Diffstat (limited to 'usr/src/man/man1/pktool.1')
-rw-r--r-- | usr/src/man/man1/pktool.1 | 84 |
1 files changed, 14 insertions, 70 deletions
diff --git a/usr/src/man/man1/pktool.1 b/usr/src/man/man1/pktool.1
index 4a1888b636..491d7c6493 100644
--- a/usr/src/man/man1/pktool.1
+++ b/usr/src/man/man1/pktool.1
@@ -3,7 +3,7 @@ .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License. You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. .\" See the License for the specific language governing permissions and limitations under the License. When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the .\" fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner] -.TH pktool 1 "23 Mar 2009" "SunOS 5.11" "User Commands" +.TH PKTOOL 1 "Mar 23, 2009" .SH NAME pktool \- manage certificates and keys .SH SYNOPSIS
@@ -31,12 +31,10 @@ file-based. The following command options are supported: .sp .ne 2 -.mk .na \fB\fB-f\fR \fIoption_file\fR\fR .ad .RS 18n -.rt Allows the user to set up the options in a file instead of entering the options on the command line. .sp
@@ -62,12 +60,10 @@ objtype=key .sp .ne 2 -.mk .na \fB\fB-i\fR\fR .ad .RS 18n -.rt Allows the user to specify the \fBsubject-DN\fR interactively for the \fBgencert\fR and \fBgencsr\fR subcommands. When \fB-i\fR is specified, the user is prompted to input some data to form a \fBsubject-DN\fR.
@@ -106,7 +102,6 @@ The resulting \fBsubject-DN\fR is: The following subcommands are supported: .sp .ne 2 -.mk .na \fB\fBdelete\fR\fR .ad
@@ -172,7 +167,7 @@ pktool delete keystore=file pktool delete keystore=file objtype=crl infile=\fIinput-fn\fR - + .fi .in -2 .sp
@@ -186,7 +181,6 @@ Number (PIN). .sp .ne 2 -.mk .na \fB\fBdownload\fR\fR .ad
@@ -196,7 +190,7 @@ The format for the \fBdownload\fR subcommand is as follows: .sp .in +2 .nf - pktool download url=\fIurl_str\fR + pktool download url=\fIurl_str\fR [objtype=crl|cert] [http_proxy=\fIproxy_str\fR] [outfile=\fIoutput-fn\fR]
@@ -213,7 +207,6 @@ CRL or certificate file. If the CRL or the certificate is expired, .sp .ne 2 -.mk .na \fB\fBexport\fR\fR .ad
@@ -261,7 +254,6 @@ file-based keystore to the specified file. .sp .ne 2 -.mk .na \fB\fBgencert\fR\fR .ad
@@ -297,7 +289,7 @@ pktool gencert [-i] [ keystore=pkcs11] [keylen=\fIkey-size\fR] [lifetime=\fInumber\fR-hour|\fInumber\fR-day|\fInumber\fR-year] [eku=[critical:]\fIEKU_name,...\fR] - + pktool gencert [-i] keystore=file outcert=\fIcert-fn\fR outkey=\fIkey-fn\fR
@@ -322,7 +314,6 @@ key to the specified keystore. .sp .ne 2 -.mk .na \fB\fBgencsr\fR\fR .ad
@@ -345,7 +336,7 @@ pktool gencsr [-i] keystore=nss [keylen=\fIkey-size\fR] [format=pem|der] [eku=[critical:]\fIEKU_name,...\fR] - + pktool gencsr [-i] keystore=pkcs11 label=\fIkey-label\fR outcsr=\fIcsr-fn\fR
@@ -357,7 +348,7 @@ pktool gencsr [-i] keystore=pkcs11 [keylen=\fIkey-size\fR] [format=pem|der] [eku=[critical:]\fIEKU_name,...\fR] - + pktool gencsr [-i] keystore=file outcsr=\fIcsr-fn\fR outkey=\fIkey-fn\fR
@@ -380,7 +371,6 @@ the user to enter a PIN for token-based keystore. .sp .ne 2 -.mk .na \fB\fBgenkey\fR\fR .ad
@@ -427,7 +417,6 @@ subcommand prompts the user to enter a PIN for token-based keystore. .sp .ne 2 -.mk .na \fB\fBimport\fR\fR .ad
@@ -493,7 +482,6 @@ specified keystore. .sp .ne 2 -.mk .na \fB\fBinittoken\fR\fR .ad
@@ -520,7 +508,6 @@ this command to proceed. .sp .ne 2 -.mk .na \fB\fBlist\fR\fR .ad
@@ -550,7 +537,7 @@ pktool list [keystore=pkcs11] pktool list keystore=pkcs11 objtype=crl infile=\fIinput-fn\fR - + pktool list keystore=nss objtype=cert [subject=\fIsubject-DN\fR]
@@ -566,7 +553,7 @@ pktool list keystore=nss [token=\fItoken\fR[:\fImanuf\fR[:\fIserial\fR]]] [dir=\fIdirectory-path\fR] [prefix=\fIDBprefix\fR] - + pktool list keystore=file objtype=cert [infile=\fIinput-fn\fR]
@@ -590,7 +577,6 @@ to authenticate to the PKCS#11 token by entering the correct PIN. .sp .ne 2 -.mk .na \fB\fBsetpin\fR\fR .ad
@@ -633,7 +619,6 @@ By default the \fBusertype\fR is assumed to be \fBuser\fR. .sp .ne 2 -.mk .na \fB\fBsigncsr\fR\fR .ad
@@ -695,7 +680,6 @@ signcsr keystore=nss .sp .ne 2 -.mk .na \fB\fBtokens\fR\fR .ad
@@ -715,7 +699,6 @@ The tokens subcommand lists all visible PKCS#11 tokens. .sp .ne 2 -.mk .na \fB\fB-?\fR\fR .ad
@@ -741,7 +724,6 @@ synonym for \fB-?\fR. The \fBpktool\fR subcommands support the following options: .sp .ne 2 -.mk .na \fBaltname=[critical:]\fIsubjectAltName\fR\fR .ad
@@ -760,7 +742,6 @@ Example 1: Add an IP address to the \fIsubjectAltName\fR extension. .sp .ne 2 -.mk .na \fB\fBcurrlabel=token label\fR\fR .ad
@@ -773,7 +754,6 @@ for details about the format of the token name to be used. .sp .ne 2 -.mk .na \fB\fBdir=\fR\fIdirectory_path\fR\fR .ad
@@ -785,7 +765,6 @@ requested object is stored. .sp .ne 2 -.mk .na \fB\fBeku\fR=[critical:]\fIEKU_Name\fR,[critical:]\fIEKU_Name, ...\fR]\fR .ad
@@ -812,7 +791,6 @@ eku=KPClientAuth,clientAuth .sp .ne 2 -.mk .na \fB\fBextractable=y | n\fR\fR .ad
@@ -825,7 +803,6 @@ is \fBy\fR. .sp .ne 2 -.mk .na \fBformat=pem | der | pkcs12\fR .ad
@@ -843,7 +820,6 @@ default format is \fBpem\fR. .sp .ne 2 -.mk .na \fB\fBinfile=\fR\fIinput-fn\fR\fR .ad
@@ -858,7 +834,6 @@ for \fBlist\fR, \fBdelete\fR and \fBimport\fR subcommands when .sp .ne 2 -.mk .na \fB\fBissuer=\fR\fIissuer-DN\fR\fR .ad
@@ -869,7 +844,6 @@ Specifies the issuer of a certificate. .sp .ne 2 -.mk .na \fB\fBkeylen=\fR\fIkey-size\fR\fR .ad
@@ -891,7 +865,6 @@ ignored if specified. .sp .ne 2 -.mk .na \fBkeystore=\fBnss | pkcs11 | file\fR\fR .ad
@@ -903,7 +876,6 @@ file-based plugin. .sp .ne 2 -.mk .na \fB\fBkeytype=rsa | dsa | aes | arcfour | des | 3des | generic\fR\fR .ad
@@ -953,7 +925,6 @@ keyusage=critical:digitalSignature,dataEncipherment .sp .ne 2 -.mk .na \fB\fBlabel=\fIkey-label\fR | \fIcert-label\fR\fR\fR .ad
@@ -976,7 +947,6 @@ Certificate (when \fBobjtype=key\fR) or the private key (when .sp .ne 2 -.mk .na \fB\fBlifetime=\fInumber\fR-hour|\fInumber\fR-day|\fInumber\fR-year\fR\fR .ad
@@ -991,7 +961,6 @@ lifetime=2-day, lifetime=3-year\fR .sp .ne 2 -.mk .na \fB\fBnewlabel=token label\fR\fR .ad
@@ -1004,7 +973,6 @@ change the label assigned to the token that is being initialized. See the .sp .ne 2 -.mk .na \fB\fBnickname=\fR\fIcert-nickname\fR\fR .ad
@@ -1025,7 +993,6 @@ resulting certificate. .sp .ne 2 -.mk .na \fB\fBobjtype=cert | key | crl\fR\fR .ad
@@ -1038,7 +1005,6 @@ Specifies the class of the object: \fBcert,\fR \fBkey,\fR or \fBcrl\fR. For the .sp .ne 2 -.mk .na \fB\fBobjtype=public | private | both\fR\fR .ad
@@ -1060,7 +1026,6 @@ compatibility with earlier versions of the \fBpktool\fR command. .sp .ne 2 -.mk .na \fB\fBoutcert=\fR\fIcert-fn\fR\fR .ad
@@ -1073,7 +1038,6 @@ required with this option. .sp .ne 2 -.mk .na \fB\fBoutcrl=\fIoutput-crl-fn\fR\fR\fR .ad
@@ -1084,7 +1048,6 @@ Specifies the output CRL filename to write to. .sp .ne 2 -.mk .na \fB\fBoutcsr=\fR\fIcsr-fn\fR\fR .ad
@@ -1095,7 +1058,6 @@ Specifies the output CSR filename to write to. .sp .ne 2 -.mk .na \fB\fBoutfile=\fR\fIoutput-fn\fR\fR .ad
@@ -1110,7 +1072,6 @@ specified, the downloaded file name is the basename of the URL string. .sp .ne 2 -.mk .na \fB\fBoutformat=pem | der | pkcs12\fR\fR .ad
@@ -1129,7 +1090,6 @@ supported formats are: \fBpem\fR, \fBder\fR or \fBpkcs12\fR. The default is .sp .ne 2 -.mk .na \fB\fBoutkey=\fR\fIkey-fn\fR\fR .ad
@@ -1141,7 +1101,6 @@ only required when using the \fBfiles\fR keystore. .sp .ne 2 -.mk .na \fB\fBprefix=\fR\fIDBprefix\fR\fR .ad
@@ -1152,7 +1111,6 @@ Specifies the NSS database prefix. This option only applies to the NSS token. .sp .ne 2 -.mk .na \fB\fBprint=y | n\fR\fR .ad
@@ -1169,7 +1127,6 @@ warning like \fBcannot reveal the key value\fR is issued. .sp .ne 2 -.mk .na \fB\fBsensitive=y | n\fR\fR .ad
@@ -1182,7 +1139,6 @@ sensitive. The valid values are: \fBy\fR and \fBn\fR. The default value is .sp .ne 2 -.mk .na \fB\fBserial=\fR\fIhex-serial-number\fR\fR .ad
@@ -1194,7 +1150,6 @@ specified as a hex value. Example: \fB0x0102030405060708090a0b0c0d0e0f\fR .sp .ne 2 -.mk .na \fB\fBsubject=\fR\fIsubject-DN\fR\fR .ad
@@ -1205,7 +1160,7 @@ request. An example \fBsubject=\fR setting might be: .sp .in +2 .nf -subject=O=Sun Microsystems Inc., \e +subject=O=Sun Microsystems Inc., \e OU=Solaris Security Technologies Group, \e L=Ashburn, ST=VA, C=US, CN=John Smith .fi
@@ -1216,7 +1171,6 @@ L=Ashburn, ST=VA, C=US, CN=John Smith .sp .ne 2 -.mk .na \fB\fBtoken=\fItoken\fR[:\fImanuf\fR[:\fIserial\fR]]\fR\fR .ad
@@ -1237,7 +1191,6 @@ default to \fBpkcs11_softtoken\fR if this option is not specified. .sp .ne 2 -.mk .na \fB\fBtrust=\fItrust\fR-\fIvalue\fR\fR\fR .ad
@@ -1249,7 +1202,6 @@ and that the standard NSS syntax applies. .sp .ne 2 -.mk .na \fB\fBusertype=user | so\fR\fR .ad
@@ -1262,7 +1214,6 @@ in order to set the PIN for the security officer of the token. .sp .ne 2 -.mk .na \fB\fBurl=\fR\fIurl_string\fR\fR .ad
@@ -1273,7 +1224,6 @@ Specifies the URL to download a CRL or a certificate file. .sp .ne 2 -.mk .na \fB\fBverifycrl=y | n\fR\fR .ad
@@ -1286,7 +1236,6 @@ default value is \fBn\fR. .sp .ne 2 -.mk .na \fB\fBhttp_proxy=\fR\fIproxy_str\fR\fR .ad
@@ -1357,23 +1306,19 @@ file into the keystore indicated in the command: The following exit values are returned: .sp .ne 2 -.mk .na \fB\fB0\fR\fR .ad .RS 6n -.rt Successful completion. .RE .sp .ne 2 -.mk .na \fB\fB>0\fR\fR .ad .RS 6n -.rt An error occurred. .RE
@@ -1385,13 +1330,12 @@ See \fBattributes\fR(5) for descriptions of the following attributes: .sp .TS -tab() box; -cw(2.75i) |cw(2.75i) -lw(2.75i) |lw(2.75i) -. -ATTRIBUTE TYPEATTRIBUTE VALUE +box; +c | c +l | l . +ATTRIBUTE TYPE ATTRIBUTE VALUE _ -Interface StabilityCommitted +Interface Stability Committed .TE .SH SEE ALSO |