On a Linux system, the certutil tool (part of the NSS tools package) is installed with the following command.

sudo apt-get install libnss3-tools

Chromium-based browsers read the certificates stored in the NSS certificate database as their trust store. We can therefore make a certificate trusted by importing it into that database manually.

The commonly used certutil certificate-management commands are:

  • List the certificates in a database

    certutil -L -d .  # database files are in the current directory
    certutil -L -d ~/.pki/nssdb/  # database files are in ~/.pki/nssdb/
    certutil -L -d sql:/etc/ipsec.d

  • Add a certificate to a database
    # Add a root CA certificate and trust it to issue server certificates (C flag)
    certutil -A -n <nickname> -t "C,," -i mycert.crt -d <dbdir>
    # Add an intermediate CA certificate with no explicit trust (",,"); it is
    # validated through the trusted root above
    certutil -A -n <nickname> -t ",," -i mycert.crt -d <dbdir>
    # Add a private certificate as an explicitly trusted peer (P flag)
    certutil -A -n <nickname> -t "P,," -i mycert.crt -d <dbdir>

  • Show one certificate
    certutil -L -n <nickname> -d <dbdir>

  • Delete a certificate from a database
    certutil -D -n <nickname> -d <dbdir>

  • Export a certificate to a file (ASCII/PEM encoding)
    certutil -L -a -n <nickname> -d . > <output-file>

  • Add a personal certificate and private key for SSL client authentication
    pk12util -d sql:$HOME/.pki/nssdb -i PKCS12_file.p12
    

Recently I received a request: go through all the certificates and tally the certificate types that share the same (signature) algorithm. The script below prints each certificate's nickname together with its signature algorithm:

#!/bin/bash
# List the nicknames in the NSS database of the current directory, then print
# each certificate's signature algorithm (tab separated).
# `certutil -L` prints "nickname<spaces>trust-flags"; this script keys on the
# trust flags "CT,C,c", so entries with other trust flags are not listed.
list=$(certutil -L -d . | awk -F "CT,C,c" 'NF > 1 {print $1}')
IFS=$'\n'
for item in $list
do
  name=$(echo "$item" | awk '$1=$1')   # trim surrounding whitespace
  # "Signature Algorithm" appears twice in the output; keep the first line
  i=$(certutil -L -n "$name" -d . | grep "Signature Algorithm" | head -n 1)
  printf '%s\t%s\n' "$name" "$i"
done
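The script above only prints one line per certificate; the following added example (not the original post's script) actually tallies the certificates by signature algorithm. The function names nss_nicknames, nss_sig_alg and nss_count_by_sig_alg are hypothetical, and the certutil binary is passed as a parameter so the parsing can be exercised on constructed output instead of a live database.

```shell
#!/bin/sh
# Added example (not the original post's script): count the certificates in an
# NSS database per signature algorithm, which is the statistic the post asks for.
# $2 names the certutil binary; tests substitute a stub that prints constructed output.

# Nicknames from a `certutil -L -d <dir>` listing on stdin. The two header
# lines and the blank line are skipped; the trust flags are the last column,
# everything before them is the nickname (nicknames may contain spaces).
nss_nicknames() {
    awk 'NR > 2 && NF >= 2 { $NF = ""; sub(/[ \t]+$/, ""); print }'
}

# Signature algorithm from `certutil -L -n <nick> -d <dir>` output on stdin.
# The line occurs twice (inside the TBS data and in the trailer); keep the first.
nss_sig_alg() {
    awk -F': ' '/Signature Algorithm/ { print $2; exit }'
}

# Print "<count> <algorithm>" lines, most common algorithm first.
nss_count_by_sig_alg() {
    local dir=$1 cu=${2:-certutil}
    "$cu" -L -d "$dir" | nss_nicknames | while IFS= read -r nick; do
        "$cu" -L -n "$nick" -d "$dir" | nss_sig_alg
    done | sort | uniq -c | sort -rn
}

# Usage: ./count_sig_algs.sh ~/.pki/nssdb
if [ $# -gt 0 ]; then nss_count_by_sig_alg "$@"; fi
```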

Problem 1

Symptoms:

  1. After importing the certificate through the browser, the target site loads normally and the browser shows it as secure.
  2. After importing the certificate with a certutil command in a script, visiting the target site shows a "not secure" warning.

Cause:

  1. When the certificate is imported through the browser, the browser automatically downloads the CA certificate of the issuing authority and then imports the site certificate.
  2. The script import forces only the site certificate into the database; the issuing authority's certificate is not trusted, so the site certificate is not trusted either.

Fix:
Import both the CA certificate provided by the issuing authority and the site certificate into the browser's database.
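To detect the situation described in Problem 1 (a site certificate sitting in the database whose issuer is absent or not trusted as an SSL CA), here is an added example that is not part of the original post. nss_entries, nss_dn and nss_check_chain_trust are hypothetical helper names, and the certutil binary is passed in so constructed output can stand in for a real database.

```shell
#!/bin/sh
# Hypothetical audit helpers (added here, not from the original post).
# For every non-CA entry in an NSS database, check that the issuer named in the
# certificate is present in the same database as a trusted SSL CA (C or T in
# the first trust position), the condition Problem 1 says was missing.
# $2 names the certutil binary; tests substitute a stub that prints constructed output.

# Turn a `certutil -L -d <dir>` listing (stdin) into "ssl-trust nickname" lines.
# The trust flags are the last column; "-" marks an empty SSL trust field (",,").
nss_entries() {
    awk 'NR > 2 && NF >= 2 { t = $NF; $NF = ""; sub(/[ \t]+$/, "");
         split(t, f, ","); if (f[1] == "") f[1] = "-"; print f[1], $0 }'
}

# Print the quoted Issuer or Subject DN ($1) from `certutil -L -n <nick>` output.
nss_dn() {
    awk -v key="$1" -F'"' '$1 ~ key ": *$" { print $2; exit }'
}

nss_check_chain_trust() {
    local dir=$1 cu=${2:-certutil} cas="" rc=0 trust nick issuer
    # Pass 1: subject DNs of every entry trusted as an SSL CA.
    while read -r trust nick; do
        case $trust in
            *[CT]*) cas="$cas
$("$cu" -L -n "$nick" -d "$dir" | nss_dn Subject)" ;;
        esac
    done <<EOF
$("$cu" -L -d "$dir" | nss_entries)
EOF
    # Pass 2: every other entry must name one of those CAs as its issuer.
    while read -r trust nick; do
        case $trust in *[CT]*) continue ;; esac
        issuer=$("$cu" -L -n "$nick" -d "$dir" | nss_dn Issuer)
        if [ -n "$issuer" ] && printf '%s\n' "$cas" | grep -Fxq -- "$issuer"; then
            printf 'OK        %s (issuer trusted: %s)\n' "$nick" "$issuer"
        else
            printf 'UNTRUSTED %s (issuer not a trusted CA here: %s)\n' "$nick" "$issuer"
            rc=1
        fi
    done <<EOF
$("$cu" -L -d "$dir" | nss_entries)
EOF
    return $rc
}

# Usage: ./check_chain_trust.sh ~/.pki/nssdb   (exit status 1 if any entry is UNTRUSTED)
if [ $# -gt 0 ]; then nss_check_chain_trust "$@"; fi
```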

The complete option reference is printed by:

certutil -H
