Michael Kaply wrote:
I'm importing a code signing cert into my database using pk12util, but it gets assigned a random alias:

e33eb463-ddba-4895-9469-bfdd01c71fe2

Is there a way via the command line utilities to rename that to a more human name?

I'm sure I did this in the past, but I can't find anything in the docs.

Mike Kaply

Nope, no NSS command line utility can change the nickname (I was working on one but got stuck backing up and restoring the trust bits...). Also, if you import a certificate that has the same DN as a pre-existing certificate then no matter what nickname you assign with certutil (or the friendly name from PKCS#12) it will get the same nickname as the pre-existing certificate.

On to renaming... When you import a PKCS#12 file, NSS normally will use the "friendly name" attribute of the cert/key as the nickname. I'm guessing you exported the P12 in question from a Microsoft operating system. You can "rename" the PKCS#12 file by using openssl to extract the contents of the PKCS#12 and then repack it with a new friendly name.

You can use either pk12util or openssl (and probably others) to view the friendly name of a PKCS#12 file before you import it.
openssl pkcs12 -in test.p12 -info
or
pk12util -l test.p12

(Please ignore the "nss" prefix on all my nss commands, that's Gentoo's fault)

dstutz...@mbn /public/dstutzman/nss $ nsspk12util -i test.p12 -d .
Enter password for PKCS12 file:
nsspk12util: PKCS12 IMPORT SUCCESSFUL
dstutz...@mbn /public/dstutzman/nss $ nsscertutil -L -d .

Certificate Nickname Trust Attributes

SSL,S/MIME,JAR/XPI

I don't like this nickname                                   u,u,u
dstutz...@mbn /public/dstutzman/nss $ nsscertutil -D -n "I don't like this nickname" -d .
dstutz...@mbn /public/dstutzman/nss $ nsscertutil -L -d .

Certificate Nickname Trust Attributes

SSL,S/MIME,JAR/XPI
dstutz...@mbn /public/dstutzman/nss $ openssl pkcs12 -in test.p12 -out test.pem
Enter Import Password:
MAC verified OK
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
dstutz...@mbn /public/dstutzman/nss $ openssl pkcs12 -export -in test.pem -out renamed.p12 -name "Me likey this nickname"
Enter pass phrase for test.pem:
Enter Export Password:
Verifying - Enter Export Password:
dstutz...@mbn /public/dstutzman/nss $ nsspk12util -i renamed.p12 -d .
Enter password for PKCS12 file:
nsspk12util: PKCS12 IMPORT SUCCESSFUL
dstutz...@mbn /public/dstutzman/nss $ nsscertutil -L -d .

Certificate Nickname Trust Attributes

SSL,S/MIME,JAR/XPI

Me likey this nickname                                       u,u,u

Just make sure you clean up both the PKCS#12s, the original and "renamed", as well as the temporary pem file that openssl created as all have a copy of your private key (albeit protected somewhat with PBE) so once you have it imported into NSS, back up the good PKCS#12 and get the rest off the machine.

Dave
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
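
The extract-and-repack steps from the reply above as one script, added here as an example that is not part of the original message: the intermediate PEM stays passphrase-encrypted inside a private temporary directory that is removed on exit, and the new friendly name is checked before import. The function names and the `P12_IN_PASS` / `P12_OUT_PASS` variables are hypothetical, and the demo uses a constructed throwaway key.

```shell
#!/bin/sh
# Added example, not from the original thread. Names are hypothetical.
set -eu
umask 077   # every file created below is readable by the owner only

# rename_p12 IN OUT NEW_NAME
# Passwords are read from the exported variables P12_IN_PASS / P12_OUT_PASS.
rename_p12() (
    tmp=$(mktemp -d)
    trap 'rm -rf "$tmp"' EXIT   # subshell body: cleanup on success or failure
    # Step 1: unpack; the key in bundle.pem is encrypted with P12_OUT_PASS.
    openssl pkcs12 -in "$1" -passin env:P12_IN_PASS \
        -out "$tmp/bundle.pem" -passout env:P12_OUT_PASS 2>/dev/null
    # Step 2: repack with the new friendlyName.
    openssl pkcs12 -export -in "$tmp/bundle.pem" -passin env:P12_OUT_PASS \
        -name "$3" -out "$2" -passout env:P12_OUT_PASS
)

# p12_friendly_name FILE PASSVAR
# Prints the friendlyName attribute of the client certificate bag.
p12_friendly_name() {
    openssl pkcs12 -in "$1" -passin "env:$2" -nokeys -clcerts 2>/dev/null |
        sed -n 's/^ *friendlyName: //p'
}

# demo NEW_NAME
# Builds a constructed self-signed cert with a UUID-style friendly name,
# renames it, and prints the friendly name found in the repacked file.
demo() (
    d=$(mktemp -d)
    trap 'rm -rf "$d"' EXIT
    export P12_IN_PASS=constructed-in-pass P12_OUT_PASS=constructed-out-pass
    # Throwaway test key only; a real key would never be written with -nodes.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=constructed" \
        -keyout "$d/k.pem" -out "$d/c.pem" 2>/dev/null
    openssl pkcs12 -export -inkey "$d/k.pem" -in "$d/c.pem" \
        -name "e33eb463-ddba-4895-9469-bfdd01c71fe2" \
        -out "$d/test.p12" -passout env:P12_IN_PASS
    rename_p12 "$d/test.p12" "$d/renamed.p12" "$1"
    p12_friendly_name "$d/renamed.p12" P12_OUT_PASS
)
```

After `rename_p12` succeeds, the repacked file is imported with `pk12util -i` exactly as in the session above.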
