PKI – Certificates – Certutil -restrict: Learn How to Use Certutil to Display and Configure CA Datab

Today, I am going to discuss removing expired certificates from the CA database. Every time a CA issues a certificate it also stores a copy of the issued certificate in the CA database. Overtime the certificates that the CA issues expire. Once the certificate expires it is no longer valid. Therefore, once a certificate expires you can safely remove it from the CA database. The one exception to this is if have Key Archival configured on the CA. If you are archiving private keys, you may not want to remove expired CA certificates from the CA database.

WARNING: The NSS database does not support concurrent modification. To prevent database corruption, make sure all processes using the NSS database (e.g. DS or PKI server) are stopped before generating certificate requests, importing certificates, or removing certificates.

PKI – Certificates – Certutil -restrict or how to dump CA database

Remove the Expired and revoked certificatesNow that we have a backup of the CA database, we can start cleaning up the records. As with the backup, we will use Certutil.exe. To remove Expired and Revoked certificates, we specify the date until which they should be removed. For example, if you want all certificates expired and revoked through 01-01-2023, then enter 01-01-2023. Certificates expired or revoked on 02-01-2023 will remain in the database. In this example I will remove all certificate which are expired or revoked on 01-01-2023. To indicate that you want to remove expired and revoked certificates enter cert.

To remove the white spaces we are going to defragment the database. We do that with the command below:Esentutl /d ""But before defragmenting the database, you must first stop the service. Keep in mind that because you stop the service, certificates cannot be temporarily issued either.

Certutil.exe is a command-line program that is installed as part of Active Directory Certificate Services (AD CS). You can use Certutil.exe to dump and display certification authority (CA) configuration information, configure Certificate Services, back up and restore CA components, and verify certificates, key pairs, and certificate chains. This article was created to show examples of certutil commands. Sections in this article include:

The process to back up your current AD CS server CA database and configuration is straightforward. It can be accomplished using the AD CS management console or the certutil command-line utility in Windows Server 2008 R2.. In the console, under Administrative Tools > Certification Authority, right-click the server name and select All Tasks > Back up CA.

Fedora's database of trusted CA certificates adopts theMozilla CA Certificate Store as its core and additionally allows custom adjustments on the local host.It aims to furnish a consolidated repository of CA certificates availableto any PKI-savvy application wishing to verify an unfamiliar certificate.Broadly, there are two paths to this database.Hip applications speaking Cryptoki consult the CA database through the PKCS#11 Kit Trust Module,which directly loads the CA database into its memory.GnuTLS and NSS, for example, load the CA database this way.Old-school applications instead consult this CA database by reading its certificate bundles from files.OpenSSL takes this latter route (unless you provide, configure, and load a PKCS#11 engine).

Package ca-certificates installs the Mozilla CA Store.Package p11-kit-trust together with p11-kitprovides a Cryptoki interface to the CA database.The PKCS#11 Kit Trust Module combines the CA database and Cryptoki access to the database.It is often abbreviated as p11-kit-trust.Here, "module" is understood in terms of the Cryptoki/PKCS#11 framework.

The CA database comprises two directory trees,/etc/pki/ca-trust/source and/usr/share/pki/ca-trust-source.In the latter directory,file ca-bundle.trust.p11-kit holds the complete Mozilla CA store ina format that module p11-kit-trust accepts.This format accommodates trust settings, and the database thereby includes both anchor and blacklistedcertificates; mostly anchor.Out-of-the box, ca-certificates does not augment the Mozilla CA Store,and hence ca-bundle.trust.p11-kit is the main attraction.A system administrator can incorporate additional certificates simply by placing theirPEM files under one of these two directories and running companioncommand update-ca-trust to set things straight.Should the same certificate appear in both source directories but with differenttrust or policy settings, the dictates under /etc/pki/ca-trust/source prevail.The man page update-ca-trust has the details on the organizationof these directories and the addition of other certificates.

To address legacy issues with GnuTLS and OpenSSL,Fedora's trust database retains a handful of CA certificates that have been removed from the Mozilla CA Store.These are listed on the project's home page.You can use command ca-legacy (as root)to enable or disable trust in these certificates.

The PKCS#11 Kit Trust Module, aka p11-kit-trust,represents the CA database of ca-certificatesas a database consulted through the Cryptoki/PKCS#11 API.On initialization, this module loads the certificates it findsin directories /etc/pki/ca-trust/sourceand /usr/share/pki/ca-trust-source.In terms of Cryptoki, p11-kit-trust models the certificates of thesedirectories as two tokens, the System Trust token for /etc/pki/ca-trust/source (in slot 0 or 0x18)and the Default Trust token for /usr/share/pki/ca-trust-source (in slot 1 or 0x19).The Trust Module is implemented as library p11-kit-trust.so,which PKI-savvy applications link.To query the CA database, such applications simply use the Cryptoki interface to the library.

AlthoughNetwork Security Services (NSS)includes a built-in trust module for the Mozilla CA Store, called CKBI,Fedora replaces this module with the PKCS#11 Kit Trust Module.This switch transparently insures that NSS-based applicationssee any local adjustments to the core Mozilla CA Store that are present in the system's CA database.This switch does not affect a user's own NSS database of certificates.

An NSS-based application can let users augment the system CA database with their own set of certificates.These are stored in a file named either cert8.db orcert9.db somewhere under the user's home directory.With Firefox, for example:

When managing certificates, certutilchecks environment variable NSS_DEFAULT_DB_TYPE for the database type,given as "sql" or "dbm".In the absence of the latter guidance, it goes with DB.It balks when it tries the wrong format:

In Fedora DS 1.0.4 and earlier, the directory /opt/fedora-ds/alias is used to store the key/cert databases for all server instances, and each one has a name like slapd-instancename-cert8.db. You are required to specify the database prefix, including the trailing dash (-). Also, the certutil command is found in /opt/fedora-ds/shared/bin e.g.

The LDAP certificate stores have the new CA certificate. Now weneed to update the other certificate databases so that the programsthat use them will trust certificates with the new Issuer DN. Thesedatabases include:

I also confirmed that the old and new CA certificates are present inthe /etc/ipa/ca.crt and /etc/pki/ca-trust/source/ipa.p11-kitfiles. So all the certificate databases now include the new CAcertificate.

The certificate database tool, certutil, is an NSScommand-line utility that can create and modify the Netscape Communicator cert8.db and key3.db database files. It can alsolist, generate, modify, or delete certificates within the cert8.db fileand create or change the password, generate new public and private key pairs,display the contents of the key database, or delete key pairs within the key3.db file.

The key and certificate management process generally begins with creatingkeys in the key database, then generating and managing certificates in thecertificate database. The following document discusses certificate and keydatabase management with NSS, including the syntax for the certutil utility:

i'm experimenting with using client authn between a command-lineldapsearch client (for this experiment, the one that comes with sun'sdirectory server resource kit v 5.2) and sun one directory server 5.1(on solaris 9 sparc).using openssl, i created a self-signed ca cert (and keys) plus an ldapserver cert (and keys) and a client cert (and keys); the client andserver certs are both signed by my self-signed ca cert. certs and keysfor all three (ca, server, client) are in pem format.i successfully installed the server and ca certs into the directoryserver; i then added the ca and client certs into $HOME/.netscape/cert7.db using the following certutil command line: certutil -A -a -i ./myClientCert.pem -n "myClientCert" -c "myCACert"-t "u,u,u" -d $HOME/.netscape (and a similar command for the ca cert)after running that command, i was able to successfully view the just-added cert with: "certutil -L -n myClientCert -d $HOME/.netscapethat leads me to my first question: 1. does that command implicitly add the cert's private key get into$HOME/.netscape/key3.db? 2. if not, how do i add the cert's private key to key3.db?the certutil docs ( tools/certutil.html) say, "The Certificate Database Tool is a command-line utility thatcan...display the contents of the key database..."i've read and reread that page over and over; but i still can't figureout which command to use to make certutil "display the contents of thekey database".if it's any help, i'm using the binary version of certutil that cameprecompiled as part of the sun one directory server resource kit 5.2(dsrk52) on solaris 9 sparc.for what it's worth: the certs werecreated on my mac with openssl, then jarred and ftp'd over to the sunbox.as far as wanting to view keys, i'm guessing it's actually thepk12util tool i want ( tools/pk12util.html) instead of certutil. is that right? if so, thenplease can you also clear up a couple things about pk12util?the pk12util docs say, "Import a certificate and private key from fromthe p12file into the database." the way i read that description, itimplies that both the private key and cert get imported into the samedatabase ("into __the__ database"). am i understanding that correctly? 3. what exactly _does_ get added to key3.db? 4. how can i view what's in key3.db?if you're interested, the reason for my questions stem from thefollowing ldapsearch error:bebop$ /development/projects/dsrk52/lib/ldapcsdk/tools/ldapsearch -hbebop -p 636 -Z -P /home/bebop/.netscape/cert7.db -N "myClientCert" -W"**********" -K /home/bebop/.netscape/key3.db -b "" "(objectClass=*)"ldapssl_enable_clientauth: Bad parameter to an ldap routineldapssl_enable_clientauth: additional info: unable to find certificateSSL error -8174 (security library: bad database.) 2ff7e9595c