PKI NSS Certificate CLI
The pki nss-cert commands can be used to manage certificates in an NSS database.
To find all certificates in the NSS database:
$ pki nss-cert-find
Availability: Since PKI 11.1.
To find certificates with a specific subject DN or issuer DN, specify the following options:
$ pki nss-cert-find --subject <DN> --issuer <DN>
Availability: Since PKI 11.6.
To display certificate info:
$ pki nss-cert-show caadmin
Nickname: caadmin
Serial Number: 0x844a78e9c0c7567b80da5343fb049110
Subject DN: CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE
Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
Not Valid Before: Wed Aug 02 18:18:40 CDT 2023
Not Valid After: Tue Jul 22 18:18:40 CDT 2025
Trust Flags: u,u,u
To display certificate info in JSON format:
$ pki nss-cert-show caadmin --output-format json
{
  "nickname" : "caadmin",
  "serialNumber" : "0x844a78e9c0c7567b80da5343fb049110",
  "subjectDN" : "CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE",
  "issuerDN" : "CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE",
  "notBefore" : 1691018320000,
  "notAfter" : 1753226320000,
  "trustFlags" : "u,u,u"
}
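The JSON form is the one to feed into monitoring. The following is an added example, not part of the PKI project: it converts the millisecond notBefore/notAfter values into UTC dates, classifies validity, and reads the trust flags. The function names, the 30-day threshold and the abridged sample are assumptions made for illustration.

```python
import json
import subprocess
from datetime import datetime, timezone

# Constructed sample: abridged from the JSON shown above for "caadmin".
SAMPLE = '''{
  "nickname" : "caadmin",
  "serialNumber" : "0x844a78e9c0c7567b80da5343fb049110",
  "notBefore" : 1691018320000,
  "notAfter" : 1753226320000,
  "trustFlags" : "u,u,u"
}'''

def from_ms(ms):  # notBefore/notAfter are epoch milliseconds
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)

def show_cert(nickname):
    """Run the command from this page; assumes stdout carries only the JSON."""
    out = subprocess.run(
        ["pki", "nss-cert-show", nickname, "--output-format", "json"],
        check=True, capture_output=True, text=True).stdout
    return json.loads(out)

def check_cert(info, now, warn_days=30):
    """Classify validity at time `now` (aware datetime) and read the trust flags."""
    not_before, not_after = from_ms(info["notBefore"]), from_ms(info["notAfter"])
    days_left = (not_after - now).days
    if now < not_before:
        status = "not_yet_valid"
    elif now >= not_after:
        status = "expired"
    elif days_left < warn_days:
        status = "expiring"
    else:
        status = "ok"
    flags = info["trustFlags"]  # three fields: SSL, S/MIME, code signing
    return {
        "nickname": info["nickname"],
        "not_after": not_after,
        "days_left": days_left,
        "status": status,
        # 'C' / 'T' mark a CA trusted to issue server / client certificates.
        "ca_trust": any(f in flags for f in "CT"),
        # 'u' marks a user certificate (NSS sets it when the private key is present).
        "user_cert": "u" in flags,
    }

if __name__ == "__main__":
    print(check_cert(json.loads(SAMPLE), datetime.now(timezone.utc)))
```

On a host with the pki CLI installed, pass `show_cert("caadmin")` to `check_cert` in place of the sample.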
To display info of a certificate identified by its binary data:
$ pki nss-cert-show --cert-file caadmin.crt
Nickname: caadmin
Serial Number: 0x844a78e9c0c7567b80da5343fb049110
Subject DN: CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE
Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
Not Valid Before: Wed Aug 02 18:18:40 CDT 2023
Not Valid After: Tue Jul 22 18:18:40 CDT 2025
Trust Flags: u,u,u
To import a certificate into the NSS database:
$ pki nss-cert-import [nickname] \
    --cert <filename> \
    --trust <attributes>
Availability: Since PKI 10.9.
To export a certificate from the NSS database:
$ pki nss-cert-export <nickname>
To remove a certificate from the internal token in the NSS database:
$ pki nss-cert-del <nickname>
To remove a certificate from an HSM, prepend the nickname with the token name: <token>:<nickname>.
To remove the key of the certificate, specify the --remove-key option.
Availability: Since PKI 11.5.