec", "rsa" (default)) | |
| -g key-size Key size in bits, (min 512, max 8192, default 2048) (not for ec) | |
| -y exp Set the public exponent value (3, 17, 65537) (rsa only) | |
| -f password-file Specify the password file | |
| -z noisefile Specify the noise file to be used | |
| -q pqgfile read PQG value from pqgfile (dsa only) | |
| -q curve-name Elliptic curve name (ec only) | |
| One of nistp256, nistp384, nistp521, curve25519. | |
| If a custom token is present, the following curves are also supported: | |
| sect163k1, nistk163, sect163r1, sect163r2, | |
| nistb163, sect193r1, sect193r2, sect233k1, nistk233, | |
| sect233r1, nistb233, sect239k1, sect283k1, nistk283, | |
| sect283r1, nistb283, sect409k1, nistk409, sect409r1, | |
| nistb409, sect571k1, nistk571, sect571r1, nistb571, | |
| secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, | |
| nistp192, secp224k1, secp224r1, nistp224, secp256k1, | |
| secp256r1, secp384r1, secp521r1, | |
| prime192v1, prime192v2, prime192v3, | |
| prime239v1, prime239v2, prime239v3, c2pnb163v1, | |
| c2pnb163v2, c2pnb163v3, c2pnb176v1, c2tnb191v1, | |
| c2tnb191v2, c2tnb191v3, | |
| c2pnb208w1, c2tnb239v1, c2tnb239v2, c2tnb239v3, | |
| c2pnb272w1, c2pnb304w1, | |
| c2tnb359w1, c2pnb368w1, c2tnb431r1, secp112r1, | |
| secp112r2, secp128r1, secp128r2, sect113r1, sect113r2 | |
| sect131r1, sect131r2 | |
| -d keydir Key database directory (default is ~/.netscape) | |
| -P dbprefix Cert & Key database prefix | |
| --keyAttrFlags attrflags | |
| PKCS #11 key Attributes. | |
| Comma separated list of key attribute attribute flags, | |
| selected from the following list of choices: | |
| {token | session} {public | private} {sensitive | insensitive} | |
| {modifiable | unmodifiable} {extractable | unextractable} | |
| --keyOpFlagsOn opflags | |
| --keyOpFlagsOff opflags | |
| PKCS #11 key Operation Flags. | |
| Comma separated list of one or more of the following: | |
| encrypt, decrypt, sign, sign_recover, verify, | |
| verify_recover, wrap, unwrap, derive | |
| -D Delete a certificate from the database | |
| -n cert-name The nickname of the cert to delete | |
| -d certdir Cert database directory (default is ~/.netscape) | |
| -P dbprefix Cert & Key database prefix | |
| --rename Change the database nickname of a certificate | |
| -n cert-name The old nickname of the cert to rename | |
| --new-n new-name The new nickname of the cert to rename | |
| -d certdir Cert database directory (default is ~/.netscape) | |
| -P dbprefix Cert & Key database prefix | |
| -F Delete a key and associated certificate from the database | |
| -n cert-name The nickname of the key to delete | |
| -k key-id The key id of the key to delete, obtained using -K | |
| -d certdir Cert database directory (default is ~/.netscape) | |
| -P dbprefix Cert & Key database prefix | |
| -U List all modules | |
| -d moddir Module database directory (default is '~/.netscape') | |
| -P dbprefix Cert & Key database prefix | |
| -X force the database to open R/W | |
| -K List all private keys | |
| -h token-name Name of token to search ("all" for all tokens) | |
| -k key-type Key type ("all" (default), "dsa", "ec", "rsa") | |
| -n name The nickname of the key or associated certificate | |
| -f password-file Specify the password file | |
| -d keydir Key database directory (default is ~/.netscape) | |
| -P dbprefix Cert & Key database prefix | |
| -X force the database to open R/W | |
| -L List all certs, or print out a single named cert (or a subset) | |
| -h token-name Name of token to search ("all" for all tokens) | |
| -n cert-name Pretty print named cert (list all if unspecified) | |
| --email email-address | |
| Pretty print cert with email address (list all if unspecified) | |
| -d certdir Cert database directory (default is ~/.netscape) | |
| -P dbprefix Cert & Key database prefix | |
| -X force the database to open R/W | |
| -r For single cert, print binary DER encoding | |
| -a For single cert, print ASCII encoding (RFC1113) | |
| --dump-ext-val OID | |
| For single cert, print binary DER encoding of extension OID | |
| --build-flags Print enabled build flags relevant for NSS test execution | |
| -M Modify trust attributes of certificate | |
| -n cert-name The nickname of the cert to modify | |
| -t trustargs Set the certificate trust attributes (see -A above) | |
| -d certdir Cert database directory (default is ~/.netscape) | |
| -P dbprefix Cert & Key database prefix | |
| -N Create a new certificate database | |
| -d certdir Cert database directory (default is ~/.netscape) | |
| -P dbprefix Cert & Key database prefix | |
| -f password-file Specify the password file | |
| --empty-password use empty password when creating a new database | |
| -T Reset the Key database or token | |
| -d certdir Cert database directory (default is ~/.netscape) | |
| -P dbprefix Cert & Key database prefix | |
| -h token-name Token to reset (default is internal) | |
| -0 SSO-password Set token's Site Security Officer password | |
| -O Print the chain of a certificate | |
| -n cert-name The nickname of the cert to modify | |
| -d certdir Cert database directory (default is ~/.netscape) | |
| -a Input the certificate in ASCII (RFC1113); default is binary | |
| -P dbprefix Cert & Key database prefix | |
| -X force the database to open R/W | |
| --simple-self-signed don't search for a chain if issuer name equals subject name | |
| -R Generate a certificate request (stdout) | |
| -s subject Specify the subject name (using RFC1485) | |
| -o output-req Output the cert request to this file | |
| -k key-type-or-id Type of key pair to generate ("dsa", "ec", "rsa" (default)) | |
| or nickname of the cert key to use, or key id obtained using -K | |
| -h token-name Name of token in which to generate key (default is internal) | |
| -g key-size Key size in bits, RSA keys only (min 512, max 8192, default 2048) | |
| --pss Create a certificate request restricted to RSA-PSS (rsa only) | |
| -q pqgfile Name of file containing PQG parameters (dsa only) | |
| -q curve-name Elliptic curve name (ec only) | |
| See the "-G" option for a full list of supported names. | |
| -f pwfile Specify the password file | |
| -d keydir Key database directory (default is ~/.netscape) | |
| -P dbprefix Cert & Key database prefix | |
| -p phone Specify the contact phone number ("123-456-7890") | |
| -Z hashAlg | |
| Specify the hash algorithm to use. Possible keywords: | |
| "MD2", "MD4", "MD5", "SHA1", "SHA224", | |
| "SHA256", "SHA384", "SHA512" | |
| -a Output the cert request in ASCII (RFC1113); default is binary | |
| See -S for available extension options | |
| See -G for available key flag options | |
| -V Validate a certificate | |
| -n cert-name The nickname of the cert to Validate | |
| -b time validity time ("YYMMDDHHMMSS[+HHMM|-HHMM|Z]") | |
| -e Check certificate signature | |
| -u certusage Specify certificate usage: | |
| C SSL Client | |
| V SSL Server | |
| I IPsec | |
| L SSL CA | |
| A Any CA | |
| Y Verify CA | |
| S Email signer | |
| R Email Recipient | |
| O OCSP status responder | |
| J Object signer | |
| -d certdir Cert database directory (default is ~/.netscape) | |
| -a Input the certificate in ASCII (RFC1113); default is binary | |
| -P dbprefix Cert & Key database prefix | |
| -X force the database to open R/W | |
| -W Change the key database password | |
| -d certdir cert and key database directory | |
| -f pwfile Specify a file with the current password | |
| -@ newpwfile Specify a file with the new password in two lines | |
| --upgrade-merge Upgrade an old database and merge it into a new one | |
| -d certdir Cert database directory to merge into (default is ~/.netscape) | |
| -P dbprefix Cert & Key database prefix of the target database | |
| -f pwfile Specify the password file for the target database | |
| --source-dir certdir | |
| Cert database directory to upgrade from | |
| --source-prefix dbprefix | |
| Cert & Key database prefix of the upgrade database | |
| --upgrade-id uniqueID | |
| Unique identifier for the upgrade database | |
| --upgrade-token-name name | |
| Name of the token while it is in upgrade state | |
| -@ pwfile Specify the password file for the upgrade database | |
| --merge Merge source database into the target database | |
| -d certdir Cert database directory of target (default is ~/.netscape) | |
| -P dbprefix Cert & Key database prefix of the target database | |
| -f pwfile Specify the password file for the target database | |
| --source-dir certdir | |
| Cert database directory of the source database | |
| --source-prefix dbprefix | |
| Cert & Key database prefix of the source database | |
| -@ pwfile Specify the password file for the source database | |
| -S Make a certificate and add to database | |
| -n key-name Specify the nickname of the cert | |
| -s subject Specify the subject name (using RFC1485) | |
| -c issuer-name The nickname of the issuer cert | |
| -t trustargs Set the certificate trust attributes (see -A above) | |
| -k key-type-or-id Type of key pair to generate ("dsa", "ec", "rsa" (default)) | |
| -h token-name Name of token in which to generate key (default is internal) | |
| -g key-size Key size in bits, RSA keys only (min 512, max 8192, default 2048) | |
| --pss Create a certificate restricted to RSA-PSS (rsa only) | |
| -q pqgfile Name of file containing PQG parameters (dsa only) | |
| -q curve-name Elliptic curve name (ec only) | |
| See the "-G" option for a full list of supported names. | |
| -x Self sign | |
| --pss-sign Sign the certificate with RSA-PSS (the issuer key must be rsa) | |
| -m serial-number Cert serial number | |
| -w warp-months Time Warp | |
| -v months-valid Months valid (default is 3) | |
| -f pwfile Specify the password file | |
| -d certdir Cert database directory (default is ~/.netscape) | |
| -P dbprefix Cert & Key database prefix | |
| -p phone Specify the contact phone number ("123-456-7890") | |
| -Z hashAlg | |
| Specify the hash algorithm to use. Possible keywords: | |
| "MD2", "MD4", "MD5", "SHA1", "SHA224", | |
| "SHA256", "SHA384", "SHA512" | |
| -1 Create key usage extension | |
| -2 Create basic constraint extension | |
| -3 Create authority key ID extension | |
| -4 Create crl distribution point extension | |
| -5 Create netscape cert type extension | |
| -6 Create extended key usage extension | |
| -7 emailAddrs Create an email subject alt name extension | |
| -8 DNS-names Create a DNS subject alt name extension | |
| --extAIA Create an Authority Information Access extension | |
| --extSIA Create a Subject Information Access extension | |
| --extCP Create a Certificate Policies extension | |
| --extPM Create a Policy Mappings extension | |
| --extPC Create a Policy Constraints extension | |
| --extIA Create an Inhibit Any Policy extension | |
| --extSKID Create a subject key ID extension | |
| See -G for available key flag options | |
| --extNC Create a name constraints extension | |
| --extSAN type:name[,type:name]... | |
| Create a Subject Alt Name extension with one or multiple names | |
| - type: directory, dn, dns, edi, ediparty, email, ip, ipaddr, | |
| other, registerid, rfc822, uri, x400, x400addr | |
| --extGeneric OID:critical-flag:filename[,OID:critical-flag:filename]... | |
| Add one or multiple extensions that certutil cannot encode yet, | |
| by loading their encodings from external files. | |
| - OID (example): 1.2.3.4 | |
| - critical-flag: critical or not-critical | |
| - filename: full path to a file containing an encoded extension |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment