Table of Contents
Advertisement
Listing Keys and Certificates
To list the keys and certificates in the configured PKCS#11 tokens, run the following
■
command:
certutil -L -d AS_NSS_DB [-h tokenname]
For example, to list the contents of the default NSS soft token, type:
certutil -L -d AS_NSS_DB
The standard output will be similar to the following:
verisignc1g1
verisignc1g2
verisignc1g3
verisignc2g3
verisignsecureserver
verisignc2g1
verisignc2g2
verisignc3g1
verisignc3g2
verisignc3g3
s1as
The output displays the name of the token in the left column and a set of three trust
attributes in the right column. For Enterprise Server certificates, it is usually T,c,c. Unlike
the J2SE java.security.KeyStore API, which contains only one level of trust, the NSS
technology contains several levels of trust. Enterprise Server is primarily interested in the
first trust attribute, which describes how this token uses SSL. For this attribute:
T indicates that the Certificate Authority (CA) is trusted for issuing client certificates.
u indicates that you can use the certificates (and keys) for authentication or signing.
The attribute combination of u,u,u indicates that a private key exists in the database.
To list the contents of the hardware token, mytoken, run the following command:
■
certutil -L -d AS_NSS_DB -h mytoken
You will be prompted for the password for the hardware token. The standard output is
similar to the following:
Enter Password or Pin for "mytoken":
mytoken:Server-Cert
Chapter 9 • Configuring Security
Using Hardware Crypto Accelerator With Enterprise Server
T,c,c
T,c,c
T,c,c
T,c,c
T,c,c
T,c,c
T,c,c
T,c,c
T,c,c
T,c,c
u,u,u
	u,u,u
123
Advertisement
Chapters
Table of Contents
