HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3098, May 2013)

The -w argument is the password used to encrypt the .p12 file for transport. The -k argument
specifies the password for the key database containing the server certificate being exported
to .p12.
10. If the Directory Server will run with TLS/SSL enabled, then create a password file (pin.txt)
for the server to use so it will not prompt you for a password every time it restarts. Creating
the password file is described in “Creating a password file for the Directory Server” (page
484).
The certificates created by certutil are automatically available in the Encryption tab of the
Console. There is no need to import them because they are already in the certificate database.
12.3.2 certutil usage
The certutil utility can be used for a variety of tasks to manage certificates and keys, such as
generating certificate requests and removing certificates from the certificate database. Some of
the most common options are listed in Table 57 (page 479). For the full list of commands and
arguments, run certutil -H from the command line.
Table 57 certutil options
Options       Description
-x            Creates a self-signed CA certificate.
-S            Creates a server or client certificate.
-R            Generates a certificate request.
-N            Creates new security databases.
-L            Lists all the certificates in the database.
-A            Adds a certificate to the certificate database.
-n            Gives the name of the certificate.
-d            Certificate database directory; this is the directory for the
              subsystem instance.
-m            The serial number for the certificate.
-k            The key type to use; the only option is rsa.
-g            The key size. The recommended size for RSA keys is 2048.
-s            The subject name of the certificate.
-t            The trust arguments for the certificate, meaning the purposes
              for which the certificate is allowed to be used.
-v            The validity period, in months.
numbers 1-8   These set the available certificate extensions. Only eight can
              be specified through the certutil tool:
                Key Usage: 1
                Basic Constraints: 2
                Certificate Authority Key ID: 3
                CRL Distribution Point: 4
                Netscape Certificate Type: 5
                Extended Key Usage: 6
                Email Subject Alternative Name: 7
                DNS Subject Alternative Name: 8
-a            Outputs the certificate request to an ASCII file instead of
              binary.
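
The following script is an added example, not part of the HP guide: it reads the listing printed by certutil -L and reports which certificates carry CA trust for TLS/SSL in their -t trust arguments, so an unexpected trust anchor in the certificate database stands out. The sample listing is constructed, and the column layout and the meaning of the C and T flags are assumed from NSS certutil rather than taken from this page.

```shell
#!/bin/sh
# Added example: audit the trust arguments (-t) shown by `certutil -L`.
# Assumption: NSS layout, trust string = SSL,S/MIME,object-signing flags.

# Constructed sample of `certutil -L -d <cert-db-dir>` output (not real data).
sample_listing() {
cat <<'EOF'
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CA certificate                                               CTu,u,u
Server-Cert                                                  u,u,u
Imported Partner CA                                          CT,,
Old Test CA                                                  c,,
EOF
}

# Print "nickname<TAB>ssl-flags" for every certificate row read from stdin.
parse_listing() {
    awk '
        # A certificate row ends in a trust string such as "CTu,u,u" or "CT,,".
        $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
            nick = $0
            sub(/ +[^ ]+ *$/, "", nick)   # drop the trust column
            sub(/^ +/, "", nick)          # drop leading padding
            split($NF, f, ",")
            print nick "\t" f[1]
        }'
}

# Nicknames trusted as a CA for TLS/SSL: C = may issue server certificates,
# T = may issue client certificates. Lowercase c (valid, untrusted) is skipped.
ssl_trust_anchors() {
    parse_listing | awk -F'\t' '$2 ~ /[CT]/ { print $1 }'
}

# Report trust anchors not named in the arguments (the expected nicknames).
unexpected_anchors() {
    ssl_trust_anchors | while IFS= read -r nick; do
        known=no
        for want in "$@"; do
            [ "$nick" = "$want" ] && known=yes
        done
        [ "$known" = yes ] || printf '%s\n' "$nick"
    done
}

# Demo on the constructed sample; prints: Imported Partner CA
sample_listing | unexpected_anchors "CA certificate"
```

Against a real instance, pipe the output of certutil -L -d with the instance's certificate database directory into unexpected_anchors, passing the nicknames of the CAs you expect to be trusted.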