certutil -V (return code: 1)
certutil - Utility to manipulate NSS certificate databases
Usage: certutil <command> -d <database-directory> <options>
Valid commands:
-A Add a certificate to the database (create if needed)
-B Run a series of certutil commands from a batch file
-E Add an Email certificate to the database (create if needed)
-C Create a new binary certificate from a BINARY cert request
-G Generate a new key pair
-D Delete a certificate from the database
--rename Change the database nickname of a certificate
-F Delete a key from the database
-U List all modules
-K List all private keys
-L List all certs, or print out a single named cert (or a subset)
-M Modify trust attributes of certificate
-N Create a new certificate database
-T Reset the Key database or token
-O Print the chain of a certificate
-R Generate a certificate request (stdout)
-V Validate a certificate
-W Change the key database password
--upgrade-merge Upgrade an old database and merge it into a new one
--merge Merge source database into the target database
-S Make a certificate and add to database
certutil -H <command> : Print available options for the given command
certutil -H : Print complete help output of all commands and options
certutil --syntax : Print a short summary of all commands and options
certutil -HELP (return code: 1)
-A Add a certificate to the database (create if needed)
All options under -E apply
-B Run a series of certutil commands from a batch file
-i batch-file Specify the batch file
-E Add an Email certificate to the database (create if needed)
-n cert-name Specify the nickname of the certificate to add
-t trustargs Set the certificate trust attributes:
trustargs is of the form x,y,z where x is for SSL, y is for S/MIME,
and z is for code signing. Use ,, for no explicit trust.
p prohibited (explicitly distrusted)
P trusted peer
c valid CA
T trusted CA to issue client certs (implies c)
C trusted CA to issue server certs (implies c)
u user cert
w send warning
g make step-up cert
-f pwfile Specify the password file
-d certdir Cert database directory (default is ~/.netscape)
-P dbprefix Cert & Key database prefix
-a The input certificate is encoded in ASCII (RFC1113)
-i input Specify the certificate file (default is stdin)
-C Create a new binary certificate from a BINARY cert request
-c issuer-name The nickname of the issuer cert
-i cert-request The BINARY certificate request file
-o output-cert Output binary cert to this file (default is stdout)
-x Self sign
-m serial-number Cert serial number
-w warp-months Time Warp
-v months-valid Months valid (default is 3)
-f pwfile Specify the password file
-d certdir Cert database directory (default is ~/.netscape)
-P dbprefix Cert & Key database prefix
-Z hashAlg
Specify the hash algorithm to use. Possible keywords:
"MD2", "MD4", "MD5", "SHA1", "SHA224",
"SHA256", "SHA384", "SHA512"
-1 | --keyUsage keyword,keyword,...
Create key usage extension. Possible keywords:
"digitalSignature", "nonRepudiation", "keyEncipherment",
"dataEncipherment", "keyAgreement", "certSigning",
"crlSigning", "critical"
-2 Create basic constraint extension
-3 Create authority key ID extension
-4 Create crl distribution point extension
-5 | --nsCertType keyword,keyword,...
Create netscape cert type extension. Possible keywords:
"sslClient", "sslServer", "smime", "objectSigning",
"sslCA", "smimeCA", "objectSigningCA", "critical".
-6 | --extKeyUsage keyword,keyword,...
Create extended key usage extension. Possible keywords:
"serverAuth", "clientAuth","codeSigning",
"emailProtection", "timeStamp","ocspResponder",
"stepUp", "msTrustListSign", "critical"
-7 emailAddrs Create an email subject alt name extension
-8 dnsNames Create an dns subject alt name extension
-a The input certificate request is encoded in ASCII (RFC1113)
-G Generate a new key pair
-h token-name Name of token in which to generate key (default is internal)
-k key-type Type of key pair to generate ("dsa", "ec", "rsa" (default))
-g key-size Key size in bits, (min 512, max 8192, default 2048) (not for ec)
-y exp Set the public exponent value (3, 17, 65537) (rsa only)
-f password-file Specify the password file
-z noisefile Specify the noise file to be used
-q pqgfile read PQG value from pqgfile (dsa only)
-q curve-name Elliptic curve name (ec only)
One of nistp256, nistp384, nistp521, curve25519.
If a custom token is present, the following curves are also supported:
sect163k1, nistk163, sect163r1, sect163r2,
nistb163, sect193r1, sect193r2, sect233k1, nistk233,
sect233r1, nistb233, sect239k1, sect283k1, nistk283,
sect283r1, nistb283, sect409k1, nistk409, sect409r1,
nistb409, sect571k1, nistk571, sect571r1, nistb571,
secp160k1, secp160r1, secp160r2, secp192k1, secp192r1,
nistp192, secp224k1, secp224r1, nistp224, secp256k1,
secp256r1, secp384r1, secp521r1,
prime192v1, prime192v2, prime192v3,
prime239v1, prime239v2, prime239v3, c2pnb163v1,
c2pnb163v2, c2pnb163v3, c2pnb176v1, c2tnb191v1,
c2tnb191v2, c2tnb191v3,
c2pnb208w1, c2tnb239v1, c2tnb239v2, c2tnb239v3,
c2pnb272w1, c2pnb304w1,
c2tnb359w1, c2pnb368w1, c2tnb431r1, secp112r1,
secp112r2, secp128r1, secp128r2, sect113r1, sect113r2
sect131r1, sect131r2
-d keydir Key database directory (default is ~/.netscape)
-P dbprefix Cert & Key database prefix
--keyAttrFlags attrflags
PKCS #11 key Attributes.
Comma separated list of key attribute attribute flags,
selected from the following list of choices:
{token | session} {public | private} {sensitive | insensitive}
{modifiable | unmodifiable} {extractable | unextractable}
--keyOpFlagsOn opflags
--keyOpFlagsOff opflags
PKCS #11 key Operation Flags.
Comma separated list of one or more of the following:
encrypt, decrypt, sign, sign_recover, verify,
verify_recover, wrap, unwrap, derive
-D Delete a certificate from the database
-n cert-name The nickname of the cert to delete
-d certdir Cert database directory (default is ~/.netscape)
-P dbprefix Cert & Key database prefix
--rename Change the database nickname of a certificate
-n cert-name The old nickname of the cert to rename
--new-n new-name The new nickname of the cert to rename
-d certdir Cert database directory (default is ~/.netscape)
-P dbprefix Cert & Key database prefix
-F Delete a key from the database
-n cert-name The nickname of the key to delete
-d certdir Cert database directory (default is ~/.netscape)
-P dbprefix Cert & Key database prefix
-U List all modules
-d moddir Module database directory (default is '~/.netscape')
-P dbprefix Cert & Key database prefix
-X force the database to open R/W
-K List all private keys
-h token-name Name of token to search ("all" for all tokens)
-k key-type Key type ("all" (default), "dsa", "ec", "rsa")
-n name The nickname of the key or associated certificate
-f password-file Specify the password file
-d keydir Key database directory (default is ~/.netscape)
-P dbprefix Cert & Key database prefix
-X force the database to open R/W
-L List all certs, or print out a single named cert (or a subset)
-h token-name Name of token to search ("all" for all tokens)
-n cert-name Pretty print named cert (list all if unspecified)
--email email-address
Pretty print cert with email address (list all if unspecified)
-d certdir Cert database directory (default is ~/.netscape)
-P dbprefix Cert & Key database prefix
-X force the database to open R/W
-r For single cert, print binary DER encoding
-a For single cert, print ASCII encoding (RFC1113)
--dump-ext-val OID
For single cert, print binary DER encoding of extension OID
-M Modify trust attributes of certificate
-n cert-name The nickname of the cert to modify
-t trustargs Set the certificate trust attributes (see -A above)
-d certdir Cert database directory (default is ~/.netscape)
-P dbprefix Cert & Key database prefix
-N Create a new certificate database
-d certdir Cert database directory (default is ~/.netscape)
-P dbprefix Cert & Key database prefix
-f password-file Specify the password file
--empty-password use empty password when creating a new database
-T Reset the Key database or token
-d certdir Cert database directory (default is ~/.netscape)
-P dbprefix Cert & Key database prefix
-h token-name Token to reset (default is internal)
-0 SSO-password Set token's Site Security Officer password
-O Print the chain of a certificate
-n cert-name The nickname of the cert to modify
-d certdir Cert database directory (default is ~/.netscape)
-a Input the certificate in ASCII (RFC1113); default is binary
-P dbprefix Cert & Key database prefix
-X force the database to open R/W
-R Generate a certificate request (stdout)
-s subject Specify the subject name (using RFC1485)
-o output-req Output the cert request to this file
-k key-type-or-id Type of key pair to generate ("dsa", "ec", "rsa" (default))
or nickname of the cert key to use
-h token-name Name of token in which to generate key (default is internal)
-g key-size Key size in bits, RSA keys only (min 512, max 8192, default 2048)
-q pqgfile Name of file containing PQG parameters (dsa only)
-q curve-name Elliptic curve name (ec only)
See the "-G" option for a full list of supported names.
-f pwfile Specify the password file
-d keydir Key database directory (default is ~/.netscape)
-P dbprefix Cert & Key database prefix
-p phone Specify the contact phone number ("123-456-7890")
-Z hashAlg
Specify the hash algorithm to use. Possible keywords:
"MD2", "MD4", "MD5", "SHA1", "SHA224",
"SHA256", "SHA384", "SHA512"
-a Output the cert request in ASCII (RFC1113); default is binary
See -S for available extension options
See -G for available key flag options
-V Validate a certificate
-n cert-name The nickname of the cert to Validate
-b time validity time ("YYMMDDHHMMSS[+HHMM|-HHMM|Z]")
-e Check certificate signature
-u certusage Specify certificate usage:
C SSL Client
V SSL Server
L SSL CA
A Any CA
Y Verify CA
S Email signer
R Email Recipient
O OCSP status responder
J Object signer
-d certdir Cert database directory (default is ~/.netscape)
-a Input the certificate in ASCII (RFC1113); default is binary
-P dbprefix Cert & Key database prefix
-X force the database to open R/W
-W Change the key database password
-d certdir cert and key database directory
-f pwfile Specify a file with the current password
-@ newpwfile Specify a file with the new password in two lines
--upgrade-merge Upgrade an old database and merge it into a new one
-d certdir Cert database directory to merge into (default is ~/.netscape)
-P dbprefix Cert & Key database prefix of the target database
-f pwfile Specify the password file for the target database
--source-dir certdir
Cert database directory to upgrade from
--source-prefix dbprefix
Cert & Key database prefix of the upgrade database
--upgrade-id uniqueID
Unique identifier for the upgrade database
--upgrade-token-name name
Name of the token while it is in upgrade state
-@ pwfile Specify the password file for the upgrade database
--merge Merge source database into the target database
-d certdir Cert database directory of target (default is ~/.netscape)
-P dbprefix Cert & Key database prefix of the target database
-f pwfile Specify the password file for the target database
--source-dir certdir
Cert database directory of the source database
--source-prefix dbprefix
Cert & Key database prefix of the source database
-@ pwfile Specify the password file for the source database
-S Make a certificate and add to database
-n key-name Specify the nickname of the cert
-s subject Specify the subject name (using RFC1485)
-c issuer-name The nickname of the issuer cert
-t trustargs Set the certificate trust attributes (see -A above)
-k key-type-or-id Type of key pair to generate ("dsa", "ec", "rsa" (default))
-h token-name Name of token in which to generate key (default is internal)
-g key-size Key size in bits, RSA keys only (min 512, max 8192, default 2048)
-q pqgfile Name of file containing PQG parameters (dsa only)
-q curve-name Elliptic curve name (ec only)
See the "-G" option for a full list of supported names.
-x Self sign
-m serial-number Cert serial number
-w warp-months Time Warp
-v months-valid Months valid (default is 3)
-f pwfile Specify the password file
-d certdir Cert database directory (default is ~/.netscape)
-P dbprefix Cert & Key database prefix
-p phone Specify the contact phone number ("123-456-7890")
-Z hashAlg
Specify the hash algorithm to use. Possible keywords:
"MD2", "MD4", "MD5", "SHA1", "SHA224",
"SHA256", "SHA384", "SHA512"
-1 Create key usage extension
-2 Create basic constraint extension
-3 Create authority key ID extension
-4 Create crl distribution point extension
-5 Create netscape cert type extension
-6 Create extended key usage extension
-7 emailAddrs Create an email subject alt name extension
-8 DNS-names Create a DNS subject alt name extension
--extAIA Create an Authority Information Access extension
--extSIA Create a Subject Information Access extension
--extCP Create a Certificate Policies extension
--extPM Create a Policy Mappings extension
--extPC Create a Policy Constraints extension
--extIA Create an Inhibit Any Policy extension
--extSKID Create a subject key ID extension
See -G for available key flag options
--extNC Create a name constraints extension
--extSAN type:name[,type:name]...
Create a Subject Alt Name extension with one or multiple names
- type: directory, dn, dns, edi, ediparty, email, ip, ipaddr,
other, registerid, rfc822, uri, x400, x400addr
--extGeneric OID:critical-flag:filename[,OID:critical-flag:filename]...
Add one or multiple extensions that certutil cannot encode yet,
by loading their encodings from external files.
- OID (example): 1.2.3.4
- critical-flag: critical or not-critical
- filename: full path to a file containing an encoded extension
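The trustargs letters documented under -A/-E (and reused by -M and -S) also appear in the trust column that `certutil -L` prints, so a database can be audited offline for entries that carry CA trust or explicit distrust. The following Python is an added example, not code from NSS or certutil; the listing it parses is a constructed sample in the layout `certutil -L` prints, with made-up nicknames and trust values.

```python
# Added example (not NSS/certutil code): decode the trustargs letters documented
# under -A/-E for the three usage slots (SSL, S/MIME, code signing) and audit a
# `certutil -L` listing for CA-trusted and explicitly distrusted entries.
FLAGS = "pPcTCuwg"  # the trust letters listed in the -A/-E help text
USAGES = ("SSL", "S/MIME", "code signing")  # column order of x,y,z

# Constructed sample in the column layout `certutil -L -d <dir>` prints;
# nicknames and trust values are made up for this example.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Example Root CA                                              CT,C,C
Legacy Code Signing CA                                       ,,C
Revoked Intermediate                                         p,p,p
www.example.test                                             u,u,u
Peer Cert                                                    P,,
"""

def parse_trustargs(trustargs):
    """Map 'x,y,z' to {usage: set of flag letters}; ',,' means no explicit trust."""
    parts = trustargs.split(",")
    if len(parts) != 3:
        raise ValueError("trustargs needs three comma-separated fields: %r" % trustargs)
    result = {}
    for usage, field in zip(USAGES, parts):
        flags = set(field)
        unknown = flags - set(FLAGS)
        if unknown:
            raise ValueError("unknown trust flag(s) %s in %r" % (sorted(unknown), trustargs))
        if flags & {"T", "C"}:
            flags.add("c")  # T and C imply c, as the help text states
        result[usage] = flags
    return result

def audit_listing(listing):
    """Return (nickname, usage, verdict) for each slot where an entry is a
    trusted CA or explicitly distrusted; user (u) and peer (P) certs are skipped."""
    findings = []
    for line in listing.splitlines():
        if not line.strip() or line.startswith(("Certificate Nickname", " ")):
            continue  # header, 'SSL,S/MIME,JAR/XPI' subheader, blank line
        nickname, trustargs = line.rstrip().rsplit(None, 1)
        for usage, flags in parse_trustargs(trustargs).items():
            if "p" in flags:
                findings.append((nickname, usage, "distrusted"))
            elif flags & {"C", "T"}:
                findings.append((nickname, usage, "trusted CA"))
    return findings
```

To audit a real database, replace SAMPLE_LISTING with the captured output of `certutil -L -d <certdir>`.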