summaryrefslogtreecommitdiffstats
path: root/security/nss/doc/rst/legacy/tools/crlutil/index.rst
diff options
context:
space:
mode:
Diffstat (limited to 'security/nss/doc/rst/legacy/tools/crlutil/index.rst')
-rw-r--r--security/nss/doc/rst/legacy/tools/crlutil/index.rst229
1 files changed, 229 insertions, 0 deletions
diff --git a/security/nss/doc/rst/legacy/tools/crlutil/index.rst b/security/nss/doc/rst/legacy/tools/crlutil/index.rst
new file mode 100644
index 0000000000..ee68b4dbfb
--- /dev/null
+++ b/security/nss/doc/rst/legacy/tools/crlutil/index.rst
@@ -0,0 +1,229 @@
+.. _mozilla_projects_nss_tools_crlutil:
+
+NSS tools : crlutil
+===================
+
+.. container::
+
+ | Name
+ | crlutil — List, generate, modify, or delete CRLs within the NSS security
+ | database file(s) and list, create, modify or delete certificates entries
+ | in a particular CRL.
+ | Synopsis
+ | crlutil [options] `arguments <arguments>`__
+ | Description
+ | The Certificate Revocation List (CRL) Management Tool, crlutil, is a
+ | command-line utility that can list, generate, modify, or delete CRLs
+ | within the NSS security database file(s) and list, create, modify or
+ | delete certificates entries in a particular CRL.
+ | The key and certificate management process generally begins with creating
+ | keys in the key database, then generating and managing certificates in the
+ | certificate database(see certutil tool) and continues with certificates
+ | expiration or revocation.
+ | This document discusses certificate revocation list management. For
+ | information on security module database management, see Using the Security
+ | Module Database Tool. For information on certificate and key database
+ | management, see Using the Certificate Database Tool.
+ | To run the Certificate Revocation List Management Tool, type the command
+ | crlutil option [arguments]
+ | where options and arguments are combinations of the options and arguments
+ | listed in the following section. Each command takes one option. Each
+ | option may take zero or more arguments. To see a usage string, issue the
+ | command without options, or with the -H option.
+ | Options and Arguments
+ | Options
+ | Options specify an action. Option arguments modify an action. The options
+ | and arguments for the crlutil command are defined as follows:
+ | -G
+ | Create new Certificate Revocation List(CRL).
+ | -D
+ | Delete Certificate Revocation List from cert database.
+ | -I
+ | Import a CRL to the cert database
+ | -E
+ | Erase all CRLs of specified type from the cert database
+ | -L
+ | List existing CRL located in cert database file.
+ | -M
+ | Modify existing CRL which can be located in cert db or in
+ | arbitrary file. If located in file it should be encoded in ASN.1
+ | encode format.
+ | -G
+ | Arguments
+ | Option arguments modify an action and are lowercase.
+ | -B
+ | Bypass CA signature checks.
+ | -P dbprefix
+ | Specify the prefix used on the NSS security database files (for
+ | example, my_cert8.db and my_key3.db). This option is provided as a
+ | special case. Changing the names of the certificate and key
+ | databases is not recommended.
+ | -a
+ | Use ASCII format or allow the use of ASCII format for input and
+ | output. This formatting follows RFC #1113.
+ | -c crl-gen-file
+ | Specify script file that will be used to control crl
+ | generation/modification. See crl-cript-file format below. If
+ | options -M|-G is used and -c crl-script-file is not specified,
+ | crlutil will read script data from standard input.
+ | -d directory
+ | Specify the database directory containing the certificate and key
+ | database files. On Unix the Certificate Database Tool defaults to
+ | $HOME/.netscape (that is, ~/.netscape). On Windows NT the default
+ | is the current directory.
+ | The NSS database files must reside in the same directory.
+ | -i crl-import-file
+ | Specify the file which contains the CRL to import
+ | -f password-file
+ | Specify a file that will automatically supply the password to
+ | include in a certificate or to access a certificate database. This
+ | is a plain-text file containing one password. Be sure to prevent
+ | unauthorized access to this file.
+ | -l algorithm-name
+ | Specify a specific signature algorithm. List of possible
+ | algorithms: MD2 \| MD4 \| MD5 \| SHA1 \| SHA256 \| SHA384 \| SHA512
+ | -n nickname
+ | Specify the nickname of a certificate or key to list, create, add
+ | to a database, modify, or validate. Bracket the nickname string
+ | with quotation marks if it contains spaces.
+ | -o output-file
+ | Specify the output file name for new CRL. Bracket the output-file
+ | string with quotation marks if it contains spaces. If this
+ | argument is not used the output destination defaults to standard
+ | output.
+ | -t crl-type
+ | Specify type of CRL. possible types are: 0 - SEC_KRL_TYPE, 1 -
+ | SEC_CRL_TYPE. This option is obsolete
+ | -u url
+ | Specify the url.
+ | CRL Generation script syntax
+ | CRL generation script file has the following syntax:
+ | \* Line with comments should have # as a first symbol of a line
+ | \* Set "this update" or "next update" CRL fields:
+ | update=YYYYMMDDhhmmssZ nextupdate=YYYYMMDDhhmmssZ
+ | Field "next update" is optional. Time should be in GeneralizedTime format
+ | (YYYYMMDDhhmmssZ). For example: 20050204153000Z
+ | \* Add an extension to a CRL or a crl certificate entry:
+ | addext extension-name critical/non-critical [arg1[arg2 ...]]
+ | Where:
+ | extension-name: string value of a name of known extensions.
+ | critical/non-critical: is 1 when extension is critical and 0 otherwise.
+ | arg1, arg2: specific to extension type extension parameters
+ | addext uses the range that was set earlier by addcert and will install an
+ | extension to every cert entries within the range.
+ | \* Add certificate entries(s) to CRL:
+ | addcert range date
+ | range: two integer values separated by dash: range of certificates that
+ | will be added by this command. dash is used as a delimiter. Only one cert
+ | will be added if there is no delimiter. date: revocation date of a cert.
+ | Date should be represented in GeneralizedTime format (YYYYMMDDhhmmssZ).
+ | \* Remove certificate entry(s) from CRL
+ | rmcert range
+ | Where:
+ | range: two integer values separated by dash: range of certificates that
+ | will be added by this command. dash is used as a delimiter. Only one cert
+ | will be added if there is no delimiter.
+ | \* Change range of certificate entry(s) in CRL
+ | range new-range
+ | Where:
+ | new-range: two integer values separated by dash: range of certificates
+ | that will be added by this command. dash is used as a delimiter. Only one
+ | cert will be added if there is no delimiter.
+ | Implemented Extensions
+ | The extensions defined for CRL provide methods for associating additional
+ | attributes with CRLs of theirs entries. For more information see RFC #3280
+ | \* Add The Authority Key Identifier extension:
+ | The authority key identifier extension provides a means of identifying the
+ | public key corresponding to the private key used to sign a CRL.
+ | authKeyId critical [key-id \| dn cert-serial]
+ | Where:
+ | authKeyIdent: identifies the name of an extension critical: value of 1 of
+ | 0. Should be set to 1 if this extension is critical or 0 otherwise.
+ | key-id: key identifier represented in octet string. dn:: is a CA
+ | distinguished name cert-serial: authority certificate serial number.
+ | \* Add Issuer Alternative Name extension:
+ | The issuer alternative names extension allows additional identities to be
+ | associated with the issuer of the CRL. Defined options include an rfc822
+ | name (electronic mail address), a DNS name, an IP address, and a URI.
+ | issuerAltNames non-critical name-list
+ | Where:
+ | subjAltNames: identifies the name of an extension should be set to 0 since
+ | this is non-critical extension name-list: comma separated list of names
+ | \* Add CRL Number extension:
+ | The CRL number is a non-critical CRL extension which conveys a
+ | monotonically increasing sequence number for a given CRL scope and CRL
+ | issuer. This extension allows users to easily determine when a particular
+ | CRL supersedes another CRL
+ | crlNumber non-critical number
+ | Where:
+ | crlNumber: identifies the name of an extension critical: should be set to
+ | 0 since this is non-critical extension number: value of long which
+ | identifies the sequential number of a CRL.
+ | \* Add Revocation Reason Code extension:
+ | The reasonCode is a non-critical CRL entry extension that identifies the
+ | reason for the certificate revocation.
+ | reasonCode non-critical code
+ | Where:
+ | reasonCode: identifies the name of an extension non-critical: should be
+ | set to 0 since this is non-critical extension code: the following codes
+ | are available:
+ | unspecified (0), keyCompromise (1), cACompromise (2), affiliationChanged
+ | (3), superseded (4), cessationOfOperation (5), certificateHold (6),
+ | removeFromCRL (8), privilegeWithdrawn (9), aACompromise (10)
+ | \* Add Invalidity Date extension:
+ | The invalidity date is a non-critical CRL entry extension that provides
+ | the date on which it is known or suspected that the private key was
+ | compromised or that the certificate otherwise became invalid.
+ | invalidityDate non-critical date
+ | Where:
+ | crlNumber: identifies the name of an extension non-critical: should be set
+ | to 0 since this is non-critical extension date: invalidity date of a cert.
+ | Date should be represented in GeneralizedTime format (YYYYMMDDhhmmssZ).
+ | Usage
+ | The Certificate Revocation List Management Tool's capabilities are grouped
+ | as follows, using these combinations of options and arguments. Options and
+ | arguments in square brackets are optional, those without square brackets
+ | are required.
+ | See "Implemented extensions" for more information regarding extensions and
+ | their parameters.
+ | \* Creating or modifying a CRL:
+ | crlutil -G|-M -c crl-gen-file -n nickname [-i crl] [-u url] [-d keydir] [-P dbprefix] [-l alg]
+ [-a] [-B]
+ | \* Listing all CRls or a named CRL:
+ | crlutil -L [-n crl-name] [-d krydir]
+ | \* Deleting CRL from db:
+ | crlutil -D -n nickname [-d keydir] [-P dbprefix]
+ | \* Erasing CRLs from db:
+ | crlutil -E [-d keydir] [-P dbprefix]
+ | \* Deleting CRL from db:
+ | crlutil -D -n nickname [-d keydir] [-P dbprefix]
+ | \* Erasing CRLs from db:
+ | crlutil -E [-d keydir] [-P dbprefix]
+ | \* Import CRL from file:
+ | crlutil -I -i crl [-t crlType] [-u url] [-d keydir] [-P dbprefix] [-B]
+ | See also
+ | certutil(1)
+ | See Also
+ | Additional Resources
+ | NSS is maintained in conjunction with PKI and security-related projects
+ | through Mozilla dn Fedora. The most closely-related project is Dogtag PKI,
+ | with a project wiki at [1]\ http://pki.fedoraproject.org/wiki/.
+ | For information specifically about NSS, the NSS project wiki is located at
+ |
+ [2]\ `http://www.mozilla.org/projects/security/pki/nss/ <https://www.mozilla.org/projects/security/pki/nss/>`__.
+ The NSS site relates
+ | directly to NSS code changes and releases.
+ | Mailing lists: pki-devel@redhat.com and pki-users@redhat.com
+ | IRC: Freenode at #dogtag-pki
+ | Authors
+ | The NSS tools were written and maintained by developers with Netscape and
+ | now with Red Hat.
+ | Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey
+ | <dlackey@redhat.com>.
+ | Copyright
+ | (c) 2010, Red Hat, Inc. Licensed under the GNU Public License version 2.
+ | References
+ | Visible links
+ | 1. http://pki.fedoraproject.org/wiki/
+ | 2.
+ `http://www.mozilla.org/projects/security/pki/nss/ <https://www.mozilla.org/projects/security/pki/nss/>`__ \ No newline at end of file
generated by cgit v1.2.3 (git 2.39.1) at 2024-07-22 12:25:57 +0000