
PKI NSS CLI

Endi S. Dewata edited this page Oct 11, 2021 · 7 revisions

Overview

PKI NSS CLI is a collection of tools to access an NSS database and its contents.

Creating NSS Database

To create a new NSS database:

$ pki nss-create

By default, the database is created in ~/.dogtag/nssdb.

Removing NSS Database

To remove the NSS database:

$ pki nss-remove

Certificate Management

Certificate extensions

PKI NSS CLI can be used to create certificates and certificate requests with extensions. The extensions can be defined in a file (e.g. /usr/share/pki/server/certs/sslserver.conf):

basicConstraints       = critical, CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
authorityInfoAccess    = OCSP;URI:http://ocsp.example.com, caIssuers;URI:http://cert.example.com
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth, clientAuth
certificatePolicies    = 2.23.140.1.2.1, @cps_policy

cps_policy.id          = 1.3.6.1.4.1.44947.1.1.1
cps_policy.CPS.1       = http://cps.example.com

The format is similar to OpenSSL x509v3_config.
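The following parser for this extension-file format is an added example; it is not part of PKI NSS CLI or of the original page. It reads the sslserver.conf text shown above (embedded as a constructed sample), resolves @section references, and then runs a small profile check whose rules (flagging keyCertSign on a CA:FALSE profile, and non-critical basicConstraints or keyUsage) are my own assumptions, not checks the tool performs.

```python
# Constructed sample: the sslserver.conf extension file shown on this page.
SAMPLE_CONF = """\
basicConstraints       = critical, CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
authorityInfoAccess    = OCSP;URI:http://ocsp.example.com, caIssuers;URI:http://cert.example.com
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth, clientAuth
certificatePolicies    = 2.23.140.1.2.1, @cps_policy

cps_policy.id          = 1.3.6.1.4.1.44947.1.1.1
cps_policy.CPS.1       = http://cps.example.com
"""

def parse_ext_conf(text):
    """Parse x509v3_config-style text into {ext: (critical, [values])};
    '@section' values are replaced by that section's key/value dict."""
    exts, sections = {}, {}
    for raw in text.splitlines():
        line = raw.split('#', 1)[0]                 # strip comments
        if '=' not in line:                          # skip blank lines
            continue
        key, value = (p.strip() for p in line.split('=', 1))
        if '.' in key:                               # e.g. cps_policy.CPS.1
            section, subkey = key.split('.', 1)
            sections.setdefault(section, {})[subkey] = value
            continue
        values = [v.strip() for v in value.split(',')]
        critical = values[0] == 'critical'           # leading flag, as in OpenSSL
        exts[key] = (critical, values[1:] if critical else values)
    # second pass: a section may be defined after the extension that uses it
    def resolve(ext, v):
        if not v.startswith('@'):
            return v
        if v[1:] not in sections:
            raise ValueError(f"{ext}: unknown section {v}")
        return dict(sections[v[1:]])
    return {ext: (c, [resolve(ext, v) for v in vals]) for ext, (c, vals) in exts.items()}

def check_end_entity_profile(exts):
    """Assumed sanity rules for an end-entity (CA:FALSE) profile; returns findings."""
    bc_crit, bc = exts.get('basicConstraints', (False, []))
    ku_crit, ku = exts.get('keyUsage', (False, []))
    rules = [
        ('CA:TRUE' not in [v.upper() for v in bc] and 'keyCertSign' in ku,
         'keyCertSign set on a CA:FALSE certificate'),
        (bool(bc) and not bc_crit, 'basicConstraints is not marked critical'),
        (bool(ku) and not ku_crit, 'keyUsage is not marked critical'),
    ]
    return [msg for hit, msg in rules if hit]
```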

Importing a certificate

$ pki nss-cert-import [nickname] \
    --cert <filename> \
    --trust <attributes>

Availability: PKI 10.9

Creating a certificate

To issue a self-signed certificate:

$ pki nss-cert-issue \
    --csr sslserver.csr \
    --ext sslserver.conf \
    --cert sslserver.crt

To issue a certificate signed by another certificate:

$ pki nss-cert-issue \
    --issuer ca_signing \
    --csr sslserver.csr \
    --ext sslserver.conf \
    --cert sslserver.crt

Availability: PKI 10.9

Key Management

Listing Keys (Not Yet Implemented)

To list the keys in the internal token:

$ pki -c Secret.123 nss-key-find
  Key ID: 12e1587cf58ab6e16a5d8cf9682252a8bdf7a591
  Type: RSA
  Algorithm: RSA
  Strength: 2048

  Key ID: 64594734139b4006527bc57c8792d90333e4263c
  Type: RSA
  Algorithm: RSA
  Strength: 2048

To list the keys in an HSM:

$ pki --token HSM -c Secret.123 nss-key-find
  Key ID: 12e1587cf58ab6e16a5d8cf9682252a8bdf7a591
  Type: RSA
  Algorithm: RSA
  Strength: 2048

  Key ID: 64594734139b4006527bc57c8792d90333e4263c
  Type: RSA
  Algorithm: RSA
  Strength: 2048

Deleting a key (Not Yet Implemented)

To delete a key in the internal token:

$ pki -c Secret.123 nss-key-del e47e4cbd15fadbdd17eb865ce55031122c7c1b6

To delete a key in an HSM:

$ pki --token HSM -c Secret.123 nss-key-del e47e4cbd15fadbdd17eb865ce55031122c7c1b6

Exporting a key

To export a shared secret to the standard output:

$ pki nss-key-export "TPS-localhost.localdomain-8443 sharedSecret" --wrapper kra_transport
{
  "wrappedPrivateData" : "s1mlQNrOsttJgBxJWURqM+j/nc9yPFlCnipH/AGvFo64evmqbZTtqbViQLK0i9jh5hFDhWYW4JuMdw6X2BIYuHadJ+QN4BHpxiWCZygyjJsj3t96zSMzTH+YVEsaktzP39nQKtkaA4iOYU3Rvy0Cfokvn01V1x+GbUXOgpblTOIeXySKa3PJ/LPJREz8MmYMT21GsnEyXsJ5Xq4t9lUYaK4hzE69IXFZeInude/3sdJFFl5SIjMlE1U59YDdkcKAFfD/dyESUwOEGw7k5PgQAJO3BSks0S83NHR9jfutxOpX3UeFXcqq90/HgJj8g18mzVttQYtQfY+6NO5pXoXcsA==",
  "additionalWrappedPrivateData" : "o7E/mZb8w/i7dLCaJ2OjsGtZCuP8uoXl"
}

The output can be written to a file with the --output <path> option.

Importing a key

To import a shared secret from the standard input:

$ pki nss-key-import "TPS-localhost.localdomain-8443 sharedSecret" --wrapper kra_transport

The input can be read from a file with the --input <path> option.

See Also
