.nh
.TH PKICertImport 1 "Jan 30, 2019" PKI "PKI certificate import tool"
.SH NAME
.PP
PKICertImport - Used to safely validate and import certificates into the NSS database.
.SH SYNOPSIS
.PP
\fBPKICertImport\fP \fB-d\fP \fINSS-database\fP \fB-i\fP \fIcertificate\fP \fB-n\fP \fInickname\fP \fB-t\fP \fItrust\fP \fB-u\fP \fIusage\fP [\fB-h\fP \fItoken\fP] [\fB-f\fP \fIpassword-file\fP] [\fB-a\fP] [\fB-p\fP [\fB-w\fP \fIpassword-file\fP] [\fB-l\fP | \fB-c\fP \fB--chain-trust\fP \fItrust\fP \fB--chain-usage\fP \fIusage\fP]]
.PP
Validate and import a certificate into the specified NSS database. Verifies the signature, the trust chain, the trust flags, and the usage flags. If the certificate is not valid, it is not added to the NSS database or to the specified token.
.SH DESCRIPTION
.PP
The certificate import utility validates the signature, trust chain, trust flags, and usage flags before importing a certificate into the specified NSS database. This ensures that no certificate is trusted or used before its authenticity has been verified. Unlike \fBcertutil\fP, which needs a separate \fB-A\fP (import) and \fB-V\fP (validate) step, only one invocation is necessary to both validate and import a certificate.
.PP
See \fBcertutil\fP for more information about the parameters to \fBPKICertImport\fP\&.
.SH OPTIONS
.PP
\fBPKICertImport\fP parameters:
.PP
\fB--ascii\fP, \fB-a\fP
.br
The certificate is encoded in ASCII (PEM) format instead of binary (DER) format. Optional.
.PP
\fB--certificate\fP, \fB-i\fP \fIcertificate\fP
.br
Path to the certificate to import. Required.
.PP
\fB--chain\fP, \fB-c\fP
.br
Import an entire PKCS12 chain; requires \fB--pkcs12\fP\&. Optional.
.PP
\fB--chain-trust\fP \fItrust\fP
.br
Trust flags to assign to the intermediate certificates of the chain; requires \fB--chain\fP\&.
.PP
\fB--chain-usage\fP \fIusage\fP
.br
Usage to validate the intermediate certificates of the chain against; requires \fB--chain\fP\&.
.PP
\fB--database\fP, \fB-d\fP \fINSS-database\fP
.br
The directory containing the NSS database. This is usually the user's own NSS database directory. Required.
.PP
\fB--password\fP, \fB-f\fP \fIpassword-file\fP
.br
The path to a file containing the password to the NSS database. Optional.
.PP
\fB--hsm\fP, \fB-h\fP \fItoken\fP
.br
Name of the token. If not specified, the default token is the internal database slot. Optional.
.PP
\fB--leaf-only\fP, \fB-l\fP
.br
Import only the leaf certificate from a PKCS12 chain; requires \fB--pkcs12\fP\&. Optional.
.PP
\fB--nickname\fP, \fB-n\fP \fInickname\fP
.br
Nickname for the certificate in the NSS database. Required.
.PP
\fB--pkcs12\fP, \fB-p\fP
.br
The input certificate is a .p12/PKCS12 file. Optional.
.PP
\fB--pkcs12-password\fP, \fB-w\fP \fIpassword-file\fP
.br
Password file for the PKCS12 chain; requires \fB--pkcs12\fP\&.
.PP
\fB--trust\fP, \fB-t\fP \fItrust\fP
.br
Trust flags for the certificate, in \fBcertutil\fP syntax (three comma-separated fields for SSL, e-mail, and object signing). See \fBcertutil\fP for more information about the available trust flags. Required.
.PP
\fB--usage\fP, \fB-u\fP \fIusage\fP
.br
Usage to validate the certificate against (for example \fBV\fP for an SSL server, \fBC\fP for an SSL client, \fBL\fP for an SSL CA). See \fBcertutil\fP for more information about the available usage flags. Required.
.SH UNSAFE OPTIONS
.PP
\fB--unsafe-keep-keys\fP
.br
Keep the keys in the NSS database in the event of a verification failure. Without this option, the keys imported from a PKCS12 file are removed along with the rejected certificate.
.PP
\fB--unsafe-trust-then-verify\fP
.br
Assign the trust flags when importing the certificate instead of after verifying it. This enables importing a new root certificate instead of requiring the chain to end in an existing, trusted root. Because trust is granted before verification, use this only for a root certificate whose fingerprint has been checked out of band.
.SH ENVIRONMENT
.PP
\fBVERBOSE\fP
.br
When set, each underlying command executed as part of this command is printed.
.SH EXAMPLES
.PP
To import a server certificate:
.PP
.RS
.nf
PKICertImport -d . -n "example.com" -i example-com.crt -t ,, -u V
.fi
.RE
.PP
To import a CA certificate (root or intermediate):
.PP
.RS
.nf
PKICertImport -d . -n "MyCA Cert" -i ca-cert.crt -t CT,C,C -u L
.fi
.RE
.PP
To import only the leaf client certificate from a PKCS12 chain:
.PP
.RS
.nf
PKICertImport -d . -n "Nick Named" -i nick-named.p12 -t ,, -u C --pkcs12 --leaf-only
.fi
.RE
.PP
To import the entire chain of a client certificate:
.PP
.RS
.nf
PKICertImport -d . -n "Nick Named" -i nick-named.p12 -t ,, -u C --pkcs12 --chain --chain-trust CT,C,C --chain-usage L
.fi
.RE
.SH AUTHORS
.PP
Alexander Scheel <ascheel@redhat.com>\&.
.SH COPYRIGHT
.PP
Copyright (c) 2019 Red Hat, Inc. This is licensed under the GNU General Public License, version 2 (GPLv2). A copy of this license is available at http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
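The examples above import one certificate per invocation. The following wrapper, added here as an illustration and not part of PKICertImport or the pki project, shows how a practitioner would script the same procedure for a whole client database: it checks the -t and -u arguments against certutil's trust-flag and usage grammar before calling the tool, refuses the --unsafe-* options unless an environment variable PKI_ALLOW_UNSAFE=1 is set (that variable is an assumption of this script, not a PKICertImport option), creates the database if it does not exist, imports the CA first so the later chains can be built against an already-trusted root, and finally re-checks the server certificate with certutil -V. The file names are the ones used in the EXAMPLES section and are assumed to exist in the current directory.

```shell
#!/bin/bash
# Added example (not part of PKICertImport or the pki project): validate
# trust/usage arguments, gate the --unsafe-* options behind PKI_ALLOW_UNSAFE=1
# (an assumed local policy knob), and import CA, server and client chain in order.
set -e

# certutil trust strings: exactly three comma-separated fields (SSL, e-mail,
# object signing), each built only from the flag letters p P c C T u w W.
valid_trust_flags() {
    case "$1" in
        *,*,*,*) return 1 ;;          # four or more fields
        *,*,*) ;;                     # exactly three fields
        *) return 1 ;;                # fewer than three fields
    esac
    case "$1" in
        *[!pPcCTuwW,]*) return 1 ;;   # a character that is not a trust flag
    esac
    return 0
}

# certutil -u usage letters: C SSL client, V SSL server, L SSL CA, A any CA,
# Y verify CA, S e-mail signer, R e-mail recipient, O OCSP responder, J object signer.
valid_usage() {
    case "$1" in
        C|V|L|A|Y|S|R|O|J) return 0 ;;
        *) return 1 ;;
    esac
}

# safe_import DB NICK CERT TRUST USAGE [extra PKICertImport options...]
# Returns 2 on a malformed trust/usage argument, 3 when an --unsafe-* option
# is passed without PKI_ALLOW_UNSAFE=1, otherwise PKICertImport's own status.
safe_import() {
    local db=$1 nick=$2 cert=$3 trust=$4 usage=$5 opt
    shift 5
    valid_trust_flags "$trust" || { echo "safe_import: bad trust flags '$trust'" >&2; return 2; }
    valid_usage "$usage"       || { echo "safe_import: bad usage '$usage'" >&2; return 2; }
    for opt in "$@"; do
        case "$opt" in
            --unsafe-*)
                [ "${PKI_ALLOW_UNSAFE:-0}" = 1 ] || { echo "safe_import: refusing $opt" >&2; return 3; } ;;
        esac
    done
    PKICertImport -d "$db" -n "$nick" -i "$cert" -t "$trust" -u "$usage" "$@"
}

# bootstrap_client_db DB: create the database if needed, then import in an
# order that lets each chain be verified against an already-trusted CA.
bootstrap_client_db() {
    local db=$1
    if [ ! -f "$db/cert9.db" ] && [ ! -f "$db/cert8.db" ]; then
        certutil -N -d "$db" --empty-password
    fi
    safe_import "$db" "MyCA Cert"   ca-cert.crt     CT,C,C L
    safe_import "$db" "example.com" example-com.crt ,,     V
    safe_import "$db" "Nick Named"  nick-named.p12  ,,     C \
        --pkcs12 --chain --chain-trust CT,C,C --chain-usage L
    # Independent re-check of the server certificate after the import.
    certutil -V -d "$db" -n "example.com" -u V
}

# Usage: ./import-client-certs.sh /path/to/nssdb
[ $# -eq 0 ] || bootstrap_client_db "$1"
```

Run it as `VERBOSE=1 ./import-client-certs.sh ~/nssdb` to see every underlying command PKICertImport executes; the argument checks run before the tool is invoked, so a typo in a trust string fails fast instead of producing a certificate with unintended trust.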