Wed, 31 Dec 2014 06:09:35 +0100
Cloned upstream origin tor-browser at tor-browser-31.3.0esr-4.5-1-build1
revision ID fc1c9ff7c1b2defdbc039f12214767608f46423f for hacking purpose.
1 '\" t
2 .\" Title: PK12UTIL
3 .\" Author: [see the "Authors" section]
4 .\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
5 .\" Date: 5 June 2014
6 .\" Manual: NSS Security Tools
7 .\" Source: nss-tools
8 .\" Language: English
9 .\"
10 .TH "PK12UTIL" "1" "5 June 2014" "nss-tools" "NSS Security Tools"
11 .\" -----------------------------------------------------------------
12 .\" * Define some portability stuff
13 .\" -----------------------------------------------------------------
14 .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
15 .\" http://bugs.debian.org/507673
16 .\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
17 .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
18 .ie \n(.g .ds Aq \(aq
19 .el .ds Aq '
20 .\" -----------------------------------------------------------------
21 .\" * set default formatting
22 .\" -----------------------------------------------------------------
23 .\" disable hyphenation
24 .nh
25 .\" disable justification (adjust text to left margin only)
26 .ad l
27 .\" -----------------------------------------------------------------
28 .\" * MAIN CONTENT STARTS HERE *
29 .\" -----------------------------------------------------------------
30 .SH "NAME"
31 pk12util \- Export and import keys and certificates to or from a PKCS #12 file and the NSS database
32 .SH "SYNOPSIS"
33 .HP \w'\fBpk12util\fR\ 'u
34 \fBpk12util\fR [\-i\ p12File|\-l\ p12File|\-o\ p12File] [\-d\ [sql:]directory] [\-h\ tokenname] [\-P\ dbprefix] [\-r] [\-v] [\-k\ slotPasswordFile|\-K\ slotPassword] [\-w\ p12filePasswordFile|\-W\ p12filePassword]
35 .SH "STATUS"
36 .PP
37 This documentation is still a work in progress\&. Please contribute to the initial review in
38 \m[blue]\fBMozilla NSS bug 836477\fR\m[]\&\s-2\u[1]\d\s+2
39 .SH "DESCRIPTION"
40 .PP
41 The PKCS #12 utility,
42 \fBpk12util\fR, enables sharing certificates among any servers that support PKCS#12\&. The tool can import certificates and keys from PKCS#12 files into security databases, export certificates, and list certificates and keys\&.
43 .SH "OPTIONS AND ARGUMENTS"
44 .PP
45 \fBOptions\fR
46 .PP
47 \-i p12file
48 .RS 4
49 Import keys and certificates from a PKCS#12 file into a security database\&.
50 .RE
51 .PP
52 \-l p12file
53 .RS 4
54 List the keys and certificates in a PKCS#12 file\&.
55 .RE
56 .PP
57 \-o p12file
58 .RS 4
59 Export keys and certificates from the security database to a PKCS#12 file\&.
60 .RE
61 .PP
62 \fBArguments\fR
63 .PP
64 \-c keyCipher
65 .RS 4
66 Specify the key encryption algorithm\&.
67 .RE
68 .PP
69 \-C certCipher
70 .RS 4
71 Specify the certificate (overall package) encryption algorithm\&.
72 .RE
73 .PP
74 \-d [sql:]directory
75 .RS 4
76 Specify the database directory to import certificates and keys into or export them from\&.
77 .sp
78 \fBpk12util\fR
79 supports two types of databases: the legacy security databases (cert8\&.db,
80 key3\&.db, and
81 secmod\&.db) and new SQLite databases (cert9\&.db,
82 key4\&.db, and
83 pkcs11\&.txt)\&. If the prefix
84 \fBsql:\fR
85 is not used, then the tool assumes that the given databases are in the old format\&.
86 .RE
87 .PP
88 \-h tokenname
89 .RS 4
90 Specify the name of the token to import into or export from\&.
91 .RE
92 .PP
93 \-k slotPasswordFile
94 .RS 4
95 Specify the text file containing the slot\*(Aqs password\&.
96 .RE
97 .PP
98 \-K slotPassword
99 .RS 4
100 Specify the slot\*(Aqs password\&.
101 .RE
102 .PP
103 \-m | \-\-key\-len keyLength
104 .RS 4
105 Specify the desired length of the symmetric key to be used to encrypt the private key\&.
106 .RE
107 .PP
108 \-n | \-\-cert\-key\-len certKeyLength
109 .RS 4
110 Specify the desired length of the symmetric key to be used to encrypt the certificates and other meta\-data\&.
111 .RE
112 .PP
113 \-n certname
114 .RS 4
115 Specify the nickname of the cert and private key to export\&.
116 .RE
117 .PP
118 \-P prefix
119 .RS 4
120 Specify the prefix used on the certificate and key databases\&. This option is provided as a special case\&. Changing the names of the certificate and key databases is not recommended\&.
121 .RE
122 .PP
123 \-r
124 .RS 4
125 Dumps all of the data in raw (binary) form\&. This must be saved as a DER file\&. The default is to return information in a pretty\-print ASCII format, which displays the information about the certificates and public keys in the p12 file\&.
126 .RE
127 .PP
128 \-v
129 .RS 4
130 Enable debug logging when importing\&.
131 .RE
132 .PP
133 \-w p12filePasswordFile
134 .RS 4
135 Specify the text file containing the pkcs #12 file password\&.
136 .RE
137 .PP
138 \-W p12filePassword
139 .RS 4
140 Specify the pkcs #12 file password\&.
141 .RE
142 .SH "RETURN CODES"
143 .sp
144 .RS 4
145 .ie n \{\
146 \h'-04'\(bu\h'+03'\c
147 .\}
148 .el \{\
149 .sp -1
150 .IP \(bu 2.3
151 .\}
152 0 \- No error
153 .RE
154 .sp
155 .RS 4
156 .ie n \{\
157 \h'-04'\(bu\h'+03'\c
158 .\}
159 .el \{\
160 .sp -1
161 .IP \(bu 2.3
162 .\}
163 1 \- User Cancelled
164 .RE
165 .sp
166 .RS 4
167 .ie n \{\
168 \h'-04'\(bu\h'+03'\c
169 .\}
170 .el \{\
171 .sp -1
172 .IP \(bu 2.3
173 .\}
174 2 \- Usage error
175 .RE
176 .sp
177 .RS 4
178 .ie n \{\
179 \h'-04'\(bu\h'+03'\c
180 .\}
181 .el \{\
182 .sp -1
183 .IP \(bu 2.3
184 .\}
185 6 \- NLS init error
186 .RE
187 .sp
188 .RS 4
189 .ie n \{\
190 \h'-04'\(bu\h'+03'\c
191 .\}
192 .el \{\
193 .sp -1
194 .IP \(bu 2.3
195 .\}
196 8 \- Certificate DB open error
197 .RE
198 .sp
199 .RS 4
200 .ie n \{\
201 \h'-04'\(bu\h'+03'\c
202 .\}
203 .el \{\
204 .sp -1
205 .IP \(bu 2.3
206 .\}
207 9 \- Key DB open error
208 .RE
209 .sp
210 .RS 4
211 .ie n \{\
212 \h'-04'\(bu\h'+03'\c
213 .\}
214 .el \{\
215 .sp -1
216 .IP \(bu 2.3
217 .\}
218 10 \- File initialization error
219 .RE
220 .sp
221 .RS 4
222 .ie n \{\
223 \h'-04'\(bu\h'+03'\c
224 .\}
225 .el \{\
226 .sp -1
227 .IP \(bu 2.3
228 .\}
229 11 \- Unicode conversion error
230 .RE
231 .sp
232 .RS 4
233 .ie n \{\
234 \h'-04'\(bu\h'+03'\c
235 .\}
236 .el \{\
237 .sp -1
238 .IP \(bu 2.3
239 .\}
240 12 \- Temporary file creation error
241 .RE
242 .sp
243 .RS 4
244 .ie n \{\
245 \h'-04'\(bu\h'+03'\c
246 .\}
247 .el \{\
248 .sp -1
249 .IP \(bu 2.3
250 .\}
251 13 \- PKCS11 get slot error
252 .RE
253 .sp
254 .RS 4
255 .ie n \{\
256 \h'-04'\(bu\h'+03'\c
257 .\}
258 .el \{\
259 .sp -1
260 .IP \(bu 2.3
261 .\}
262 14 \- PKCS12 decoder start error
263 .RE
264 .sp
265 .RS 4
266 .ie n \{\
267 \h'-04'\(bu\h'+03'\c
268 .\}
269 .el \{\
270 .sp -1
271 .IP \(bu 2.3
272 .\}
273 15 \- error read from import file
274 .RE
275 .sp
276 .RS 4
277 .ie n \{\
278 \h'-04'\(bu\h'+03'\c
279 .\}
280 .el \{\
281 .sp -1
282 .IP \(bu 2.3
283 .\}
284 16 \- pkcs12 decode error
285 .RE
286 .sp
287 .RS 4
288 .ie n \{\
289 \h'-04'\(bu\h'+03'\c
290 .\}
291 .el \{\
292 .sp -1
293 .IP \(bu 2.3
294 .\}
295 17 \- pkcs12 decoder verify error
296 .RE
297 .sp
298 .RS 4
299 .ie n \{\
300 \h'-04'\(bu\h'+03'\c
301 .\}
302 .el \{\
303 .sp -1
304 .IP \(bu 2.3
305 .\}
306 18 \- pkcs12 decoder validate bags error
307 .RE
308 .sp
309 .RS 4
310 .ie n \{\
311 \h'-04'\(bu\h'+03'\c
312 .\}
313 .el \{\
314 .sp -1
315 .IP \(bu 2.3
316 .\}
317 19 \- pkcs12 decoder import bags error
318 .RE
319 .sp
320 .RS 4
321 .ie n \{\
322 \h'-04'\(bu\h'+03'\c
323 .\}
324 .el \{\
325 .sp -1
326 .IP \(bu 2.3
327 .\}
328 20 \- key db conversion version 3 to version 2 error
329 .RE
330 .sp
331 .RS 4
332 .ie n \{\
333 \h'-04'\(bu\h'+03'\c
334 .\}
335 .el \{\
336 .sp -1
337 .IP \(bu 2.3
338 .\}
339 21 \- cert db conversion version 7 to version 5 error
340 .RE
341 .sp
342 .RS 4
343 .ie n \{\
344 \h'-04'\(bu\h'+03'\c
345 .\}
346 .el \{\
347 .sp -1
348 .IP \(bu 2.3
349 .\}
350 22 \- cert and key dbs patch error
351 .RE
352 .sp
353 .RS 4
354 .ie n \{\
355 \h'-04'\(bu\h'+03'\c
356 .\}
357 .el \{\
358 .sp -1
359 .IP \(bu 2.3
360 .\}
361 23 \- get default cert db error
362 .RE
363 .sp
364 .RS 4
365 .ie n \{\
366 \h'-04'\(bu\h'+03'\c
367 .\}
368 .el \{\
369 .sp -1
370 .IP \(bu 2.3
371 .\}
372 24 \- find cert by nickname error
373 .RE
374 .sp
375 .RS 4
376 .ie n \{\
377 \h'-04'\(bu\h'+03'\c
378 .\}
379 .el \{\
380 .sp -1
381 .IP \(bu 2.3
382 .\}
383 25 \- create export context error
384 .RE
385 .sp
386 .RS 4
387 .ie n \{\
388 \h'-04'\(bu\h'+03'\c
389 .\}
390 .el \{\
391 .sp -1
392 .IP \(bu 2.3
393 .\}
394 26 \- PKCS12 add password integrity error
395 .RE
396 .sp
397 .RS 4
398 .ie n \{\
399 \h'-04'\(bu\h'+03'\c
400 .\}
401 .el \{\
402 .sp -1
403 .IP \(bu 2.3
404 .\}
405 27 \- cert and key Safes creation error
406 .RE
407 .sp
408 .RS 4
409 .ie n \{\
410 \h'-04'\(bu\h'+03'\c
411 .\}
412 .el \{\
413 .sp -1
414 .IP \(bu 2.3
415 .\}
416 28 \- PKCS12 add cert and key error
417 .RE
418 .sp
419 .RS 4
420 .ie n \{\
421 \h'-04'\(bu\h'+03'\c
422 .\}
423 .el \{\
424 .sp -1
425 .IP \(bu 2.3
426 .\}
427 29 \- PKCS12 encode error
428 .RE
429 .SH "EXAMPLES"
430 .PP
431 \fBImporting Keys and Certificates\fR
432 .PP
433 The most basic usage of
434 \fBpk12util\fR
435 for importing a certificate or key requires the PKCS#12 input file (\fB\-i\fR) and some way to specify the security database being accessed (either
436 \fB\-d\fR
437 for a directory or
438 \fB\-h\fR
439 for a token)\&.
440 .PP
441 pk12util \-i p12File [\-h tokenname] [\-v] [\-d [sql:]directory] [\-P dbprefix] [\-k slotPasswordFile|\-K slotPassword] [\-w p12filePasswordFile|\-W p12filePassword]
442 .PP
443 For example:
444 .PP
446 .sp
447 .if n \{\
448 .RS 4
449 .\}
450 .nf
451 # pk12util \-i /tmp/cert\-files/users\&.p12 \-d sql:/home/my/sharednssdb
453 Enter a password which will be used to encrypt your keys\&.
454 The password should be at least 8 characters long,
455 and should contain at least one non\-alphabetic character\&.
457 Enter new password:
458 Re\-enter password:
459 Enter password for PKCS12 file:
460 pk12util: PKCS12 IMPORT SUCCESSFUL
461 .fi
462 .if n \{\
463 .RE
464 .\}
465 .PP
466 \fBExporting Keys and Certificates\fR
467 .PP
468 Using the
469 \fBpk12util\fR
470 command to export certificates and keys requires both the name of the certificate to extract from the database (\fB\-n\fR) and the PKCS#12\-formatted output file to write to\&. There are optional parameters that can be used to encrypt the file to protect the certificate material\&.
471 .PP
472 pk12util \-o p12File \-n certname [\-c keyCipher] [\-C certCipher] [\-m|\-\-key_len keyLen] [\-n|\-\-cert_key_len certKeyLen] [\-d [sql:]directory] [\-P dbprefix] [\-k slotPasswordFile|\-K slotPassword] [\-w p12filePasswordFile|\-W p12filePassword]
473 .PP
474 For example:
475 .sp
476 .if n \{\
477 .RS 4
478 .\}
479 .nf
480 # pk12util \-o certs\&.p12 \-n Server\-Cert \-d sql:/home/my/sharednssdb
481 Enter password for PKCS12 file:
482 Re\-enter password:
483 .fi
484 .if n \{\
485 .RE
486 .\}
487 .PP
488 \fBListing Keys and Certificates\fR
489 .PP
490 The information in a
491 \&.p12
492 file is not human\-readable\&. The certificates and keys in the file can be printed (listed) in a human\-readable pretty\-print format that shows information for every certificate and any public keys in the
493 \&.p12
494 file\&.
495 .PP
496 pk12util \-l p12File [\-h tokenname] [\-r] [\-d [sql:]directory] [\-P dbprefix] [\-k slotPasswordFile|\-K slotPassword] [\-w p12filePasswordFile|\-W p12filePassword]
497 .PP
498 For example, this prints the default ASCII output:
499 .sp
500 .if n \{\
501 .RS 4
502 .\}
503 .nf
504 # pk12util \-l certs\&.p12
506 Enter password for PKCS12 file:
507 Key(shrouded):
508 Friendly Name: Thawte Freemail Member\*(Aqs Thawte Consulting (Pty) Ltd\&. ID
510 Encryption algorithm: PKCS #12 V2 PBE With SHA\-1 And 3KEY Triple DES\-CBC
511 Parameters:
512 Salt:
513 45:2e:6a:a0:03:4d:7b:a1:63:3c:15:ea:67:37:62:1f
514 Iteration Count: 1 (0x1)
515 Certificate:
516 Data:
517 Version: 3 (0x2)
518 Serial Number: 13 (0xd)
519 Signature Algorithm: PKCS #1 SHA\-1 With RSA Encryption
520 Issuer: "E=personal\-freemail@thawte\&.com,CN=Thawte Personal Freemail C
521 A,OU=Certification Services Division,O=Thawte Consulting,L=Cape T
522 own,ST=Western Cape,C=ZA"
524 .fi
525 .if n \{\
526 .RE
527 .\}
528 .PP
529 Alternatively, the
530 \fB\-r\fR
531 option prints the certificates and then exports them into separate DER binary files\&. This allows the certificates to be fed to another application that supports
532 \&.p12
533 files\&. Each certificate is written to a sequentially\-numbered file, beginning with
534 file0001\&.der
535 and continuing through
536 file000N\&.der, incrementing the number for every certificate:
537 .sp
538 .if n \{\
539 .RS 4
540 .\}
541 .nf
542 pk12util \-l test\&.p12 \-r
543 Enter password for PKCS12 file:
544 Key(shrouded):
545 Friendly Name: Thawte Freemail Member\*(Aqs Thawte Consulting (Pty) Ltd\&. ID
547 Encryption algorithm: PKCS #12 V2 PBE With SHA\-1 And 3KEY Triple DES\-CBC
548 Parameters:
549 Salt:
550 45:2e:6a:a0:03:4d:7b:a1:63:3c:15:ea:67:37:62:1f
551 Iteration Count: 1 (0x1)
552 Certificate Friendly Name: Thawte Personal Freemail Issuing CA \- Thawte Consulting
554 Certificate Friendly Name: Thawte Freemail Member\*(Aqs Thawte Consulting (Pty) Ltd\&. ID
556 .fi
557 .if n \{\
558 .RE
559 .\}
560 .SH "PASSWORD ENCRYPTION"
561 .PP
562 PKCS#12 provides for not only the protection of the private keys but also the certificate and meta\-data associated with the keys\&. Password\-based encryption is used to protect private keys on export to a PKCS#12 file and, optionally, the entire package\&. If no algorithm is specified, the tool defaults to using
563 \fBPKCS12 V2 PBE with SHA1 and 3KEY Triple DES\-cbc\fR
564 for private key encryption\&.
565 \fBPKCS12 V2 PBE with SHA1 and 40 Bit RC4\fR
566 is the default for the overall package encryption when not in FIPS mode\&. When in FIPS mode, there is no package encryption\&.
567 .PP
568 The private key is always protected with strong encryption by default\&.
569 .PP
570 Several types of ciphers are supported\&.
571 .PP
572 Symmetric CBC ciphers for PKCS#5 V2
573 .RS 4
574 .sp
575 .RS 4
576 .ie n \{\
577 \h'-04'\(bu\h'+03'\c
578 .\}
579 .el \{\
580 .sp -1
581 .IP \(bu 2.3
582 .\}
583 DES\-CBC
584 .RE
585 .sp
586 .RS 4
587 .ie n \{\
588 \h'-04'\(bu\h'+03'\c
589 .\}
590 .el \{\
591 .sp -1
592 .IP \(bu 2.3
593 .\}
594 RC2\-CBC
595 .RE
596 .sp
597 .RS 4
598 .ie n \{\
599 \h'-04'\(bu\h'+03'\c
600 .\}
601 .el \{\
602 .sp -1
603 .IP \(bu 2.3
604 .\}
605 RC5\-CBCPad
606 .RE
607 .sp
608 .RS 4
609 .ie n \{\
610 \h'-04'\(bu\h'+03'\c
611 .\}
612 .el \{\
613 .sp -1
614 .IP \(bu 2.3
615 .\}
616 DES\-EDE3\-CBC (the default for key encryption)
617 .RE
618 .sp
619 .RS 4
620 .ie n \{\
621 \h'-04'\(bu\h'+03'\c
622 .\}
623 .el \{\
624 .sp -1
625 .IP \(bu 2.3
626 .\}
627 AES\-128\-CBC
628 .RE
629 .sp
630 .RS 4
631 .ie n \{\
632 \h'-04'\(bu\h'+03'\c
633 .\}
634 .el \{\
635 .sp -1
636 .IP \(bu 2.3
637 .\}
638 AES\-192\-CBC
639 .RE
640 .sp
641 .RS 4
642 .ie n \{\
643 \h'-04'\(bu\h'+03'\c
644 .\}
645 .el \{\
646 .sp -1
647 .IP \(bu 2.3
648 .\}
649 AES\-256\-CBC
650 .RE
651 .sp
652 .RS 4
653 .ie n \{\
654 \h'-04'\(bu\h'+03'\c
655 .\}
656 .el \{\
657 .sp -1
658 .IP \(bu 2.3
659 .\}
660 CAMELLIA\-128\-CBC
661 .RE
662 .sp
663 .RS 4
664 .ie n \{\
665 \h'-04'\(bu\h'+03'\c
666 .\}
667 .el \{\
668 .sp -1
669 .IP \(bu 2.3
670 .\}
671 CAMELLIA\-192\-CBC
672 .RE
673 .sp
674 .RS 4
675 .ie n \{\
676 \h'-04'\(bu\h'+03'\c
677 .\}
678 .el \{\
679 .sp -1
680 .IP \(bu 2.3
681 .\}
682 CAMELLIA\-256\-CBC
683 .RE
684 .RE
685 .PP
686 PKCS#12 PBE ciphers
687 .RS 4
688 .sp
689 .RS 4
690 .ie n \{\
691 \h'-04'\(bu\h'+03'\c
692 .\}
693 .el \{\
694 .sp -1
695 .IP \(bu 2.3
696 .\}
697 PKCS #12 PBE with Sha1 and 128 Bit RC4
698 .RE
699 .sp
700 .RS 4
701 .ie n \{\
702 \h'-04'\(bu\h'+03'\c
703 .\}
704 .el \{\
705 .sp -1
706 .IP \(bu 2.3
707 .\}
708 PKCS #12 PBE with Sha1 and 40 Bit RC4
709 .RE
710 .sp
711 .RS 4
712 .ie n \{\
713 \h'-04'\(bu\h'+03'\c
714 .\}
715 .el \{\
716 .sp -1
717 .IP \(bu 2.3
718 .\}
719 PKCS #12 PBE with Sha1 and Triple DES CBC
720 .RE
721 .sp
722 .RS 4
723 .ie n \{\
724 \h'-04'\(bu\h'+03'\c
725 .\}
726 .el \{\
727 .sp -1
728 .IP \(bu 2.3
729 .\}
730 PKCS #12 PBE with Sha1 and 128 Bit RC2 CBC
731 .RE
732 .sp
733 .RS 4
734 .ie n \{\
735 \h'-04'\(bu\h'+03'\c
736 .\}
737 .el \{\
738 .sp -1
739 .IP \(bu 2.3
740 .\}
741 PKCS #12 PBE with Sha1 and 40 Bit RC2 CBC
742 .RE
743 .sp
744 .RS 4
745 .ie n \{\
746 \h'-04'\(bu\h'+03'\c
747 .\}
748 .el \{\
749 .sp -1
750 .IP \(bu 2.3
751 .\}
752 PKCS12 V2 PBE with SHA1 and 128 Bit RC4
753 .RE
754 .sp
755 .RS 4
756 .ie n \{\
757 \h'-04'\(bu\h'+03'\c
758 .\}
759 .el \{\
760 .sp -1
761 .IP \(bu 2.3
762 .\}
763 PKCS12 V2 PBE with SHA1 and 40 Bit RC4 (the default for non\-FIPS mode)
764 .RE
765 .sp
766 .RS 4
767 .ie n \{\
768 \h'-04'\(bu\h'+03'\c
769 .\}
770 .el \{\
771 .sp -1
772 .IP \(bu 2.3
773 .\}
774 PKCS12 V2 PBE with SHA1 and 3KEY Triple DES\-cbc
775 .RE
776 .sp
777 .RS 4
778 .ie n \{\
779 \h'-04'\(bu\h'+03'\c
780 .\}
781 .el \{\
782 .sp -1
783 .IP \(bu 2.3
784 .\}
785 PKCS12 V2 PBE with SHA1 and 2KEY Triple DES\-cbc
786 .RE
787 .sp
788 .RS 4
789 .ie n \{\
790 \h'-04'\(bu\h'+03'\c
791 .\}
792 .el \{\
793 .sp -1
794 .IP \(bu 2.3
795 .\}
796 PKCS12 V2 PBE with SHA1 and 128 Bit RC2 CBC
797 .RE
798 .sp
799 .RS 4
800 .ie n \{\
801 \h'-04'\(bu\h'+03'\c
802 .\}
803 .el \{\
804 .sp -1
805 .IP \(bu 2.3
806 .\}
807 PKCS12 V2 PBE with SHA1 and 40 Bit RC2 CBC
808 .RE
809 .RE
810 .PP
811 PKCS#5 PBE ciphers
812 .RS 4
813 .sp
814 .RS 4
815 .ie n \{\
816 \h'-04'\(bu\h'+03'\c
817 .\}
818 .el \{\
819 .sp -1
820 .IP \(bu 2.3
821 .\}
822 PKCS #5 Password Based Encryption with MD2 and DES CBC
823 .RE
824 .sp
825 .RS 4
826 .ie n \{\
827 \h'-04'\(bu\h'+03'\c
828 .\}
829 .el \{\
830 .sp -1
831 .IP \(bu 2.3
832 .\}
833 PKCS #5 Password Based Encryption with MD5 and DES CBC
834 .RE
835 .sp
836 .RS 4
837 .ie n \{\
838 \h'-04'\(bu\h'+03'\c
839 .\}
840 .el \{\
841 .sp -1
842 .IP \(bu 2.3
843 .\}
844 PKCS #5 Password Based Encryption with SHA1 and DES CBC
845 .RE
846 .RE
847 .PP
848 With PKCS#12, the crypto provider may be the soft token module or an external hardware module\&. If the cryptographic module does not support the requested algorithm, then the next best fit will be selected (usually the default)\&. If no suitable replacement for the desired algorithm can be found, the tool returns the error
849 \fIno security module can perform the requested operation\fR\&.
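
An added example (not part of the NSS documentation or code): a POSIX shell function that audits the text printed by pk12util -l for the weak ciphers named in the lists above and for low PBE iteration counts, such as the "Iteration Count: 1" shown in the listing example. The function names, the MIN_ITER threshold and the second sample entry are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not NSS code: audit `pk12util -l` text for weak PBE settings.
# Real use (flags from this page): pk12util -l certs.p12 -w pwfile | audit_p12_listing

# Assumed policy floor for the PBE iteration count; not a value from the man page.
MIN_ITER="${MIN_ITER:-10000}"

# Reads a listing on stdin and prints one finding per line.
# Exit status: 0 = nothing flagged, 1 = at least one finding.
audit_p12_listing() {
    awk -v min_iter="$MIN_ITER" '
        /^[ \t]*Encryption algorithm:/ {
            algo = $0
            sub(/^[ \t]*Encryption algorithm:[ \t]*/, "", algo)
            u = toupper(algo)
            gsub(/-/, " ", u)            # treat "40-Bit" and "40 Bit" alike
            why = ""
            if      (u ~ /40 BIT/)   why = "40-bit key"
            else if (u ~ /RC4|RC2/)  why = "RC4/RC2 cipher"
            else if (u ~ /MD2|MD5/)  why = "MD2/MD5 key derivation"
            else if (u ~ /DES/ && u !~ /TRIPLE|EDE3/) why = "single DES"
            if (why != "") {
                printf "WEAK-CIPHER (%s): %s\n", why, algo
                bad = 1
            }
        }
        /^[ \t]*Iteration Count:/ {
            n = $3 + 0                   # "Iteration Count: 1 (0x1)" -> 1
            if (n < min_iter + 0) {
                printf "LOW-ITERATIONS: %d (minimum %d)\n", n, min_iter
                bad = 1
            }
        }
        END { exit bad + 0 }
    '
}

# Constructed sample: the first entry copies the fields of the listing example
# on this page; the second entry is invented, using a cipher name from the list.
sample_listing() {
    cat <<'EOF'
Key(shrouded):
    Friendly Name: Example Key

    Encryption algorithm: PKCS #12 V2 PBE With SHA-1 And 3KEY Triple DES-CBC
        Parameters:
            Salt:
                45:2e:6a:a0:03:4d:7b:a1:63:3c:15:ea:67:37:62:1f
            Iteration Count: 1 (0x1)
Key(shrouded):
    Friendly Name: Constructed Second Key

    Encryption algorithm: PKCS12 V2 PBE with SHA1 and 40 Bit RC4
        Parameters:
            Iteration Count: 100000 (0x186a0)
EOF
}

# Stand-alone run: print the findings for the constructed sample.
sample_listing | audit_p12_listing || echo "listing flagged"
```

A non-zero exit status from the function can gate a deployment step, so that a .p12 file is re-exported with stronger \-c and \-C ciphers before it is distributed.
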
850 .SH "NSS DATABASE TYPES"
851 .PP
852 NSS originally used BerkeleyDB databases to store security information\&. The last versions of these
853 \fIlegacy\fR
854 databases are:
855 .sp
856 .RS 4
857 .ie n \{\
858 \h'-04'\(bu\h'+03'\c
859 .\}
860 .el \{\
861 .sp -1
862 .IP \(bu 2.3
863 .\}
864 cert8\&.db for certificates
865 .RE
866 .sp
867 .RS 4
868 .ie n \{\
869 \h'-04'\(bu\h'+03'\c
870 .\}
871 .el \{\
872 .sp -1
873 .IP \(bu 2.3
874 .\}
875 key3\&.db for keys
876 .RE
877 .sp
878 .RS 4
879 .ie n \{\
880 \h'-04'\(bu\h'+03'\c
881 .\}
882 .el \{\
883 .sp -1
884 .IP \(bu 2.3
885 .\}
886 secmod\&.db for PKCS #11 module information
887 .RE
888 .PP
889 BerkeleyDB has performance limitations, though, which prevent it from being easily used by multiple applications simultaneously\&. NSS has some flexibility that allows applications to use their own, independent database engine while keeping a shared database and working around the access issues\&. Still, NSS requires more flexibility to provide a truly shared security database\&.
890 .PP
891 In 2009, NSS introduced a new set of databases that are SQLite databases rather than BerkeleyDB\&. These new databases provide more accessibility and performance:
892 .sp
893 .RS 4
894 .ie n \{\
895 \h'-04'\(bu\h'+03'\c
896 .\}
897 .el \{\
898 .sp -1
899 .IP \(bu 2.3
900 .\}
901 cert9\&.db for certificates
902 .RE
903 .sp
904 .RS 4
905 .ie n \{\
906 \h'-04'\(bu\h'+03'\c
907 .\}
908 .el \{\
909 .sp -1
910 .IP \(bu 2.3
911 .\}
912 key4\&.db for keys
913 .RE
914 .sp
915 .RS 4
916 .ie n \{\
917 \h'-04'\(bu\h'+03'\c
918 .\}
919 .el \{\
920 .sp -1
921 .IP \(bu 2.3
922 .\}
923 pkcs11\&.txt, which is a listing of all of the PKCS #11 modules contained in a new subdirectory in the security databases directory
924 .RE
925 .PP
926 Because the SQLite databases are designed to be shared, these are the
927 \fIshared\fR
928 database type\&. The shared database type is preferred; the legacy format is included for backward compatibility\&.
929 .PP
930 By default, the tools (\fBcertutil\fR,
931 \fBpk12util\fR,
932 \fBmodutil\fR) assume that the given security databases follow the more common legacy type\&. Using the SQLite databases must be manually specified by using the
933 \fBsql:\fR
934 prefix with the given security directory\&. For example:
935 .sp
936 .if n \{\
937 .RS 4
938 .\}
939 .nf
940 # pk12util \-i /tmp/cert\-files/users\&.p12 \-d sql:/home/my/sharednssdb
941 .fi
942 .if n \{\
943 .RE
944 .\}
945 .PP
946 To set the shared database type as the default type for the tools, set the
947 \fBNSS_DEFAULT_DB_TYPE\fR
948 environment variable to
949 \fBsql\fR:
950 .sp
951 .if n \{\
952 .RS 4
953 .\}
954 .nf
955 export NSS_DEFAULT_DB_TYPE="sql"
956 .fi
957 .if n \{\
958 .RE
959 .\}
960 .PP
961 This line can be added to the
962 ~/\&.bashrc
963 file to make the change permanent\&.
964 .PP
965 Most applications do not use the shared database by default, but they can be configured to use it\&. For example, this how\-to article covers how to configure Firefox and Thunderbird to use the new shared NSS databases:
966 .sp
967 .RS 4
968 .ie n \{\
969 \h'-04'\(bu\h'+03'\c
970 .\}
971 .el \{\
972 .sp -1
973 .IP \(bu 2.3
974 .\}
975 https://wiki\&.mozilla\&.org/NSS_Shared_DB_Howto
976 .RE
977 .PP
978 For an engineering draft on the changes in the shared NSS databases, see the NSS project wiki:
979 .sp
980 .RS 4
981 .ie n \{\
982 \h'-04'\(bu\h'+03'\c
983 .\}
984 .el \{\
985 .sp -1
986 .IP \(bu 2.3
987 .\}
988 https://wiki\&.mozilla\&.org/NSS_Shared_DB
989 .RE
990 .SH "SEE ALSO"
991 .PP
992 certutil (1)
993 .PP
994 modutil (1)
995 .PP
996 The NSS wiki has information on the new database design and how to configure applications to use it\&.
997 .sp
998 .RS 4
999 .ie n \{\
1000 \h'-04'\(bu\h'+03'\c
1001 .\}
1002 .el \{\
1003 .sp -1
1004 .IP \(bu 2.3
1005 .\}
1006 https://wiki\&.mozilla\&.org/NSS_Shared_DB_Howto
1007 .RE
1008 .sp
1009 .RS 4
1010 .ie n \{\
1011 \h'-04'\(bu\h'+03'\c
1012 .\}
1013 .el \{\
1014 .sp -1
1015 .IP \(bu 2.3
1016 .\}
1017 https://wiki\&.mozilla\&.org/NSS_Shared_DB
1018 .RE
1019 .SH "ADDITIONAL RESOURCES"
1020 .PP
1021 For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at
1022 \m[blue]\fBhttp://www\&.mozilla\&.org/projects/security/pki/nss/\fR\m[]\&. The NSS site relates directly to NSS code changes and releases\&.
1023 .PP
1024 Mailing lists: https://lists\&.mozilla\&.org/listinfo/dev\-tech\-crypto
1025 .PP
1026 IRC: Freenode at #dogtag\-pki
1027 .SH "AUTHORS"
1028 .PP
1029 The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google\&.
1030 .PP
1031 Authors: Elio Maldonado <emaldona@redhat\&.com>, Deon Lackey <dlackey@redhat\&.com>\&.
1032 .SH "LICENSE"
1033 .PP
1034 Licensed under the Mozilla Public License, v\&. 2\&.0\&. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla\&.org/MPL/2\&.0/\&.
1035 .SH "NOTES"
1036 .IP " 1." 4
1037 Mozilla NSS bug 836477
1038 .RS 4
1039 \%https://bugzilla.mozilla.org/show_bug.cgi?id=836477
1040 .RE