| field | value | timestamp |
|---|---|---|
| author | Peter Bengtsson <mail@peterbe.com> | 2020-12-08 14:40:17 -0500 |
| committer | Peter Bengtsson <mail@peterbe.com> | 2020-12-08 14:40:17 -0500 |
| commit | 33058f2b292b3a581333bdfb21b8f671898c5060 (patch) | |
| tree | 51c3e392513ec574331b2d3f85c394445ea803c6 /files/zh-cn/nss | |
| parent | 8b66d724f7caf0157093fb09cfec8fbd0c6ad50a (diff) | |
| download | translated-content-33058f2b292b3a581333bdfb21b8f671898c5060.tar.gz translated-content-33058f2b292b3a581333bdfb21b8f671898c5060.tar.bz2 translated-content-33058f2b292b3a581333bdfb21b8f671898c5060.zip | |
initial commit
Diffstat (limited to 'files/zh-cn/nss')

| mode | file | lines |
|---|---|---|
| -rw-r--r-- | files/zh-cn/nss/building/index.html | 116 |
| -rw-r--r-- | files/zh-cn/nss/index.html | 172 |
| -rw-r--r-- | files/zh-cn/nss/introduction_to_network_security_services/index.html | 148 |
| -rw-r--r-- | files/zh-cn/nss/key_log_format/index.html | 20 |
| -rw-r--r-- | files/zh-cn/nss/overview/index.html | 71 |
| -rw-r--r-- | files/zh-cn/nss/tools/index.html | 89 |
| -rw-r--r-- | files/zh-cn/nss/tools/nss_工具_certutil/index.html | 924 |

7 files changed, 1540 insertions, 0 deletions
diff --git a/files/zh-cn/nss/building/index.html b/files/zh-cn/nss/building/index.html new file mode 100644 index 0000000000..2d7adf09b2 --- /dev/null +++ b/files/zh-cn/nss/building/index.html 
@@ -0,0 +1,116 @@ +--- +title: Building NSS +slug: NSS/Building +translation_of: Mozilla/Projects/NSS/Building +--- +<p><font face="x-locale-heading-primary, zillaslab, Palatino, Palatino Linotype, x-locale-heading-secondary, serif"><span style="font-size: 37.33327865600586px;"><strong>介绍</strong></span></font></p> + + + +<p>此页包含有关如何构建NSS的详细信息。因为NSS是一个跨平台的库,它构建在许多不同的平台上,并且有许多选项,所以构建起来可能很复杂。在尝试构建之前,请仔细阅读这些说明。</p> + +<h2 id="Build_环境">Build 环境</h2> + +<p>NSS需要一个C和C++编译器。它有最小的依赖关系,包括标准的C和C++库,再加上ZLIB。</p> + +<p>For building, you also need <a href="https://www.gnu.org/software/make/">make</a>. Ideally, also install <a href="https://gyp.gsrc.io/">gyp</a> and <a href="https://ninja-build.org/">ninja</a> and put them on your path. This is recommended, as the build is faster and more reliable.</p> + +<h3 id="Windows">Windows</h3> + +<p>Windows上的NSS编译使用与Mozilla Firefox相同的共享生成系统。 你必须先安装 <a href="/en-US/docs/Developer_Guide/Build_Instructions/Windows_Prerequisites">Windows Prerequisites</a>, 包括 <strong>MozillaBuild</strong>.</p> + +<p>您还可以在Windows子系统上为Linux构建NSS,但是生成的二进制文件不能被其他Windows应用程序使用。</p> + +<p><font face="x-locale-heading-primary, zillaslab, Palatino, Palatino Linotype, x-locale-heading-secondary, serif"><span style="font-size: 37.33327865600586px;"><strong>获取源码</strong></span></font></p> + + + +<p>NSS和NSPR像其他Mozilla项目一样使用Mercurial进行源代码管理。 要查看NSS和NSPR的最新源(可能不是稳定版本的一部分),请使用以下命令:</p> + +<pre>hg clone https://hg.mozilla.org/projects/nspr +hg clone https://hg.mozilla.org/projects/nss +</pre> + +<p>To get the source of a specific release, see <a href="/en-US/docs/Mozilla/Projects/NSS/NSS_Releases">NSS Releases</a>.</p> + +<dl> + <dd> + <dl> + </dl> + </dd> +</dl> + +<h2 id="Build">Build</h2> + +<p>Build NSS using our build script:</p> + +<pre>nss/build.sh +</pre> + +<p>This builds both NSPR and NSS.</p> + +<h2 id="Build_with_make">Build with make</h2> + +<p>Alternatively, there is a <code>make</code> target called "nss_build_all", which produces a similar result. 
This supports some alternative options, but can be a lot slower.</p> + +<pre>make -C nss nss_build_all USE_64=1 +</pre> + +<p>The make-based build system for NSS uses a variety of variables to control the build. Below are some of the variables, along with possible values they may be set to.</p> + +<dl> + <dt>BUILD_OPT</dt> + <dd> + <dl> + <dt>0</dt> + <dd>Build a debug (non-optimized) version of NSS. <em>This is the default.</em></dd> + <dt>1</dt> + <dd>Build an optimized (non-debug) version of NSS.</dd> + </dl> + </dd> + <dt>USE_64</dt> + <dd> + <dl> + <dt>0</dt> + <dd>Build for a 32-bit environment/ABI. <em>This is the default.</em></dd> + <dt>1</dt> + <dd>Build for a 64-bit environment/ABI. <em>This is recommended.</em></dd> + </dl> + </dd> + <dt>USE_ASAN</dt> + <dd> + <dl> + <dt>0</dt> + <dd>Do not create an <a href="http://clang.llvm.org/docs/AddressSanitizer.html">AddressSanitizer</a> build. <em>This is the default.</em></dd> + <dt>1</dt> + <dd>Create an AddressSanitizer build.</dd> + </dl> + </dd> +</dl> + +<h2 id="单元测试">单元测试</h2> + +<p>NSS包含大量的单元测试。运行这些测试的脚本可以在测试目录中找到。 通过以下方式运行标准套件:</p> + +<pre>HOST=localhost DOMSUF=localdomain USE_64=1 nss/tests/all.sh</pre> + +<h3 id="单元测试配置">单元测试配置</h3> + +<p>NSS测试是使用环境变量配置的。<br> + 脚本将尝试推断主机和DOMSUF的值,但可能会失败。 用主机名和域后缀替换localhost和localdomain。 您需要能够连接到$HOST.$DOMSUF。</p> + +<p>如果没有域后缀,则可以将条目添加到/etc/hosts (on Windows,<code> c:\Windows\System32\drivers\etc\hosts</code>) as follows:</p> + +<pre><code>127.0.0.1 localhost.localdomain</code></pre> + +<p>验证是否打开命令shell并键入: <code>ping localhost.localdomain</code>.</p> + +<p>Remove the <code>USE_64=1</code> override if using a 32-bit build.</p> + +<h3 id="测试结果">测试结果</h3> + +<p>运行所有测试可能需要相当长的时间。</p> + +<p>测试输出存储在tests_results/security/$HOST.$NUMBER/中。 文件results.html概要结果,output.log捕获所有测试输出。</p> + +<p>nss/tests的其他子目录包含运行完整套件子集的脚本。 它们可以直接运行,而不是all.sh,这可能会节省一些时间,但会降低覆盖率。</p> 
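Review bot: the two section titles 介绍 and 获取源码 are emitted as styled paragraphs (`<p><font face="x-locale-heading-primary, …"><span style="font-size: 37.33327865600586px;"><strong>介绍</strong></span></font></p>`) instead of headings, so they get no id, no table-of-contents entry and no outline level, while the sibling sections in the same file already use `<h2 id="Build_环境">Build 环境</h2>` and `<h2 id="单元测试">单元测试</h2>`; replace each with an `<h2 id="…">` and drop the copied rendering styles. The empty nested `<dl><dd><dl></dl></dd></dl>` after the NSS Releases paragraph should go as well. The translation is partial and switches language mid-sentence in the hosts-file paragraph ("如果没有域后缀,则可以将条目添加到/etc/hosts (on Windows, c:\Windows\System32\drivers\etc\hosts) as follows:"), and "验证是否打开命令shell并键入: ping localhost.localdomain" no longer says what the English meant (open a command shell and verify by running `ping localhost.localdomain`); either finish the translation or add the NeedsTranslation tag that the other stubs in this commit carry. Minor: `<code> c:\Windows\System32\drivers\etc\hosts</code>` has a stray leading space inside the code element.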
diff --git a/files/zh-cn/nss/index.html b/files/zh-cn/nss/index.html new file mode 100644 index 0000000000..d12ceec9a1 --- /dev/null +++ b/files/zh-cn/nss/index.html 
@@ -0,0 +1,172 @@ +--- +title: Network Security Services +slug: NSS +tags: + - JSS + - NSS + - NeedsMigration + - NeedsTranslation + - TopicStub +translation_of: Mozilla/Projects/NSS +--- +<p><strong>网络安全服务</strong> (<strong>NSS</strong>) 是一组旨在支持支持安全的客户端和服务器应用程序跨平台开发的库。使用NSS构建的应用程序可以支持 SSL v2 和 v3 、TLS 、 PKCS #5 、 PKCS #7 、 PKCS #11 、 PKCS #12 、 S/MIME 、 X.509 v3 证书以及其他安全标准。</p> + +<p>有关支持的标准的详细信息,请参阅<a href="/en-US/docs/Overview_of_NSS" title="Overview_of_NSS">NSS概述</a>。有关常见问题的列表,请参阅<a href="/en-US/docs/NSS_FAQ" title="NSS_FAQ">FAQ</a>。</p> + +<p>NSS可在Mozilla公共许可证下使用。有关将NSS发布版本下载为tar文件的信息,请参阅<a href="https://developer.mozilla.org/en-US/docs/NSS_Sources_Building_Testing">下载PKI源文件</a>。</p> + +<p>如果您是一名开发人员,并希望为NSS做出贡献,您可能需要阅读<a href="/en-US/docs/An_overview_of_NSS_Internals" title="/en-US/docs/An_overview_of_NSS_Internals">NSS内部详细信息的文档高级概述</a>,并<a href="/en-US/docs/Getting_Started_With_NSS" title="/en-US/docs/Getting_Started_With_NSS">开始使用NSS</a>。</p> + +<table class="topicpage-table"> + <tbody> + <tr> + <td> + <h2 class="Documentation" id="Documentation" name="Documentation">文档</h2> + + <h3 id="背景信息">背景信息</h3> + + <dl> + <dt><a href="Overview_of_NSS">NSS概况</a></dt> + <dd>NSS简介及功能说明</dd> + <dt><a href="NSS_FAQ">NSS答疑</a></dt> + <dd>常见基础问题解答</dd> + <dt><a href="Introduction_to_Public-Key_Cryptography">公钥加密技术简介</a></dt> + <dd>解释NSS背后公钥加密技术的基础概念</dd> + <dt><a href="Introduction_to_SSL">SSL简介</a></dt> + <dd>介绍SSL协议,包括其支持的加密密码相关的信息以及SSL握手过程中的相关步骤</dd> + </dl> + + <h3 id="开始使用">开始使用</h3> + + <dl> + <dt><a href="/en-US/docs/NSS/NSS_Releases" title="NSS_releases">NSS发布版本页面</a></dt> + <dd>页面中包含最新以及历史版本的NSS发布版的内容。</dd> + <dt><a href="NSS_Sources_Building_Testing">获取并运行源代码</a></dt> + <dd>说明如何在不同支持的平台上构建NSS</dd> + <dt><a href="Developer_Guide/Source_Code/Mercurial">使用Mercurial获取Mozilla的源代码</a></dt> + <dd>说明如何使用Mercurial进行工作</dd> + <dt><a href="Mozilla_Source_Code_Via_CVS">使用CVS获取Mozilla的源代码(已弃用)</a></dt> + <dd>已废弃的旧版本CVS文档</dd> + </dl> + + <h3 id="NSS_API文档">NSS API文档</h3> + + 
<dl> + <dt><a href="Introduction_to_Network_Security_Services">网络安全服务介绍</a></dt> + <dd>提供NSS库的概览与使用他们所需的前置知识</dd> + <dt><a href="NSS/SSL_functions">NSS SSL公用函数</a></dt> + <dd>总结NSS共享库暴露的SSL API</dd> + <dt><a href="NSS_reference">NSS Reference</a></dt> + <dd>API used to invoke SSL operations.</dd> + <dt><a href="NSS/NSS_API_GUIDELINES">NSS API Guidelines</a></dt> + <dd>Explains how the libraries and code are organized, and guidelines for developing code (naming conventions, error handling, thread safety, etc.)</dd> + <dt><a href="NSS/nss_tech_notes">NSS Technical Notes</a></dt> + <dd>Links to NSS technical notes, which provide latest information about new NSS features and supplementary documentation for advanced topics in programming with NSS.</dd> + </dl> + + <h3 id="工具、测试和其他技术细节"><span class="short_text" id="result_box" lang="zh-CN"><span>工具、测试和其他技术细节</span></span></h3> + + <dl> + <dt><a href="NSS_Sources_Building_Testing">Build Instructions for NSS</a></dt> + <dd>Describe how to check out and build NSS releases.</dd> + <dt><a href="NSS/Tools">NSS Tools</a></dt> + <dd>Tools for developing, debugging, and managing applications that use NSS.</dd> + <dt><a href="NSS/NSS_Sample_Code">Sample Code</a></dt> + <dd>Demonstrates how NSS can be used for cryptographic operations, certificate handling, SSL, etc.</dd> + <dt><a href="http://www-archive.mozilla.org/projects/security/pki/nss/testnss_32.html">NSS 3.2 Test Suite</a></dt> + <dd><strong>Archived version.</strong> Describes how to run the standard NSS tests.</dd> + <dt><a href="http://www-archive.mozilla.org/projects/security/pki/nss/performance_reports.html">NSS Performance Reports</a></dt> + <dd><strong>Archived version.</strong> Links to performance reports for NSS 3.2 and later releases.</dd> + <dt><a href="http://www-archive.mozilla.org/projects/security/pki/nss/nss-3.11/nss-3.11-algorithms.html">Encryption Technologies Available in NSS 3.11</a></dt> + <dd><strong>Archived version.</strong> Lists the cryptographic 
algorithms used by NSS 3.11.</dd> + <dt><a href="http://www-archive.mozilla.org/projects/security/pki/nss/loadable_certs.html">NSS 3.1 Loadable Root Certificates</a></dt> + <dd><strong>Archived version.</strong> Describes the scheme for loading root CA certificates.</dd> + <dt><a href="http://www-archive.mozilla.org/projects/security/pki/nss/db_formats.html">cert7.db</a></dt> + <dd><strong>Archived version.</strong> General format of the cert7.db database.</dd> + </dl> + + <h3 id="PKCS_11_information">PKCS #11 information</h3> + + <ul> + <li><a href="/en-US/docs/PKCS11" title="PKCS11">Documentation on PKCS #11 modules</a></li> + <li><a href="en/PKCS11_Implement">Implementing PKCS #11 for NSS</a></li> + <li><a href="/en-US/docs/PKCS11_Module_Specs" title="PKCS11_Module_Specs">The strings NSS uses to load PKCS #11 modules</a></li> + <li><a href="en/PKCS11_FAQ">PKCS #11 FAQ</a></li> + <li><a href="en/PKCS11_Jar_Install">Using the JAR Installation Manager to Install a PKCS #11 Cryptographic Module</a></li> + <li><a href="http://www-archive.mozilla.org/projects/security/pki/pkcs11/">PKCS #11 Conformance Testing - Archived version</a></li> + </ul> + + <dl> + </dl> + + <h3 id="CA_certificates_pre-loaded_into_NSS">CA certificates pre-loaded into NSS</h3> + + <ul> + <li><a href="http://www.mozilla.org/projects/security/certs/policy/">Mozilla CA certificate policy</a></li> + <li><a href="http://www.mozilla.org/projects/security/certs/included/">List of pre-loaded CA certificates</a></li> + </ul> + + <dl> + </dl> + + <h3 id="NSS_is_built_on_top_of_Netscape_Portable_Runtime_(NSPR)">NSS is built on top of Netscape Portable Runtime (NSPR)</h3> + + <dl> + <dt><a href="NSPR">Netscape Portable Runtime</a></dt> + <dd>NSPR project page.</dd> + <dt><a href="NSPR_API_Reference">NSPR Reference</a></dt> + <dd>NSPR API documentation.</dd> + </dl> + + <h3 id="附加信息"><span class="short_text" id="result_box" lang="zh-CN"><span>附加信息</span></span></h3> + + <ul> + <li><a 
href="/en-US/docs/JavaScript_crypto" title="JavaScript_crypto">Using the window.crypto object from JavaScript</a></li> + <li><a href="/en-US/docs/HTTP_Delegation" title="HTTP_Delegation">Delegation of HTTP download for OCSP</a></li> + <li><a href="/en-US/docs/TLS_Cipher_Suite_Discovery" title="TLS_Cipher_Suite_Discovery">TLS Cipher Suite Discovery</a></li> + <li><a href="/en-US/docs/NSS_Certificate_Download_Specification" title="NSS_Certificate_Download_Specification">NSS Certificate Download Specification</a></li> + <li><a href="/en-US/docs/NSS/FIPS_Mode_-_an_explanation" title="FIPS Mode - an explanation">FIPS Mode - an explanation</a></li> + <li><a href="/en-US/docs/NSS_Key_Log_Format" style="text-decoration: none; color: rgb(4, 137, 183) !important; cursor: default;" title="NSS Key Log Format">Format of key log files</a></li> + <li>View <a href="/en-US/docs/tag/NSS" title="/en-US/docs/tag/NSS">all NSS-related articles on MDC</a></li> + </ul> + + <h3 id="测试"><span class="short_text" id="result_box" lang="zh-CN"><span>测试</span></span></h3> + + <ul> + <li><a href="/en-US/docs/Testing_third-party_PKCS#11_modules.2Ftokens_with_NSS" title="Testing_third-party_PKCS#11_modules.2Ftokens_with_NSS">Testing third-party PKCS #11 modules/tokens with NSS</a></li> + </ul> + + <h3 id="计划">计划</h3> + + <p>Information on NSS planning can be found at <a class="external" href="http://wiki.mozilla.org/NSS">wiki.mozilla.org</a>, including:</p> + + <ul> + <li><a class="external" href="http://wiki.mozilla.org/FIPS_Validation">FIPS Validation</a></li> + <li><a class="external" href="http://wiki.mozilla.org/NSS:Roadmap">NSS Roadmap page</a></li> + <li><a href="https://fedoraproject.org/wiki/User:Mitr/NSS:DeveloperFriendliness" title="https://fedoraproject.org/wiki/User:Mitr/NSS:DeveloperFriendliness">NSS Improvement Project</a></li> + </ul> + </td> + <td> + <h2 class="Community" id="Community" name="Community">社区</h2> + + <ul> + <li>查看Mozilla安全论坛...</li> + </ul> + + <p>{{ 
DiscussionList("dev-security", "mozilla.dev.security") }}</p> + + <ul> + <li>查看Mozilla加密论坛...</li> + </ul> + + <p>{{ DiscussionList("dev-tech-crypto", "mozilla.dev.tech.crypto") }}</p> + + <h2 class="Related_Topics" id="Related_Topics" name="Related_Topics">相关话题</h2> + + <ul> + <li><a href="/en-US/docs/Security" title="Security">安全</a></li> + </ul> + </td> + </tr> + </tbody> +</table> diff --git a/files/zh-cn/nss/introduction_to_network_security_services/index.html b/files/zh-cn/nss/introduction_to_network_security_services/index.html new file mode 100644 index 0000000000..a65951eb1f --- /dev/null +++ b/files/zh-cn/nss/introduction_to_network_security_services/index.html 
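Review bot: three headings in files/zh-cn/nss/index.html are wrapped in `<span class="short_text" id="result_box" lang="zh-CN">` (工具、测试和其他技术细节, 附加信息, 测试), which is markup copied out of a machine-translation widget's result box; it repeats the id `result_box` three times in one document, which is invalid HTML, and a per-heading `lang="zh-CN"` is redundant on a zh-cn page. Unwrap them to plain `<h3 id="…">…</h3>` like the neighbouring headings. The key-log link likewise keeps inline rendering styles (`style="text-decoration: none; color: rgb(4, 137, 183) !important; cursor: default;"`) that should be dropped, and the two empty `<dl></dl>` blocks after the PKCS #11 and CA-certificate lists add nothing. In the first paragraph "旨在支持支持安全的客户端" doubles 支持. Link targets mix three schemes (`/en-US/docs/NSS/NSS_Releases`, bare `Overview_of_NSS` and `NSS_FAQ`, and `en/PKCS11_Implement`); relative to the zh-CN slug these will not all resolve, so pick one scheme for the page.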
@@ -0,0 +1,148 @@ +--- +title: Introduction to Network Security Services +slug: NSS/Introduction_to_Network_Security_Services +translation_of: Mozilla/Projects/NSS/Introduction_to_Network_Security_Services +--- +<p><strong>Network Security Services (NSS)</strong> 是被设计为支持跨平台开发支持SSL,S/MIME和他气网络安全标准一组库。有关NSS及其支持的标准的概述,请参见<a href="/en-US/docs/Mozilla/Projects/NSS/Overview">Overview of NSS</a>.</p> + +<h3 id="Shared_Libraries" name="Shared_Libraries">共享库</h3> + +<p>网络安全服务提供静态库和共享库。 使用共享库的应用程序必须只使用它们导出的api。 三个共享库导出公共功能:</p> + +<ul> + <li>SSL库支持核心SSL操作。</li> + <li>S/MIME库支持核心S/MIME操作。</li> + <li>NSS库支持核心加密操作。</li> +</ul> + +<p>We guarantee that applications using the exported APIs will remain compatible with future versions of those libraries. For a complete list of public functions exported by these shared libraries in NSS 3.2, see <a href="/en-US/docs/NSS_functions">NSS functions</a>.</p> + +<p>For information on which static libraries in NSS 3.1.1 are replaced by each of the above shared libraries in NSS 3.2 , see <a class="external" href="https://www-archive.mozilla.org/projects/security/pki/nss/release_notes_32.html#migration">Migration from NSS 3.1.1</a>.</p> + +<p>Figure 1, below, shows a simplified view of the relationships among the three shared libraries listed above and NSPR, which provides low-level cross platform support for operations such as threading and I/O. (Note that NSPR is a separate Mozilla project; see <a href="/en-US/docs/Mozilla/Projects/NSPR">Netscape Portable Runtime</a> for details.)</p> + +<dl> + <dt>Figure 1 Relationships among core NSS libraries and NSPR</dt> +</dl> + +<p><img alt="Diagram showing the relationships among core NSS libraries and NSPR." 
src="/files/577/Nss.gif"></p> + +<h3 id="Naming_Conventions_and_Special_Libraries" name="Naming_Conventions_and_Special_Libraries">Naming conventions and special libraries</h3> + +<p>Windows and Unix use different naming conventions for static and dynamic libraries:</p> + +<table class=" standard-table"> + <tbody> + <tr> + <th></th> + <th>Windows</th> + <th>Unix</th> + </tr> + <tr> + <th>static</th> + <td><code>.lib</code></td> + <td><code>.a</code></td> + </tr> + <tr> + <th>dynamic</th> + <td><code>.dll</code></td> + <td><code>.so</code> or <code>.sl</code></td> + </tr> + </tbody> +</table> + +<p>In addition, Windows has "import" libraries that bind to dynamic libraries. So the NSS library has the following forms:</p> + +<ul> + <li><code>libnss3.so</code> - Unix shared library</li> + <li><code>libnss3.sl</code> - HP-UX shared library</li> + <li><code>libnss.a</code> - Unix static library</li> + <li><code>nss3.dll</code> - Windows shared library</li> + <li><code>nss3.lib</code> - Windows import library binding to <code>nss3.dll</code></li> + <li><code>nss.lib</code> - Windows static library</li> +</ul> + +<p>NSS, SSL, and S/MIME have all of the above forms.</p> + +<p>The following static libaries aren't included in any shared libraries</p> + +<ul> + <li><code>libcrmf.a</code>/<code>crmf.lib</code> provides an API for CRMF operations.</li> + <li><code>libjar.a</code>/<code>jar.lib</code> provides an API for creating JAR files.</li> +</ul> + +<p>The following static libaries are included only in external loadable PKCS #11 modules:</p> + +<ul> + <li><code>libnssckfw.a</code>/<code>nssckfw.lib</code> provides an API for writing PKCS #11 modules.</li> + <li><code>libswfci.a</code>/<code>swfci.lib</code> provides support for software FORTEZZA.</li> +</ul> + +<p>The following shared libraries are standalone loadable modules, not meant to be linked with directly:</p> + +<ul> + <li><code>libfort.so</code>/<code>libfort.sl</code>/<code>fort32.dll</code> provides support for 
hardware FORTEZZA.</li> + <li><code>libswft.so</code>/<code>libswft.sl</code>/<code>swft32.dll</code> provides support for software FORTEZZA.</li> + <li><code>libnssckbi.so</code>/<code>libnssckbi.sl</code>/<code>nssckbi.dll</code> defines the default set of trusted root certificates.</li> +</ul> + +<h3 id="Support_for_ILP32" name="Support_for_ILP32">Support for ILP32</h3> + +<p>In NSS 3.2 and later versions, there are two new shared libraries for the platforms HP-UX for PARisc CPUs and Solaris for (Ultra)Sparc (not x86) CPUs. These HP and Solaris platforms allow programs that use the ILP32 program model to run on both 32-bit CPUs and 64-bit CPUs. The two libraries exist to provide optimal performance on each of the two types of CPUs.</p> + +<p>These two extra shared libraries are not supplied on any other platforms. The names of these libraries are platform-dependent, as shown in the following table.</p> + +<table class="standard-table" style="width: 100%;"> + <tbody> + <tr> + <th>Platform</th> + <th>for 32-bit CPUs</th> + <th>for 64-bit CPUs</th> + </tr> + <tr> + <td>Solaris/Sparc</td> + <td><code>libfreebl_pure32_3.so</code></td> + <td><code>libfreebl_hybrid_3.so</code></td> + </tr> + <tr> + <td>HPUX/PARisc</td> + <td><code>libfreebl_pure32_3.sl</code></td> + <td><code>libfreebl_hybrid_3.sl</code></td> + </tr> + <tr> + <td>AIX (planned for a future release)</td> + <td><code>libfreebl_pure32_3_shr.a</code></td> + <td><code>libfreebl_hybrid_3_shr.a</code></td> + </tr> + </tbody> +</table> + +<p>An application should not link against these libraries, because they are dynamically loaded by NSS at run time. Linking the application against one or the other of these libraries may produce an application program that can only run on one type of CPU (e.g. 
only on 64-bit CPUs, not on 32-bit CPUs) or that doesn't use the more efficient 64-bit code on 64-bit CPUs, which defeats the purpose of having these shared libraries.</p> + +<p>On platforms for which these shared libraries exist, NSS 3.2 will fail if these shared libs are not present. So, an application must include these files in its distribution of NSS shared libraries. These shared libraries should be installed in the same directory where the other NSS shared libraries (such as <code>libnss3.so</code>) are installed. Both shared libs should always be installed whether the target system has a 32-bit CPU or a 64-bit CPU. NSS will pick the right one for the local system at run time.</p> + +<p>Note that NSS 3.x is also available in the LP64 model for these platforms, but the LP64 model of NSS 3.x does not have these two extra shared libraries.</p> + +<h3 id="What_You_Should_Already_Know" name="What_You_Should_Already_Know">What you should already know</h3> + +<p>在使用NSS之前,您应该熟悉以下主题:</p> + +<ul> + <li>公钥密码的概念和技术</li> + <li>安全套接字层(SSL)协议</li> + <li>PKCS#11加密令牌接口标准</li> + <li>跨平台开发问题和技术</li> +</ul> + +<h3 id="Where_to_Find_More_Information" name="Where_to_Find_More_Information">Where to find more information</h3> + +<p>For information about PKI and SSL that you should understand before using NSS, see the following:</p> + +<ul> + <li><a href="/en-US/docs/Introduction_to_Public-Key_Cryptography">Introduction to Public-Key Cryptography</a></li> + <li><a href="/en-US/docs/Introduction_to_SSL">Introduction to SSL</a></li> +</ul> + +<p>For links to API documentation, build instructions, and other useful information, see the <a href="/en-US/docs/Mozilla/Projects/NSS">NSS Project Page</a>.</p> + +<p>As mentioned above, NSS is built on top of NSPR. The API documentation for NSPR is available at <a href="/en-US/docs/Mozilla/Projects/NSPR/Reference">NSPR API Reference</a>.</p> 
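Review bot: the opening sentence of files/zh-cn/nss/introduction_to_network_security_services/index.html is garbled: "是被设计为支持跨平台开发支持SSL,S/MIME和他气网络安全标准一组库" has a typo (他气 for 其他) and a clause order that makes it unreadable; "是一组旨在支持 SSL、S/MIME 和其他网络安全标准的跨平台开发的库" carries the English meaning. In the same file, "导出的api" should keep the acronym as API, `<table class=" standard-table">` has a leading space in the class attribute (inherited from upstream, but worth fixing while it is being copied), and "static libaries" is misspelled twice in the untranslated part. Only the first paragraph, the 共享库 heading with its three bullets, and the 在使用NSS之前 list are translated; everything from Naming conventions down to Where to find more information is still English, so the page should either be finished or tagged NeedsTranslation like files/zh-cn/nss/index.html.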
diff --git a/files/zh-cn/nss/key_log_format/index.html b/files/zh-cn/nss/key_log_format/index.html new file mode 100644 index 0000000000..a997036b31 --- /dev/null +++ b/files/zh-cn/nss/key_log_format/index.html 
@@ -0,0 +1,20 @@ +--- +title: NSS Key Log Format +slug: NSS/Key_Log_Format +tags: + - NSS Key Log Format +translation_of: Mozilla/Projects/NSS/Key_Log_Format +--- +<div class="note"> +<p>Starting with <a href="https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.24_release_notes">NSS 3.24</a> (around Firefox 48), the <code>SSLKEYLOGFILE</code> approach is disabled by default. Distributors can re-enable it at compile time though which is done for the official Firefox binaries. (See <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1188657">bug 1188657</a>.) it should work again on Firefox >= 50</p> +</div> + +<p>Key logs can be written by NSS so that external programs can decrypt TLS connections. Wireshark 1.6.0 and above can use these log files to decrypt packets. You can tell Wireshark where to find the key file via <em>Edit→Preferences→Protocols→SSL→(Pre)-Master-Secret log filename</em>.</p> + +<p>Key logging is enabled by setting the environment variable <code>SSLKEYLOGFILE <</code>FILE> to point to a file. This file is a series of lines. Comment lines begin with a sharp character ('#'). Otherwise the line takes one of these formats.</p> + +<p><code>RSA</code> <space> <16 bytes of hex encoded encrypted pre master secret> <space> <96 bytes of hex encoded pre master secret></p> + +<p><code>CLIENT_RANDOM</code> <space> <64 bytes of hex encoded <code>client_random</code>> <space> <96 bytes of hex encoded master secret></p> + +<p>The <code>RSA</code> form allows ciphersuites using RSA key-agreement to be logged and is supported in shipping versions of Wireshark. The <code>CLIENT_RANDOM</code> format allows other key-agreement algorithms to be logged but is only supported starting with Wireshark 1.8.0. For Wireshark usage, see <a href="https://wiki.wireshark.org/SSL">SSL - Wireshark Wiki</a>.</p> diff --git a/files/zh-cn/nss/overview/index.html b/files/zh-cn/nss/overview/index.html new file mode 100644 index 0000000000..d452abed79 --- /dev/null 
+++ b/files/zh-cn/nss/overview/index.html 
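Review bot: the format-description lines in files/zh-cn/nss/key_log_format/index.html will not render: `<code>SSLKEYLOGFILE <</code>FILE>`, `<space>`, `<16 bytes of hex encoded encrypted pre master secret>` and `<64 bytes of hex encoded <code>client_random</code>>` use raw angle brackets, so an HTML parser treats `<space>` and `<16 …>` as tags and the placeholders vanish from the rendered page, and the `</code>` closes mid-token. Write them as `&lt;space&gt;`, `&lt;FILE&gt;` and so on, with `<code>SSLKEYLOGFILE</code>` closed before the placeholder. While touching those lines, the counts are hex characters rather than bytes: `client_random` is a 32-byte value written as 64 hex characters, the pre-master secret and master secret are 48 bytes written as 96 hex characters, and the `RSA` line's "16 bytes" are 16 hex characters (the first 8 bytes of the encrypted pre-master secret); saying "hex characters" keeps anyone parsing this file from sizing buffers wrongly. The note box ends with a lowercase fragment ("(See bug 1188657.) it should work again on Firefox >= 50") that should become its own sentence. Nothing in this file is translated and it lacks the NeedsTranslation tag the other stubs carry.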
@@ -0,0 +1,71 @@ +--- +title: Overview of NSS +slug: NSS/Overview +translation_of: Mozilla/Projects/NSS/Overview +--- +<h1 id="Open_Source_Crypto_Libraries">Open Source Crypto Libraries</h1> + +<h3 id="Proven_Application_Security_Architecture" name="Proven_Application_Security_Architecture">Proven Application Security Architecture</h3> + +<p>If you want to add support for SSL, S/MIME, or other Internet security standards to your application, you can use Network Security Services (NSS) to implement all your security features. NSS provides a complete open-source implementation of the crypto libraries used by AOL, Red Hat, Google, and other companies in a variety of products, including the following:</p> + +<ul> + <li><a class="external" href="https://www.mozilla.org/products/">Mozilla products</a>, including <a class="external" href="https://www.mozilla.com/firefox/">Firefox</a>, <a class="external" href="https://www.mozilla.com/thunderbird/">Thunderbird</a>, <a href="https://seamonkey-project.org/">SeaMonkey</a>, and <a href="https://support.mozilla.org/en-US/products/firefox-os">Firefox OS</a>.</li> + <li>AOL Instant Messenger (AIM)</li> + <li>Open source client applications such as <a class="external" href="https://wiki.gnome.org/Apps/Evolution">Evolution</a>, <a href="https://pidgin.im/">Pidgin</a>, <a href="https://www.openoffice.org/">Apache OpenOffice</a>, and <a href="https://www.libreoffice.org">LibreOffice</a>.</li> + <li>Server products from <a class="external" href="https://www.redhat.com/en/technologies">Red Hat</a>: <a class="external" href="https://www.redhat.com/en/technologies/cloud-computing/directory-server">Red Hat Directory Server</a>, <a class="external" href="https://www.redhat.com/en/technologies/cloud-computing/certificate-system">Red Hat Certificate System</a>, and the <a class="external" href="https://directory.fedoraproject.org/docs/389ds/administration/mod-nss.html">mod_nss</a> SSL module for the Apache web server.</li> + <li>Server 
products from Oracle (formerly Sun Java Enterprise System), including <a href="https://www.oracle.com/industries/communications/enterprise/products/messaging-server/index.html">Oracle Communications Messaging Server</a> and <a href="http://www.oracle.com/technetwork/middleware/id-mgmt/overview/index-085178.html">Oracle Directory Server Enterprise Edition</a>.</li> + <li><a href="https://www.suse.com/products/server/">SUSE Linux Enterprise Server</a> supports NSS and the <a class="external" href="https://documentation.suse.com/sles/11-SP4/html/SLES-all/cha-apache2.html#sec-apache2-nss">mod_nss</a> SSL module for the Apache web server.</li> +</ul> + +<p>NSS includes a framework to which developers and OEMs can contribute patches, such as assembler code, to optimize performance on their platforms. NSS 3.x has been certified on 18 platforms.</p> + +<p>For more detailed information about NSS, see <a class="external" href="https://wiki.mozilla.org/NSS">wiki.mozilla.org</a> and <a href="NSS_FAQ">NSS FAQ</a>.</p> + +<p>Source code for a Java interface to NSS is available in the Mozilla CVS tree. For details, see <a class="external" href="JSS">Network Security Services for Java</a>.</p> + +<p>NSS makes use of Netscape Portable Runtime (<a href="/en-US/docs/Mozilla/Projects/NSPR">NSPR</a>), a platform-neutral open-source API for system functions designed to facilitate cross-platform development. Like NSS, NSPR has been battle-tested in multiple products. For more information, see the <a class="external" href="https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSPR">NSPR Project Page</a>.</p> + +<h3 id="Interoperability_and_Open_Standards" name="Interoperability_and_Open_Standards">互操作性和开放标准</h3> + +<p>你可以使用NSS去支持一系列安全标准在你的应用中,包括如下:</p> + +<ul> + <li><a href="en/Glossary#SSL">SSL v3</a>. 
安全套接层协议允许在客户端和服务端相互认证,并且是一个被认证和编码的链接建立.</li> + <li>TLS v1.3 (<a href="https://tools.ietf.org/html/rfc8446">RFC 8446</a>), <a href="https://tools.ietf.org/html/rfc5246">TLS v1.2 (RFC 5246</a>), <a href="https://tools.ietf.org/html/rfc4346">TLS v1.1 (RFC 4346</a>), <a class="external" href="https://www.ietf.org/rfc/rfc2246.txt">TLS v1 (</a><a class="external" href="https://tools.ietf.org/html/rfc2246" title="https://tools.ietf.org/html/rfc2246">RFC 2246</a>). IETF中取代SSL的传输层安全(TLS)协议.</li> + <li><a class="external" href="https://www.rsasecurity.com/rsalabs/pkcs/pkcs-1/index.html">PKCS #1</a>. 提供基于RSA算法的公钥密码的实现.</li> + <li><a class="external" href="https://www.rsasecurity.com/rsalabs/pkcs/pkcs-3/index.html">PKCS #3</a>. 提供Diffie-Hellman密钥协议的实现.</li> + <li><a class="external" href="https://www.rsasecurity.com/rsalabs/pkcs/pkcs-5/index.html">PKCS #5</a>. 提供基于密码学的加密技术RSA标准,例如加密用于存储私钥.</li> + <li><a class="external" href="https://www.rsasecurity.com/rsalabs/pkcs/pkcs-7/index.html">PKCS #7</a>. 提供密码学数据的应用,例如数字签名和数字信封.</li> + <li><a class="external" href="https://www.rsasecurity.com/rsalabs/pkcs/pkcs-8/index.html">PKCS #8</a>. 提供私钥存储和加密.</li> + <li><a class="external" href="https://www.rsasecurity.com/rsalabs/pkcs/pkcs-9/index.html">PKCS #9</a>. 管理选定的属性类型,包括与PKCS#7、PKCS#8和PKCS#10一起使用的属性类型.</li> + <li><a class="external" href="https://www.rsasecurity.com/rsalabs/pkcs/pkcs-10/index.html">PKCS #10</a>. 提供证书请求语法.</li> + <li><a class="external" href="https://www.rsasecurity.com/rsalabs/pkcs/pkcs-11/index.html">PKCS #11</a>. 提供加密令牌(如硬件加速器和智能卡)的通信,并与许应用独立特定算法和实现.</li> + <li><a class="external" href="https://www.rsasecurity.com/rsalabs/pkcs/pkcs-12/index.html">PKCS #12</a>. 提供存储和传输私钥,证书和其他机密格式的标准.</li> + <li><a href="en/Glossary#S.2FMIME">S/MIME (RFC 2311 and RFC 2633)</a>. 
IETF message specification (based on the popular Internet MIME standard) that provides a consistent way to send and receive signed and encrypted MIME data.</li> + <li><a href="https://developer.mozilla.org/en-US/docs/Mozilla/Security/x509_Certificates">X.509 v3</a>. 管理公钥密码中用于身份验证的证书格式的ITU标准.</li> + <li><a href="en/Glossary#OCSP">OCSP (RFC 2560)</a>. The Online Certificate Status Protocol (OCSP) governs real-time confirmation of certificate validity.</li> + <li><a class="external" href="https://www.ietf.org/rfc/rfc3280.txt">PKIX Certificate and CRL Profile (</a><a class="external" href="https://tools.ietf.org/html/rfc3280" title="https://tools.ietf.org/html/rfc3280">RFC 3280</a>). The first part of the four-part standard under development by the Public-Key Infrastructure (X.509) working group of the IETF (known at PKIX) for a public-key infrastructure for the Internet.</li> + <li>RSA, DSA, ECDSA, Diffie-Hellman, EC Diffie-Hellman, <a href="https://en.wikipedia.org/wiki/Advanced_Encryption_Standard">AES</a>, Triple DES, DES, RC2, RC4, SHA-1, SHA-256, SHA-384, SHA-512, MD2, MD5, HMAC: Common cryptographic algorithms used in public-key and symmetric-key cryptography.</li> + <li>FIPS 186-2 伪随机数发生器.</li> +</ul> + +<p>For complete details, see <a class="external" href="https://www.mozilla.org/projects/security/pki/nss/nss-3.11/nss-3.11-algorithms.html">Encryption Technologies</a>.</p> + +<h3 id="FIPS_140_Validation_and_NISCC_Testing" name="FIPS_140_Validation_and_NISCC_Testing">FIPS 140 Validation and NISCC Testing</h3> + +<p>The NSS software crypto module has been validated three times for conformance to FIPS 140 at Security Levels 1 and 2. 
For more information, see the <a href="FIPS_Mode_-_an_explanation">NSS FIPS</a> page (<a class="external" href="https://wiki.mozilla.org/FIPS_Validation">Or this one</a>).</p> + +<p>The NSS libraries passed the NISCC <a class="external" href="https://www.niscc.gov.uk/niscc/docs/re-20030930-00749.pdf?lang=en">TLS/SSL</a> and <a class="external" href="https://www.uniras.gov.uk/niscc/docs/re-20031104-00752.pdf?lang=en">S/MIME</a> test suites (1.6 million test cases of invalid input data).</p> + +<h3 id="Complete_Software_Development_Kit" name="Complete_Software_Development_Kit">Complete Software Development Kit</h3> + +<p>除了开发库和APIs,NSS还提供了<a href="https://developer.mozilla.org/en-US/docs/NSS/Tools">security tools</a>工具以提供调试,诊断,证书和密钥管理,密码学模块管理和其他开发任务.</p> + +<p>NSS comes with an extensive and growing set of <a href="/docs/Mozilla/Projects/NSS#Documentation">documentation</a>, including introductory material, API references, man pages for command-line tools, and <a class="external" href="https://developer.mozilla.org/en-US/docs/NSS/NSS_Sample_Code">sample code</a>.</p> + +<p>NSS is available as source and shared (dynamic) libraries. Every NSS release is backward compatible with previous releases, allowing NSS users to upgrade to the new NSS shared libraries without recompiling or relinking their applications.</p> + +<h3 id="Open-Source_Licensing_and_Distribution" name="Open-Source_Licensing_and_Distribution">Open-Source Licensing and Distribution</h3> + +<p>NSS is available under the <a href="https://www.mozilla.org/MPL/">Mozilla Public License</a>, version 2. The latest source code is available for free worldwide from <a class="external" href="https://www.mozilla.org" rel="freelink">https://www.mozilla.org</a> and its mirror sites.</p> diff --git a/files/zh-cn/nss/tools/index.html b/files/zh-cn/nss/tools/index.html new file mode 100644 index 0000000000..b0971d9bae --- /dev/null +++ b/files/zh-cn/nss/tools/index.html 
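Review bot: the SSL v3 bullet in files/zh-cn/nss/overview/index.html mistranslates the security property: "并且是一个被认证和编码的链接建立" says the connection is authenticated and encoded, whereas the source means an authenticated and encrypted connection (加密, not 编码), and 链接 should be 连接 for a network connection. The PKCS #11 bullet "并与许应用独立特定算法和实现" is missing characters and reads as nonsense; the intended sense is that it lets applications be independent of specific algorithms and implementations (允许应用独立于特定算法和实现). "你可以使用NSS去支持一系列安全标准在你的应用中" keeps the English word order; 在你的应用中 belongs before the verb. The list is otherwise half Chinese, half English (PKCS #1 through #12 and X.509 translated; S/MIME, OCSP, PKIX and the algorithm bullet not), so the page should be tagged NeedsTranslation or finished in one pass.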
@@ -0,0 +1,89 @@ +--- +title: NSS Tools +slug: NSS/tools +tags: + - NSS + - NeedsTranslation + - TopicStub +translation_of: Mozilla/Projects/NSS/tools +--- +<h2 id="NSS_Security_Tools">NSS Security Tools</h2> +<p>Newsgroup: <a href="news://news.mozilla.org/mozilla.dev.tech.crypto">mozilla.dev.tech.crypto</a></p> +<h3 id="Overview">Overview</h3> +<p>The NSS Security Tools allow developers to test, debug, and manage applications that use NSS. The <a href="#Tools">Tools Information</a> table below describes both the tools that are currently working and those that are still under development. The links for each tool take you to the source code, documentation, plans, and related links for each tool. The links will become active when information is available.</p> +<p>Currently, you must download the NSS 3.1 source and build it to create binary files for the NSS tools. For information about downloading the NSS source, see <a href="https://developer.mozilla.org/NSS/Building">https://developer.mozilla.org/NSS/Building</a>.</p> +<p>If you have feedback or questions, please feel free to post to <a href="news://news.mozilla.org/mozilla.dev.tech.crypto"> mozilla.dev.tech.crypto</a>. This newsgroup is the preferred forum for all questions about NSS and NSS tools.</p> +<h3 id="Overall_Objectives">Overall Objectives</h3> +<ol> + <li>Provide a tool for analyzing and repairing certificate databases (<a href="#dbck">dbck</a>).</li> + <li>Migrate tools from secutil.h interface to PKCS #11 interface.</li> + <li>Eliminate redundant functionality in tools. 
Many tools implement private versions of PKCS11Init(), OpenCertDB(), etc.</li> + <li>Eliminate use of getopt() and replace with NSPR calls to get command options (to eliminate platform dependencies with getopt()).</li> +</ol> +<h3 id="Tools_Information"><a name="Tools">Tools Information</a></h3> +<table> + <tbody> + <tr> + <th><b>Tool</b></th> + <th><b>Description</b></th> + <th><b>Links</b></th> + </tr> + <tr> + <td><a name="certutil">certutil 2.0</a></td> + <td>Manage certificate and key databases (cert7.db and key3.db).</td> + <td><font size="-1"><a href="http://lxr.mozilla.org/mozilla/source/security/nss/cmd/certutil/">Source</a>, <a href="tools/NSS_Tools_certutil">Documentation</a>, <a href="tools/NSS_Tools_certutil-tasks">Tasks/Plans</a> </font></td> + </tr> + <tr> + <td><a name="cmsutil">cmsutil 1.0</a></td> + <td>Performs basic CMS operations such as encrypting, decrypting, and signing messages.</td> + <td><font size="-1"><a href="http://lxr.mozilla.org/mozilla/source/security/nss/cmd/smimetools/">Source</a>, <a href="tools/NSS_Tools_cmsutil">Documentation</a> </font></td> + </tr> + <tr> + <td><a name="crlutil">crlutil</a></td> + <td>Manage certificate revocation lists (CRLs).</td> + <td><font size="-1"><a href="http://lxr.mozilla.org/mozilla/source/security/nss/cmd/crlutil/">Source</a>, <a href="tools/NSS_Tools_crlutil">Documentation</a>, </font></td> + </tr> + <tr> + <td><a name="dbck">dbck 1.0</a></td> + <td>Analyze and repair certificate databases (not working in NSS 3.2)</td> + <td><font size="-1"><a href="http://lxr.mozilla.org/mozilla/source/security/nss/cmd/dbck/">Source</a>, <a href="tools/NSS_Tools_dbck-tasks">Tasks/Plans</a> </font></td> + </tr> + <tr> + <td><a name="modutil">modutil 1.1</a></td> + <td>Manage the database of PKCS11 modules (secmod.db). 
Add modules and modify the properties of existing modules (such as whether a module is the default provider of some crypto service).</td> + <td><font size="-1"><a href="http://lxr.mozilla.org/mozilla/source/security/nss/cmd/modutil/">Source</a>, <a href="tools/NSS_Tools_modutil">Documentation</a>, <a href="tools/NSS_Tools_modutil-tasks">Tasks/Plans</a> </font></td> + </tr> + <tr> + <td><a name="pk12util">pk12util 1.0</a></td> + <td>Import and export keys and certificates between the cert/key databases and files in PKCS12 format.</td> + <td><font size="-1"><a href="http://lxr.mozilla.org/mozilla/source/security/nss/cmd/pk12util/">Source</a>, <a href="tools/NSS_Tools_pk12util">Documentation</a>, <a href="tools/NSS_Tools_pk12util-tasks">Tasks/Plans</a> </font></td> + </tr> + <tr> + <td><a name="signtool">signtool 1.3</a></td> + <td>Create digitally-signed jar archives containing files and/or code.</td> + <td><font size="-1"><a href="http://lxr.mozilla.org/mozilla/source/security/nss/cmd/signtool/">Source</a>, <a href="http://docs.sun.com/source/816-5531-10/app_sign.htm"> Documentation</a>, </font></td> + </tr> + <tr> + <td><a name="signver">signver 1.1</a></td> + <td>Verify signatures on digitally-signed objects.</td> + <td><font size="-1"><a href="http://lxr.mozilla.org/mozilla/source/security/nss/cmd/signver/">Source</a>, <a href="http://docs.sun.com/source/816-6153-10/signver.htm"> Documentation</a>, <a href="tools/NSS_Tools_signver-tasks">Tasks/Plans</a> </font></td> + </tr> + <tr> + </tr> + <tr> + <td><a name="sslstrength">sslstrength</a></td> + <td>SSL Strength</td> + <td><font size="-1"><a href="tools/NSS_Tools_sslstrength">Documentation</a> </font></td> + </tr> + <tr> + <td><a name="ssltap">ssltap 3.2</a></td> + <td>Proxy requests for an SSL server and display the contents of the messages exchanged between the client and server. 
The ssltap tool does not decrypt data, but it shows things like the type of SSL message (clientHello, serverHello, etc) and connection data (protocol version, cipher suite, etc). This tool is very useful for debugging.</td> + <td><font size="-1"><a href="http://lxr.mozilla.org/mozilla/source/security/nss/cmd/ssltap/">Source</a>, <a href="tools/NSS_Tools_ssltap">Documentation</a> </font></td> + </tr> + </tbody> +</table> +<p> </p> +<ol> + <li><font size="-1"><a name="note1"></a> Currently points to the Netscape Certificate Management System Administration Guide on docs.sun.com. For additional information about this tool, see <a href="http://developer.netscape.com/docs/manuals/security.html#OBJ">Object Signing</a>. </font></li> + <li><font size="-1"><a name="note2"></a> Currently points to the signver documentation on developer.netscape.com. For additional information about this tool, see <a href="http://developer.netscape.com/docs/manuals/security.html#FORM">Form Signing</a> </font></li> +</ol> diff --git a/files/zh-cn/nss/tools/nss_工具_certutil/index.html b/files/zh-cn/nss/tools/nss_工具_certutil/index.html new file mode 100644 index 0000000000..7707907d64 --- /dev/null +++ b/files/zh-cn/nss/tools/nss_工具_certutil/index.html 
@@ -0,0 +1,924 @@ +--- +title: NSS 工具 certutil +slug: NSS/tools/NSS_工具_certutil +translation_of: Mozilla/Projects/NSS/tools/NSS_Tools_certutil +--- +<h2 id="证书数据库工具使用说明">证书数据库工具使用说明</h2> +<p>Newsgroup: <a href="news://news.mozilla.org/mozilla.dev.tech.crypto">mozilla.dev.tech.crypto</a></p> +<p>证书数据库工具是基于命令行的工具,能创建和修改Netscape Communicator cerct8.db 和 key3.db 数据库文件。该工具也能列出,生成,修改或者删除cert8.db里的证书,并且可以创建或修改密码,生成新的公钥和私钥对,显示秘钥数据库的内容,或者删除key3.db的秘钥对。</p> +<p>秘钥和证书管理流程一般由两部分组成:1) 在秘钥数据库里创建秘钥 2) 在证书数据库中生成并管理证书</p> +<p>该文档主要描述了证书和秘钥数据库的管理。对于信息安全模块数据库管理,请看<a href="http://modutil.html">安全模块数据库工具使用</a></p> +<h2 id="可用性"><a name="Availability"></a> <a name="1031698">可用性 </a></h2> +<p><a name="1037781"> 请查看 </a><a href="../release_notes.html">release notes</a> 以了解该工具在哪些平台可用</p> +<h2 id="语法"><a name="Syntax"></a> <a name="1028268">语法 </a></h2> +<p><a name="1033678"> 使用如下命令运行数据库工具</a></p> +<p><a name="1033679"> <code>certutil</code><var> </var> + <i> + option</i> + <var>[</var> + <i> + arguments</i> + <var>]</var></a></p> +<p><a name="1028271"> 本例例举的Option 和 arguments是下述列表的option和arguments的结合 . 每个命令可以指定一个option.每个option可以携带0或多个arguments. 查看命令用法可以通过两种方式: 输入没有option的命令或者输入命令制定 option -H.</a></p> +<h3 id="Options_和_Arguments"><a name="Head2;"></a> <a name="1027593"> Options 和 Arguments </a></h3> +<p><a name="1028291"> Options 是大写的字符,主要指定命令要完成的操作. Option arguments 是小写的字符,主要修改操作的细节. 证书数据库工具命令 options 和其的arguments定义如下:</a></p> +<p> </p> +<table> + <tbody> + <tr> + <td><a name="1038207"></a><a name="1028291"> <b>Options </b></a></td> + <td> + <p><a name="1038205"> </a></p> + </td> + </tr> + <tr> + <td> + <p><a name="1032245"> <code>-N</code></a></p> + </td> + <td> + <p><a name="1032247"> 创建新的证书和秘钥数据库. 
</a></p> + </td> + </tr> + <tr> + <td> + <p><a name="1032249"> <code>-S</code></a></p> + </td> + <td> + <p><a name="1032251"> 创建单独的证书,并且将证书加入证书数据库.</a></p> + </td> + </tr> + <tr> + <td> + <p><a name="1033985"> <code>-R</code></a></p> + </td> + <td> + <p><a name="1033987"> 创建 一个 certificate-request 文件, 该证书可以提交到Certificate Authority(CA) 以生成完整证书. 如果不指定option -O <em>output-file</em> argument,输出默认到标准输出</a></p> + <p><a name="1038712"> </a></p> + <p><a name="1038714"> 使用-a argument 以指定ASCII编码输出</a></p> + </td> + </tr> + <tr> + <td> + <p><a name="1033981"> <code>-C</code></a></p> + </td> + <td> + <p><a name="1033983"> Create a new binary certificate file from a binary certificate-request file. Use the <code>-i</code> argument to specify the certificate-request file. If this argument is not used Certificate Database Tool prompts for a filename. </a></p> + </td> + </tr> + <tr> + <td> + <p><a name="1039087"> <code>-G</code></a></p> + </td> + <td> + <p><a name="1039109"> Generate a new public and private key pair within a key database. The key database should already exist; if one is not present, this option will initialize one by default. </a></p> + <p><a name="1039110"> </a></p> + <p><a name="1039111"> Some smart cards (for example, the Litronic card) can store only one key pair. If you create a new key pair for such a card, the previous pair is overwritten. </a></p> + </td> + </tr> + <tr> + <td> + <p><a name="1039083"> <code>-F</code></a></p> + </td> + <td> + <p><a name="1039125"> Delete a private key from a key database. Specify the key to delete with the <code>-n</code> argument. Specify the database from which to delete the key with the <code>-d</code> argument. </a></p> + <p><a name="1039126"> </a></p> + <p><a name="1039127"> Use the <code>-k</code> argument to specify explicitly whether to delete a DSA or an RSA key. 
If you don't use the <code>-k</code> argument, the option looks for an RSA key matching the specified nickname.</a></p> + <p><a name="1039128"> </a></p> + <p><a name="1039129"> When you delete keys, be sure to also remove any certificates associated with those keys from the certificate database, by using <code>-D</code>.</a></p> + <p><a name="1039130"> </a></p> + <p><a name="1039131"> Some smart cards (for example, the Litronic card) do not let you remove a public key you have generated. In such a case, only the private key is deleted from the key pair. You can display the public key with the command <code>certutil -K -h</code> + <i> + tokenname</i> + . </a></p> + </td> + </tr> + <tr> + <td> + <p><a name="1039079"> <code>-K</code></a></p> + </td> + <td> + <p><a name="1039161"> List the keyID of keys in the key database. A keyID is the modulus of the RSA key or the <code>publicValue</code> of the DSA key. IDs are displayed in hexadecimal ("0x" is not shown).</a></p> + </td> + </tr> + <tr> + <td> + <p><a name="1033977"> <code>-A</code></a></p> + </td> + <td> + <p><a name="1033979"> Add an existing certificate to a certificate database. The certificate database should already exist; if one is not present, this option will initialize one by default. </a></p> + </td> + </tr> + <tr> + <td> + <p><a name="1039193"> <code>-D</code></a></p> + </td> + <td> + <p><a name="1039187"> Delete a certificate from the certificate database.</a></p> + </td> + </tr> + <tr> + <td> + <p><a name="1033973"> <code>-L</code></a></p> + </td> + <td> + <p><a name="1033975"> List all the certificates, or display information about a named certificate, in a certificate database. 
</a></p> + <p><a name="1038718"> </a></p> + <p><a name="1038719"> Use the <code>-h</code> + <i> + tokenname</i> + argument to specify the certificate database on a particular hardware or software token.</a></p> + </td> + </tr> + <tr> + <td> + <p><a name="1033969"> <code>-V</code></a></p> + </td> + <td> + <p><a name="1033971"> Check the validity of a certificate and its attributes. </a></p> + </td> + </tr> + <tr> + <td> + <p><a name="1033965"> <code>-M</code></a></p> + </td> + <td> + <p><a name="1033967"> Modify a certificate's trust attributes using the values of the <code>-t</code> argument. </a></p> + </td> + </tr> + <tr> + <td> + <p><a name="1033957"> <code>-H</code></a></p> + </td> + <td> + <p><a name="1033959"> Display a list of the options and arguments used by the Certificate Database Tool. </a></p> + </td> + </tr> + <tr> + <td> + <p><a name="1039217"> <code>-W</code></a></p> + </td> + <td> + <p><a name="1039207"> Change the password to a key database.</a></p> + </td> + </tr> + <tr> + <td> + <p><a name="1039225"> <code>-U</code></a></p> + </td> + <td> + <p><a name="1039203"> List all available modules or print a single named module. </a></p> + </td> + </tr> + <tr> + <td> + <p><a name="1038213"> <b>Arguments</b></a></p> + </td> + <td> + <p><a name="1038156"> </a></p> + </td> + </tr> + <tr> + <td> + <p><a name="1033953"> <code>-a</code></a></p> + </td> + <td> + <p><a name="1033955"> Use ASCII format or allow the use of ASCII format for input or output. This formatting follows </a><a href="http://andrew2.andrew.cmu.edu/rfc/rfc1113.html">RFC #1113</a>. For certificate requests, ASCII output defaults to standard output unless redirected.</p> + </td> + </tr> + <tr> + <td> + <p><a name="1033949"> <code>-b </code> + <i> + validity-time</i> + </a></p> + </td> + <td> + <p><a name="1034296"> Specify a time at which a certificate is required to be valid. Use when checking certificate validity with the <code>-V</code> option. 
The format of the + <i> + validity-time</i> + argument is "YYMMDDHHMMSS[+HHMM|-HHMM|Z]". Specifying seconds (SS) is optional. When specifying an explicit time, use "YYMMDDHHMMSSZ". When specifying an offset time, use "YYMMDDHHMMSS+HHMM" or "YYMMDDHHMMSS-HHMM". If this option is not used, the validity check defaults to the current system time. </a></p> + </td> + </tr> + <tr> + <td> + <p><a name="1033945"> <code>-c </code> + <i> + issuer</i> + </a></p> + </td> + <td> + <p><a name="1034332"> Identify the certificate of the CA from which a new certificate will derive its authenticity. Use the exact nickname or alias of the CA certificate, or use the CA's email address. Bracket the + <i> + issuer</i> + string with quotation marks if it contains spaces. </a></p> + </td> + </tr> + <tr> + <td> + <p><a name="1033941"> <code>-d </code> + <i> + directory</i> + </a></p> + </td> + <td> + <p><a name="1038653"> Specify the database directory containing the certificate and key database files. On Unix the Certificate Database Tool defaults to <code>$HOME/.netscape</code> (that is, <code>~/.netscape</code>). On Windows NT the default is the current directory.</a></p> + <p><a name="1038660"> </a></p> + <p><a name="1038654"> The <code>cert8.db</code> and <code>key3.db</code> database files must reside in the same directory.</a></p> + </td> + </tr> + <tr> + <td> + <p><a name="1033941"> <code>-P </code> + <i> + dbprefix</i> + </a></p> + </td> + <td> + <p>Specify the prefix used on the <code>cert8.db</code> and <code>key3.db</code> files (for example, <code>my_cert8.db</code> and <code>my_key3.db</code>). This option is provided as a special case. Changing the names of the certificate and key databases is not recommended.</p> + </td> + </tr> + <tr> + <td> + <p><a name="1034106"> <code>-e</code></a></p> + </td> + <td> + <p><a name="1034108"> Check a certificate's signature during the process of validating a certificate. 
</a></p> + </td> + </tr> + <tr> + <td> + <p><a name="1034102"> <code>-f </code> + <i> + password-file</i> + </a></p> + </td> + <td> + <p><a name="1034396"> Specify a file that will automatically supply the password to include in a certificate or to access a certificate database. This is a plain-text file containing one password. Be sure to prevent unauthorized access to this file. </a></p> + </td> + </tr> + <tr> + <td> + <p><a name="1039243"> <code>-g </code> + <i> + keysize</i> + </a></p> + </td> + <td> + <p><a name="1039260"> Set a key size to use when generating new public and private key pairs. The minimum is 512 bits and the maximum is 8192 bits. The default is 1024 bits. Any size that is a multiple of 8 between the minimum and maximum is allowed. </a></p> + </td> + </tr> + <tr> + <td> + <p><a name="1034098"> <code>-h </code> + <i> + tokenname</i> + </a></p> + </td> + <td> + <p><a name="1034444"> Specify the name of a token to use or act on. Unless specified otherwise the default token is an internal slot (specifically, internal slot 2). This slot can also be explicitly named with the string <code>"internal"</code>. An internal slots is a virtual slot maintained in software, rather than a hardware device. Internal slot 2 is used by key and certificate services. Internal slot 1 is used by cryptographic services. </a></p> + </td> + </tr> + <tr> + <td> + <p><a name="1034094"> <code>-i </code> + <i> + cert|cert-request-file</i> + </a></p> + </td> + <td> + <p><a name="1038301"> Specify a specific certificate, or a certificate-request file. </a></p> + </td> + </tr> + <tr> + <td> + <p><a name="1034090"> <code>-k rsa|dsa|all</code></a></p> + </td> + <td> + <p><a name="1039301"> Specify the type of a key: RSA, DSA or both. The default value is <code>rsa</code>. By specifying the type of key you can avoid mistakes caused by duplicate nicknames. 
</a></p> + </td> + </tr> + <tr> + <td> + <p><a name="1034086"> <code>-l</code></a></p> + </td> + <td> + <p><a name="1034088"> Display detailed information when validating a certificate with the <code>-V</code> option. </a></p> + </td> + </tr> + <tr> + <td> + <p><a name="1034082"> <code>-m </code> + <i> + serial-number</i> + </a></p> + </td> + <td> + <p><a name="1034084"> Assign a unique serial number to a certificate being created. This operation should be performed by a CA. The default serial number is 0 (zero). Serial numbers are limited to integers. </a></p> + </td> + </tr> + <tr> + <td> + <p><a name="1034078"> <code>-n </code> + <i> + nickname</i> + </a></p> + </td> + <td> + <p><a name="1034080"> Specify the nickname of a certificate or key to list, create, add to a database, modify, or validate. Bracket the + <i> + nickname</i> + string with quotation marks if it contains spaces. </a></p> + </td> + </tr> + <tr> + <td> + <p><a name="1034074"> <code>-o </code> + <i> + output-file</i> + </a></p> + </td> + <td> + <p><a name="1034076"> Specify the output file name for new certificates or binary certificate requests. Bracket the + <i> + output-file</i> + string with quotation marks if it contains spaces. If this argument is not used the output destination defaults to standard output. </a></p> + </td> + </tr> + <tr> + <td> + <p><a name="1034070"> <code>-p </code> + <i> + phone</i> + </a></p> + </td> + <td> + <p><a name="1034072"> Specify a contact telephone number to include in new certificates or certificate requests. Bracket this string with quotation marks if it contains spaces. </a></p> + </td> + </tr> + <tr> + <td> + <p><a name="1039311"> <code>-q </code> + <i> + pqgfile</i> + </a></p> + </td> + <td> + <p><a name="1039313"> Read an alternate PQG value from the specified file when generating DSA key pairs. If this argument is not used, the Key Database Tool generates its own PQG value. PQG files are created with a separate DSA utility. 
</a></p> + </td> + </tr> + <tr> + <td> + <p><a name="1034066"> <code>-r</code></a></p> + </td> + <td> + <p><a name="1034068"> Display a certificate's binary DER encoding when listing information about that certificate with the <code>-L</code> option. </a></p> + </td> + </tr> + <tr> + <td> + <p><a name="1034062"> <code>-s </code> + <i> + subject</i> + </a></p> + </td> + <td> + <p><a name="1034064"> Identify a particular certificate owner for new certificates or certificate requests. Bracket this string with quotation marks if it contains spaces. The subject identification format follows </a><a href="http://andrew2.andrew.cmu.edu/rfc/rfc1485.html">RFC #1485</a>.</p> + </td> + </tr> + <tr> + <td> + <p><a name="1034193"> <code>-t </code> + <i> + trustargs</i> + </a></p> + </td> + <td> + <p><a name="1034595"> Specify the trust attributes to modify in an existing certificate or to apply to a certificate when creating it or adding it to a database. </a></p> + <p><a name="1038474"> </a></p> + <p><a name="1038470"> There are three available trust categories for each certificate, expressed in this order: " + <i> + SSL</i> + , + <i> + email</i> + , + <i> + object signing</i> + ". 
In each category position use zero or more of the following attribute codes: </a></p> + <p><a name="1038241"> </a></p> + <p><a name="1038242"> <code>p</code> Valid peer<br> + <code>P</code> Trusted peer (implies <code>p</code>)<br> + <code>c</code> Valid CA<br> + <code>T</code> Trusted CA to issue client certificates (implies <code>c</code>)<br> + <code>C</code> Trusted CA to issue server certificates (SSL only)<br> + (implies <code>c</code>)<br> + <code>u</code> Certificate can be used for authentication or signing<br> + <code>w</code> Send warning (use with other attributes to include a warning when the certificate is used in that context)</a></p> + <p><a name="1038190"> </a></p> + <p><a name="1038479"> The attribute codes for the categories are separated by commas, and the entire set of attributes enclosed by quotation marks. For example:</a></p> + <p><a name="1038480"> <code>-t "TCu,Cu,Tuw"</code></a></p> + <p><a name="1038082"> </a></p> + <p><a name="1038484"> Use the <code>-L</code> option to see a list of the current certificates and trust attributes in a certificate database. </a></p> + </td> + </tr> + <tr> + <td> + <p><a name="1034189"> <code>-u </code> + <i> + certusage</i> + </a></p> + </td> + <td> + <p><a name="1034631"> Specify a usage context to apply when validating a certificate with the <code>-V</code> option. The contexts are the following:</a></p> + <p><a name="1038507"> </a></p> + <p><a name="1038508"> <code>C</code> (as an SSL client)<br> + <code>V</code> (as an SSL server)<br> + <code>S</code> (as an email signer)<br> + <code>R</code> (as an email recipient) </a></p> + </td> + </tr> + <tr> + <td> + <p><a name="1037458"> <code>-v </code> + <i> + valid-months</i> + </a></p> + </td> + <td> + <p><a name="1037460"> Set the number of months a new certificate will be valid. The validity period begins at the current system time unless an offset is added or subtracted with the <code>-w</code> option. 
If this argument is not used, the default validity period is three months. When this argument is used, the default three-month period is automatically added to any value given in the + <i> + valid-month</i> + argument. For example, using this option to set a value of <code>3</code> would cause 3 to be added to the three-month default, creating a validity period of six months. You can use negative values to reduce the default period. For example, setting a value of <code>-2</code> would subtract 2 from the default and create a validity period of one month. </a></p> + </td> + </tr> + <tr> + <td> + <p><a name="1034185"> <code>-w </code> + <i> + offset-months</i> + </a></p> + </td> + <td> + <p><a name="1034187"> Set an offset from the current system time, in months, for the beginning of a certificate's validity period. Use when creating the certificate or adding it to a database. Express the offset in integers, using a minus sign (<code>-</code>) to indicate a negative offset. If this argument is not used, the validity period begins at the current system time. The length of the validity period is set with the <code>-v</code> argument. </a></p> + </td> + </tr> + <tr> + <td> + <p><a name="1034181"> <code>-x</code></a></p> + </td> + <td> + <p><a name="1034183"> Use the Certificate Database Tool to generate the signature for a certificate being created or added to a database, rather than obtaining a signature from a separate CA. </a></p> + </td> + </tr> + <tr> + <td> + <p><a name="1034177"> <code>-y </code> + <i> + exp</i> + </a></p> + </td> + <td> + <p><a name="1039386"> Set an alternate exponent value to use in generating a new RSA public key for the database, instead of the default value of 65537. The available alternate values are 3 and 17. 
</a></p> + </td> + </tr> + <tr> + <td> + <p><a name="1039319"> <code>-z </code> + <i> + noise-file</i> + </a></p> + </td> + <td> + <p><a name="1039321"> Read a seed value from the specified binary file to use in generating a new RSA private and public key pair. This argument makes it possible to use hardware-generated seed values and unnecessary to manually create a value from the keyboard. The minimum file size is 20 bytes. </a></p> + </td> + </tr> + <tr> + <td> + <p><a name="1034173"> <code>-1</code></a></p> + </td> + <td> + <p><a name="1034175"> Add a key usage extension to a certificate that is being created or added to a database. This extension allows a certificate's key to be dedicated to supporting specific operations such as SSL server or object signing. The Certificate Database Tool will prompt you to select a particular usage for the certificate's key. These usages are described under </a><a href="http://www.redhat.com/docs/manuals/cert-system/7.3/html/Administration_Guide/Administration_Guide-Certificate_and_CRL_Extensions-Standard_X.509_v3_Certificate_Extensions.html">Standard X.509 v3 Certificate Extensions</a> in Appendix A.3 of the + <i> + Red Hat Certificate System Administration Guide.</i> + </p> + </td> + </tr> + <tr> + <td> + <p><a name="1034169"> <code>-2</code></a></p> + </td> + <td> + <p><a name="1038749"> Add a basic constraint extension to a certificate that is being created or added to a database. This extension supports the certificate chain verification process. The Certificate Database Tool will prompt you to select the certificate constraint extension. 
Constraint extensions are described in </a><a href="http://www.redhat.com/docs/manuals/cert-system/7.3/html/Administration_Guide/Administration_Guide-Certificate_and_CRL_Extensions-Standard_X.509_v3_Certificate_Extensions.html">Standard X.509 v3 Certificate Extensions</a> in Appendix A.3 of the + <i> + Red Hat Certificate System Administration Guide.</i> + </p> + </td> + </tr> + <tr> + <td> + <p><a name="1034165"> <code>-3</code></a></p> + </td> + <td> + <p><a name="1034167"> Add an authority keyID extension to a certificate that is being created or added to a database. This extension supports the identification of a particular certificate, from among multiple certificates associated with one subject name, as the correct issuer of a certificate. The Certificate Database Tool will prompt you to select the authority keyID extension. Authority key ID extensions are described under </a><a href="http://www.redhat.com/docs/manuals/cert-system/7.3/html/Administration_Guide/Administration_Guide-Certificate_and_CRL_Extensions-Standard_X.509_v3_Certificate_Extensions.html">Standard X.509 v3 Certificate Extensions</a> in Appendix A.3 of the + <i> + Red Hat Certificate System Administration Guide.</i> + </p> + </td> + </tr> + <tr> + <td> + <p><a name="1034161"> <code>-4</code></a></p> + </td> + <td> + <p><a name="1040255"> Add a CRL distribution point extension to a certificate that is being created or added to a database. This extension identifies the URL of a certificate's associated certificate revocation list (CRL). The Certificate Database Tool prompts you to enter the URL. 
CRL distribution point extensions are described in </a><a href="http://www.redhat.com/docs/manuals/cert-system/7.3/html/Administration_Guide/Administration_Guide-Certificate_and_CRL_Extensions-Standard_X.509_v3_Certificate_Extensions.html">Standard X.509 v3 Certificate Extensions</a> in Appendix A.3 of the + <i> + Red Hat Certificate System Administration Guide.</i> + </p> + </td> + </tr> + <tr> + <td> + <p><a name="1039329"> <code>-5</code></a></p> + </td> + <td> + <p><a name="1040231"> Add a Netscape certificate type extension to a certificate that is being created or added to the database. Netscape certificate type extensions are described in </a><a href="http://www.redhat.com/docs/manuals/cert-system/7.3/html/Administration_Guide/Administration_Guide-Certificate_and_CRL_Extensions-Standard_X.509_v3_Certificate_Extensions.html">Standard X.509 v3 Certificate Extensions</a> in Appendix A.3 of the + <i> + Red Hat Certificate System Administration Guide.</i> + </p> + </td> + </tr> + <tr> + <td> + <p><a name="1039325"> <code>-6</code></a></p> + </td> + <td> + <p><a name="1040242"> Add an extended key usage extension to a certificate that is being created or added to the database. Extended key usage extensions are described in </a><a href="http://www.redhat.com/docs/manuals/cert-system/7.3/html/Administration_Guide/Administration_Guide-Certificate_and_CRL_Extensions-Standard_X.509_v3_Certificate_Extensions.html">Standard X.509 v3 Certificate Extensions</a> in Appendix A.3 of the + <i> + Red Hat Certificate System Administration Guide.</i> + </p> + </td> + </tr> + <tr> + <td> + <p><a name="1039326"> <code>-7 </code> + <i> + emailAddrs</i> + </a></p> + </td> + <td> + <p><a name="1040243"> Add a comma-separated list of email addresses to the subject alternative name extension of a certificate or certificate request that is being created or added to the database. 
Subject alternative name extensions are described in Section 4.2.1.7 of </a><a href="http://www.ietf.org/rfc/rfc3280.txt">RFC 3280</a>.</p> + </td> + </tr> + <tr> + <td> + <p><a name="1039327"> <code>-8 </code> + <i> + dns-names</i> + </a></p> + </td> + <td> + <p><a name="1040244"> Add a comma-separated list of DNS names to the subject alternative name extension of a certificate or certificate request that is being created or added to the database. Subject alternative name extensions are described in Section 4.2.1.7 of </a><a href="http://www.ietf.org/rfc/rfc3280.txt">RFC 3280</a>.</p> + </td> + </tr> + </tbody> +</table> +<table> + <tbody> + <tr> + <td> </td> + </tr> + </tbody> +</table> +<p> </p> +<h2 id="Usage_2"><a name="Usage"></a> <a name="1028519"> Usage </a></h2> +<p><a name="1037923"> The Certificate Database Tool's capabilities are grouped as follows, using these combinations of options and arguments. Options and arguments in square brackets are optional, those without square brackets are required. 
</a></p> +<p> </p> +<p> </p> +<blockquote> + <a name="1037925"> <code>-N [-d </code> + <i> + certdir</i> + <code>] </code></a></blockquote> +<p> </p> +<blockquote> + <a name="1037927"> <code>-S -k rsa|dsa -n </code> + <i> + certname</i> + <code>-s </code> + <i> + subject</i> + <br> + <code>[-c </code> + <i> + issuer</i> + <code>|-x] -t </code> + <i> + trustargs</i> + <code>[-h </code> + <i> + tokenname</i> + <code>]<br> + [-m </code> + <i> + serial-number</i> + <code>] [-v </code> + <i> + valid-months</i> + <code>] [-w </code> + <i> + offset-months</i> + <code>]<br> + [-d </code> + <i> + certdir</i> + <code>] [-p </code> + <i> + phone</i> + <code>] [-f </code> + <i> + password-file</i> + <code>] [-1] [-2] [-3] [-4] </code></a></blockquote> +<p> </p> +<blockquote> + <a name="1037929"> <code>-R -k rsa|dsa -s </code> + <i> + subject</i> + <code>[-h </code> + <i> + tokenname</i> + <code>]<br> + [-d </code> + <i> + certdir</i> + <code>] [-p </code> + <i> + phone</i> + <code>] [-o </code> + <i> + output-file</i> + <code>] [-f </code> + <i> + password-file</i> + <code>] </code></a></blockquote> +<p> </p> +<blockquote> + <a name="1037931"> <code>-C -c </code> + <i> + issuer</i> + <code>[-f </code> + <i> + password-file</i> + <code>]<br> + [-h </code> + <i> + tokenname</i> + <code>] -i </code> + <i> + cert-request-file</i> + <code>-o </code> + <i> + output-file</i> + <code>[-m </code> + <i> + serial-number</i> + <code>]<br> + [-v </code> + <i> + valid-months</i> + <code>] [-w </code> + <i> + offset-months</i> + <code>] [-d </code> + <i> + certdir</i> + <code>] [-1] [-2] [-3]<br> + [-4] </code></a></blockquote> +<p> </p> +<blockquote> + <a name="1037933"> <code>-A -n </code> + <i> + certname</i> + <code>-t </code> + <i> + trustargs</i> + <code>[-h </code> + <i> + tokenname</i> + <code>] [-d </code> + <i> + certdir</i> + <code>] [-a]<br> + [-i </code> + <i> + cert-request-file</i> + <code>] </code></a></blockquote> +<p> </p> +<blockquote> + <a name="1037935"> <code>-L [-n 
</code> + <i> + certname</i> + <code>] [-d </code> + <i> + certdir</i> + <code>] [-r] [-a] </code></a></blockquote> +<p> </p> +<blockquote> + <a name="1037937"> <code>-V -n </code> + <i> + certname</i> + <code>-b </code> + <i> + validity-time</i> + <code>-u </code> + <i> + certusage</i> + <code>[-e] [-l] [-d </code> + <i> + certdir</i> + <code>] </code></a></blockquote> +<p> </p> +<blockquote> + <a name="1037939"> <code>-M -n </code> + <i> + certname</i> + <code>-t </code> + <i> + trustargs</i> + <code>[-d </code> + <i> + certdir</i> + <code>] </code></a></blockquote> +<p> </p> +<blockquote> + <a name="1037941"> <code>-H </code></a></blockquote> +<ul> + <li><a name="1037924"> Creating a new <code>cert8.db</code> file: </a></li> + <li><a name="1037926"> Creating a new certificate and adding it to the database with one command: </a></li> + <li><a name="1037928"> Making a separate certificate request: </a></li> + <li><a name="1037930"> Creating a new binary certificate from a binary certificate request: </a></li> + <li><a name="1037932"> Adding a certificate to an existing database: </a></li> + <li><a name="1037934"> Listing all certificates or a named certificate: </a></li> + <li><a name="1037936"> Validating a certificate: </a></li> + <li><a name="1037938"> Modifying a certificate's trust attribute: </a></li> + <li><a name="1037940"> Displaying a list of the options and arguments used by the Certificate Database Tool: </a></li> +</ul> +<h2 id="Examples_2"><a name="Examples"></a> <a name="1037918"> Examples </a></h2> +<p><a name="1038537"> </a><a href="certutil.html#1028724">Creating a New Certificate Database</a><br> + <a href="certutil.html#1034026">Listing Certificates in a Database</a><br> + <a href="certutil.html#1028731">Creating a Certificate Request</a><br> + <a href="certutil.html#1034020">Creating a Certificate</a><br> + <a href="certutil.html#1034010">Adding a Certificate to the Database</a><br> + <a href="certutil.html#1035544">Validating a 
Certificate</a></p> +<p> </p> +<h3 id="Creating_a_New_Certificate_Database"><a name="Head2;"></a> <a name="1028724"> Creating a New Certificate Database </a></h3> +<p><a name="1034720"> This example creates a new certificate database (<code>cert8.db</code> file) in the specified directory: </a></p> +<p> </p> +<p><a name="1034722"> <code>certutil -N -d </code> + <i> + certdir</i> + </a></p> +<p> </p> +<p><a name="1034726"> You must generate the associated <code>key3.db</code> and <code>secmod.db</code> files by using the Key Database Tool or other tools. </a></p> +<p> </p> +<h3 id="Listing_Certificates_in_a_Database"><a name="Head2;"></a> <a name="1034026"> Listing Certificates in a Database </a></h3> +<p><a name="1034749"> This example lists all the certificates in the <code>cert8.db</code> file in the specified directory: </a></p> +<p> </p> +<p><a name="1034751"> <code>certutil -L -d </code> + <i> + certdir</i> + </a></p> +<p> </p> +<p><a name="1034753"> The Certificate Database Tool displays output similar to the following: </a></p> +<p> </p> +<p><a name="1034755"> <code>Certificate Name Trust Attributes </code></a><br> + <a name="1037237"> <code>Uptime Group Plc. Class 1 CA C,C,<br> + VeriSign Class 1 Primary CA ,C,<br> + VeriSign Class 2 Primary CA C,C,C<br> + AT&T Certificate Services C,C,<br> + GTE CyberTrust Secure Server CA C,,<br> + Verisign/RSA Commercial CA C,C,<br> + AT&T Directory Services C,C,<br> + BelSign Secure Server CA C,,<br> + Verisign/RSA Secure Server CA C,C,<br> + GTE CyberTrust Root CA C,C,<br> + Uptime Group Plc. Class 4 CA ,C,<br> + VeriSign Class 3 Primary CA C,C,C<br> + Canada Post Corporation CA C,C,<br> + Integrion CA C,C,C<br> + IBM World Registry CA C,C,C<br> + GTIS/PWGSC, Canada Gov. Web CA C,C,<br> + GTIS/PWGSC, Canada Gov. 
Secure CA C,C,C<br> + MCI Mall CA C,C,<br> + VeriSign Class 4 Primary CA C,C,C<br> + KEYWITNESS, Canada CA C,C,<br> + BelSign Object Publishing CA ,,C<br> + BBN Certificate Services CA Root 1 C,C,<br> + p Valid peer<br> + P Trusted peer (implies p)<br> + c Valid CA<br> + T Trusted CA to issue client certs (implies c)<br> + C Trusted CA to issue server certs(for ssl only) (implies c)<br> + u User cert<br> + w Send warning </code></a></p> +<p> </p> +<h3 id="Creating_a_Certificate_Request"><a name="Head2;"></a> <a name="1028731"> Creating a Certificate Request </a></h3> +<p><a name="1035439"> This example generates a binary certificate request file named <code>e95c.req</code> in the specified directory: </a><br> + <a name="1035441"> <code>certutil -R -s "CN=John Smith, O=Netscape, L=Mountain View, ST=California, C=US" -p "650-555-8888" -o mycert.req -d </code> + <i> + certdir</i> + </a><br> + <a name="1035468"> Before it creates the request file, the Certificate Database Tool prompts you for a password: </a><br> + <a name="1035445"> <code>Enter Password or Pin for "Communicator Certificate DB": </code></a></p> +<p> </p> +<h3 id="Creating_a_Certificate"><a name="Head2;"></a> <a name="1034020"> Creating a Certificate </a></h3> +<p><a name="1038600"> A valid certificate must be issued by a trusted CA. If a CA key pair is not available, you can create a self-signed certificate (for purposes of illustration) with the <code>-x</code> argument. This example creates a new binary, self-signed CA certificate named <code>myissuer</code>, in the specified directory.</a><br> + <a name="1035482"> <code>certutil -S -s "CN=My Issuer" -n myissuer -x -t "C,C,C" -1 -2 -5 -m 1234 -f </code> + <i> + password-file</i> + <code>-d </code> + <i> + certdir</i> + </a><br> + <a name="1035502"> The following example creates a new binary certificate named <code>mycert.crt</code>, from a binary certificate request named <code>mycert.req</code>, in the specified directory. 
It is issued by the self-signed certificate created above, <code>myissuer</code>. </a><br> + <a name="1034013"> <code>certutil -C -m 2345 -i mycert.req -o mycert.crt -c myissuer -d </code> + <i> + certdir</i> + </a></p> +<p> </p> +<p> </p> +<h3 id="Adding_a_Certificate_to_the_Database"><a name="Head2;"></a> <a name="1034010"> Adding a Certificate to the Database </a></h3> +<p><a name="1035548"> This example adds a certificate to the certificate database: </a><br> + <a name="1035550"> <code>certutil -A -n jsmith@netscape.com -t "p,p,p" -i mycert.crt -d </code> + <i> + certdir</i> + </a><br> + <a name="1035552"> You can see this certificate in the database with this command: </a><br> + <a name="1035554"> <code>certutil -L -n jsmith@netscape.com -d </code> + <i> + certdir</i> + </a><br> + <a name="1035556"> The Certificate Database Tool displays output similar to the following: </a><br> + <a name="1035557"> <code>Certificate:<br> + Data:<br> + Version: 3 (0x2)<br> + Serial Number: 0 (0x0)<br> + Signature Algorithm: PKCS #1 MD5 With RSA Encryption<br> + Issuer: CN=John Smith, O=Netscape, L=Mountain View, ST=California, C=US<br> + Validity:<br> + Not Before: Thu Mar 12 00:10:40 1998<br> + Not After: Sat Sep 12 00:10:40 1998<br> + Subject: CN=John Smith, O=Netscape, L=Mountain View, ST=California, C=US </code></a><br> + <a name="1035568"> <code>Subject Public Key Info:<br> + Public Key Algorithm: PKCS #1 RSA Encryption<br> + RSA Public Key:<br> + Modulus:<br> + 00:da:53:23:58:00:91:6a:d1:a2:39:26:2f:06:3a:<br> + 38:eb:d4:c1:54:a3:62:00:b9:f0:7f:d6:00:76:aa:<br> + 18:da:6b:79:71:5b:d9:8a:82:24:07:ed:49:5b:33:<br> + bf:c5:79:7c:f6:22:a7:18:66:9f:ab:2d:33:03:ec:<br> + 63:eb:9d:0d:02:1b:da:32:ae:6c:d4:40:95:9f:b3:<br> + 44:8b:8e:8e:a3:ae:ad:08:38:4f:2e:53:e9:e1:3f:<br> + 8e:43:7f:51:61:b9:0f:f3:a6:25:1e:0b:93:74:8f:<br> + c6:13:a3:cd:51:40:84:0e:79:ea:b7:6b:d1:cc:6b:<br> + 78:d0:5d:da:be:2b:57:c2:6f<br> + Exponent: 65537 (0x10001)<br> + Signature Algorithm: PKCS #1 MD5 With 
RSA Encryption<br> + Signature:<br> + 44:15:e5:ae:c4:30:2c:cd:60:89:f1:1d:22:ed:5e:5b:10:c8:<br> + 7e:5f:56:8c:b4:00:12:ed:5f:a4:6a:12:c3:0d:01:03:09:f2:<br> + 2f:e7:fd:95:25:47:80:ea:c1:25:5a:33:98:16:52:78:24:80:<br> + c9:53:11:40:99:f5:bd:b8:e9:35:0e:5d:3e:38:6a:5c:10:d1:<br> + c6:f9:54:af:28:56:62:f4:2f:b3:9b:50:e1:c3:a2:ba:27:ee:<br> + 07:9f:89:2e:78:5c:6d:46:b6:5e:99:de:e6:9d:eb:d9:ff:b2:<br> + 5f:c6:f6:c6:52:4a:d4:67:be:8d:fc:dd:52:51:8e:a2:d7:15:<br> + 71:3e </code></a><br> + <a name="1036339"> <code>Certificate Trust Flags:<br> + SSL Flags:<br> + Valid CA<br> + Trusted CA<br> + Email Flags:<br> + Valid CA<br> + Trusted CA<br> + Object Signing Flags:<br> + Valid CA<br> + Trusted CA </code></a></p> +<p> </p> +<p> </p> +<h3 id="Validating_a_Certificate"><a name="Head2;"></a> <a name="1035544"> Validating a Certificate </a></h3> +<p><a name="1036649"> This example validates a certificate: </a><br> + <a name="1035541"> <code>certutil -V -n jsmith@netscape.com -b 9803201212Z -u SR -e -l -d </code> + <i> + certdir</i> + </a><br> + <a name="1036674"> The Certificate Database Tool shows results similar to </a><br> + <a name="1037451"> <code>Certificate:'jsmith@netscape.com' is valid.</code></a><br> + <a name="1037453"> or</a><br> + <a name="1037452"> <code>UID=jsmith, E=jsmith@netscape.com, CN=John Smith, O=Netscape Communications Corp., C=US : Expired certificate</code></a><br> + <a name="1037673"> or</a><br> + <a name="1037664"> <code>UID=jsmith, E=jsmith@netscape.com, CN=John Smith, O=Netscape Communications Corp., C=US : Certificate not approved for this operation</code></a></p> +<p> </p> +<p> </p> +<pre><a name="1028726"></a></pre> +<p> </p> +<hr> +<p> </p> |
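Review bot: the `-S` example in "Creating a Certificate" passes `-1 -2 -5`, but the `-S` synopsis in the Usage section lists only `[-1] [-2] [-3] [-4]`; either add `[-5]` to the synopsis or drop it from the example so the two agree. Two more mismatches in the same region: the "Creating a Certificate Request" text says the request file is named `e95c.req` while the command writes `-o mycert.req`, and the "Adding a Certificate to the Database" example adds the certificate with trust `"p,p,p"` (valid peer) yet the sample `-L -n jsmith@netscape.com` output reports "Valid CA / Trusted CA" for all three flag groups and shows `Issuer: CN=John Smith` instead of the `myissuer` CA that signed it; the sample output should be regenerated from the commands actually shown. The sample output also shows `Signature Algorithm: PKCS #1 MD5 With RSA Encryption` with 1998 validity dates; a one-line remark that MD5 signatures are no longer acceptable for certificates would stop readers from treating that output as a reference. Lastly, the empty `<p> </p>` paragraphs, the empty one-cell table after the options table, and the trailing `<pre><a name="1028726"></a></pre>` are export residue from the original document and can be removed.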