11.3. Using certutil

The Directory Server has a command-line tool, certutil, which locally creates self-signed CA and client certificates, certificate databases, and keys. The default location for the Directory Server certutil tool is /usr/lib/dirsec/. [12]


Set the environment variable for the shell to include the certutil directory path. For example:

export PATH=/usr/lib/dirsec/:$PATH

The exact syntax depends on the shell; the example above is for sh-compatible shells such as bash.

certutil can also be downloaded from ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/.

11.3.1. Creating Directory Server Certificates through the Command Line

The following steps outline how to make the databases, key, CA certificate, server/client certificate, and convert the certificates into pkcs12 format.

  1. Open the directory where the Directory Server certificate databases are stored. For example:

    cd /etc/dirsrv/slapd-instance_name
  2. Create a temporary working directory inside it, and open that directory:

    mkdir tmp
    cd tmp
  3. Create a password file for the security token password:

    vi pwdfile.txt

    The password file should be owned by the user as which Directory Server runs, by default nobody, and it must be set as read-only for the Directory Server user and allow no access to anyone else (mode 0400).

  4. Create a noise file containing random data; certutil mixes it into the entropy used for key generation:

    vi noise.txt
  5. Create the key and certificate databases:

    certutil -N -d . -f pwdfile.txt
  6. Generate the key pair:

    certutil -G -d . -z noise.txt -f pwdfile.txt
  7. Generate the self-signed CA certificate. This certificate is used to generate the other server certificates and can be exported for use with other servers and clients.

    certutil -S -n "CA certificate" -s "cn=CAcert" -x -t "CT,," \
         -m 1000 -v 120 -d . -z noise.txt -f pwdfile.txt
  8. Generate the Directory Server server certificate, signed by the CA certificate created in the previous step.

    certutil -S -n "Server-Cert" -s "cn=FQDN,cn=Directory Server" -c "CA certificate" \
         -t "u,u,u" -m 1001 -v 120 -d . -z noise.txt -f pwdfile.txt

    FQDN is the fully-qualified host and domain name of the Directory Server, such as ldap.example.com. This name must be available for DNS and reverse DNS lookups to Directory Server clients because certificate validation may fail if the clients cannot properly resolve the FQDN. To use the Directory Server behind a DNS round robin or any other scheme which aliases a single server certificate to multiple hostnames, see the SSL information about server name wildcards or subjectAltName.

    To generate a client certificate to use with applications other than the Directory Server, run the same command as for the Directory Server certificate, with a different nickname (-n), subject (-s), and serial number (-m).

    Keep careful track of the numbers set with the -m option. The -m option sets the serial number of the certificate, and a CA must never issue two certificates with the same serial number.

  9. Move the new key and certificate databases up into the instance directory, replacing the default Directory Server databases. Back up the existing databases first if they hold anything still needed.

    mv *.db ..    # when the working directory created in step 2 is inside /etc/dirsrv/slapd-instance_name
  10. Export the CA certificate to ASCII (PEM) format so it can be used with other clients.

    certutil -L -d . -n "CA certificate" -a > cacert.asc

    The cacert.asc file can be used as the CA certificate for most clients that require the CA certificate in a simple ASCII file, including Red Hat Enterprise Linux clients, web servers, and others.

  11. Optionally, run pk12util to create a pkcs12 file of the CA certificate and Directory Server key and certificate as a backup. The pkcs12 file contains sensitive information, so the file is password-protected and prompts for a password as the command runs.

    pk12util -d . -o cacert.pk12 -n "CA certificate"
    pk12util -d . -o dscert.pk12 -n "Server-Cert"
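The procedure above as one script, added here as an example and not taken from the Red Hat guide. It runs steps 3 through 11 in order, with the housekeeping the text asks for (a 0400 password file, unique -m serials) done by small functions, and adds one check the guide does not show: certutil -V confirms the server certificate chains to the CA and is valid for SSL server use before anything is installed. It assumes the NSS certutil and pk12util tools are on PATH, a writable working directory, and a placeholder FQDN such as ldap.example.com; the DS_WORKDIR, DS_FQDN and DS_TOKEN_PW variables and the serial.txt counter file are this example's own conventions.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide: steps 3-11 of section 11.3.1 as one
# script. Assumptions: NSS certutil/pk12util on PATH, a writable working
# directory, and a placeholder FQDN such as ldap.example.com.
set -eu
export PATH=/usr/lib/dirsec/:$PATH

# Step 3: token password file, mode 0400, written under a restrictive umask so
# it is never world-readable even briefly. Succeeds only if the mode is 0400.
write_pwdfile() {            # $1 = path  $2 = password
    ( umask 077; printf '%s\n' "$2" > "$1" )
    chmod 0400 "$1"
    [ -n "$(find "$1" -perm 0400 -print)" ]
}

# Step 4: noise file, random bytes mixed into certutil's key-generation entropy.
write_noise() {              # $1 = path
    head -c 64 /dev/urandom | od -An -tx1 | tr -d ' \n' > "$1"
    [ -s "$1" ]
}

# -m bookkeeping: a CA must never issue two certificates with the same serial.
# The counter file (this example's convention) records the last serial handed
# out; the first call returns 1000, matching the guide's CA certificate.
next_serial() {              # $1 = counter file; prints the serial to use
    if [ -f "$1" ]; then last=$(cat "$1"); else last=999; fi
    serial=$((last + 1))
    printf '%s\n' "$serial" > "$1"
    printf '%s\n' "$serial"
}

# Steps 5-11 in order; set -e stops at the first failing certutil call.
build_certs() {              # $1 = work dir  $2 = FQDN  $3 = token password
    cd "$1"
    write_pwdfile pwdfile.txt "$3"
    write_noise noise.txt
    certutil -N -d . -f pwdfile.txt                       # step 5: databases
    certutil -G -d . -z noise.txt -f pwdfile.txt          # step 6: key pair
    ca_serial=$(next_serial serial.txt)                   # step 7: CA cert
    certutil -S -n "CA certificate" -s "cn=CAcert" -x -t "CT,," \
        -m "$ca_serial" -v 120 -d . -z noise.txt -f pwdfile.txt
    srv_serial=$(next_serial serial.txt)                  # step 8: server cert
    certutil -S -n "Server-Cert" -s "cn=$2,cn=Directory Server" \
        -c "CA certificate" -t "u,u,u" -m "$srv_serial" -v 120 \
        -d . -z noise.txt -f pwdfile.txt
    # Check before installing: the server cert must chain to the CA and be
    # valid for SSL server use (-u V), with its signature verified (-e).
    certutil -V -d . -n "Server-Cert" -u V -e
    certutil -L -d . -n "CA certificate" -a > cacert.asc  # step 10: PEM export
    pk12util -d . -k pwdfile.txt -o cacert.pk12 -n "CA certificate"   # step 11
    pk12util -d . -k pwdfile.txt -o dscert.pk12 -n "Server-Cert"
    echo "certificates built in $1; move the *.db files into the instance directory (step 9)"
}

# Run the whole procedure only when the three inputs are supplied, e.g.
#   DS_WORKDIR=/etc/dirsrv/slapd-instance_name/tmp DS_FQDN=ldap.example.com \
#   DS_TOKEN_PW=secret sh make_certs.sh
if [ -n "${DS_WORKDIR:-}" ]; then
    build_certs "$DS_WORKDIR" "${DS_FQDN:?set DS_FQDN}" "${DS_TOKEN_PW:?set DS_TOKEN_PW}"
fi
```

pk12util is given the token password file with -k so only the PKCS #12 export password is prompted for; the counter file lives beside the databases, so it should move with them (or be kept elsewhere and protected) when further certificates are issued from the same CA later.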

The certificates created by certutil are automatically available in the Encryption tab of the Console; there is no need to import them.

11.3.2. certutil Usage

certutil can be used for a variety of tasks to manage certificates and keys, such as generating certificate requests and removing certificates from the certificate database. Some of the most common options are listed in Table 11.1, “certutil Options”. For the full list of commands and arguments, run certutil -H from the command line.

certutil -L -d .
    Lists the certificates in the database.

certutil -L -d . -n "cert_name"
    "Pretty prints" the specified certificate; cert_name can name either a CA certificate or a client certificate.

certutil -L -d . -n "cert_name" -a > certfile.asc
    Exports the specified certificate from the database in ASCII (PEM) format. Without -a, certutil -L -n writes the pretty-printed form, not PEM.

certutil -L -d . -n "cert_name" -r > certfile.bin
    Exports the specified certificate from the database in binary (DER) format; this form can be used with Directory Server attributes such as userCertificate;binary.

Table 11.1. certutil Options

[12] This is the location for Red Hat Enterprise Linux 5 i386. File locations for other platforms are listed in Section 1.1, “Directory Server File Locations”.

Note: This documentation is provided {and copyrighted} by Red Hat®, Inc. and is released via the Open Publication License. The copyright holder has added the further requirement that Distribution of substantively modified versions of this document is prohibited without the explicit permission of the copyright holder. The CentOS project redistributes these original works (in their unmodified form) as a reference for CentOS-5 because CentOS-5 is built from publicly available, open source SRPMS. The documentation is unmodified to be compliant with upstream distribution policy. Neither CentOS-5 nor the CentOS Project are in any way affiliated with or sponsored by Red Hat®, Inc.