pktool - manage certificates and keys
pktool [-f option_file] [-i] subcommand subcommand_options ...
The pktool command allows users to manage the certificates and keys on multiple keystores including PKCS#11 tokens (that is, Cryptographic Framework), Netscape Security Services (NSS) tokens, and standard file based keystore for OpenSSL.
pktool also provides support to list, delete and import a Certificate Revocation List (CRL). pktool does not provide support for creating CRLs, signing CRLs, or exporting CRLs. The CRL support for the PKCS#11 keystore is file-based.
The following command options are supported:
-f option_file
This option is provided as a convenience for users because pktool can potentially have a large list of subcommands and associated options to be specified on the command line.
The format of the option_file is one option or value pair per-line.
An example option_file might looks as follows:
list keystore=nss dir=/export/foo objtype=key
-i
An example of using the -i option follows:
Country Name (2 letter code) [US]:US State or Province Name (full name) [Some-State]:CA Locality Name (eg, city) []:Menlo Park Organization Name (eg, company):Sun Microsystems Inc. Organizational Unit Name (eg, section):OPG Common Name (eg, YOUR name):John Smith Email Address []: john.smith@sun.com
The resulting subject-DN is:
"C=US, ST=CA, L=Menlo Park, O=Sun Microsystems Inc.,\ OU=OPG, emailAddress=john.smith@sun.com, \ CN=John Smith"
The following subcommands are supported:
delete
pktool delete [token=token[:manuf[:serial]]] [objtype=private|public|both] [label=object-label] pktool delete keystore=pkcs11 objtype=cert[:public | private | both]] [token=token[:manuf[:serial]]] [label=cert-label] [serial=hex-serial-number] [issuer=issuer-DN] [subject=subject-DN] pktool delete keystore=nss objtype=cert [subject=subject-DN] [issuer=issuer-DN] [serial=hex-serial-number] [nickname=cert-nickname] [token=token[:manuf[:serial]]] [dir=directory-path] [prefix=DBprefix] pktool delete keystore=nss objtype=crl [nickname=cert-nickname] [subject=subject-DN] [token=token[:manuf[:serial]]] [dir=directory-path] [prefix=DBprefix] pktool delete keystore=pkcs11 objtype=key[:public | private | both]] [token=token[:manuf[:serial]]] [label=key-label] pktool delete keystore=pkcs11 objtype=crl infile=input-fn pktool delete keystore=file objtype=cert [infile=input-fn] [dir=directory-path] [serial=hex-serial-number] [issuer=issuer-DN] [subject=subject-DN] pktool delete keystore=file objtype=key [infile=input-fn] [dir=directory-path] pktool delete keystore=file objtype=crl infile=input-fn
Deletes a certificate, key, or certificate revocation list (CRL).
To delete a private certificate or key from PKCS#11 token, the user is prompted to authenticate to the PKCS#11 by entering the correct Personal Identification Number (PIN).
download
pktool download url=url_str [objtype=crl|cert] [http_proxy=proxy_str] [outfile=output-fn] [dir=directory-path]
Downloads a CRL file or a certificate file from the specified URL location. Once the file is successfully downloaded, checks the validity of the downloaded CRL or certificate file. If the CRL or the certificate is expired, download issues a warning.
export
pktool export [token=token[:manuf[:serial]]] outfile=output-fn pktool export keystore=pkcs11 outfile=output-fn [objtype=cert|key] [label=label] [subject=subject-DN] [issuer=issuer-DN] [serial=hex-serial-number] [outformat=pem|der|pkcs12|raw] [token=token[:manuf[:serial]]] pktool export keystore=nss outfile=output-fn [subject=subject-DN] [issuer=issuer-DN] [serial=hex-serial-number] [nickname=cert-nickname] [token=token[:manuf[:serial]]] [dir=directory-path] [prefix=DBprefix] [outformat=pem|der|pkcs12] pktool export keystore=file certfile=cert-input-fn keyfile=key-input-fn outfile=output-pkcs12-fn
Saves the contents of PKCS#11 token or certificates in the NSS token or file-based keystore to the specified file.
gencert
pktool gencert [-i] keystore=nss label=cert-nickname subject=subject-DN serial=hex_serial_number [altname=[critical:]subjectAltName] [keyusage=[critical:]usage,usage...] [token=token[:manuf[:serial]]] [dir=directory-path] [prefix=DBprefix] [keytype=rsa|dsa] [keylen=key-size] [trust=trust-value] [lifetime=number-hour|number-day|number-year] [eku=[critical:]EKU_name,...] pktool gencert [-i] [ keystore=pkcs11] label=key/cert-label subject=subject-DN serial=hex_serial_number [altname=[critical:]subjectAltName] [keyusage=[critical:]usage,usage...] [token=token[:manuf[:serial]]] [keytype=rsa|dsa] [keylen=key-size] [lifetime=number-hour|number-day|number-year] [eku=[critical:]EKU_name,...] pktool gencert [-i] keystore=file outcert=cert-fn outkey=key-fn subject=subject-DN serial=hex_serial_number [altname=[critical:]subjectAltName] [keyusage=[critical:]usage,usage...] [format=der|pem] [keytype=rsa|dsa] [keylen=key-size] [lifetime=number-hour|number-day|number-year] [eku=[critical:]EKU_name,...]
Generates a self-signed certificate and installs it and its associated private key to the specified keystore.
gencert prompts the user to enter a PIN for token-based keystore.
gencsr
pktool gencsr [-i] keystore=nss nickname=key-nickname outcsr=csr-fn subject=subject-DN [altname=[critical:]subjectAltName] [keyusage=[critical:]usage,usage...] [token=token[:manuf[:serial]]] [dir=directory-path] [prefix=DBprefix] [keytype=rsa|dsa] [keylen=key-size] [format=pem|der] [eku=[critical:]EKU_name,...] pktool gencsr [-i] keystore=pkcs11 label=key-label outcsr=csr-fn subject=subject-DN [altname=[critical:]subjectAltName] [keyusage=[critical:]usage,usage...] [token=token[:manuf[:serial]]] [keytype=rsa|dsa] [keylen=key-size] [format=pem|der] [eku=[critical:]EKU_name,...] pktool gencsr [-i] keystore=file outcsr=csr-fn outkey=key-fn subject=subject-DN [altname=[critical:]subjectAltName] [keyusage=[critical:]usage,usage...] [dir=directory-path] [keytype=rsa|dsa] [keylen=key-size] [format=pem|der] [eku=[critical:]EKU_name,...]
Creates a PKCS#10 certificate signing request (CSR) file. This CSR can be sent to a Certifying Authority (CA) for signing. The gencsr subcommand prompts the user to enter a PIN for token-based keystore.
genkey
pktool genkey [keystore=pkcs11] label=key-label [keytype=aes|arcfour|des|3des|generic] [keylen=key-size (for aes, arcfour, or \ generic keytypes only)] [token=token[:manuf[:serial]]] [sensitive=y|n] [extractable=y|n] [print=y|n] pktool genkey keystore=nss label=key-label [keytype=aes|arcfour|des|3des|generic] [keylen=key-size (for aes, arcfour, or \ generic keytypes only)] [token=token[:manuf[:serial]]] [dir=directory-path] [prefix=DBprefix] pktool genkey keystore=file outkey=key-fn [keytype=aes|arcfour|des|3des|generic] [keylen=key-size (for aes, arcfour, \ or generic keytypes only)] [print=y|n]
Generates a symmetric key in the specified keystore. The genkey subcommand prompts the user to enter a PIN for token-based keystore.
import
pktool import [token=token>[:manuf>[:serial>]]] infile=input-fn pktool import [keystore=pkcs11] infile=input-fn label=object-label [keytype=aes|arcfour|des|3des|generic] [sensitive=y|n] [extractable=y|n] [token=token[:manuf[:serial]]] [objtype=cert|key] pktool import keystore=pkcs11 objtype=crl infile=input-fn outcrl=output-crl-fn outformat=pem|der pktool import keystore=nss objtype=cert infile=input-fn label=cert-label [token=token[:manuf[:serial]]] [dir=directory-path] [prefix=DBprefix] [trust=trust-value] pktool import keystore=nss objtype=crl infile=input-fn [verifycrl=y|n] [token=token[:manuf[:serial]]] [dir=directory-path] [prefix=DBprefix] pktool import keystore=file infile=input-fn outkey=output-key-fn outcert=output-key-fn [outformat=pem|der] pktool import keystore=file objtype=crl infile=input-fn outcrl=output-crl-fn outformat=pem|der
Loads certificates, keys, or CRLs from the specified input file into the specified keystore.
list
pktool list [token=token[:manuf[:serial]]] [objtype=private|public|both] [label=label] pktool list [keystore=pkcs11] [objtype=cert[:public | private | both]] [token=token[:manuf[:serial]]] [label=cert-label] [serial=hex-serial-number] [issuer=issuer-DN] [subject=subject-DN] pktool list [keystore=pkcs11] objtype=key[:public | private | both]] [token=token[:manuf[:serial]]] [label=key-label] pktool list keystore=pkcs11 objtype=crl infile=input-fn pktool list keystore=nss objtype=cert [subject=subject-DN] [issuer=issuer-DN] [serial=hex-serial-number] [nickname=cert-nickname] [token=token[:manuf[:serial]]] [dir=directory-path] [prefix=DBprefix] pktool list keystore=nss objtype=key [token=token[:manuf[:serial]]] [dir=directory-path] [prefix=DBprefix] pktool list keystore=file objtype=cert [infile=input-fn] [dir=directory-path] [serial=hex-serial-number] [issuer=issuer-DN] [subject=subject-DN] pktool list keystore=file objtype=key [infile=input-fn] [dir=directory-path]
Lists certificates, list keys, or list certificate revocation lists (CRL). When displaying a private certificate or key in PKCS#11 token, the user is prompted to authenticate to the PKCS#11 token by entering the correct PIN.
setpin
pktool setpin keystore=nss [token=token] [dir=directory-path] [prefix=DBprefix] pktool setpin [ keystore=pkcs11] [token=token[:manuf[:serial]]]
Changes the passphrase used to authenticate a user to the PKCS#11 or NSS token. Passphrases may be any string of characters with lengths between 1 and 256 with no nulls.
setpin prompts the user for the old passphrase, if any. If the old passphrase matches, pktool prompts for the new passphrase twice. If the two entries of the new passphrases match, it becomes the current passphrase for the token.
For the Sun Software PKCS#11 softtoken keystore (default), the user must use the setpin command with the default passphrase changeme as the old passphrase to change the passphrase of the object store. This action is needed to initialize and set the passphrase to a newly created token object store.
signcsr
signcsr keystore=pkcs11 signkey=label (label of key to use for signing) csr=CSR_filename serial=serial_number_hex_string_for_final_certificate outcert=filename_for_final_certificate issuer=issuer-DN [store=y|n] (store the new cert in NSS DB, default=n) [outlabel=certificate label] [format=pem|der] (certificate output format) [subject=subject-DN] (override the CSR subject name) [altname=subjectAltName] (add subjectAltName ) [keyusage=[critical:]usage,...] (add key usage bits) [eku=[critical:]EKU_Name,...] (add Extended Key Usage ) [lifetime=number-hour|number-day|number-year] [token=token[:manuf[:serial]]] signcsr keystore=file signkey=filename csr=CSR_filename serial=serial_number_hex_string_for_final_certificate outcert=filename_for_final_certificate issuer=issuer-DN [format=pem|der] (certificate output format) [subject=subject-DN] (override the CSR subject name) [altname=subjectAltName] (add a subjectAltName) [keyusage=[critical:]usage,...] (add key usage bits) [lifetime=number-hour|number-day|number-year] [eku=[critical:]EKU_ Name,...] (add Extended Key Usage) signcsr keystore=nss signkey=label (label of key to use for signing) csr=CSR_filename serial=serial_number_hex_string_for_final_certificate outcert=filename_for_final_certificate issuer=issuer-DN [store=y|n] (store the new cert in NSS DB, default=n) [outlabel=certificate label] [format=pem|der] (certificate output format) [subject=subject-DN] (override the CSR subject name) [altname=subjectAltName] (add a subjectAltName) [keyusage=[critical:]usage,...] (add key usage bits) [eku=[critical:]EKU_Name,...] (add Extended Key Usage) [lifetime=number-hour|number-day|number-year] [token=token[:manuf[:serial]]] [dir=directory-path] [prefix=DBprefix]
tokens
pktool tokens
The tokens subcommand lists all visible PKCS#11 tokens.
-?
pktool -? pktool --help
The -? option displays usage and help information. --help is a synonym for -?.
The pktool subcommands support the following options:
altname=[critical:]subjectAltName
Example 1: Add an IP address to the subjectAltName extension. altname="IP=1.2.3.4" Example 2: Add an email address to the subjectAltName extension, and mark it as being critical. altname="critical:EMAIL=first.last@company.com"
dir=directory_path
eku=[critical:]EKU_Name,[critical:]EKU_Name, ...]
Specify EKU_Name as one of the following: serverAuth, clientAuth, codeSigning, emailProtection, ipsecEndSystem, ipsecTunnel, ipsecUser, timeStamping, OCSPSigning, KPClientAuth, KPKdc, or scLogon.
An example is:
eku=KPClientAuth,clientAuth
extractable=y | n
format=pem | der | pkcs12
For the gencsr subcommand, this option specifies the output encoded format of the CSR file. The valid formats are: pem or der. The default format is pem.
infile=input-fn
issuer=issuer-DN
keylen=key-size
For the gencert and gencsr subcommands, the default key length is 1024 bits.
For the genkey subcommand, the minimum and maximum bits of the symmetric key to generate using AES algorithm are 128 and 256. Using the ARCFOUR algorithm, the minimum and maximum bits are 8 and 2048. The minimum bits for a generic secret key is 8 and the maximum bits is arbitrary. The default key length for the AES, ARCFOUR or generic secret keys is 128. For a DES key or a 3DES key, the key length is fixed and this option is ignored if specified.
keystore=nss | pkcs11 | file
keytype=rsa | dsa | aes | arcfour | des | 3des | generic
For the gencert and gencsr subcommands, the valid private key types are: rsa, or dsa. The default key type is rsa.
For the genkey subcommand, the valid symmetric key types are: aes, arcfour, des, 3des, or generic. The default key type is aes.
keyusage=[critical:]usage,usage,usage,...
Key Usage strings: * digitalSignature * nonRepudiation * keyEncipherment * dataEncipherment * keyAgreement * keyCertSign * cRLSign * encipherOnly * decipherOnly
Example 1: Set the KeyUsage so that the cert (or csr) can be used for signing and verifying data other than certificates or CRLs (digitalSignature) and also can be used for encrypting and decrypting data other than cryptographic keys (dataEncipherment). keyusage=digitalSignature,dataEncipherment
Example 2: The same as above (Example 1), but with the critical bit set. keyusage=critical:digitalSignature,dataEncipherment
label=key-label | cert-label
For the gencsr subcommand, this option specifies the label of the private key in the PKCS#11 token.
For the list subcommand, this option specifies the label of the X.509 Certificate (when objtype=key) or the private key (when objtype=cert) in the PKCS#11 token to refine the list.
For the delete subcommand, this option specifies the label of the X.509 Certificate (when objtype=key) or the private key (when objtype=cert) to delete a designated object from the PKCS#11 token.
lifetime=number-hour|number-day|number-year
nickname=cert-nickname
For the list subcommand, this option specifies the nickname of the certificate in the NSS token to display its content. For the delete subcommand, to delete a CRL from the NSS token, this option is used to specify the nickname of the issuer's certificate. For the delete subcommand, to delete a certificate from the NSS token, this option specifies the nickname of the certificate. For the import subcommand, to import a specified input file to the NSS token, this option is required to specify the nickname of the resulting certificate.
objtype=cert | key | crl
objtype=public | private | both
For the list subcommand, the label option may be combined with this option to further refine the list of keys. For the delete subcommand, this option may used to narrow the keys to be deleted to only public, or private ones. Alternately, the label option may be omitted to indicate that all public, private, or both type of keys are to be deleted.The use of public, private and both as choices for the objtype parameter are only applicable with the PKCS#11 keystore in order to maintain compatibility with earlier versions of the pktool command.
outcert=cert-fn
outcrl=output-crl-fn
outcsr=csr-fn
outfile=output-fn
outformat=pem | der | pkcs12
outkey=key-fn
prefix=DBprefix
print=y | n
sensitive=y | n
serial=hex-serial-number
subject=subject-DN
subject=O=Sun Microsystems Inc., \ OU=Solaris Security Technologies Group, \ L=Ashburn, ST=VA, C=US, CN=John Smith
token=token[:manuf[:serial]]
Colon separate token identification string token:manuf:serial. If any of the parts have a literal : char then it needs to be escaped using a backslash (\). If no : is found then the entire string (up to 32 chars) is taken as the token label. If only one : is found then the string is the token label and the manufacturer. When keystore=nss is specified, default to NSS internal token if this option is not specified. When keystore=pkcs11 is specified, default to pkcs11_softtoken if this option is not specified.
trust=trust-value
url=url_string
verifycrl=y | n
http_proxy=proxy_str
Example 1 Generating a Self-Signed Certificate
The following example creates the certificate and stores it in the keystore indicated in the command:
$ pktool gencert keystore=nss nickname=WebServerCert \ subject="O=Sun Microsystems Inc., OU=Solaris Security Technologies Group, \ L=Ashburn, ST=VA, C=US, CN=John Smith" dir=/etc/certs \ keytype=rsa keylen=2048
Example 2 Generating a Certificate Signing Request
The following example creates the CSR and stores it in the keystore indicated in the command:
$ pktool gencsr keystore=nss subject="O=Sun Microsystems Inc., \ OU=Solaris Security Technologies Group, L=Ashburn, ST=VA, C=US, \ CN=John Smith" keytype=rsa keylen=2048 outcsr=csr.dat
Example 3 Importing a Certificate
The following example imports a certificate object from the specified input file into the keystore indicated in the command:
$ pktool import keystore=nss objtype=cert infile=mycert.pem \ nickname=mycert
The following exit values are returned:
0
>0
See attributes(5) for descriptions of the following attributes:
|
attributes(5), pkcs11_softtoken(5)
RSA PKCS#11 v2.11 http://www.rsasecurity.com
RSA PKCS#12 v1.0 http://www.rsasecurity.com
Закладки на сайте Проследить за страницей |
Created 1996-2024 by Maxim Chirkov Добавить, Поддержать, Вебмастеру |