Network Security Services

To get list of all certificates:

$ certutil -d sql:$HOME/.pki/nssdb -L

To get details about certificate:

$ certutil -d sql:$HOME/.pki/nssdb -L -n certificate_nickname

$ certutil -G -d database_directory -g keysize -n nickname

$ certutil -S -s subject -n nickname -x -t C,C,C -o file

$ certutil -S -s subject -n nickname -x -t C,C,C -o file

To add a certificate specify the -A option:

$ certutil -d sql:$HOME/.pki/nssdb -A -t "TRUSTARGS" -n certificate_nickname -i /path/to/cert/filename

The TRUSTARGS are three strings of zero or more alphabetic characters, separated by commas, for example: "TCu,Cu,Tuw". They define how the certificate should be trusted for SSL, email, and object signing, and are explained in the certutil documentation or Meena's blog post on trust flags.

To add a personal certificate and private key for SSL client authentication use the command:

$ pk12util -d sql:$HOME/.pki/nssdb -i /path/to/PKCS12/cert/filename.p12

This will import a personal certificate and private key stored in a PKCS #12 file. The TRUSTARGS of the personal certificate will be set to "u,u,u".

Call certutil with -M option to edit the certificate. For example, to edit the TRUSTARGS:

$ certutil -d sql:$HOME/.pki/nssdb -M -t "TRUSTARGS" -n certificate_nickname

Use -D option to remove the certificate:

$ certutil -d sql:$HOME/.pki/nssdb -D -n certificate_nickname

chromium, firefox, thunderbird, evolution, and use NSS to retrieve trusted CA certificates.

The nss has integrated , which will automatically install all certificates using system-wide. However, if you prefer to distribute "pure" NSS, you can install the certificates into your own browser profile.

certutil -d database -A -i myCA.cert -n "Honest Achmed's CA" -t C,,

chromium and evolution use a "shared" database located in -d "sql:$HOME/.pki/nssdb".

For firefox, thunderbird, and , make a browser-specific configuration file directory (e.g. ).