HP-UX Directory Server 8.1 administrator guide
Table 12-1 certutil options (continued)

| Options | Description |
|---|---|
| `-o` | The output file to which to save the certificate request. |
| `-i` | An input file containing a certificate. |
| `-f` | The path to a password file for the security databases' password. |

Table 12-2 “certutil examples” has some common uses for the certutil command.
Table 12-2 certutil examples

| Example | Description |
|---|---|
| `certutil -L -d .` | Lists the certificates in the database. |
| `certutil -N -d .` | Creates new key (key3.db) and certificate (cert8.db) databases. |
| `certutil -S -n "CA certificate" -s "cn=My Org CA cert,dc=example,dc=com" -2 -x -t "CT,," -m 1000 -v 120 -d . -k rsa` | Creates a self-signed CA certificate. |
| `certutil -L -d . -n "cert_name"` | "Pretty prints" the specified certificate; the cert_name can specify either a CA certificate or a client certificate. |
| `certutil -L -d . -n "cert_name" -a > certfile.asc` | Exports the specified certificate out of the database to ASCII (PEM) format. |
| `certutil -L -d . -n "cert_name" -r > certfile.bin` | Exports the specified certificate out of the database to binary format; this can be used with Directory Server attributes such as userCertificate;binary. |

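The three forms of `certutil -L -n` output in Table 12-2 (pretty-printed text, ASCII/PEM, and binary) are easy to mix up once they are redirected to a file. The following Python code is an added example, not part of the HP guide: it classifies an exported file and returns the binary (DER) bytes that an attribute such as userCertificate;binary expects. The function names and the sample data are assumptions constructed for illustration, and only the outer DER structure is checked, not the certificate contents.

```python
import base64
import re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def der_outer_ok(data: bytes) -> bool:
    """True if data is exactly one DER SEQUENCE (outer TLV only, no X.509 parsing)."""
    if len(data) < 2 or data[0] != 0x30:          # 0x30 = SEQUENCE tag
        return False
    first = data[1]
    if first < 0x80:                              # short-form length
        header, length = 2, first
    else:                                         # long form: low 7 bits = count of length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(data[2:2 + n], "big")
    return len(data) == header + length           # no truncation, no trailing bytes

def classify_export(data: bytes) -> str:
    """Return 'pem', 'der' or 'text' for the contents of an exported file."""
    if PEM_RE.search(data):
        return "pem"
    if der_outer_ok(data):
        return "der"
    return "text"                                 # e.g. pretty-printed output saved to a file

def to_der(data: bytes) -> bytes:
    """Return DER bytes for a binary attribute value, or raise ValueError."""
    kind = classify_export(data)
    if kind == "der":
        return data
    if kind == "pem":
        der = base64.b64decode(PEM_RE.search(data).group(1))
        if der_outer_ok(der):
            return der
    raise ValueError("not a PEM or DER certificate export")

# Constructed sample data (not a real certificate): a 200-byte SEQUENCE body.
SAMPLE_DER = b"\x30\x81\xc8" + bytes(200)
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")
# Constructed stand-in for pretty-printed output redirected to a file.
SAMPLE_TEXT = b"Certificate:\n    Data:\n        Version: 3 (0x2)\n"
```

A truncated binary export fails the length check in `der_outer_ok`, so a partially written certfile.bin is rejected rather than loaded into the directory.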
12.4 Starting the server with TLS/SSL enabled
Most of the time, the server should run with TLS/SSL enabled. If TLS/SSL is temporarily disabled,
re-enable it before processing transactions that require confidentiality, authentication, or data
integrity.
Before TLS/SSL can be activated, first create a certificate database, obtain and install a server
certificate, and trust the CA's certificate, as described in “Obtaining and installing server
certificates”.
With TLS/SSL enabled, when the server restarts, it prompts for the PIN or password to unlock
the key database. This is the same password used when the server certificate and key were
imported into the database. Restarting the Directory Server without the password prompt is
possible by using a hardware crypto device or by creating a PIN file (“Creating a password file
for the Directory Server”).