Appendix C Command-Line Utilities

Netscape Certificate Management System (CMS) is bundled with various command-line utilities. This appendix summarizes these utilities, explains a few of them, and provides pointers for the rest.

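The appendix has the following sections: Summary of Command-Line Utilities, ASCII to Binary Tool, Binary to ASCII Tool, Pretty Print Certificate Tool, Pretty Print CRL Tool, and dumpasn1 Tool.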


Summary of Command-Line Utilities
Table 25.2 summarizes the various command-line utilities that are bundled with Certificate Management System.

Table 25.2 Summary of command-line utilities

Utility: Description

AtoB (ASCII to Binary Tool): Converts ASCII base-64 encoded data to binary base-64 encoded data. For details, see "ASCII to Binary Tool".

BtoA (Binary to ASCII Tool): Converts binary base-64 encoded data to ASCII base-64 encoded data. For details, see "Binary to ASCII Tool".

PrettyPrintCert (Pretty Print Certificate Tool): Prints the contents of a certificate stored as ASCII base-64 encoded data in a human-readable form. For details, see "Pretty Print Certificate Tool".

PrettyPrintCrl (Pretty Print CRL Tool): Prints the contents of a CRL stored as ASCII base-64 encoded data in a human-readable form. For details, see "Pretty Print CRL Tool".

dumpasn1: Dumps the contents of binary base-64-encoded data. For details, see "dumpasn1 Tool".

certutil (Certificate Database Tool): View and manipulate the certificate database (cert7.db) contents. For details, see "Certificate Database Tool".

keyutil (Key Database Tool): View and manipulate the key database (key3.db) contents. For details, see "Key Database Tool".

signtool (Netscape Signing Tool): Used to digitally sign any file, including log files. For details, see "Netscape Signing Tool".

sslstrength (SSL Strength Tool): Used to connect to an SSL server and report back the type and strength of the encryption cipher that it's using. For details, see "SSL Strength Tool".

ssltap (SSL Debugging Tool): Used to debug SSL applications. For details, see "SSL Debugging Tool".

migrate (Migration Tool): Migrate data from a Certificate Server 1.x installation into a Certificate Management System installation. For details, see "Appendix A, Migrating from Certificate Server" in the Netscape Certificate Management System Installation and Deployment Guide.

setpin (PIN Generator tool): Used to generate PINs for end entities for directory plus PIN-based authentication. For details, see "Using the PIN Generator Tool".

killproc: Used to kill system processes in Windows NT. For details, see "Attending to an Unresponsive Server".

The first five tools listed in Table 25.2 (AtoB, BtoA, PrettyPrintCert, PrettyPrintCrl, and dumpasn1) are useful for converting back and forth between various encodings and formats you may encounter when dealing with keys and certificates. (These tools are explained in this appendix.)

The Certificate Database Tool, Key Database Tool, and Security Module Database Tool ("modutil" in Appendix B of Managing Servers with Netscape Console) are useful for a variety of administrative tasks that involve manipulating certificate and key databases.

The Migration tool is used to convert Certificate Server 1.x data for use with Certificate Management System, and the PIN Generator tool is used to create PINs for directory authentication. The killproc tool is used to terminate the Java virtual machines, called jssjava processes, when Certificate Management System becomes unresponsive.

The Netscape Signing Tool can be used to associate a digital signature with any file, including CMS log files.

The SSL Strength Tool and SSL Debugging Tool are useful for testing and debugging purposes.

Location of Command-Line Utilities

Except for the Security Module Database Tool, you can find all the other command-line utilities at this location:

<server_root>/bin/cert/tools/...

<server_root> is the directory where the CMS binaries are kept. You first specified this directory during installation.

The Security Module Database Tool (which is explained in "modutil" in Appendix B of Managing Servers with Netscape Console) is located here:

<server_root>/shared/bin/modutil


ASCII to Binary Tool
You can use the ASCII to Binary tool to convert ASCII base-64 encoded data to binary base-64 encoded data.

Availability

This tool is available for Solaris 2.5.1 (SunOS 5.5.1), Solaris 2.6 (SunOS 5.6), HP-UX B.11.00, AIX 4.2, and Windows NT 4.0.

Syntax

To run the ASCII to Binary tool, type the following command:

AtoB[.bat] <input_file> <output_file>

.bat specifies the file extension; this is required only when running the utility on a Windows NT system.

<input_file> specifies the path to the file that contains the base-64 encoded data in ASCII format.

<output_file> specifies the path to the file to write the base-64 encoded data in binary format.

Example

AtoB.bat C:\test\data.in C:\test\data.out

The above command takes the base-64 encoded data (in ASCII format) in the file named data.in and writes the binary equivalent of the data to the file named data.out.


Binary to ASCII Tool
You can use the Binary to ASCII tool to convert binary base-64 encoded data to ASCII base-64 encoded data.

Availability

This tool is available for Solaris 2.5.1 (SunOS 5.5.1), Solaris 2.6 (SunOS 5.6), HP-UX B.11.00, AIX 4.2, and Windows NT 4.0.

Syntax

To run the Binary to ASCII tool, type the following command:

BtoA[.bat] <input_file> <output_file>

.bat specifies the file extension; this is required only when running the utility on a Windows NT system.

<input_file> specifies the path to the file that contains the base-64 encoded data in binary format.

<output_file> specifies the path to the file to write the base-64 encoded data in ASCII format.

Example

BtoA.bat C:\test\data.in C:\test\data.out

The above command takes the base-64 encoded data (in binary format) in the file named data.in and writes the ASCII equivalent of the data to the file named data.out.
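The two conversions described in the ASCII to Binary Tool and Binary to ASCII Tool sections, as an added Python example (not part of the original guide and not the CMS tools' own code), with a check that the decoded bytes form one complete DER element before they are passed to another tool. The function names, the removal of BEGIN/END armor lines, the 64-column wrapping, and the sample bytes are assumptions of this example.

```python
import base64
import re

def atob(ascii_text):
    """Decode base-64 text to raw bytes (the AtoB direction)."""
    # Assumption: armor lines are dropped here; the guide does not say AtoB does this.
    body = re.sub(r"-----(BEGIN|END) [A-Z0-9 ]+-----", "", ascii_text)
    body = "".join(body.split())                   # remove line breaks and stray spaces
    return base64.b64decode(body, validate=True)   # raises binascii.Error on bad input

def btoa(raw, width=64):
    """Encode raw bytes as base-64 text (the BtoA direction), wrapped at `width`."""
    b64 = base64.b64encode(raw).decode("ascii")
    return "\n".join(b64[i:i + width] for i in range(0, len(b64), width)) + "\n"

def der_total_length(raw):
    """Return header plus content length declared by the outer DER element."""
    if len(raw) < 2:
        raise ValueError("too short for a DER header")
    first = raw[1]
    if first < 0x80:                               # short form: one length byte
        return 2 + first
    n = first & 0x7F                               # long form: n length bytes follow
    if n == 0 or len(raw) < 2 + n:
        raise ValueError("indefinite or truncated DER length")
    return 2 + n + int.from_bytes(raw[2:2 + n], "big")

def looks_like_complete_der(raw):
    """True if raw is a single SEQUENCE whose declared length equals its size."""
    try:
        return raw[:1] == b"\x30" and der_total_length(raw) == len(raw)
    except ValueError:
        return False

# Constructed sample: SEQUENCE { INTEGER 0x100C, UTF8String "constructed sample" }
SAMPLE_DER = b"\x30\x18\x02\x02\x10\x0c\x0c\x12constructed sample"

if __name__ == "__main__":
    text = btoa(SAMPLE_DER)
    print(text, looks_like_complete_der(atob(text)))
```

A decoded file that fails looks_like_complete_der was truncated, padded, or is not DER at all.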


Pretty Print Certificate Tool
You can use the Pretty Print Certificate tool to print the contents of a certificate stored as ASCII base-64 encoded data in a human-readable form.

Availability

This tool is available for Solaris 2.5.1 (SunOS 5.5.1), Solaris 2.6 (SunOS 5.6), HP-UX B.11.00, AIX 4.2, and Windows NT 4.0.

Syntax

To run the Pretty Print Certificate tool, type the following command:

PrettyPrintCert[.bat] <input_file> [<output_file>]

.bat specifies the file extension; this is required only when running the utility on a Windows NT system.

<input_file> specifies the path to the file that contains the base-64 encoded certificate.

<output_file> specifies the path to the file to write the certificate. This argument is optional; if you don't specify an output file, the certificate information is written to the standard output.

Example

PrettyPrintCert.bat C:\test\cert.in C:\test\cert.out

The above command takes the base-64 encoded certificate in the cert.in file and writes the certificate in the pretty-print form to the output file named cert.out.

The base-64 encoded certificate (content of the cert.in file) would look similar to this:

-----BEGIN CERTIFICATE-----

MIIC2DCCAkGgAwIBAgICEAwwDQYJKoZIhvcNAQEFBQAwfDELMAkGA1UEBhMCVVMxIzAhBgNVBAoTG lBhbG9va2FWaWxsZSBXaWRnZXRzLCBJbmMuMR0wGwYDVQQLExRXaWRnZXQgTWFrZXJzICdSJyBVcz EpMCcGA1UEAxMgVGVzdCBUZXN0IFRlc3QgVGVzdCBUZXN0IFRlc3QgQ0EwHhcNOTkwMjE4MDM0MzM 5WhcNMDAwMjE4MDM0MzM5WjCBrjELMAkGA1UEBhMCVVMxJjAkBgNVBAoTHU5ldHNjYXBlIENvbW11 bmljYXRpb25zIENvcnAuMRUwEwYDVQQLEwOZXRzY2FwZSBDTVMxGDAWBEBEwhtaGFybXNlbjEfMB0 GA1UEAxMWaW50ZGV2Y2EgQWRtaW5pcwp0frfJOObeiSsia3BuifRHBNw95ZZQR9NIXr1x5bEdYM1n 0nksKdflcQJ6mcA7718OZIRMfLKyRaHua24zAAMWjsH4F250gAPfZuiaTUYcBx8rhIvCwsac1Xb4X zPp1DZO8NX+9A6Zod0CAwEAAaM2MDQwEQYJYIZIAYb4QgEBBAQDAgCgMB8GA1UdIwQYaAFOu1EY8A mhqmblKUqXS8Zc8HiSojMA0GCgVIHT2xU+055U8omp0kjwHqDkegWhUtfMfeCdbNiXOpwSjCVIf1F ZvjrML/rCkV9pkn7574EBdaP

-----END CERTIFICATE-----

The certificate in pretty-print form (content of the cert.out file) would look similar to this:

Certificate:
    Data:
        Version: v3
        Serial Number: 0x100C
        Signature Algorithm: OID.1.2.840.113549.1.1.5 - 1.2.840.113549.1.1.5
        Issuer: CN=Test Test CA,OU=Widget Makers 'R'Us,O=PalookaVille Widgets\, Inc.,C=US
        Validity:
            Not Before: Wednesday, February 17, 1999 7:43:39 PM
            Not After: Thursday, February 17, 2000 7:43:39 PM
        Subject: MAIL=admin@netscape.com,CN=testCA,Administrator UID=admin,OU=Netscape CMS,O=Netscape Comm Corp.,C=US
        Subject Public Key Info:
            Algorithm: RSA - 1.2.840.113549.1.1.1
            Public Key:
                30:81:89:02:81:81:00:DE:26:B3:C2:9D:3F:7F:FA:DF:
                24:E3:9B:7A:24:AC:89:AD:C1:BA:27:D1:1C:13:70:F7:
                96:59:41:1F:4D:21:7A:F5:C7:96:C4:75:83:35:9F:49:
                E4:B0:A7:5F:95:C4:09:EA:67:00:EF:BD:7C:39:92:11:
                31:F2:CA:C9:16:87:B9:AD:B8:39:69:18:CE:29:81:5F:
                F3:4D:97:B9:DF:B7:60:B3:00:03:16:8E:C1:F8:17:6E:
                7A:D2:00:0F:7D:9B:A2:69:35:18:70:1C:7C:AE:12:2F:
                0B:0F:EC:69:CD:57:6F:85:F3:3E:9D:43:64:EF:0D:5F:
                EF:40:FF:A6:68:FD:DD:02:03:01:00:01:
        Extensions:
            Identifier: 2.16.840.1.113730.1.1
                Critical: no
                Value:
                    03:02:00:A0:
            Identifier: Authority Key Identifier - 2.5.29.35
                Critical: no
                Key Identifier:
                    EB:B5:11:8F:00:9A:1A:A6:6E:52:94:A9:74:BC:65:CF:
                    07:89:2A:23:
    Signature:
        Algorithm: OID.1.2.840.113549.1.1.5 - 1.2.840.113549.1.1.5
        Signature:
            3E:8A:A9:9B:D1:71:EE:37:0D:1F:A0:C1:00:17:53:26:
            6F:EE:28:15:20:74:F6:C5:4F:B4:E7:95:3C:A2:6A:74:
            92:3C:07:A8:39:12:1B:7E:C4:C7:AE:79:C8:D8:FF:1F:
            D5:48:D8:2E:DD:87:88:69:D5:3A:06:CA:CA:9C:9A:55:
            DA:A9:E8:BF:36:BC:68:6D:1F:2B:1C:26:62:7C:75:27:
            E2:8D:24:4A:14:9C:92:C6:F0:7A:05:A1:52:D7:CC:7D:
            E0:9D:6C:D8:97:3A:9C:12:8C:25:48:7F:51:59:BE:3C:
            2B:30:BF:EB:0A:45:7D:A6:49:FB:E7:BE:04:05:D6:8F:


Pretty Print CRL Tool
You can use the Pretty Print CRL tool to print the contents of a CRL stored as ASCII base-64-encoded data in a human-readable form.

Availability

This tool is available for Solaris 2.5.1 (SunOS 5.5.1), Solaris 2.6 (SunOS 5.6), HP-UX B.11.00, AIX 4.2, and Windows NT 4.0.

Syntax

To run the Pretty Print CRL tool, type the following command:

PrettyPrintCrl[.bat] <input_file> [<output_file>]

.bat specifies the file extension; this is required only when running the utility on a Windows NT system.

<input_file> specifies the path to the file that contains the base-64 encoded CRL.

<output_file> specifies the path to the file to write the CRL. This argument is optional; if you don't specify an output file, the CRL information is written to the standard output.

Example

PrettyPrintCrl.bat C:\test\crl.in C:\test\crl.out

The above command takes the base-64 encoded CRL in the crl.in file and writes the CRL in the pretty-print form to the output file named crl.out.

The base-64 encoded CRL (content of the crl.in file) would look similar to this:

-----BEGIN CRL-----

MIIBkjCBAIBATANBgkqhkiG9w0BAQQFADAsMREwDwYDVQQKEwhOZXRzY2FwZTEXMBUGA1UEAxMOQ2 VydDQwIFRlc3QgQ0EXDTk4MTIxNzIyMzcyNFowgaowIAIBExcNOTgxMjE1MTMxODMyWjAMMAoGA1U dFQQDCgEBMCACARIXDTk4MTIxNTEzMjA0MlowDDAKBgNVHRUEAwoBAjAgAgERFw05ODEyMTYxMjUx NTRaMAwwCgYDVR0VBAMKAQEwIAIBEBcNOTgxMjE3MTAzNzI0WjAMMAoGA1UdFQQDCgEDMCACAQoXD Tk4MTEyNTEzMTExOFowDDAKBgNVHRUEAwoBATANBgkqhkiG9w0BAQQFAAOBgQBCN85O0GPTnHfImY PROvoorx7HyFz2ZsuKsVblTcemsX0NL7DtOa+MyY0pPrkXgm157JrkxEJ7GBOeogbAS6iFbmeSqPH j8+JBH5stJNnfTCuhaM6Wx63Wc9LwZXOXTPsvpGxq0YYI0+DPfBZlI3z4lCsNczxJV+9NkeMrheEg ==

-----END CRL-----

The CRL in pretty-print form (content of the crl.out file) would look similar to this:

Certificate Revocation List:
    Data:
        Version: v2
        Signature Algorithm: MD5withRSA - 1.2.840.113549.1.1.4
        Issuer: CN=Cert40 Test CA,O=Netscape
        This Update: Thu Dec 17 14:37:24 PST 1998
        Revoked Certificates:
            Serial Number: 0x13
            Revocation Date: Tuesday, December 15, 1998 5:18:32 AM
            Extensions:
                Identifier: Revocation Reason - 2.5.29.21
                    Critical: no
                    Reason: Key_Compromise
            Serial Number: 0x12
            Revocation Date: Tuesday, December 15, 1998 5:20:42 AM
            Extensions:
                Identifier: Revocation Reason - 2.5.29.21
                    Critical: no
                    Reason: CA_Compromise
            Serial Number: 0x11
            Revocation Date: Wednesday, December 16, 1998 4:51:54 AM
            Extensions:
                Identifier: Revocation Reason - 2.5.29.21
                    Critical: no
                    Reason: Key_Compromise
            Serial Number: 0x10
            Revocation Date: Thursday, December 17, 1998 2:37:24 AM
            Extensions:
                Identifier: Revocation Reason - 2.5.29.21
                    Critical: no
                    Reason: Affiliation_Changed
            Serial Number: 0xA
            Revocation Date: Wednesday, November 25, 1998 5:11:18 AM
            Extensions:
                Identifier: Revocation Reason - 2.5.29.21
                    Critical: no
                    Reason: Key_Compromise
    Signature:
        Algorithm: MD5withRSA - 1.2.840.113549.1.1.4
        Signature:
            42:37:CE:4E:D0:63:D3:9C:77:C8:99:83:D1:3A:FA:28:
            AF:1E:C7:C8:5C:F6:66:CB:8A:B1:56:E5:4D:C7:A6:B1:
            7D:0D:2F:B0:ED:39:AF:8C:C9:8D:29:3E:B9:17:82:6D:
            79:EC:9A:E4:C4:42:7B:18:13:9E:A2:06:C0:4B:A8:85:
            6E:67:92:A8:F1:E3:F3:E2:41:1F:9B:2D:24:D9:DF:4C:
            2B:A1:68:CE:96:C7:AF:F7:5B:F7:3D:2F:06:57:39:74:
            CF:B2:FA:46:C6:AD:18:60:8D:3E:0C:F7:C1:66:52:37:
            CF:89:42:B0:D7:33:C4:95:7E:F4:D9:1E:32:B8:5E:12:
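
A revocation lookup over this kind of listing, as an added Python example (not part of the original guide or of CMS): it parses PrettyPrintCrl-style text into serial numbers and reasons, and reports when the CRL's signature algorithm OID is one built on MD5 or SHA-1. The function names and the WEAK_SIG_OIDS table are assumptions of this example; the sample text is abridged from the crl.out listing above.

```python
# Abridged from the crl.out listing above (two entries kept, signature bytes dropped).
SAMPLE = """\
Certificate Revocation List:
    Data:
        Signature Algorithm: MD5withRSA - 1.2.840.113549.1.1.4
        Issuer: CN=Cert40 Test CA,O=Netscape
        Revoked Certificates:
            Serial Number: 0x13
            Revocation Date: Tuesday, December 15, 1998 5:18:32 AM
            Extensions:
                Identifier: Revocation Reason - 2.5.29.21
                    Critical: no
                    Reason: Key_Compromise
            Serial Number: 0x12
            Revocation Date: Tuesday, December 15, 1998 5:20:42 AM
            Extensions:
                Identifier: Revocation Reason - 2.5.29.21
                    Critical: no
                    Reason: CA_Compromise
"""

# Assumption of this example: signature OIDs to flag because they rely on MD5 or SHA-1.
WEAK_SIG_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
}

def parse_crl_listing(text):
    """Return (signature_oid, {serial: reason}) from PrettyPrintCrl-style text."""
    sig_oid, revoked, current = None, {}, None
    for raw in text.splitlines():
        key, _, value = raw.strip().partition(":")
        value = value.strip()
        if key == "Signature Algorithm" and sig_oid is None:
            sig_oid = value.rsplit(" - ", 1)[-1]   # text after the last " - " is the OID
        elif key == "Serial Number":
            current = int(value, 16)               # listing prints serials as 0x.. hex
            revoked[current] = "unspecified"       # replaced if a Reason line follows
        elif key == "Reason" and current is not None:
            revoked[current] = value
    return sig_oid, revoked

def check_serial(text, serial):
    """Report revocation status of `serial` plus any weak-signature warning."""
    sig_oid, revoked = parse_crl_listing(text)
    return {
        "revoked": serial in revoked,
        "reason": revoked.get(serial),
        "weak_signature": WEAK_SIG_OIDS.get(sig_oid),
    }
```

The parser ignores indentation and blank lines, so it accepts the listing whether or not the tool's original layout survived copying.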


dumpasn1 Tool
The dumpasn1 tool is freeware that is packaged with Certificate Management System for your convenience. You can use this tool to dump the contents of binary base-64 encoded data. For more information about this tool, see this URL:

http://www.cs.auckland.ac.nz/~pgut001/

 

© Copyright 1999 Netscape Communications Corp., a subsidiary of America Online, Inc. All rights reserved.