Skip to content

NSS Database

Endi S. Dewata edited this page Jan 20, 2022 · 14 revisions

Creating Database

Modules

Listing Certificates

Displaying Certificate Info

Exporting Certificate

Decoding Certificate

Importing Certificate

Exporting Certificate Chain

To export a certificate chain, export each certificate (see Exporting Certificate), then create a PKCS #7 file:

$ openssl crl2pkcs7 -nocrl -certfile ca1.crt -certfile ca2.crt ... -out cert_chain.p7b

Verify with the following command:

$ openssl pkcs7 -print_certs -in cert_chain.p7b

Importing Certificate Chain

To import a certificate chain, import each certificate (see Importing Certificate):

$ certutil -A -d nssdb -a -i -n testcert -i testcert.pem -t CT,C,C

Alternatively, the entire certificate chain can be imported as a PKCS #7 file:

$ openssl pkcs7 -print_certs -in /tmp/cert_chain.p7b -out /tmp/cert_chain.pem
$ openssl pkcs12 -export -nokeys -in /tmp/cert_chain.pem -out /tmp/cert_chain.p12 -passout file:password.txt
$ pk12util -d nssdb -k password.txt -i /tmp/cert_chain.p12 -w password.txt
$ certutil -M -d nssdb -n <nickname> -t CT,C,C

Exporting into PKCS #12 File

To export the all keys and certificates in the database:

$ PKCS12Export -d nssdb -p password.internal -o output.p12 -w output.password

Importing from PKCS #12 File

Exporting from PKCS #12 File

Export Cert from a PKCS #12 file:

$ openssl pkcs12 -in path.p12 -out newfile.crt.pem -clcerts -nokeys

Export encrypted RSA key from a pkics#12 (.p12) file:

$ openssl pkcs12 -in path.p12 -out newfile.key.pem -nocerts -nodes

Convert encrypted RSA key to unencrypted (pkcs#1):

$ openssl rsa -in newfile.key.pem -out newfile.key.pkcs1

Convert unencrypted RSA private key (pkcs#1) to pkcs#8 key:

$ openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in newfile.key.pkcs1 -out newfile.key

Verify the exported cert and key match

$ openssl pkey -in privateKey.key -pubout -outform pem | sha256sum
$ openssl x509 -in certificate.crt -pubkey -noout -outform pem | sha256sum

The output from both commands must match.

Modifying a Certificate

Validating Certificate

Deleting Certificate

Listing Keys

Deleting a Key

Cloning Database

To clone an NSS database, export all certificates:

$ certutil -L -d nssdb -h HSM -n testcert -a > testcert.pem

Create the new database with the HSM modules if applicable:

$ mkdir clone
$ certutil -N -d nssdb

Then reimport all certificates:

$ certutil -A -d nssdb -h HSM -f password.HSM -n testcert -i testcert.pem -t "CT,C,C"

Generating Key Pair

Generate a key pair with the following command:

$ openssl rand -out noise.bin 2048
$ certutil -G -d nssdb -h internal -f password.internal -z nssdb/noise.bin


Generating key.  This may take a few moments...

Generating Certificate Request

Creating Noise File

$ openssl rand -out noise.bin 2048

Creating CSR File

Generate a CSR with the following command:

$ certutil -R \
 -d nssdb \
 -h internal \
 -f password.internal \
 -s "UID=testuser,O=EXAMPLE" \
 -z noise.bin \
 -o testuser.csr.der
$ BtoA testuser.csr.der testuser.csr.pem
$ echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > testuser.csr
$ cat testuser.csr.pem >> testuser.csr
$ echo "-----END NEW CERTIFICATE REQUEST-----" >> testuser.csr
$ rm testuser.csr.der
$ rm testuser.csr.pem

Creating Certificates

See Also

Clone this wiki locally