certutil命令詳解

linux命令之certutil及mailx配置

1、certutil命令簡(jiǎn)介

certutil 是 Mozzila 基金會(huì) 發(fā)布用于管理 Netscape Communicator 與 格式的安全數(shù)據(jù)庫(kù)文件的命令行工具,用于列出,生成,修改和刪除 證書(shū)和更改證書(shū)密碼,生成新的公共和私有密鑰對(duì)。顯示密鑰證書(shū)內(nèi)容,或刪除 里的密鑰對(duì)。參見(jiàn)《使用安全模型數(shù)據(jù)庫(kù)工具》(英文),以獲得更多關(guān)于安全模型數(shù)據(jù)庫(kù)的信息,這里主要簡(jiǎn)單的介紹一下Certutil 工具的使用方法。

1.1 語(yǔ)法

所有命令可參見(jiàn)系統(tǒng)自帶幫助,通俗易懂。

certutil(選項(xiàng))(參數(shù))

[root@localhost lftshell]# certutil -H
-A              Add a certificate to the database        (create if needed)
   All options under -E apply
-B              Run a series of certutil commands from a batch file
   -i batch-file     Specify the batch file
-E              Add an Email certificate to the database (create if needed)
   -n cert-name      Specify the nickname of the certificate to add
   -t trustargs      Set the certificate trust attributes:
                          trustargs is of the form x,y,z where x is for SSL, y is for S/MIME,
                          and z is for code signing. Use ,, for no explicit trust.
                          p      prohibited (explicitly distrusted)
                          P      trusted peer
                          c      valid CA
                          T      trusted CA to issue client certs (implies c)
                          C      trusted CA to issue server certs (implies c)
                          u      user cert
                          w      send warning
                          g      make step-up cert
   -f pwfile         Specify the password file
   -d certdir        Cert database directory (default is ~/.netscape)
   -P dbprefix       Cert & Key database prefix
   -a                The input certificate is encoded in ASCII (RFC1113)
   -i input          Specify the certificate file (default is stdin)

-C              Create a new binary certificate from a BINARY cert request
   -c issuer-name    The nickname of the issuer cert
   -i cert-request   The BINARY certificate request file
   -o output-cert    Output binary cert to this file (default is stdout)
   -x                Self sign
   -m serial-number  Cert serial number
   -w warp-months    Time Warp
   -v months-valid   Months valid (default is 3)
   -f pwfile         Specify the password file
   -d certdir        Cert database directory (default is ~/.netscape)
   -P dbprefix       Cert & Key database prefix
   -1 | --keyUsage keyword,keyword,... 
                     Create key usage extension. Possible keywords:
                     "digitalSignature", "nonRepudiation", "keyEncipherment",
                     "dataEncipherment", "keyAgreement", "certSigning",
                     "crlSigning", "critical"
   -2                Create basic constraint extension
   -3                Create authority key ID extension
   -4                Create crl distribution point extension
   -5 | --nsCertType keyword,keyword,...  
                     Create netscape cert type extension. Possible keywords:
                     "sslClient", "sslServer", "smime", "objectSigning",
                     "sslCA", "smimeCA", "objectSigningCA", "critical".
   -6 | --extKeyUsage keyword,keyword,... 
                     Create extended key usage extension. Possible keywords:
                     "serverAuth", "clientAuth","codeSigning",
                     "emailProtection", "timeStamp","ocspResponder",
                     "stepUp", "msTrustListSign", "critical"
   -7 emailAddrs     Create an email subject alt name extension
   -8 dnsNames       Create an dns subject alt name extension
   -a                The input certificate request is encoded in ASCII (RFC1113)

-G              Generate a new key pair
   -h token-name     Name of token in which to generate key (default is internal)
   -k key-type       Type of key pair to generate ("dsa", "ec", "rsa" (default))
   -g key-size       Key size in bits, (min 512, max 8192, default 1024) (not for ec)
   -y exp            Set the public exponent value (3, 17, 65537) (rsa only)
   -f password-file  Specify the password file
   -z noisefile      Specify the noise file to be used
   -q pqgfile        read PQG value from pqgfile (dsa only)
   -q curve-name     Elliptic curve name (ec only)
                     One of nistp256, nistp384, nistp521
                     sect163k1, nistk163, sect163r1, sect163r2,
                     nistb163, sect193r1, sect193r2, sect233k1, nistk233,
                     sect233r1, nistb233, sect239k1, sect283k1, nistk283,
                     sect283r1, nistb283, sect409k1, nistk409, sect409r1,
                     nistb409, sect571k1, nistk571, sect571r1, nistb571,
                     secp160k1, secp160r1, secp160r2, secp192k1, secp192r1,
                     nistp192, secp224k1, secp224r1, nistp224, secp256k1,
                     secp256r1, secp384r1, secp521r1,
                     prime192v1, prime192v2, prime192v3, 
                     prime239v1, prime239v2, prime239v3, c2pnb163v1, 
                     c2pnb163v2, c2pnb163v3, c2pnb176v1, c2tnb191v1, 
                     c2tnb191v2, c2tnb191v3,  
                     c2pnb208w1, c2tnb239v1, c2tnb239v2, c2tnb239v3, 
                     c2pnb272w1, c2pnb304w1, 
                     c2tnb359w1, c2pnb368w1, c2tnb431r1, secp112r1, 
                     secp112r2, secp128r1, secp128r2, sect113r1, sect113r2
                     sect131r1, sect131r2
   -d keydir         Key database directory (default is ~/.netscape)
   -P dbprefix       Cert & Key database prefix
   --keyAttrFlags attrflags
                     PKCS #11 key Attributes.
                     Comma separated list of key attribute attribute flags,
                     selected from the following list of choices:
                     {token | session} {public | private} {sensitive | insensitive}
                     {modifiable | unmodifiable} {extractable | unextractable}
   --keyOpFlagsOn opflags
   --keyOpFlagsOff opflags
                     PKCS #11 key Operation Flags.
                     Comma separated list of one or more of the following:
                     encrypt, decrypt, sign, sign_recover, verify,
                     verify_recover, wrap, unwrap, derive

-D              Delete a certificate from the database
   -n cert-name      The nickname of the cert to delete
   -d certdir        Cert database directory (default is ~/.netscape)
   -P dbprefix       Cert & Key database prefix

-F              Delete a key from the database
   -n cert-name      The nickname of the key to delete
   -d certdir        Cert database directory (default is ~/.netscape)
   -P dbprefix       Cert & Key database prefix

-U              List all modules
   -d moddir         Module database directory (default is '~/.netscape')
   -P dbprefix       Cert & Key database prefix
   -X                force the database to open R/W

-K              List all private keys
   -h token-name     Name of token to search ("all" for all tokens)
   -k key-type       Key type ("all" (default), "dsa", "ec", "rsa")
   -n name           The nickname of the key or associated certificate
   -f password-file  Specify the password file
   -d keydir         Key database directory (default is ~/.netscape)
   -P dbprefix       Cert & Key database prefix
   -X                force the database to open R/W

-L              List all certs, or print out a single named cert (or a subset)
   -n cert-name      Pretty print named cert (list all if unspecified)
   --email email-address 
                     Pretty print cert with email address (list all if unspecified)
   -d certdir        Cert database directory (default is ~/.netscape)
   -P dbprefix       Cert & Key database prefix
   -X                force the database to open R/W
   -r                For single cert, print binary DER encoding
   -a                For single cert, print ASCII encoding (RFC1113)
   --dump-ext-val OID 
                     For single cert, print binary DER encoding of extension OID

-M              Modify trust attributes of certificate
   -n cert-name      The nickname of the cert to modify
   -t trustargs      Set the certificate trust attributes (see -A above)
   -d certdir        Cert database directory (default is ~/.netscape)
   -P dbprefix       Cert & Key database prefix

-N              Create a new certificate database
   -d certdir        Cert database directory (default is ~/.netscape)
   -P dbprefix       Cert & Key database prefix
   --empty-password  use empty password when creating a new database

-T              Reset the Key database or token
   -d certdir        Cert database directory (default is ~/.netscape)
   -P dbprefix       Cert & Key database prefix
   -h token-name     Token to reset (default is internal)
   -0 SSO-password   Set token's Site Security Officer password

-O              Print the chain of a certificate
   -n cert-name      The nickname of the cert to modify
   -d certdir        Cert database directory (default is ~/.netscape)
   -a                Input the certificate in ASCII (RFC1113); default is binary
   -P dbprefix       Cert & Key database prefix
   -X                force the database to open R/W

-R              Generate a certificate request (stdout)
   -s subject        Specify the subject name (using RFC1485)
   -o output-req     Output the cert request to this file
   -k key-type-or-id Type of key pair to generate ("dsa", "ec", "rsa" (default))
                     or nickname of the cert key to use 
   -h token-name     Name of token in which to generate key (default is internal)
   -g key-size       Key size in bits, RSA keys only (min 512, max 8192, default 1024)
   -q pqgfile        Name of file containing PQG parameters (dsa only)
   -q curve-name     Elliptic curve name (ec only)
                     See the "-G" option for a full list of supported names.
   -f pwfile         Specify the password file
   -d keydir         Key database directory (default is ~/.netscape)
   -P dbprefix       Cert & Key database prefix
   -p phone          Specify the contact phone number ("123-456-7890")
   -a                Output the cert request in ASCII (RFC1113); default is binary
   See -S for available extension options 
   See -G for available key flag options 

-V              Validate a certificate
   -n cert-name      The nickname of the cert to Validate
   -b time           validity time ("YYMMDDHHMMSS[+HHMM|-HHMM|Z]")
   -e                Check certificate signature 
   -u certusage      Specify certificate usage:
                          C      SSL Client
                          V      SSL Server
                          L      SSL CA
                          A      Any CA
                          Y      Verify CA
                          S      Email signer
                          R      Email Recipient
                          O      OCSP status responder
                          J      Object signer
   -d certdir        Cert database directory (default is ~/.netscape)
   -a                Input the certificate in ASCII (RFC1113); default is binary
   -P dbprefix       Cert & Key database prefix
   -X                force the database to open R/W

-W              Change the key database password
   -d certdir        cert and key database directory
   -f pwfile         Specify a file with the current password
   -@ newpwfile      Specify a file with the new password in two lines

--upgrade-merge Upgrade an old database and merge it into a new one
   -d certdir        Cert database directory to merge into (default is ~/.netscape)
   -P dbprefix       Cert & Key database prefix of the target database
   -f pwfile         Specify the password file for the target database
   --source-dir certdir 
                     Cert database directory to upgrade from
   --source-prefix dbprefix 
                     Cert & Key database prefix of the upgrade database
   --upgrade-id uniqueID 
                     Unique identifier for the upgrade database
   --upgrade-token-name name 
                     Name of the token while it is in upgrade state
   -@ pwfile         Specify the password file for the upgrade database

--merge         Merge source database into the target database
   -d certdir        Cert database directory of target (default is ~/.netscape)
   -P dbprefix       Cert & Key database prefix of the target database
   -f pwfile         Specify the password file for the target database
   --source-dir certdir 
                     Cert database directory of the source database
   --source-prefix dbprefix 
                     Cert & Key database prefix of the source database
   -@ pwfile         Specify the password file for the source database

-S              Make a certificate and add to database
   -n key-name       Specify the nickname of the cert
   -s subject        Specify the subject name (using RFC1485)
   -c issuer-name    The nickname of the issuer cert
   -t trustargs      Set the certificate trust attributes (see -A above)
   -k key-type-or-id Type of key pair to generate ("dsa", "ec", "rsa" (default))
   -h token-name     Name of token in which to generate key (default is internal)
   -g key-size       Key size in bits, RSA keys only (min 512, max 8192, default 1024)
   -q pqgfile        Name of file containing PQG parameters (dsa only)
   -q curve-name     Elliptic curve name (ec only)
                     See the "-G" option for a full list of supported names.
   -x                Self sign
   -m serial-number  Cert serial number
   -w warp-months    Time Warp
   -v months-valid   Months valid (default is 3)
   -f pwfile         Specify the password file
   -d certdir        Cert database directory (default is ~/.netscape)
   -P dbprefix       Cert & Key database prefix
   -p phone          Specify the contact phone number ("123-456-7890")
   -1                Create key usage extension
   -2                Create basic constraint extension
   -3                Create authority key ID extension
   -4                Create crl distribution point extension
   -5                Create netscape cert type extension
   -6                Create extended key usage extension
   -7 emailAddrs     Create an email subject alt name extension
   -8 DNS-names      Create a DNS subject alt name extension
   --extAIA          Create an Authority Information Access extension
   --extSIA          Create a Subject Information Access extension
   --extCP           Create a Certificate Policies extension
   --extPM           Create a Policy Mappings extension
   --extPC           Create a Policy Constraints extension
   --extIA           Create an Inhibit Any Policy extension
   --extSKID         Create a subject key ID extension
   See -G for available key flag options 
   --extNC           Create a name constraints extension
   --extSAN type:name[,type:name]... 
                     Create a Subject Alt Name extension with one or multiple names
                     - type: directory, dn, dns, edi, ediparty, email, ip, ipaddr,
                             other, registerid, rfc822, uri, x400, x400addr
   --extGeneric OID:critical-flag:filename[,OID:critical-flag:filename]... 
                     Add one or multiple extensions that certutil cannot encode yet,
                     by loading their encodings from external files.
                     - OID (example): 1.2.3.4
                     - critical-flag: critical or not-critical
                     - filename: full path to a file containing an encoded extension

1.2 部分使用

1.2.1 生成新的安全數(shù)據(jù)庫(kù)

在指定的目錄certdir里生成新的安全數(shù)據(jù)庫(kù)文件,如果要生成 key3.db 文件,你需要用到“密鑰數(shù)據(jù)工具”或其他指定的工具:

certutil -N -d certdir

1.2.2 列出安全數(shù)據(jù)庫(kù)中的證書(shū)

列出指定的目錄certdir的所有證書(shū):

certutil -L -d certdir

1.2.3 創(chuàng)建證書(shū)

一個(gè)有效的證書(shū)必須是受信任的根CA頒發(fā)的,如果一個(gè)CA密鑰對(duì)無(wú)效,你可以用參數(shù) -x 創(chuàng)建一個(gè)自簽名證書(shū)(目的是為了頒發(fā))。本例在指定的目錄 certdir 中創(chuàng)建一個(gè)名為 myissuer 的自簽名證書(shū):

certutil -S -s "CN=My Issuer" -n myissuer -x -t "C,C,C" -1 -2 -5 -m 1234 -f password-file -d certdir

1.2.4 添加證書(shū)到數(shù)據(jù)庫(kù)中

添加一個(gè)證書(shū)到證書(shū)數(shù)據(jù)庫(kù)中:

certutil -A -n jsmith@netscape.com -t "p,p,p" -i mycert.crt -d certdir

1.3 配置mailx的實(shí)例使用

1、編輯mail的配置文件

[root@localhost ~]# vim /etc/mail.rc
set from=spendemail@qq.com                                      # 發(fā)送郵件后顯示的郵件發(fā)送方
set smtp=smtp.qq.com                                            # qq smtp郵件服務(wù)器
set smtp-auth-user=youremail@qq.com                             # 你的qq郵箱
set smtp-auth-password=yourpass                                 # 你的qq郵箱密碼(設(shè)置頁(yè)面加密后的授權(quán)碼)
set smtp-auth=login                                             # 動(dòng)作、登錄
set smtp-use-starttls                                           # 安全連接傳輸
set ssl-verify=ignore                                           # 忽略ssl驗(yàn)證
set nss-config-dir=/root/.certs                                 # 證書(shū)路徑

2、添加郵箱證書(shū)到本地

# 創(chuàng)建證書(shū)目錄
[root@localhost ~]# mkdir -p /root/.certs/
# 獲取證書(shū)內(nèi)容(可分開(kāi)執(zhí)行查看過(guò)程)                     
[root@localhost ~]# echo -n | openssl s_client -connect smtp.qq.com:465 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ~/.certs/qq.crt
# 添加證書(shū)到數(shù)據(jù)庫(kù)
[root@localhost ~]# certutil -A -n "GeoTrust SSL CA" -t "C,," -d ~/.certs -i ~/.certs/qq.crt
[root@localhost ~]# certutil -A -n "GeoTrust Global CA" -t "C,," -d ~/.certs -i ~/.certs/qq.crt
# 列出指定目錄下的證書(shū)
[root@localhost ~]# certutil -L -d /root/.certs
# 指明受新人證書(shū)、防報(bào)錯(cuò)
[root@localhost ~]# certutil -A -n "GeoTrust SSL CA - G3" -t "Pu,Pu,Pu" -d ~/.certs -i ~/.certs/qq.crt
最后編輯于
?著作權(quán)歸作者所有,轉(zhuǎn)載或內(nèi)容合作請(qǐng)聯(lián)系作者
【社區(qū)內(nèi)容提示】社區(qū)部分內(nèi)容疑似由AI輔助生成,瀏覽時(shí)請(qǐng)結(jié)合常識(shí)與多方信息審慎甄別。
平臺(tái)聲明:文章內(nèi)容(如有圖片或視頻亦包括在內(nèi))由作者上傳并發(fā)布,文章內(nèi)容僅代表作者本人觀點(diǎn),簡(jiǎn)書(shū)系信息發(fā)布平臺(tái),僅提供信息存儲(chǔ)服務(wù)。

相關(guān)閱讀更多精彩內(nèi)容

友情鏈接更多精彩內(nèi)容