Skip to content

PKI NSS Certificate CLI

Jump to bottom
Endi S. Dewata edited this page Aug 26, 2024 · 13 revisions

Overview

The pki nss-cert commands can be used to manage certificates in an NSS database.

Finding Certificates in NSS Database

To find all certificates in NSS database:

$ pki nss-cert-find

Availability: Since PKI 11.1.

To find certificates with a specific subject DN or issuer DN, specify the following options:

$ pki nss-cert-find --subject <DN> --issuer <DN>

Availability: Since PKI 11.6.

Displaying Certificate Info

To display certificate info:

$ pki nss-cert-show caadmin
  Nickname: caadmin
  Serial Number: 0x844a78e9c0c7567b80da5343fb049110
  Subject DN: CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Not Valid Before: Wed Aug 02 18:18:40 CDT 2023
  Not Valid After: Tue Jul 22 18:18:40 CDT 2025
  Trust Flags: u,u,u

To display certificate info in JSON format:

$ pki nss-cert-show caadmin --output-format json
{
  "nickname" : "caadmin",
  "serialNumber" : "0x844a78e9c0c7567b80da5343fb049110",
  "subjectDN" : "CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE",
  "issuerDN" : "CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE",
  "notBefore" : 1691018320000,
  "notAfter" : 1753226320000,
  "trustFlags" : "u,u,u"
}

To display info of a certificate identified by its binary data:

$ pki nss-cert-show --cert-file caadmin.crt
  Nickname: caadmin
  Serial Number: 0x844a78e9c0c7567b80da5343fb049110
  Subject DN: CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Not Valid Before: Wed Aug 02 18:18:40 CDT 2023
  Not Valid After: Tue Jul 22 18:18:40 CDT 2025
  Trust Flags: u,u,u

Generating Certificate Request in NSS Database

Issuing Certificate using NSS Database

Importing Certificate into NSS Database

To import a certificate into NSS database:

$ pki nss-cert-import [nickname] \
    --cert <filename> \
    --trust <attributes>

Availability: Since PKI 10.9.

Exporting Certificate from NSS Database

To export a certificate from NSS database:

$ pki nss-cert-export <nickname>

Removing Certificate from NSS Database

To remove a certificate from the internal token in NSS database:

$ pki nss-cert-del <nickname>

To remove a certificate from HSM, prepend the nickname with the token name: <token>:<nickname>. To remove the key of the certificate, specify a --remove-key option.

Availability: Since PKI 11.5.

Tip
 To find a page in the Wiki, enter the keywords in search field, press Enter, then click Wikis.
Clone this wiki locally