The OpenNET Project / Index page

[ новости /+++ | форум | теги | ]

Интерактивная система просмотра системных руководств (man-ов)

 ТемаНаборКатегория 
 
 [Cписок руководств | Печать]

pktool (1)
  • >> pktool (1) ( Solaris man: Команды и прикладные программы пользовательского уровня )
  •  

    NAME

    pktool - manage certificates and keys
     
    

    SYNOPSIS

    pktool [-f option_file] [-i] subcommand subcommand_options ...
    

     

    DESCRIPTION

    The pktool command allows users to manage the certificates and keys on multiple keystores including PKCS#11 tokens (that is, Cryptographic Framework), Netscape Security Services (NSS) tokens, and standard file based keystore for OpenSSL.

    pktool also provides support to list, delete and import a Certificate Revocation List (CRL). pktool does not provide support for creating CRLs, signing CRLs, or exporting CRLs. The CRL support for the PKCS#11 keystore is file-based.  

    OPTIONS

    The following command options are supported:

    -f option_file

    Allows the user to set up the options in a file instead of entering the options on the command line.

    This option is provided as a convenience for users because pktool can potentially have a large list of subcommands and associated options to be specified on the command line.

    The format of the option_file is one option or value pair per-line.

    An example option_file might looks as follows:

    list
    keystore=nss
    dir=/export/foo
    objtype=key
    

    -i

    Allows the user to specify the subject-DN interactively for the gencert and gencsr subcommands. When -i is specified, the user is prompted to input some data to form a subject-DN.

    An example of using the -i option follows:

    Country Name (2 letter code) [US]:US
    State or Province Name (full name) [Some-State]:CA
    Locality Name (eg, city) []:Menlo Park
    Organization Name (eg, company):Sun Microsystems Inc.
    Organizational Unit Name (eg, section):OPG
    Common Name (eg, YOUR name):John Smith
    Email Address []: john.smith@sun.com
    

    The resulting subject-DN is:

    "C=US, ST=CA, L=Menlo Park, O=Sun Microsystems Inc.,\
      OU=OPG, emailAddress=john.smith@sun.com, \
      CN=John Smith"
    

     

    SUBCOMMANDS

    The following subcommands are supported:

    delete

    The format for the delete subcommand is as follows:

    pktool delete [token=token[:manuf[:serial]]]
                 [objtype=private|public|both]
                 [label=object-label]
    
    pktool delete keystore=pkcs11
                 objtype=cert[:public | private | both]]
                 [token=token[:manuf[:serial]]]
                 [label=cert-label]
                 [serial=hex-serial-number]
                 [issuer=issuer-DN]
                 [subject=subject-DN]
    
    pktool delete keystore=nss
                 objtype=cert
                 [subject=subject-DN]
                 [issuer=issuer-DN]
                 [serial=hex-serial-number]
                 [nickname=cert-nickname]
                 [token=token[:manuf[:serial]]]
                 [dir=directory-path]
                 [prefix=DBprefix]
    
    pktool delete keystore=nss
                 objtype=crl
                 [nickname=cert-nickname]
                 [subject=subject-DN]
                 [token=token[:manuf[:serial]]]
                 [dir=directory-path]
                 [prefix=DBprefix]
    
    pktool delete keystore=pkcs11
                 objtype=key[:public | private | both]]
                 [token=token[:manuf[:serial]]]
                 [label=key-label]
    
    pktool delete keystore=pkcs11
                 objtype=crl
                 infile=input-fn
    
    
    pktool delete keystore=file
                 objtype=cert
                 [infile=input-fn]
                 [dir=directory-path]
                 [serial=hex-serial-number]
                 [issuer=issuer-DN]
                 [subject=subject-DN]
    
    pktool delete keystore=file
                 objtype=key
                 [infile=input-fn]
                 [dir=directory-path]
    
    pktool delete keystore=file
                 objtype=crl
                 infile=input-fn
                 
    

    Deletes a certificate, key, or certificate revocation list (CRL).

    To delete a private certificate or key from PKCS#11 token, the user is prompted to authenticate to the PKCS#11 by entering the correct Personal Identification Number (PIN).

    download

    The format for the download subcommand is as follows:

     pktool download url=url_str 
                    [objtype=crl|cert]
                    [http_proxy=proxy_str]
                    [outfile=output-fn]
                    [dir=directory-path]
    

    Downloads a CRL file or a certificate file from the specified URL location. Once the file is successfully downloaded, checks the validity of the downloaded CRL or certificate file. If the CRL or the certificate is expired, download issues a warning.

    export

    The format for the export subcommand is as follows:

    pktool export [token=token[:manuf[:serial]]]
                 outfile=output-fn
    
    pktool export keystore=pkcs11
                 outfile=output-fn
                 [objtype=cert|key]
                 [label=label]
                 [subject=subject-DN]
                 [issuer=issuer-DN]
                 [serial=hex-serial-number]
                 [outformat=pem|der|pkcs12|raw]
                 [token=token[:manuf[:serial]]]
    
    pktool export keystore=nss
                 outfile=output-fn
                 [subject=subject-DN]
                 [issuer=issuer-DN]
                 [serial=hex-serial-number]
                 [nickname=cert-nickname]
                 [token=token[:manuf[:serial]]]
                 [dir=directory-path]
                 [prefix=DBprefix]
                 [outformat=pem|der|pkcs12]
    
    pktool export keystore=file
                 certfile=cert-input-fn
                 keyfile=key-input-fn
                 outfile=output-pkcs12-fn
    

    Saves the contents of PKCS#11 token or certificates in the NSS token or file-based keystore to the specified file.

    gencert

    The format for the gencert subcommand is as follows:

    pktool gencert [-i] keystore=nss
                 label=cert-nickname
                 subject=subject-DN
                 serial=hex_serial_number
                 [altname=[critical:]subjectAltName]
                 [keyusage=[critical:]usage,usage...]
                 [token=token[:manuf[:serial]]]
                 [dir=directory-path]
                 [prefix=DBprefix]
                 [keytype=rsa|dsa]
                 [keylen=key-size]
                 [trust=trust-value]
                 [lifetime=number-hour|number-day|number-year]
                 [eku=[critical:]EKU_name,...]
    
    pktool gencert [-i] [ keystore=pkcs11]
                 label=key/cert-label
                 subject=subject-DN
                 serial=hex_serial_number
                 [altname=[critical:]subjectAltName]
                 [keyusage=[critical:]usage,usage...]
                 [token=token[:manuf[:serial]]]
                 [keytype=rsa|dsa]
                 [keylen=key-size]
                 [lifetime=number-hour|number-day|number-year]
                 [eku=[critical:]EKU_name,...]
                 
    pktool gencert [-i] keystore=file
                 outcert=cert-fn
                 outkey=key-fn
                 subject=subject-DN
                 serial=hex_serial_number
                 [altname=[critical:]subjectAltName]
                 [keyusage=[critical:]usage,usage...]
                 [format=der|pem]
                 [keytype=rsa|dsa]
                 [keylen=key-size]
                 [lifetime=number-hour|number-day|number-year]
                 [eku=[critical:]EKU_name,...]
    

    Generates a self-signed certificate and installs it and its associated private key to the specified keystore.

    gencert prompts the user to enter a PIN for token-based keystore.

    gencsr

    The format for the gencsr subcommand is as follows:

    pktool gencsr [-i] keystore=nss
                 nickname=key-nickname
                 outcsr=csr-fn
                 subject=subject-DN
                 [altname=[critical:]subjectAltName]
                 [keyusage=[critical:]usage,usage...]
                 [token=token[:manuf[:serial]]]
                 [dir=directory-path]
                 [prefix=DBprefix]
                 [keytype=rsa|dsa]
                 [keylen=key-size]
                 [format=pem|der]
                 [eku=[critical:]EKU_name,...]
                
    pktool gencsr [-i] keystore=pkcs11
                 label=key-label
                 outcsr=csr-fn
                 subject=subject-DN
                 [altname=[critical:]subjectAltName]
                 [keyusage=[critical:]usage,usage...]
                 [token=token[:manuf[:serial]]]
                 [keytype=rsa|dsa]
                 [keylen=key-size]
                 [format=pem|der]
                 [eku=[critical:]EKU_name,...]
                
    pktool gencsr [-i] keystore=file
                 outcsr=csr-fn
                 outkey=key-fn
                 subject=subject-DN
                 [altname=[critical:]subjectAltName]
                 [keyusage=[critical:]usage,usage...]
                 [dir=directory-path]
                 [keytype=rsa|dsa]
                 [keylen=key-size]
                 [format=pem|der]
                 [eku=[critical:]EKU_name,...]
    

    Creates a PKCS#10 certificate signing request (CSR) file. This CSR can be sent to a Certifying Authority (CA) for signing. The gencsr subcommand prompts the user to enter a PIN for token-based keystore.

    genkey

    The format for the genkey subcommand is as follows:

    pktool genkey [keystore=pkcs11]
                 label=key-label
                 [keytype=aes|arcfour|des|3des|generic]
                 [keylen=key-size (for aes, arcfour, or \
                     generic keytypes only)]
                 [token=token[:manuf[:serial]]]
                 [sensitive=y|n]
                 [extractable=y|n]
                 [print=y|n]
    
    pktool genkey keystore=nss
                 label=key-label
                 [keytype=aes|arcfour|des|3des|generic]
                 [keylen=key-size (for aes, arcfour, or \
                     generic keytypes only)]
                 [token=token[:manuf[:serial]]]
                 [dir=directory-path]
                 [prefix=DBprefix]
    
    pktool genkey keystore=file
                 outkey=key-fn
                 [keytype=aes|arcfour|des|3des|generic]
                 [keylen=key-size (for aes, arcfour, \
                      or generic keytypes only)]
                 [print=y|n]
    

    Generates a symmetric key in the specified keystore. The genkey subcommand prompts the user to enter a PIN for token-based keystore.

    import

    The format for the import subcommand is as follows:

    pktool import [token=token>[:manuf>[:serial>]]]
                 infile=input-fn
    
    pktool import [keystore=pkcs11]
                 infile=input-fn
                 label=object-label
                 [keytype=aes|arcfour|des|3des|generic]
                 [sensitive=y|n]
                 [extractable=y|n]
                 [token=token[:manuf[:serial]]]
                 [objtype=cert|key]
    
    pktool import keystore=pkcs11
                 objtype=crl
                 infile=input-fn
                 outcrl=output-crl-fn
                 outformat=pem|der
    
    pktool import keystore=nss
                 objtype=cert
                 infile=input-fn
                 label=cert-label
                 [token=token[:manuf[:serial]]]
                 [dir=directory-path]
                 [prefix=DBprefix]
                 [trust=trust-value]
    
    pktool import keystore=nss
                 objtype=crl
                 infile=input-fn
                 [verifycrl=y|n]
                 [token=token[:manuf[:serial]]]
                 [dir=directory-path]
                 [prefix=DBprefix]
    
    pktool import keystore=file
                 infile=input-fn
                 outkey=output-key-fn
                 outcert=output-key-fn
                 [outformat=pem|der]
    
    pktool import keystore=file
                 objtype=crl
                 infile=input-fn
                 outcrl=output-crl-fn
                 outformat=pem|der
    

    Loads certificates, keys, or CRLs from the specified input file into the specified keystore.

    list

    The format for the list subcommand is as follows:

    pktool list [token=token[:manuf[:serial]]]
               [objtype=private|public|both]
               [label=label]
    
    pktool list [keystore=pkcs11]
               [objtype=cert[:public | private | both]]
               [token=token[:manuf[:serial]]]
               [label=cert-label]
               [serial=hex-serial-number]
               [issuer=issuer-DN]
               [subject=subject-DN]
    
    pktool list [keystore=pkcs11]
               objtype=key[:public | private | both]]
               [token=token[:manuf[:serial]]]
               [label=key-label]
    
    pktool list keystore=pkcs11
               objtype=crl
               infile=input-fn
               
    pktool list keystore=nss
               objtype=cert
               [subject=subject-DN]
               [issuer=issuer-DN]
               [serial=hex-serial-number]
               [nickname=cert-nickname]
               [token=token[:manuf[:serial]]]
               [dir=directory-path]
               [prefix=DBprefix]
    
    pktool list keystore=nss
               objtype=key
               [token=token[:manuf[:serial]]]
               [dir=directory-path]
               [prefix=DBprefix]
               
    pktool list keystore=file
               objtype=cert
               [infile=input-fn]
               [dir=directory-path]
               [serial=hex-serial-number]
               [issuer=issuer-DN]
               [subject=subject-DN]
    
    pktool list keystore=file
               objtype=key
               [infile=input-fn]
               [dir=directory-path]
    

    Lists certificates, list keys, or list certificate revocation lists (CRL). When displaying a private certificate or key in PKCS#11 token, the user is prompted to authenticate to the PKCS#11 token by entering the correct PIN.

    setpin

    The format for the setpin subcommand is as follows:

    pktool setpin keystore=nss
          [token=token]
          [dir=directory-path]
          [prefix=DBprefix]
    
    pktool setpin [ keystore=pkcs11]
          [token=token[:manuf[:serial]]]
    

    Changes the passphrase used to authenticate a user to the PKCS#11 or NSS token. Passphrases may be any string of characters with lengths between 1 and 256 with no nulls.

    setpin prompts the user for the old passphrase, if any. If the old passphrase matches, pktool prompts for the new passphrase twice. If the two entries of the new passphrases match, it becomes the current passphrase for the token.

    For the Sun Software PKCS#11 softtoken keystore (default), the user must use the setpin command with the default passphrase changeme as the old passphrase to change the passphrase of the object store. This action is needed to initialize and set the passphrase to a newly created token object store.

    signcsr

    The format for the signcsr subcommand is as follows:

    signcsr keystore=pkcs11
           signkey=label (label of key to use for signing)
           csr=CSR_filename
           serial=serial_number_hex_string_for_final_certificate
           outcert=filename_for_final_certificate
           issuer=issuer-DN
           [store=y|n] (store the new cert in NSS DB, default=n)
           [outlabel=certificate label]
           [format=pem|der] (certificate output format)
           [subject=subject-DN] (override the CSR subject name)
           [altname=subjectAltName] (add subjectAltName )
           [keyusage=[critical:]usage,...] (add key usage bits)
           [eku=[critical:]EKU_Name,...] (add Extended Key Usage )
           [lifetime=number-hour|number-day|number-year]
           [token=token[:manuf[:serial]]]
    signcsr keystore=file
           signkey=filename
           csr=CSR_filename
           serial=serial_number_hex_string_for_final_certificate
           outcert=filename_for_final_certificate
           issuer=issuer-DN
           [format=pem|der] (certificate output format)
           [subject=subject-DN] (override the CSR subject name)
           [altname=subjectAltName] (add a subjectAltName)
           [keyusage=[critical:]usage,...] (add key usage bits)
           [lifetime=number-hour|number-day|number-year]
           [eku=[critical:]EKU_ Name,...] (add Extended Key Usage)
    signcsr keystore=nss
           signkey=label (label of key to use for signing)
           csr=CSR_filename
           serial=serial_number_hex_string_for_final_certificate
           outcert=filename_for_final_certificate
           issuer=issuer-DN
           [store=y|n] (store the new cert in NSS DB, default=n)
           [outlabel=certificate label]
           [format=pem|der] (certificate output format)
           [subject=subject-DN] (override the CSR subject name)
           [altname=subjectAltName] (add a subjectAltName)
           [keyusage=[critical:]usage,...] (add key usage bits)
           [eku=[critical:]EKU_Name,...] (add Extended Key Usage)
           [lifetime=number-hour|number-day|number-year]
           [token=token[:manuf[:serial]]]
           [dir=directory-path]
           [prefix=DBprefix]
    

    tokens

    The format for the tokens subcommand is as follows:

    pktool tokens
    

    The tokens subcommand lists all visible PKCS#11 tokens.

    -?

    The format for the subcommand is as follows:

    pktool -?
    pktool --help
    

    The -? option displays usage and help information. --help is a synonym for -?.

     

    USAGE

    The pktool subcommands support the following options:

    altname=[critical:]subjectAltName

    Subject Alternative Names the certificate. The argument that follows the -A option should be in the form of tag=value. Valid tags are IP, DNS, EMAIL, URI, DN, KRB, UPN, and RID. The SubjectAltName extension is marked as critical if the altname string is pre-peneded with the

    Example 1: Add an IP address to the subjectAltName extension. altname="IP=1.2.3.4" Example 2: Add an email address to the subjectAltName extension, and mark it as being critical. altname="critical:EMAIL=first.last@company.com"

    dir=directory_path

    Specifies the NSS database directory, or OpenSSL keystore directory where the requested object is stored.

    eku=[critical:]EKU_Name,[critical:]EKU_Name, ...]

    Specifies the extended key usage X.509v3 extension values to add to the certificate or certificate request.

    Specify EKU_Name as one of the following: serverAuth, clientAuth, codeSigning, emailProtection, ipsecEndSystem, ipsecTunnel, ipsecUser, timeStamping, OCSPSigning, KPClientAuth, KPKdc, or scLogon.

    An example is:

    eku=KPClientAuth,clientAuth
    

    extractable=y | n

    Specifies the resulting symmetric key in the PKCS#11 token is extractable or not extractable. The valid values are: y and n. The default value is y.

    format=pem | der | pkcs12

    For the gencert subcommand, this option only applies to the file based keystore such as OpenSSL. It is used to specify the output format of the key or certificate file to be created. The valid formats are: pem or der. The default format is pem.

    For the gencsr subcommand, this option specifies the output encoded format of the CSR file. The valid formats are: pem or der. The default format is pem.

    infile=input-fn

    Specifies the certificate filename for list and delete subcommands when objtype=cert and keystore=file. For the import subcommand, this option specifies the filename to be imported. Specifies the input CRL filename for list, delete and import subcommands when objtype=crl.

    issuer=issuer-DN

    Specifies the issuer of a certificate.

    keylen=key-size

    Specifies the size (bits) of the private or symmetric key to generate.

    For the gencert and gencsr subcommands, the default key length is 1024 bits.

    For the genkey subcommand, the minimum and maximum bits of the symmetric key to generate using AES algorithm are 128 and 256. Using the ARCFOUR algorithm, the minimum and maximum bits are 8 and 2048. The minimum bits for a generic secret key is 8 and the maximum bits is arbitrary. The default key length for the AES, ARCFOUR or generic secret keys is 128. For a DES key or a 3DES key, the key length is fixed and this option is ignored if specified.

    keystore=nss | pkcs11 | file

    Specifies the type of the underlying keystore: NSS token, PKCS#11 token, or file-based plugin.

    keytype=rsa | dsa | aes | arcfour | des | 3des | generic

    Specifies the type of the private or symmetric key to generate.

    For the gencert and gencsr subcommands, the valid private key types are: rsa, or dsa. The default key type is rsa.

    For the genkey subcommand, the valid symmetric key types are: aes, arcfour, des, 3des, or generic. The default key type is aes.

     keyusage=[critical:]usage,usage,usage,...
    

    Key Usage strings:
    * digitalSignature
    * nonRepudiation
    * keyEncipherment
    * dataEncipherment
    * keyAgreement
    * keyCertSign
    * cRLSign
    * encipherOnly
    * decipherOnly
    

    Example 1: Set the KeyUsage so that the cert (or csr) can be used for signing and verifying data other than certificates or CRLs (digitalSignature) and also can be used for encrypting and decrypting data other than cryptographic keys (dataEncipherment). keyusage=digitalSignature,dataEncipherment

    Example 2: The same as above (Example 1), but with the critical bit set. keyusage=critical:digitalSignature,dataEncipherment

    label=key-label | cert-label

    For the gencert subcommand, this option specifies the label of the private key and self-signed certificate in the PKCS#11 token.

    For the gencsr subcommand, this option specifies the label of the private key in the PKCS#11 token.

    For the list subcommand, this option specifies the label of the X.509 Certificate (when objtype=key) or the private key (when objtype=cert) in the PKCS#11 token to refine the list.

    For the delete subcommand, this option specifies the label of the X.509 Certificate (when objtype=key) or the private key (when objtype=cert) to delete a designated object from the PKCS#11 token.

    lifetime=number-hour|number-day|number-year

    Specifies the validity period a certificate is valid. The certificate life time can be specified by number-hour, number-day, or number-year. Only one format can be specified. The default is 1-year. Examples of this option might be: lifetime=1-hour, lifetime=2-day, lifetime=3-year

    nickname=cert-nickname

    For the gencert subcommand, this option is required to specify the certificate's nickname for NSS keystore.

    For the list subcommand, this option specifies the nickname of the certificate in the NSS token to display its content. For the delete subcommand, to delete a CRL from the NSS token, this option is used to specify the nickname of the issuer's certificate. For the delete subcommand, to delete a certificate from the NSS token, this option specifies the nickname of the certificate. For the import subcommand, to import a specified input file to the NSS token, this option is required to specify the nickname of the resulting certificate.

    objtype=cert | key | crl

    Specifies the class of the object: cert, key, or crl. For the download subcommand, if this option is not specified, default to crl.

    objtype=public | private | both

    Specifies the type of object: private object, public object, or both. This option only applies to list and delete subcommands for the PKCS#11 token when objtype=key is specified. The default value is public.

    For the list subcommand, the label option may be combined with this option to further refine the list of keys. For the delete subcommand, this option may used to narrow the keys to be deleted to only public, or private ones. Alternately, the label option may be omitted to indicate that all public, private, or both type of keys are to be deleted.The use of public, private and both as choices for the objtype parameter are only applicable with the PKCS#11 keystore in order to maintain compatibility with earlier versions of the pktool command.

    outcert=cert-fn

    Specifies the output certificate filename to write to. This option is required for the file based plugin such as OpenSSL. Option outkey=key-fn is required with this option.

    outcrl=output-crl-fn

    Specifies the output CRL filename to write to.

    outcsr=csr-fn

    Specifies the output CSR filename to write to.

    outfile=output-fn

    For the export subcommand, this option specifies the output filename to be created. For the import subcommand, this option specifies the output filename of the certificate or CRL. It only applies to the file based plugin such as OpenSSL. For the download subcommand, if this option is not specified, the downloaded file name is the basename of the URL string.

    outformat=pem | der | pkcs12

    For the import subcommand, this option specifies the output format of the certificate or key that is extracted from a specified PKCS#12 file into the file based plugin, The valid values are: pem or der. The default is pem. When importing a CRL to the CRL file based keystore, this option specifies the output format of the CRL. The valid values are: pem or der. The default is der. For the export subcommand, this option specifies the format of the specified output file to be created. The supported formats are: pem, der or pkcs12. The default is pkcs12.

    outkey=key-fn

    Specifies the output private key filename to which to write. This option is only required when using the files keystore.

    prefix=DBprefix

    Specifies the NSS database prefix. This option only applies to the NSS token.

    print=y | n

    This option is used in the genkey subcommand and it applies to the PKCS11 and File-based keystores. If print=y, the genkey subcommand prints out the key value of the generated key in a single line of hex. The default value is n. For the PKCS11 keystore, if a symmetric key is created with sensitive=y or extractable=n, the key value is not displayed, even the print option is set to y. The key is still created, but a warning like cannot reveal the key value is issued.

    sensitive=y | n

    Specifies the resulting symmetric key in the PKCS#11 token is sensitive or not sensitive. The valid values are: y and n. The default value is n.

    serial=hex-serial-number

    Specifies a unique serial number for a certificate. The serial number must be specified as a hex value. Example: 0x0102030405060708090a0b0c0d0e0f

    subject=subject-DN

    Specifies a particular certificate owner for a certificate or certificate request. An example subject= setting might be:

    subject=O=Sun Microsystems Inc., \ 
    OU=Solaris Security Technologies Group, \
    L=Ashburn, ST=VA, C=US, CN=John Smith
    

    token=token[:manuf[:serial]]

    When a token label contains trailing spaces, this option does not require them to be typed as a convenience to the user.

    Colon separate token identification string token:manuf:serial. If any of the parts have a literal : char then it needs to be escaped using a backslash (\). If no : is found then the entire string (up to 32 chars) is taken as the token label. If only one : is found then the string is the token label and the manufacturer. When keystore=nss is specified, default to NSS internal token if this option is not specified. When keystore=pkcs11 is specified, default to pkcs11_softtoken if this option is not specified.

    trust=trust-value

    Specifies the certificate trust attributes. This is only for NSS certificates and that the standard NSS syntax applies.

    url=url_string

    Specifies the URL to download a CRL or a certificate file.

    verifycrl=y | n

    When importing a CRL to NSS keystore, this option specifies whether the CRL verification is performed. The valid values are: y and n. The default value is n.

    http_proxy=proxy_str

    Specifies the proxy server hostname and port number. The format can be either http://hostname[:port] or hostname[:port]. If this option is not specified, the download subcommand checks the http_proxy environment variable. The command line option has a higher priority than the environment variable.

     

    EXAMPLES

    Example 1 Generating a Self-Signed Certificate

    The following example creates the certificate and stores it in the keystore indicated in the command:

     $ pktool gencert keystore=nss nickname=WebServerCert \
          subject="O=Sun Microsystems Inc., OU=Solaris Security Technologies Group, \
          L=Ashburn, ST=VA, C=US, CN=John Smith" dir=/etc/certs \
          keytype=rsa keylen=2048
    

    Example 2 Generating a Certificate Signing Request

    The following example creates the CSR and stores it in the keystore indicated in the command:

     $ pktool gencsr keystore=nss subject="O=Sun Microsystems Inc., \
          OU=Solaris Security Technologies Group, L=Ashburn, ST=VA, C=US, \
          CN=John Smith" keytype=rsa keylen=2048 outcsr=csr.dat
    

    Example 3 Importing a Certificate

    The following example imports a certificate object from the specified input file into the keystore indicated in the command:

     $ pktool import keystore=nss objtype=cert infile=mycert.pem \
          nickname=mycert
    

     

    EXIT STATUS

    The following exit values are returned:

    0

    Successful completion.

    >0

    An error occurred.

     

    ATTRIBUTES

    See attributes(5) for descriptions of the following attributes:

    ATTRIBUTE TYPEATTRIBUTE VALUE

    AvailabilitySUNWcsu

    Interface Stability

     

    SEE ALSO

    attributes(5), pkcs11_softtoken(5)

    RSA PKCS#11 v2.11 http://www.rsasecurity.com

    RSA PKCS#12 v1.0 http://www.rsasecurity.com


     

    Index

    NAME
    SYNOPSIS
    DESCRIPTION
    OPTIONS
    SUBCOMMANDS
    USAGE
    EXAMPLES
    EXIT STATUS
    ATTRIBUTES
    SEE ALSO


    Поиск по тексту MAN-ов: 




    Партнёры:
    PostgresPro
    Inferno Solutions
    Hosting by Hoster.ru
    Хостинг:

    Закладки на сайте
    Проследить за страницей
    Created 1996-2024 by Maxim Chirkov
    Добавить, Поддержать, Вебмастеру