Creating SMIME certificates with Mozilla NSS

From MozillaZine Knowledge Base
The title of this article omits the slash from S/MIME because a slash is a special character in file names and URLs.

Note: The information in this article dates from 2007.

This article describes how to use the certutil program in Mozilla's NSS package to create your own S/MIME certificates. Read the article Creating SMIME certificates first, because it explains the general principles.

This article is based on Windows, but most of the information here also applies to other platforms.

Installing and running certutil

See the NSS Release Notes for information about the latest release. Download the optimized binary for your operating system from:

http://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/

Binaries are available for HP-UX, Linux and Windows. If there is no binary for your system, then you might be able to find one on the Internet, or you can get the source code and build one yourself.

NSS requires libraries (DLLs on Windows) from the NSPR package, but any Mozilla application already includes them, so you do not usually need to download NSPR separately.

Installation

To install certutil on Windows:

1. Unpack the download in a temporary directory.

2. Go to the unpacked bin directory, and copy certutil.exe from there to your Mozilla application's installation directory.

3. Copy the DLLs from the unpacked lib directory to your Mozilla application's installation directory, but do not overwrite any of your Mozilla application's existing DLLs. (You might find that all the DLLs are already present, so that no DLL needs to be copied.)

Running certutil

To run certutil:

1. Close your Mozilla application.

2. Open a command prompt (an MS-DOS prompt).

3. Go to your Mozilla application's profile directory. If this makes the command prompt very long, shorten it. For example:

C:
CD "\WINDOWS\Application Data\Thunderbird\Profiles\default.xn6"
PROMPT NSS$G

4. Check that your Mozilla application's installation directory is in your system path, adding it if necessary. Try this command (notice the full stop at the end):

certutil -L -d .

If the response is "Bad command or file name", fix your system path. For example:

SET PATH=%PATH%;C:\Program Files\Mozilla\Thunderbird

5. Create a plain text file named rand.txt. In the file, type a few lines of random characters to seed the random number generator. Save the file.

6. Create a plain text file named info.txt. You will use this file to supply information about your certificates.

Unicode support

The file info.txt is a UTF-8 file. See the main article for more information.

Passwords

certutil uses your Mozilla application's master password, if you have set one. It refers to this password as the 'Password or Pin for "NSS Certificate DB"'. See the main article for more information.

Self-signed certificates

Skip this section if you are using CA certificates. See the main article for more information.

1. To create a self-signed certificate, edit info.txt and enter the following. It must all be on one long line:

-S -x -s "CN=Me Myself,E=myself@example.com,O=Example Corp." -n "Myself" -k rsa -g 1024 -v 12 -t "cu,Cu,cu" -z rand.txt

Change the -s parameter to specify information about your identity, separating values with commas. See the main article for more information.

Change the -n parameter to specify a nickname that identifies this certificate in the database.

Optionally change the -g and -v parameters to specify the key size and validity (in months).

Save the file.

2. At your command prompt, run the command:

certutil -B -d . -i info.txt

Supply your master password.

Start your Mozilla application and examine your new certificate in the Certificate Manager.

Certificate files

The Certificate Manager in Mozilla applications cannot export certificate files from self-signed certificates. To export a certificate file, run the command:

certutil -L -a -d . -n "Myself" -o myname.cert

Change the -n parameter to specify the nickname of your certificate.

Certificate Authority certificates

Skip this section if you are using self-signed certificates. See the main article for more information.

To create a CA certificate:

1. Edit info.txt and enter the following. It must all be on one long line:

-S -x -2 -s "CN=My CA,E=myca@example.com,O=Example Corp." -n "My CA" -m 0 -k rsa -g 1024 -v 12 -t "CTu,Cu,Cu" -z rand.txt

Change the -s parameter to specify information about your CA, separating values with commas. See the main article for more information.

Change the -n parameter to specify a nickname that identifies this certificate in the database.

Optionally change the -g and -v parameters to specify the key size and validity (in months).

Save the file.

2. At your command prompt, run the command:

certutil -B -d . -i info.txt

Supply your master password.

When asked whether the certificate is a CA, reply: Y

When asked about the path length constraint, press Enter to skip the constraint.

When asked whether the extension is critical, reply: Y

Signing your own certificate

To create a certificate for an identity, edit info.txt and change it to the following. It must all be on one long line:

-S -c "My CA" -2 -s "CN=Me Myself,E=myself@example.com,O=Example Corp." -n "Myself" -m 1 -k rsa -g 1024 -v 12 -t "u,u,u" -z rand.txt

Change the -c parameter to specify the nickname of your CA certificate.

Change the -s parameter to specify information about your identity, separating values with commas. See the main article for more information.

Change the -n parameter to specify a nickname that identifies this certificate in the database.

Optionally change the -g and -v parameters to specify the key size and validity (in months).

At your command prompt, run the command (the same as before):

certutil -B -d . -i info.txt

Supply your master password.

When asked whether the certificate is a CA, reply: N

When asked about the path length constraint, press Enter to skip the constraint.

When asked whether the extension is critical, reply: Y

Signing more certificates

To create a certificate for another identity, edit info.txt and change:

  • The -s parameter to specify information about the identity
  • The -n parameter to specify a new nickname
  • The -m parameter to specify a new serial number

Run the command as before.
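The whole procedure from "Certificate Authority certificates" through "Signing more certificates", plus the PEM export from "Certificate files", as an added Python script. It is not part of this article and not an NSS tool: it writes the same one-line info.txt the article describes and runs certutil -B -d . -i info.txt in the profile directory, leaving the master-password prompt and the three -2 questions to be answered at the terminal exactly as above. Everything else in it is this example's own assumption: 2048-bit keys instead of the article's 1024 (1024-bit RSA is no longer considered adequate), a rand.txt filled from os.urandom instead of typed characters, a serial.json file that hands out a fresh -m value per CA so a serial number is never reused under one issuer, and refusal of subject values containing RFC 4514 special characters rather than escaping them. On Windows, pass the full path of Mozilla's certutil.exe as the second argument, because Windows Vista and later ship Microsoft's unrelated certutil.exe under the same name in System32 and it would otherwise be found first on the PATH.

```python
"""Drive NSS certutil to create a private CA, an S/MIME identity under it,
further identities with unique serial numbers, and a PEM export of any of them.

Added example for the MozillaZine article; not the article's own code and not
part of NSS. It writes the same single-line info.txt the article describes
and runs `certutil -B -d . -i info.txt` in the profile directory.
Assumptions (not from the article): 2048-bit keys, a noise file filled from
os.urandom, a serial.json bookkeeping file, and that the master-password and
-2 prompts are answered interactively at the terminal."""
import json
import os
import shutil
import subprocess
from pathlib import Path

KEY_BITS = 2048              # the article shows -g 1024; 1024-bit RSA is no longer adequate
VALIDITY_MONTHS = 12         # -v, as in the article
SERIAL_FILE = "serial.json"  # constructed bookkeeping file kept beside the NSS database
NOISE_FILE = "rand.txt"      # -z seed file, as in the article

# Characters RFC 4514 treats specially inside an RDN value. Rather than escape
# them (not verified here against NSS's own DN parser) this example refuses them.
_DN_SPECIAL = set(',+"\\<>;=#')


def subject(cn, email, org):
    """Build the -s string 'CN=...,E=...,O=...' after validating each value."""
    for label, value in (("CN", cn), ("E", email), ("O", org)):
        if not value or _DN_SPECIAL & set(value):
            raise ValueError(f"{label} value {value!r} is empty or contains DN-special characters")
    return f"CN={cn},E={email},O={org}"


def ca_args(cn, email, org, nick):
    """certutil -S arguments for a self-signed CA (the article's CA section)."""
    return (f'-S -x -2 -s "{subject(cn, email, org)}" -n "{nick}" -m 0 '
            f'-k rsa -g {KEY_BITS} -v {VALIDITY_MONTHS} -t "CTu,Cu,Cu" -z {NOISE_FILE}')


def identity_args(cn, email, org, nick, ca_nick, serial):
    """certutil -S arguments for an end-entity certificate issued by ca_nick."""
    if serial < 1:
        raise ValueError("serial 0 belongs to the CA certificate itself")
    return (f'-S -c "{ca_nick}" -2 -s "{subject(cn, email, org)}" -n "{nick}" -m {serial} '
            f'-k rsa -g {KEY_BITS} -v {VALIDITY_MONTHS} -t "u,u,u" -z {NOISE_FILE}')


def export_args(nick, out_file):
    """certutil arguments that export one certificate as PEM (the article's 'Certificate files')."""
    return ["-L", "-a", "-d", ".", "-n", nick, "-o", out_file]


def allocate_serial(registry, ca_nick):
    """Return the next unused serial for ca_nick and advance the registry.

    A serial number must never be reused under one issuer: clients treat two
    certificates with the same issuer and serial as the same certificate.
    Serial 0 is the CA itself (as in the article), so issued ones start at 1."""
    serial = registry.get(ca_nick, 1)
    registry[ca_nick] = serial + 1
    return serial


def next_serial(profile_dir, ca_nick):
    """Persisted allocate_serial(). If certificates were issued by hand,
    edit serial.json so the counter starts above the highest serial in use."""
    path = Path(profile_dir) / SERIAL_FILE
    registry = json.loads(path.read_text(encoding="utf-8")) if path.exists() else {}
    serial = allocate_serial(registry, ca_nick)
    path.write_text(json.dumps(registry), encoding="utf-8")
    return serial


def ensure_noise(profile_dir):
    """Create rand.txt from the OS entropy source instead of typed characters."""
    path = Path(profile_dir) / NOISE_FILE
    if not path.exists():
        path.write_bytes(os.urandom(128))
    return path


def write_batch(profile_dir, line):
    """Write info.txt as UTF-8, which is how certutil -B reads it (see 'Unicode support')."""
    path = Path(profile_dir) / "info.txt"
    path.write_text(line + "\n", encoding="utf-8")
    return path


def run_certutil(profile_dir, args, certutil="certutil"):
    """Run NSS certutil with cwd set to the profile so '-d .' and rand.txt resolve as in the article.
    On Windows pass the full path of Mozilla's certutil.exe: Vista and later ship
    Microsoft's unrelated certutil.exe in System32 under the same name."""
    if shutil.which(certutil) is None:
        raise RuntimeError(f"{certutil} not found; see the installation section")
    return subprocess.run([certutil, *args], cwd=profile_dir, check=True)


if __name__ == "__main__":
    import sys
    profile = sys.argv[1] if len(sys.argv) > 1 else "."
    tool = sys.argv[2] if len(sys.argv) > 2 else "certutil"
    ensure_noise(profile)
    write_batch(profile, ca_args("My CA", "myca@example.com", "Example Corp.", "My CA"))
    run_certutil(profile, ["-B", "-d", ".", "-i", "info.txt"], tool)   # answer Y, Enter, Y
    serial = next_serial(profile, "My CA")
    write_batch(profile, identity_args("Me Myself", "myself@example.com",
                                       "Example Corp.", "Myself", "My CA", serial))
    run_certutil(profile, ["-B", "-d", ".", "-i", "info.txt"], tool)   # answer N, Enter, Y
    run_certutil(profile, export_args("Myself", "myname.cert"), tool)
```

Run it with the Mozilla application closed, as the article requires: python smime_certs.py "<profile directory>" [path to NSS certutil]. Running it a second time for another identity only needs a different nickname and subject; the serial comes from serial.json, so the -m value the article tells you to change by hand is never repeated.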

Examining certificates

To list the certificates in the database, by nickname:

certutil -L -d .

To dump the contents of a certificate—the same information that you see when you view a certificate in the Certificate Manager:

certutil -L -d . -n "Myself" -o contents.txt

Change the -n parameter to specify the nickname of your certificate.

See also

External links

  • certutil documentation
  • Various NSS documents
  • Building and installing NSS