Linux command
certutil command
After copying, replace file names, directories, or parameters as needed.
Common examples
List certificates in database
certutil -L -d [~/.pki/nssdb]
Add certificate to database
certutil -A -n "[alias]" -t "CT,," -d [~/.pki/nssdb] -i [cert.pem]
Generate key pair
certutil -G -d [~/.pki/nssdb] -n "[keyname]"
Delete certificate
certutil -D -n "[alias]" -d [~/.pki/nssdb]
Create self-signed certificate
certutil -S -n "[alias]" -x -t "CT,," -d [~/.pki/nssdb] -s "CN=[hostname]"
Display certificate details
certutil -L -d [~/.pki/nssdb] -n "[alias]"
Description
certutil manages keys and certificates in NSS (Network Security Services) databases. It creates, modifies, lists, and deletes certificates and key pairs used by applications built on the NSS library, including Firefox, Thunderbird, and Chromium-based browsers. NSS databases store certificates in a directory-based format, with modern versions using SQLite (specified with the `sql:` prefix). The tool handles the full certificate lifecycle including generating key pairs, creating self-signed certificates, importing CA certificates, and managing trust flags that control how certificates are used for SSL, email signing, and code signing. Trust flags follow the format "SSL,Email,Object Signing" where `C` marks a trusted CA and `T` marks a certificate trusted for client authentication.
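An added example, not part of the original page: a small shell filter that reads the text of `certutil -L` and reports every nickname carrying `C` or `T` in any of the three trust positions described above, which gives a quick review of what a database trusts. The function name `audit_trust`, the `ssl`/`email`/`objsign` labels and the sample listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): list NSS database entries whose
# trust string contains C or T in any of the three positions.
# Real use: certutil -L -d sql:$HOME/.pki/nssdb | audit_trust

audit_trust() {
    awk '
    # A data row ends with the trust string: three comma-separated flag
    # groups in the order SSL, Email, Object Signing. Header rows do not match.
    $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
        nick = $0
        sub(/[ \t]+[^ \t]+[ \t]*$/, "", nick)   # strip the trust column
        sub(/^[ \t]+/, "", nick)                # nicknames may contain spaces
        split($NF, group, ",")
        usage[1] = "ssl"; usage[2] = "email"; usage[3] = "objsign"
        hits = ""
        for (i = 1; i <= 3; i++)
            if (group[i] ~ /[CT]/)
                hits = hits (hits == "" ? "" : " ") usage[i] "=" group[i]
        if (hits != "") printf "%s|%s\n", nick, hits
    }'
}

# Constructed sample, laid out like a certutil -L listing (nicknames are made up).
sample_listing() {
    cat <<'EOF'

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Example Internal Root CA                                     CT,,
mail-gateway                                                 ,C,
dev-laptop-selfsigned                                        u,u,u
EOF
}

sample_listing | audit_trust
```

Each output line has the form `nickname|usage=flags`, so entries that should not hold CA trust stand out and can be removed with `certutil -D`.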
Parameters
- -A: Add certificate to database
- -D: Delete certificate from database
- -L: List certificates
- -G: Generate new key pair
- -S: Create and add self-signed certificate
- -R: Generate certificate request
- -C: Create certificate from request
- -K: List keys in database
- -d _dir_: Database directory (use sql: prefix for SQLite)
- -n _name_: Certificate nickname/alias
- -t _trust_: Trust flags (e.g., "CT,,")
- -i _file_: Input file
- -o _file_: Output file
- -x: Self-sign certificate
- -s _subject_: Subject DN string
- -v _months_: Validity period in months
FAQ
How do I run a basic certutil example?
Run `certutil -L -d [~/.pki/nssdb]` in a terminal, then adjust file names, paths, flags, or remote targets for your system.
What does -A do in certutil?
Add certificate to database