logo
Free, unlimited AI code reviews that run on commit
git-lrc git-lrc GitHub Install Now We'd appreciate a star git-lrc - Free, unlimited AI code reviews that run on commit | Product Hunt git-lrc - Free, unlimited AI code reviews that run on commit | Product Hunt

PKICertImport - Used to safely validate and import certificates into the NSS database.

Authors

       Alexander Scheel lt;ascheel@redhat.comgt;.

Description

       The certificate import utility validates signature, trust chain, trust, and usage flags before  importing
       a  certificate  into  the  specified  NSS  database.  This ensures that no certificate is used before its
       authenticity has been verified.  Unlike certutil, only one invocation is necessary to both  validate  and
       import certificates.

       See certutil for more information about the parameters to PKICertImport.

Environment

VERBOSE
           When specified, see all internal commands being executed as part of this command.

Examples

       To import a server certificate:

              PKICertImport -d . -n "example.com" -i example-com.crt -t ,, -u V

       To import a CA certificate (root or intermediate):

              PKICertImport -d . -n "MyCA Cert" -i ca-cert.crt -t CT,C,C -u L

       To import a leaf client certificate from a PKCS12 chain:

              PKICertImport -d . -n "Nick Named" -i nick-named.p12 -t ,, -u C --pkcs12 --leaf

       To import the entire chain of a client certificate:

              PKICertImport -d . -n "Nick Named" -i nick-named.p12 -t ,, -u C --pkcs12 --chain --chain-trust CT,C,C --chain-usage L

Name

       PKICertImport - Used to safely validate and import certificates into the NSS database.

Options

PKICertImport parameters:

       --ascii, -a
           The certificate is encoded in ASCII (PEM) format instead of binary format. Optional.

       --certificate, -icertificate
           Path to the certificate to import. Required.

       --chain, -c
           Import an entire PKCS12 chain; requires --pkcs12. Optional.

       --chain-trusttrust
           Trust flags to assign intermediate certificates; requires --chain.

       --chain-usageusage
           Usage to validate intermediate certificates against; requires --chain.

       --database, -dNSS-database
           The directory containing the NSS database. This is usually the client's personal directory. Required.

       --password, -fpassword-file
           The path to a file containing the password to the NSS database. Optional.

       --hsm, -htoken
           Name of the token. If not specified, the default token is the internal database slot. Optional.

       --leaf-only, -l
           Import only the leaf certificate from a PKCS12 chain; requiers --pkcs12. Optional.

       --nickname, -nnickname
           Nickname for the certificate in the NSS database. Required.

       --pkcs12, -p
           The input certificate is a .p12/PKCS12 file. Optional.

       --pkcs12-password, -wpassword-file
           Password file for the PKCS12 chain; requires --pkcs12.

       --trust, -ttrust
           Trust  flags  for the certificate. See certutil for more information about the available trust flags.
       Required.

       --usage, -uusage
           Usage to validate the certificate against. See certutil for more information  about  available  usage
       flags. Required.

Synopsis

PKICertImport-dNSS-database-icertificate-nnickname-ttrust-uusage [-htoken] [-fpassword-file]
       [-a]

       Validate and import a certificate into the specified NSS  database.   Verifies  signature,  trust  chain,
       trust,  and  usage  flags.   If  a  certificate is not valid, it will not be added to the NSS database or
       specified token.

Unsafe Options

--unsafe-keep-keys
           Keep the keys in the NSS DB in the event of a verification failure.

       --unsafe-trust-then-verify
           Specify  trust  when  importing the certificate instead of after verifying certificates. This enables
       importing a new root certificate instead of requiring the chain to have an existing, trusted root.

See Also