You are currently viewing a snapshot of taken on April 21, 2008. Most of this content is highly out of date (some pages haven't been updated since the project began in 1998) and exists for historical purposes only. If there are any pages on this archive site that you think should be added back to, please file a bug.

NSS Security Tools

Technical contact: Ian McGreer
Manager: Wan-Teh Chang


The NSS Security Tools allow developers to test, debug, and manage applications that use NSS. The Tools Information table below describes both the tools that are currently working and those that are still under development. The links for each tool take you to the source code, documentation, plans, and related links for each tool. The links will become active when information is available.

Currently, you must download the NSS 3.1 source and build it to create binary files for the NSS tools. For information about using CVS to download the NSS 3.1 source, see For a tar version of the NSS 3.1 source, see

If you have feedback or questions, please feel free to post to This newsgroup is the preferred forum for all questions about NSS and NSS tools.

Overall Objectives

  1. Provide a tool for analyzing and repairing certificate databases (dbck).
  2. Migrate tools from secutil.h interface to PKCS #11 interface.
  3. Eliminate redundant functionality in tools. Many tools implement private versions of PKCS11Init(), OpenCertDB(), etc.
  4. Eliminate use of getopt() and replace with NSPR calls to get command options (to eliminate platform dependencies with getopt()).

Tools Information

| Tool | Description | Links |
|---|---|---|
| certutil 2.0 | Manage certificate and key databases (cert7.db and key3.db). | Source, Documentation, Tasks/Plans |
| cmsutil 1.0 | Performs basic CMS operations such as encrypting, decrypting, and signing messages. | Source, Documentation |
| crlutil | Manage certificate revocation lists (CRLs). | Source, Documentation, |
| dbck 1.0 | Analyze and repair certificate databases (not working in NSS 3.2) | Source, Tasks/Plans |
| modutil 1.1 | Manage the database of PKCS11 modules (secmod.db). Add modules and modify the properties of existing modules (such as whether a module is the default provider of some crypto service). | Source, Documentation, Tasks/Plans |
| pk12util 1.0 | Import and export keys and certificates between the cert/key databases and files in PKCS12 format. | Source, Documentation, Tasks/Plans |
| signtool 1.3 | Create digitally-signed jar archives containing files and/or code. | Source, Documentation (See note 1), Tasks/Plans |
| signver 1.1 | Verify signatures on digitally-signed objects. | Source, Documentation (See note 2), Tasks/Plans |
| ssltap 3.2 | Proxy requests for an SSL server and display the contents of the messages exchanged between the client and server. The ssltap tool does not decrypt data, but it shows things like the type of SSL message (clientHello, serverHello, etc) and connection data (protocol version, cipher suite, etc). This tool is very useful for debugging. | Source, Documentation |

  1. Currently points to the Netscape Certificate Management System Administration Guide on For additional information about this tool, see Object Signing.
  2. Currently points to the signver documentation on For additional information about this tool, see Form Signing