certutil Commands Reference

Essential certutil commands for managing NSS certificate databases

🗄️ Database Management

Create new NSS database

certutil -N -d sql:/path/to/database

Creates a new certificate database. You'll be prompted for a password to protect the database.

Create database with empty password

certutil -N -d sql:/path/to/database --empty-password

⚠️ Warning: No password protection. Only for non-sensitive testing.

Check the database by validating a stored certificate

certutil -V -d sql:/path/to/database -n "Certificate Nickname"

-V validates one named certificate (chain, validity period, trust), so this is a quick smoke test that the database opens and holds a usable entry; it does not check the database files themselves.

📋 Listing Certificates

List all certificates

certutil -L -d sql:/path/to/database

Shows each certificate's nickname and its trust attributes as three comma-separated positions (SSL,Email,ObjectSigning). Within a position, C marks a trusted CA, P a trusted peer and u an entry whose private key is in this database; see the Trust Flags Reference below.

List certificates in Firefox profile

certutil -L -d sql:$HOME/.mozilla/firefox/PROFILE.default

Replace PROFILE with your Firefox profile name; find it in ~/.mozilla/firefox/profiles.ini. Use $HOME or an absolute path here, because the shell does not expand ~ after the sql: prefix.

List certificates in Chrome/Chromium

certutil -L -d sql:$HOME/.pki/nssdb

Show detailed certificate information

certutil -L -d sql:/path/to/database -n "Certificate Nickname"

Displays full certificate details including subject, issuer, validity, and extensions.

Show certificate in ASCII (PEM) format

certutil -L -d sql:/path/to/database -n "Certificate Nickname" -a

➕ Adding Certificates

Add CA certificate (trusted root)

certutil -A -d sql:/path/to/database \
  -n "My CA" -t "C,," -i ca-cert.pem

Trust flags are given per position (SSL,Email,ObjectSigning), so "C,," trusts this CA for SSL only. See the Trust Flags Reference below.

Add server certificate

certutil -A -d sql:/path/to/database \
  -n "My Server Cert" -t ",," -i server-cert.pem

Server certificates typically have no trust flags (,,).

Add certificate and private key (PKCS#12)

pk12util -i cert.p12 -d sql:/path/to/database

certutil -A imports certificates only. A PKCS#12 bundle (certificate plus private key) is imported with pk12util, which prompts for the bundle's password; the nickname is taken from the friendly name stored in the file.

Trust specific certificate for SSL

certutil -A -d sql:/path/to/database \
  -n "Trusted Server" -t "P,," -i server.pem

P = Trusted peer (for server certificates).

🗑️ Deleting Certificates

Delete certificate by nickname

certutil -D -d sql:/path/to/database -n "Certificate Nickname"

Delete certificate and private key

certutil -F -d sql:/path/to/database -n "Certificate Nickname"

Removes both certificate and associated private key.

📤 Exporting Certificates

Export certificate to PEM

certutil -L -d sql:/path/to/database \
  -n "Certificate Nickname" -a > cert.pem

Export certificate to DER (binary)

certutil -L -d sql:/path/to/database \
  -n "Certificate Nickname" -r > cert.der

Export certificate and key to PKCS#12

pk12util -o cert.p12 -d sql:/path/to/database \
  -n "Certificate Nickname"

Uses pk12util (part of NSS tools). You'll be prompted for an export password.

📥 Importing Certificates

Import PKCS#12 file

pk12util -i cert.p12 -d sql:/path/to/database

Imports certificate and private key from PKCS#12 file.

Import PEM certificate

certutil -A -d sql:/path/to/database \
  -n "Imported Cert" -t ",," -a -i cert.pem

Import DER certificate

certutil -A -d sql:/path/to/database \
  -n "Imported Cert" -t ",," -i cert.der

🔒 Trust Management

Modify certificate trust

certutil -M -d sql:/path/to/database \
  -n "Certificate Nickname" -t "CT,C,C"

Sets trust for SSL, Email, and Object Signing, in that order. Each position can carry these flags:
  • p - Valid peer
  • P - Trusted peer
  • c - Valid CA
  • C - Trusted CA
  • T - Trusted CA for issuing client certs
  • u - User certificate (private key present; can authenticate)

Remove trust (but keep certificate)

certutil -M -d sql:/path/to/database \
  -n "Certificate Nickname" -t ",,"

Trust for SSL only

certutil -M -d sql:/path/to/database \
  -n "Certificate Nickname" -t "C,,"

✅ Certificate Validation

Verify certificate is valid

certutil -V -d sql:/path/to/database \
  -n "Certificate Nickname" -u V

Usage flags: V=SSL Server, C=SSL Client, S=Email Signer

Validate at specific time

certutil -V -d sql:/path/to/database \
  -n "Certificate Nickname" -b 2501010000Z

Date format: YYMMDDHHmmZ (e.g., 2501010000Z = Jan 1, 2025 00:00 UTC)

Check certificate chain

certutil -O -d sql:/path/to/database \
  -n "Certificate Nickname"

Shows the complete certificate chain up to the root CA.

🔑 Key and CSR Generation

Generate RSA key pair

head -c 2048 /dev/urandom > noise.bin
certutil -G -d sql:/path/to/database \
  -z noise.bin -g 2048

-g specifies key size (2048, 3072, or 4096 bits). -z names a noise file whose contents seed key generation; certutil reads the file through to its end, so pass a small finite file rather than /dev/urandom. Without -z, certutil prompts you to type random keystrokes until its progress meter fills.

Create certificate request (CSR)

certutil -R -d sql:/path/to/database \
  -s "CN=example.com,O=My Organization,C=US" \
  -o request.csr -a

Creates a CSR with the specified subject; a new key pair is generated for it (add -z noise.bin to avoid the keystroke prompt). -a outputs in ASCII (PEM) format.

Create self-signed certificate

certutil -S -d sql:/path/to/database \
  -n "Self Signed" -s "CN=localhost" \
  -t "C,," -x -v 12

-x makes the certificate self-signed; -v 12 sets the validity to 12 months; -t "C,," records it as a trusted SSL CA in this database.
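The commands from the Database Management, Adding Certificates, Trust Management, Certificate Validation and Key and CSR Generation sections chain together into one provisioning flow. The script below is an added example, not from the original page: it creates a disposable database, issues a test CA and a server certificate from it, validates the leaf for SSL-server use and exports the CA certificate. It assumes the NSS tools (certutil) are installed; the nicknames, subject names and directory are invented for the demo.

```shell
#!/bin/sh
# Added example (not from the original page): build a disposable NSS database,
# mint a local test CA and a server certificate signed by it, validate the
# server certificate for SSL-server use and export the CA in PEM form.
# Assumes the NSS tools (certutil) are on PATH. Nicknames, subjects and the
# database directory are invented for the demo.
set -eu

nss_demo() {
    db="$1"                              # directory that will hold cert9.db / key4.db
    mkdir -p "$db"

    # -z wants a finite noise file (certutil reads it through to end-of-file);
    # a small blob from /dev/urandom avoids the interactive "keep typing" prompt.
    head -c 2048 /dev/urandom > "$db/noise.bin"

    # Empty-password store: acceptable for a throwaway test database only.
    certutil -N -d "sql:$db" --empty-password

    # Self-signed CA, trusted for SSL (C) and for issuing client certs (T).
    # -2 adds Basic Constraints and asks three questions on stdin
    # (CA? / path length / critical?), answered here as y / <skip> / y.
    printf 'y\n\ny\n' | certutil -S -d "sql:$db" -z "$db/noise.bin" \
        -n "Demo Test CA" -s "CN=Demo Test CA,O=Example,C=US" \
        -t "CT,," -x -v 12 -2 >/dev/null

    # Server certificate issued by the CA (-c), with a DNS SAN (-8) and no
    # trust flags of its own: it is trusted only through its issuer.
    certutil -S -d "sql:$db" -z "$db/noise.bin" \
        -n "demo-server" -s "CN=localhost,O=Example,C=US" \
        -c "Demo Test CA" -t ",," -v 12 -8 localhost >/dev/null

    # Validate the leaf as an SSL server certificate (-u V), checking
    # signatures along the chain (-e). certutil exits non-zero on failure,
    # which aborts the function under set -e.
    certutil -V -d "sql:$db" -n "demo-server" -u V -e >/dev/null

    # Hand the CA certificate (never its key) to clients that should trust it.
    certutil -L -d "sql:$db" -n "Demo Test CA" -a > "$db/demo-ca.pem"

    # Return the CA's trust column exactly as certutil -L prints it. The 'u'
    # in each position appears because the private key is in this database,
    # so the CA reads CTu,u,u and the server u,u,u.
    certutil -L -d "sql:$db" | awk -v nick="Demo Test CA" \
        'index($0, nick) == 1 { print $NF }'
}

# Run directly:  sh nss_demo.sh --run /tmp/nss-demo
if [ "${1:-}" = "--run" ]; then
    nss_demo "${2:-$(mktemp -d)}"
fi
```

Run it as `sh nss_demo.sh --run /tmp/nss-demo`, then inspect the store with `certutil -L -d sql:/tmp/nss-demo` and `certutil -O -d sql:/tmp/nss-demo -n demo-server`. The function prints the CA's trust column, which reads CTu,u,u rather than the CT,, that was requested because the private key lives in the same database.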

📁 Common Database Locations

Firefox:
  • Linux: ~/.mozilla/firefox/PROFILE.default/
  • macOS: ~/Library/Application Support/Firefox/Profiles/PROFILE.default/
  • Windows: %APPDATA%\Mozilla\Firefox\Profiles\PROFILE.default\
Chrome/Chromium:
  • Linux: ~/.pki/nssdb/
  • Some systems: ~/.config/chromium/Default/
System-wide (Linux):
  • /etc/pki/nssdb/ (RHEL/CentOS/Fedora)
  • /usr/share/pki/nssdb/ (some distributions)
Database Format:
  • Modern: Use sql: prefix (SQLite-based)
  • Legacy: Use dbm: prefix (Berkeley DB, deprecated)
  • Files: cert9.db, key4.db, pkcs11.txt

🏷️ Trust Flags Reference

Trust flags format: SSL,Email,ObjectSigning

Trust Flags:
  • p - Valid peer
  • P - Trusted peer
  • c - Valid CA
  • C - Trusted CA (can issue certs)
  • T - Trusted CA for client certs
  • u - User cert (can authenticate)
Common Patterns:
  • C,, - Trusted SSL CA only
  • CT,C,C - Trusted for all purposes
  • P,, - Trusted SSL peer
  • ,, - No special trust
  • u,u,u - User certificate
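The trust column printed by certutil -L (see Listing Certificates above) and the flag table in this reference can be decoded and audited mechanically. The script below is an added example, not part of the original page: a POSIX shell script that decodes a trust string position by position and lists every entry trusted as an SSL CA, run over a constructed sample listing. The nicknames in the sample are invented; nss_audit_db assumes certutil is installed.

```shell
#!/bin/sh
# Added example (not from the original page): decode certutil -L trust strings
# and flag every entry trusted as an SSL CA. Runs offline on a constructed
# sample; nss_audit_db() applies the same check to a real database and
# assumes certutil is on PATH.

# Decode one trust string ("SSL,Email,ObjectSigning") using the flag letters
# from the Trust Flags Reference. Letters outside that table are reported,
# not silently dropped.
nss_decode_trust() {
    printf '%s\n' "$1" | awk -F, '
    function describe(flags,    i, ch, d, out) {
        if (flags == "") return "no trust"
        out = ""
        for (i = 1; i <= length(flags); i++) {
            ch = substr(flags, i, 1)
            if (ch == "p")      d = "valid peer"
            else if (ch == "P") d = "trusted peer"
            else if (ch == "c") d = "valid CA"
            else if (ch == "C") d = "trusted CA"
            else if (ch == "T") d = "trusted CA for client certs"
            else if (ch == "u") d = "user cert"
            else                d = "unknown flag " ch
            out = out (out == "" ? "" : ", ") d
        }
        return out
    }
    { printf "SSL: %s | Email: %s | ObjectSigning: %s\n", describe($1), describe($2), describe($3) }'
}

# Read a certutil -L listing on stdin and print the nickname of every entry
# whose SSL position carries C or T, i.e. a CA this store trusts for TLS.
# Entries you do not recognise here are what a browser trust-store audit
# is looking for.
nss_list_ssl_cas() {
    awk '
    NF >= 2 && $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
        split($NF, pos, ",")
        if (pos[1] ~ /[CT]/) {
            nick = $0
            sub(/[ \t]+[^ \t]+$/, "", nick)   # drop the trust column
            sub(/^[ \t]+/, "", nick)
            print nick
        }
    }'
}

# Audit a real database directory (assumes certutil is installed).
nss_audit_db() {
    certutil -L -d "sql:$1" | nss_list_ssl_cas
}

# Constructed sample in the layout certutil -L prints; the nicknames are invented.
SAMPLE_LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Demo Test CA                                                 CTu,u,u
demo-server                                                  u,u,u
Corp Proxy Root                                              C,,
Example Root CA                                              ,,'

if [ "${1:-}" = "--demo" ]; then
    nss_decode_trust "CT,C,C"
    printf '%s\n' "$SAMPLE_LISTING" | nss_list_ssl_cas
fi
```

Run `sh nss_trust_audit.sh --demo` to see the sample decoded, or `nss_audit_db "$HOME/.pki/nssdb"` against a real store; on the sample only "Demo Test CA" and "Corp Proxy Root" are reported, because the server entry's u flags and the ",," root carry no CA trust for SSL.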