User Commands pktool(1)
NAME
pktool - manage certificates and keys
SYNOPSIS
pktool [-f option_file] [-i] subcommand subcommand_options ...
DESCRIPTION
The pktool command allows users to manage the certificates
and keys on multiple keystores including PKCS#11 tokens
(that is, Cryptographic Framework), Netscape Security Ser-
vices (NSS) tokens, and standard file based keystore for OpenSSL.pktool also provides support to list, delete and import a
Certificate Revocation List (CRL). pktool does not provide
support for creating CRLs, signing CRLs, or exporting CRLs.The CRL support for the PKCS#11 keystore is file-based.
OPTIONS The following command options are supported:-f option_file Allows the user to set up the options in a
file instead of entering the options on the command line. This option is provided as a conveniencefor users because pktool can potentially
have a large list of subcommands and asso-
ciated options to be specified on the com-
mand line.The format of the option_file is one
option or value pair per-line.
An example option_file might looks as fol-
lows: list keystore=nss dir=/export/foo objtype=key-i Allows the user to specify the subject-DN
interactively for the gencert and gencsrsubcommands. When -i is specified, the
user is prompted to input some data toform a subject-DN.
SunOS 5.11 Last change: 22 Mar 2010 1
User Commands pktool(1)
An example of using the -i option follows:
Country Name (2 letter code) [US]:USState or Province Name (full name) [Some-State]:CA
Locality Name (eg, city) []:Menlo Park Organization Name (eg, company):Sun Microsystems Inc. Organizational Unit Name (eg, section):OPG Common Name (eg, YOUR name):John Smith Email Address []: john.smith@sun.comThe resulting subject-DN is:
"C=US, ST=CA, L=Menlo Park, O=Sun Microsystems Inc.,\ OU=OPG, emailAddress=john.smith@sun.com, \ CN=John Smith" SUBCOMMANDS The following subcommands are supported: delete The format for the delete subcommand is as follows:pktool delete [token=token[:manuf[:serial]]]
[objtype=private|public|both][label=object-label]
pktool delete keystore=pkcs11
objtype=cert[:public | private | both]] [token=token[:manuf[:serial]]][label=cert-label]
[serial=hex-serial-number]
[issuer=issuer-DN]
[subject=subject-DN]
pktool delete keystore=nss
objtype=cert[subject=subject-DN]
[issuer=issuer-DN]
[serial=hex-serial-number]
[nickname=cert-nickname]
[token=token[:manuf[:serial]]][dir=directory-path]
[prefix=DBprefix]pktool delete keystore=nss
objtype=crl[nickname=cert-nickname]
SunOS 5.11 Last change: 22 Mar 2010 2
User Commands pktool(1)
[subject=subject-DN]
[token=token[:manuf[:serial]]][dir=directory-path]
[prefix=DBprefix]pktool delete keystore=pkcs11
objtype=key[:public | private | both]] [token=token[:manuf[:serial]]][label=key-label]
pktool delete keystore=pkcs11
objtype=crlinfile=input-fn
pktool delete keystore=file
objtype=cert[infile=input-fn]
[dir=directory-path]
[serial=hex-serial-number]
[issuer=issuer-DN]
[subject=subject-DN]
pktool delete keystore=file
objtype=key[infile=input-fn]
[dir=directory-path]
pktool delete keystore=file
objtype=crlinfile=input-fn
Deletes a certificate, key, or certificate revocation list (CRL).To delete a private certificate or key from PKCS#11
token, the user is prompted to authenticate to thePKCS#11 by entering the correct Personal Identification
Number (PIN). download The format for the download subcommand is as follows:pktool download url=url_str
[objtype=crl|cert][http_proxy=proxy_str]
[outfile=output-fn]
[dir=directory-path]
SunOS 5.11 Last change: 22 Mar 2010 3
User Commands pktool(1)
Downloads a CRL file or a certificate file from the specified URL location. Once the file is successfully downloaded, checks the validity of the downloaded CRL or certificate file. If the CRL or the certificate is expired, download issues a warning. export The format for the export subcommand is as follows:pktool export [token=token[:manuf[:serial]]]
outfile=output-fn
pktool export keystore=pkcs11
outfile=output-fn
[objtype=cert|key] [label=label][subject=subject-DN]
[issuer=issuer-DN]
[serial=hex-serial-number]
[outformat=pem|der|pkcs12|raw] [token=token[:manuf[:serial]]]pktool export keystore=nss
outfile=output-fn
[subject=subject-DN]
[issuer=issuer-DN]
[serial=hex-serial-number]
[nickname=cert-nickname]
[token=token[:manuf[:serial]]][dir=directory-path]
[prefix=DBprefix] [outformat=pem|der|pkcs12]pktool export keystore=file
certfile=cert-input-fn
keyfile=key-input-fn
outfile=output-pkcs12-fn
Saves the contents of PKCS#11 token or certificates in
the NSS token or file-based keystore to the specified
file. gencert The format for the gencert subcommand is as follows:pktool gencert [-i] keystore=nss
label=cert-nickname
SunOS 5.11 Last change: 22 Mar 2010 4
User Commands pktool(1)
subject=subject-DN
serial=hex_serial_number
[altname=[critical:]subjectAltName] [keyusage=[critical:]usage,usage...] [token=token[:manuf[:serial]]][dir=directory-path]
[prefix=DBprefix] [keytype=rsa | ec [curve=ECC Curve Name] [hash= md5 | sha1 | sha256 | sha384 | sha512] [keytype=dsa [hash=sha1 ][keylen=key-size]
[trust=trust-value]
[eku=[critical:]EKU_name,...]
[listcurves ][lifetime=number-hour|number-day|number-year]
pktool gencert [-i] [ keystore=pkcs11]
label=key/cert-label
subject=subject-DN
serial=hex_serial_number
[altname=[critical:]subjectAltName] [keyusage=[critical:]usage,usage...] [token=token[:manuf[:serial]]] [ keytype=rsa | ec [curve=ECC Curve Name] [hash=md5 | sha1 | sha256 | sha384 | sha512]] [ keytype=dsa [hash=sha1 | sha256 ]][keylen=key-size]
[eku=[critical:]EKU_name,...]
[listcurves][lifetime=number-hour|number-day|number-year]
pktool gencert [-i] keystore=file
outcert=cert-fn
outkey=key-fn
subject=subject-DN
serial=hex_serial_number
[altname=[critical:]subjectAltName] [keyusage=[critical:]usage,usage...] [format=der|pem] [ keytype=rsa [hash=md5 | sha1 | sha256 | sha384 | sha512]] [ keytype=dsa [hash=sha1 | sha256 ]][keylen=key-size]
[eku=[critical:]EKU_name,...]
[lifetime=number-hour|number-day|number-year]
Generates a self-signed certificate and installs it and
its associated private key to the specified keystore.gencert prompts the user to enter a PIN for token-based
keystore.SunOS 5.11 Last change: 22 Mar 2010 5
User Commands pktool(1)
gencsr The format for the gencsr subcommand is as follows:pktool gencsr [-i] keystore=nss
nickname=key-nickname
outcsr=csr-fn
subject=subject-DN
[altname=[critical:]subjectAltName] [keyusage=[critical:]usage,usage...] [token=token[:manuf[:serial]]][dir=directory-path]
[prefix=DBprefix] [keytype=rsa | ec [curve=ECC Curve Name] [hash= md5 | sha1 | sha256 | sha384 | sha512] [keytype=dsa [hash=sha1 ][keylen=key-size]
[format=pem|der][eku=[critical:]EKU_name,...]
[listcurves]pktool gencsr [-i] keystore=pkcs11
label=key-label
outcsr=csr-fn
subject=subject-DN
[altname=[critical:]subjectAltName] [keyusage=[critical:]usage,usage...] [token=token[:manuf[:serial]]] [ keytype=rsa | ec [curve=ECC Curve Name] [hash=md5 | sha1 | sha256 | sha384 | sha512]][keylen=key-size]
[format=pem|der][eku=[critical:]EKU_name,...]
[listcurves]pktool gencsr [-i] keystore=file
outcsr=csr-fn
outkey=key-fn
subject=subject-DN
[altname=[critical:]subjectAltName] [keyusage=[critical:]usage,usage...][dir=directory-path]
[ keytype=rsa [hash=md5 | sha1 | sha256 | sha384 | sha512]] [ keytype=dsa [hash=sha1 | sha256 ]][keylen=key-size]
[format=pem|der][eku=[critical:]EKU_name,...]
Creates a PKCS#10 certificate signing request (CSR)
file. This CSR can be sent to a Certifying Authority (CA) for signing. The gencsr subcommand prompts the userto enter a PIN for token-based keystore.
SunOS 5.11 Last change: 22 Mar 2010 6
User Commands pktool(1)
genkey The format for the genkey subcommand is as follows:pktool genkey [keystore=pkcs11]
label=key-label
[keytype=aes|arcfour|des|3des|generic][keylen=key-size (for aes, arcfour, or \
generic keytypes only)] [token=token[:manuf[:serial]]] [sensitive=y|n] [extractable=y|n] [print=y|n]pktool genkey keystore=nss
label=key-label
[keytype=aes|arcfour|des|3des|generic][keylen=key-size (for aes, arcfour, or \
generic keytypes only)] [token=token[:manuf[:serial]]][dir=directory-path]
[prefix=DBprefix]pktool genkey keystore=file
outkey=key-fn
[keytype=aes|arcfour|des|3des|generic][keylen=key-size (for aes, arcfour, \
or generic keytypes only)] [print=y|n] Generates a symmetric key in the specified keystore. The genkey subcommand prompts the user to enter a PIN fortoken-based keystore.
genkeypair The format for the genkeypair subcommand is as follows:pktool genkeypair keystore=nss
label=key-nickname
[token=token[:manuf[:serial]]][dir=directory-path]
[prefix=DBprefix] [keytype=rsa|dsa|ec [curve=ECC Curve Name]][keylen=key-size]
[listcurves]pktool genkeypair [keystore=pkcs11]
SunOS 5.11 Last change: 22 Mar 2010 7
User Commands pktool(1)
label=key-label
[token=token[:manuf[:serial]]] [keytype=rsa|dsa|ec [curve=ECC Curve Name]][keylen=key-size]
[listcurves]pktool genkeypair keystore=file
outkey=key_filename
[format=der|pem] [keytype=rsa|dsa][keylen=key-size]
import The format for the import subcommand is as follows:pktool import [token=token>[:manuf>[:serial>]]]
infile=input-fn
pktool import [keystore=pkcs11]
infile=input-fn
label=object-label
[keytype=aes|arcfour|des|3des|generic] [sensitive=y|n] [extractable=y|n] [token=token[:manuf[:serial]]] [objtype=cert|key]pktool import keystore=pkcs11
objtype=crlinfile=input-fn
outcrl=output-crl-fn
outformat=pem|derpktool import keystore=nss
objtype=certinfile=input-fn
label=cert-label
[token=token[:manuf[:serial]]][dir=directory-path]
[prefix=DBprefix][trust=trust-value]
pktool import keystore=nss
objtype=crlinfile=input-fn
[verifycrl=y|n] [token=token[:manuf[:serial]]][dir=directory-path]
SunOS 5.11 Last change: 22 Mar 2010 8
User Commands pktool(1)
[prefix=DBprefix]pktool import keystore=file
infile=input-fn
outkey=output-key-fn
outcert=output-key-fn
[outformat=pem|der]pktool import keystore=file
objtype=crlinfile=input-fn
outcrl=output-crl-fn
outformat=pem|der Loads certificates, keys, or CRLs from the specified input file into the specified keystore. inittoken The format for the inittoken subcommand is as follows:pktool inittoken [ slotid=slot number ]
[ currlabel=token[:manuf[:serial]]] [ newlabel=new token label ]This command initializes a PKCS#11 token using
C_InitToken API. The preferred method of locating a
token is to specify its default label. Optionally, a new label can be assigned to the token by using the newlabel argument. If newlabel is not present, the token label is not modified. The user is prompted to enter the security officer (SO) PIN for this command to proceed. list The format for the list subcommand is as follows:pktool list [token=token[:manuf[:serial]]]
[objtype=private|public|both] [label=label]pktool list [keystore=pkcs11]
[objtype=cert[:public | private | both]] [token=token[:manuf[:serial]]][label=cert-label]
[serial=hex-serial-number]
[issuer=issuer-DN]
[subject=subject-DN]
SunOS 5.11 Last change: 22 Mar 2010 9
User Commands pktool(1)
pktool list [keystore=pkcs11]
objtype=key[:public | private | both]] [token=token[:manuf[:serial]]][label=key-label]
pktool list keystore=pkcs11
objtype=crlinfile=input-fn
pktool list keystore=nss
objtype=cert[subject=subject-DN]
[issuer=issuer-DN]
[serial=hex-serial-number]
[nickname=cert-nickname]
[token=token[:manuf[:serial]]][dir=directory-path]
[prefix=DBprefix]pktool list keystore=nss
objtype=key [token=token[:manuf[:serial]]][dir=directory-path]
[prefix=DBprefix]pktool list keystore=file
objtype=cert[infile=input-fn]
[dir=directory-path]
[serial=hex-serial-number]
[issuer=issuer-DN]
[subject=subject-DN]
pktool list keystore=file
objtype=key[infile=input-fn]
[dir=directory-path]
Lists certificates, list keys, or list certificate revo-
cation lists (CRL). When displaying a private certifi-
cate or key in PKCS#11 token, the user is prompted to
authenticate to the PKCS#11 token by entering the
correct PIN. setpin The format for the setpin subcommand is as follows:pktool setpin keystore=nss
[token=token]SunOS 5.11 Last change: 22 Mar 2010 10
User Commands pktool(1)
[dir=directory-path]
[prefix=DBprefix]pktool setpin [ keystore=pkcs11]
[token=token[:manuf[:serial]]] [usertype=user | so] Changes the passphrase used to authenticate a user tothe PKCS#11 or NSS token. Passphrases can be any string
of characters with lengths between 1 and 256 with no nulls. setpin prompts the user for the old passphrase, if any.If the old passphrase matches, pktool prompts for the
new passphrase twice. If the two entries of the new passphrases match, it becomes the current passphrase for the token.For the Sun Software PKCS#11 softtoken keystore
(default), the user must use the setpin command with the default passphrase changeme as the old passphrase to change the passphrase of the object store. This action is needed to initialize and set the passphrase to a newly created token object store.If the usertype=so option is specified for PKCS#11 based
tokens, the Security Officer (SO) user PIN is changed as opposed to the normal user PIN. By default the usertype is assumed to be user. signcsr The format for the signcsr subcommand is as follows: signcsr keystore=pkcs11 signkey=label (label of key to use for signing)csr=CSR_filename
serial=serial_number_hex_string_for_final_certificate
outcert=filename_for_final_certificate
issuer=issuer-DN
[store=y|n] (store the new cert in NSS DB, default=n) [outlabel=certificate label] [format=pem|der] (certificate output format)[subject=subject-DN] (override the CSR subject name)
[altname=subjectAltName] (add subjectAltName ) [keyusage=[critical:]usage,...] (add key usage bits)[eku=[critical:]EKU_Name,...] (add Extended Key Usage )
[lifetime=number-hour|number-day|number-year]
[token=token[:manuf[:serial]]] signcsr keystore=fileSunOS 5.11 Last change: 22 Mar 2010 11
User Commands pktool(1)
signkey=filenamecsr=CSR_filename
serial=serial_number_hex_string_for_final_certificate
outcert=filename_for_final_certificate
issuer=issuer-DN
[format=pem|der] (certificate output format)[subject=subject-DN] (override the CSR subject name)
[altname=subjectAltName] (add a subjectAltName) [keyusage=[critical:]usage,...] (add key usage bits)[lifetime=number-hour|number-day|number-year]
[eku=[critical:]EKU_ Name,...] (add Extended Key Usage)
signcsr keystore=nss signkey=label (label of key to use for signing)csr=CSR_filename
serial=serial_number_hex_string_for_final_certificate
outcert=filename_for_final_certificate
issuer=issuer-DN
[store=y|n] (store the new cert in NSS DB, default=n) [outlabel=certificate label] [format=pem|der] (certificate output format)[subject=subject-DN] (override the CSR subject name)
[altname=subjectAltName] (add a subjectAltName) [keyusage=[critical:]usage,...] (add key usage bits)[eku=[critical:]EKU_Name,...] (add Extended Key Usage)
[lifetime=number-hour|number-day|number-year]
[token=token[:manuf[:serial]]][dir=directory-path]
[prefix=DBprefix] tokens The format for the tokens subcommand is as follows:pktool tokens
The tokens subcommand lists all visible PKCS#11 tokens.
-?
The format for the subcommand is as follows:pktool -?
pktool --help
The -? option displays usage and help information. --
help is a synonym for -?.
SunOS 5.11 Last change: 22 Mar 2010 12
User Commands pktool(1)
USAGE
The pktool subcommands support the following options:
altname=[critical:]subjectAltName Subject Alternative Names the certificate. The argumentthat follows the -A option should be in the form of
tag=value. Valid tags are IP, DNS, EMAIL, URI, DN, KRB, UPN, and RID. The SubjectAltName extension is marked ascritical if the altname string is pre-peneded with the
Example 1: Add an IP address to the subjectAltName extension. altname="IP=1.2.3.4" Example 2: Add an email address to the subjectAltName extension, and mark it as being critical. altname="critical:EMAIL=first.last@company.com" currlabel=token label This option is only used by the inittoken command. Thisis used to locate the default token that is being ini-
tialized. See the token option for details about the format of the token name to be used.curve=Elliptic_Curve_Name
This option is for specifying the Elliptic Curve parame-
ters to be used when generating an X.509 certificate orcertificate signing request or when generating an Ellip-
tic Curve keypair. The following named curves are supported: secp112r1, secp112r2, secp128r1, secp128r2, secp160k1 secp160r1, secp160r2, secp192k1, secp192r1, secp224k1 secp224r1, secp256k1, secp256r1, secp384r1, secp521r1 sect113r1, sect113r2, sect131r1, sect131r2, sect163k1 sect163r1, sect163r2, sect193r1, sect193r2, sect233k1 sect233r1, sect239k1, sect283k1, sect283r1, sect409k1 sect409r1, sect571k1, sect571r1, c2pnb163v1, c2pnb163v2 c2pnb163v3, c2pnb176v1, c2tnb191v1, c2tnb191v2, c2tnb191v3 c2pnb208w1, c2tnb239v1, c2tnb239v2, c2tnb239v3, c2pnb272w1 c2pnb304w1, c2tnb359v1, c2pnb368w1, c2tnb431r1, prime192v2 prime192v3 The list of named curves can also be seen by using the listcurves option with the gencert, gencsr, or genkeypair subcommands.SunOS 5.11 Last change: 22 Mar 2010 13
User Commands pktool(1)
dir=directory_path
Specifies the NSS database directory, or OpenSSL key-
store directory where the requested object is stored.eku=[critical:]EKU_Name,[critical:]EKU_Name, ...]
Specifies the extended key usage X.509v3 extension values to add to the certificate or certificate request.Specify EKU_Name as one of the following: serverAuth,
clientAuth, codeSigning, emailProtection, ipsecEndSys-
tem, ipsecTunnel, ipsecUser, timeStamping, OCSPSigning, KPClientAuth, KPKdc, or scLogon. An example is: eku=KPClientAuth,clientAuth extractable=y | nSpecifies the resulting symmetric key in the PKCS#11
token is extractable or not extractable. The valid values are: y and n. The default value is y. format=pem | der | pkcs12 For the gencert subcommand, this option only applies to the file based keystore such as OpenSSL. It is used to specify the output format of the key or certificate file to be created. The valid formats are: pem or der. The default format is pem. For the gencsr subcommand, this option specifies the output encoded format of the CSR file. The valid formats are: pem or der. The default format is pem. hash=md5 | sha1 | sha256 | sha384 | sha512 For the gencert and gencsr subcommands, this option allows the caller to specify the hash algorithm to be use for generating the X.509 certificate signature.This can be used when creating EC or RSA based certifi-
cates using the NSS or PKCS#11 keystores. Elliptic
Curve support is not available when using the OpenSSLfile-based keystore.
SunOS 5.11 Last change: 22 Mar 2010 14
User Commands pktool(1)
infile=input-fn
Specifies the certificate filename for list and delete subcommands when objtype=cert and keystore=file. For the import subcommand, this option specifies the filename to be imported. Specifies the input CRL filename for list, delete and import subcommands when objtype=crl.issuer=issuer-DN
Specifies the issuer of a certificate.keylen=key-size
Specifies the size (bits) of the private or symmetric key to generate. For the gencert and gencsr subcommands, the default key length is 1024 bits. For the genkey subcommand, the minimum and maximum bits of the symmetric key to generate using AES algorithm are 128 and 256. Using the ARCFOUR algorithm, the minimum and maximum bits are 8 and 2048. The minimum bits for ageneric secret key is 8 and the maximum bits is arbi-
trary. The default key length for the AES, ARCFOUR or generic secret keys is 128. For a DES key or a 3DES key, the key length is fixed and this option is ignored if specified. keystore=nss | pkcs11 | file Specifies the type of the underlying keystore: NSStoken, PKCS#11 token, or file-based plugin.
keytype=rsa | dsa | ec | aes | arcfour | des | 3des | gen-
eric Specifies the type of the private or symmetric key to generate. For the gencert and gencsr subcommands, the valid private key types are: rsa, ecor dsa. The default key type is rsa. For the genkey subcommand, the valid symmetric key types are: aes, arcfour, des, 3des, or generic. The default key type is aes.SunOS 5.11 Last change: 22 Mar 2010 15
User Commands pktool(1)
keyusage=[critical:]usage,usage,usage,... Key Usage strings: * digitalSignature * nonRepudiation * keyEncipherment * dataEncipherment * keyAgreement * keyCertSign * cRLSign * encipherOnly * decipherOnly Example 1: Set the KeyUsage so that the cert (or csr) can be used for signing and verifying data other than certificates or CRLs (digitalSignature) and also can beused for encrypting and decrypting data other than cryp-
tographic keys (dataEncipherment). keyusage=digitalSignature,dataEncipherment Example 2: The same as above (Example 1), but with the critical bit set. keyusage=critical:digitalSignature,dataEnciphermentlabel=key-label | cert-label
For the gencert subcommand, this option specifies thelabel of the private key and self-signed certificate in
the PKCS#11 token.
For the gencsr subcommand, this option specifies thelabel of the private key in the PKCS#11 token.
For the list subcommand, this option specifies the label of the X.509 Certificate (when objtype=key) or theprivate key (when objtype=cert) in the PKCS#11 token to
refine the list. For the delete subcommand, this option specifies the label of the X.509 Certificate (when objtype=key) or the private key (when objtype=cert) to delete a designatedobject from the PKCS#11 token.
listcurves This causes the list of supported Elliptic Curve names to be displayed. This option is only available with theSunOS 5.11 Last change: 22 Mar 2010 16
User Commands pktool(1)
gencert, gencsr, or genkeypair subcommands.lifetime=number-hour|number-day|number-year
Specifies the validity period a certificate is valid.The certificate life time can be specified by number-
hour, number-day, or number-year. Only one format can be
specified. The default is 1-year. Examples of this
option might be: lifetime=1-hour, lifetime=2-day,
lifetime=3-year
newlabel=token label This option is only used by the inittoken command. This is used to change the label assigned to the token that is being initialized. See the token option for details about the format of the token name to be used.nickname=cert-nickname
For the gencert subcommand, this option is required to specify the certificate's nickname for NSS keystore.For the list subcommand, this option specifies the nick-
name of the certificate in the NSS token to display its content. For the delete subcommand, to delete a CRL fromthe NSS token, this option is used to specify the nick-
name of the issuer's certificate. For the delete subcom-
mand, to delete a certificate from the NSS token, this option specifies the nickname of the certificate. For the import subcommand, to import a specified input file to the NSS token, this option is required to specify the nickname of the resulting certificate. objtype=cert | key | crl Specifies the class of the object: cert, key, or crl. For the download subcommand, if this option is not specified, default to crl. objtype=public | private | both Specifies the type of object: private object, public object, or both. This option only applies to list anddelete subcommands for the PKCS#11 token when
objtype=key is specified. The default value is public.SunOS 5.11 Last change: 22 Mar 2010 17
User Commands pktool(1)
For the list subcommand, the label option can be com-
bined with this option to further refine the list of keys. For the delete subcommand, this option can used to narrow the keys to be deleted to only public, or private ones. Alternately, the label option can be omitted to indicate that all public, private, or both type of keys are to be deleted.The use of public, private and both as choices for the objtype parameter are only applicablewith the PKCS#11 keystore in order to maintain compati-
bility with earlier versions of the pktool command.
outcert=cert-fn
Specifies the output certificate filename to write to. This option is required for the file based plugin suchas OpenSSL. Option outkey=key-fn is required with this
option.outcrl=output-crl-fn
Specifies the output CRL filename to write to.outcsr=csr-fn
Specifies the output CSR filename to write to.outfile=output-fn
For the export subcommand, this option specifies theoutput filename to be created. For the import subcom-
mand, this option specifies the output filename of the certificate or CRL. It only applies to the file based plugin such as OpenSSL. For the download subcommand, if this option is not specified, the downloaded file name is the basename of the URL string. outformat=pem | der | pkcs12 For the import subcommand, this option specifies the output format of the certificate or key that isextracted from a specified PKCS#12 file into the file
based plugin, The valid values are: pem or der. The default is pem. When importing a CRL to the CRL file based keystore, this option specifies the output format of the CRL. The valid values are: pem or der. The default is der. For the export subcommand, this option specifies the format of the specified output file to beSunOS 5.11 Last change: 22 Mar 2010 18
User Commands pktool(1)
created. The supported formats are: pem, der or pkcs12. The default is pkcs12.outkey=key-fn
Specifies the output private key filename to which to write. This option is only required when using the files keystore. prefix=DBprefix Specifies the NSS database prefix. This option only applies to the NSS token. print=y | n This option is used in the genkey subcommand and itapplies to the PKCS11 and File-based keystores. If
print=y, the genkey subcommand prints out the key value of the generated key in a single line of hex. Thedefault value is n. For the PKCS11 keystore, if a sym-
metric key is created with sensitive=y or extractable=n, the key value is not displayed, even the print option is set to y. The key is still created, but a warning like cannot reveal the key value is issued. sensitive=y | nSpecifies the resulting symmetric key in the PKCS#11
token is sensitive or not sensitive. The valid values are: y and n. The default value is n.serial=hex-serial-number
Specifies a unique serial number for a certificate. The serial number must be specified as a hex value. Example: 0x0102030405060708090a0b0c0d0e0fsubject=subject-DN
Specifies a particular certificate owner for a certifi-
cate or certificate request. An example subject= setting might be: subject=O=Sun Microsystems Inc., \ OU=Solaris Security Technologies Group, \SunOS 5.11 Last change: 22 Mar 2010 19
User Commands pktool(1)
L=Ashburn, ST=VA, C=US, CN=John Smith token=token[:manuf[:serial]] When a token label contains trailing spaces, this option does not require them to be typed as a convenience to the user. Colon separate token identification string token:manuf:serial. If any of the parts have a literal : char then it needs to be escaped using a backslash (\). If no : is found then the entire string (up to 32 chars) is taken as the token label. If only one : is found then the string is the token label and the manufacturer. When keystore=nss is specified, default to NSS internal token if this option is not specified. When keystore=pkcs11 isspecified, default to pkcs11_softtoken if this option is
not specified.trust=trust-value
Specifies the certificate trust attributes. This is only for NSS certificates and that the standard NSS syntax applies. usertype=user | so Specifies the type of user for which the setpin command is being performed. The default is for a standard user, but so can be specified in order to set the PIN for the security officer of the token.url=url_string
Specifies the URL to download a CRL or a certificate file. verifycrl=y | nWhen importing a CRL to NSS keystore, this option speci-
fies whether the CRL verification is performed. The valid values are: y and n. The default value is n.SunOS 5.11 Last change: 22 Mar 2010 20
User Commands pktool(1)
http_proxy=proxy_str
Specifies the proxy server hostname and port number. The format can be either http://hostname[:port] or hostname[:port]. If this option is not specified, thedownload subcommand checks the http_proxy environment
variable. The command line option has a higher priority than the environment variable.EXAMPLES
Example 1 Generating a Self-Signed Certificate
The following example creates the certificate and stores it in the keystore indicated in the command:$ pktool gencert keystore=nss nickname=WebServerCert \
subject="O=Sun Microsystems Inc., OU=Solaris Security Technologies Group, \ L=Ashburn, ST=VA, C=US, CN=John Smith" dir=/etc/certs \ keytype=rsa keylen=2048 hash=sha512 Example 2 Generating a Certificate Signing Request The following example creates the CSR and stores it in the keystore indicated in the command:$ pktool gencsr keystore=nss subject="O=Sun Microsystems Inc., \
OU=Solaris Security Technologies Group, L=Ashburn, ST=VA, C=US, \ CN=John Smith" keytype=rsa keylen=2048 hash=sha256 outcsr=csr.dat Example 3 Importing a Certificate The following example imports a certificate object from thespecified input file into the keystore indicated in the com-
mand:$ pktool import keystore=nss objtype=cert infile=mycert.pem \
nickname=mycertSunOS 5.11 Last change: 22 Mar 2010 21
User Commands pktool(1)
EXIT STATUS The following exit values are returned: 0 Successful completion. >0 An error occurred.ATTRIBUTES
See attributes(5) for descriptions of the following attri-
butes:____________________________________________________________
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
|_____________________________|_____________________________|
| Availability | SUNWcs ||_____________________________|_____________________________|
| Interface Stability | Committed ||_____________________________|_____________________________|
SEE ALSO
attributes(5), pkcs11_softtoken(5)
RSA PKCS#11 v2.11 http://www.rsasecurity.com
RSA PKCS#12 v1.0 http://www.rsasecurity.com
SECG Recommended Elliptic Curve Domain Parameters http://www.secg.orgSunOS 5.11 Last change: 22 Mar 2010 22