Netscape MANAGEMENT SYSTEM 6.0 - COMMAND-LINE Manual page 99

Command-line tools guide
Table 13-1 Description of options

-k key ... directory

Specifies the nickname (key) of the certificate you want to sign with and signs the files in the specified directory. The directory to sign is always specified as the last command-line argument. Thus, it is possible to write

signtool -k MyCert -d . signdir

You may have trouble if the nickname contains a single quotation mark. To avoid problems, escape the quotation mark using the escape conventions for your platform.

It's also possible to use the -k option without signing any files or specifying a directory. For example, you can use it with the -l option to get detailed information about a particular signing certificate.

-G nickname

Generates a new private-public key pair and corresponding object-signing certificate with the given nickname.

The newly generated keys and certificate are installed into the key and certificate databases in the directory specified by the -d option. With the NT version of Netscape Signing Tool, you must use the -d option with the -G option. With the Unix version of Netscape Signing Tool, omitting the -d option causes the tool to install the keys and certificate in the Communicator key and certificate databases. If you are installing the keys and certificate in the Communicator databases, you must exit Communicator before using this option; otherwise, you risk corrupting the databases. In all cases, the certificate is also output to a file named x509.cacert, which has the MIME-type application/x-x509-ca-cert.

Unlike certificates normally used to sign finished code to be distributed over a network, a test certificate created with -G is not signed by a recognized certificate authority. Instead, it is self-signed. In addition, a single test signing certificate functions as both an object-signing certificate and a CA. When you are using it to sign objects, it behaves like an object-signing certificate. When it is imported into browser software such as Communicator, it behaves like an object-signing CA and cannot be used to sign objects.

The -G option is available in Netscape Signing Tool 1.0 and later versions only. By default, it produces only RSA certificates with 1024-byte keys in the internal token. However, you can use the -s option to specify the required key size and the -t option to specify the token. For more information about the use of the -G option, see "Generating Test Object-Signing Certificates" on page 104.

-l

Lists signing certificates, including issuing CAs. If any of your certificates are expired or invalid, the list will so specify. This option can be used with the -k option to list detailed information about a particular signing certificate.

The -l option is available in Netscape Signing Tool 1.0 and later versions only.
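
The quoting caveat for -k, worked through for a POSIX shell. This is an added example, not part of the original manual; the nickname, database directory and signing directory are constructed sample values, and sh_quote, sign_command and list_command are hypothetical helper names. It only prints the command lines and does not run signtool.

```shell
#!/bin/sh
# Added example: build signtool command lines in which a nickname containing
# a single quotation mark survives shell parsing as exactly one argument.

# Constructed sample values (assumptions, not taken from the manual).
NICK="Bob's Test Cert"
CERTDB="."
SIGNDIR="signdir"

# sh_quote STRING: print STRING as one single-quoted shell word.
# An embedded ' becomes '\'' (close quote, escaped quote, reopen quote).
sh_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# sign_command NICK CERTDB DIR: the manual's form
#   signtool -k MyCert -d . signdir
# with every value quoted and the directory to sign kept as the last argument.
sign_command() {
    printf 'signtool -k %s -d %s %s\n' \
        "$(sh_quote "$1")" "$(sh_quote "$2")" "$(sh_quote "$3")"
}

# list_command NICK CERTDB: -k combined with -l, which shows details for one
# signing certificate without signing any files or naming a directory.
list_command() {
    printf 'signtool -k %s -l -d %s\n' "$(sh_quote "$1")" "$(sh_quote "$2")"
}

# Print both command lines so they can be reviewed before being pasted.
sign_command "$NICK" "$CERTDB" "$SIGNDIR"
list_command "$NICK" "$CERTDB"
```

Inside a script the escaping can be avoided by passing the variable in double quotes ("$NICK"); the quoted form matters when the command line is typed, logged or generated as text.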
SignTool Syntax and Options
Chapter 13
Netscape Signing Tool
99

This manual is also suitable for:

Certificate management system 6.0