Hello All,
I am using NSS db and utility to maintain certificates for a web
server. I am facing an issue, please go through the steps I am
listing. Can anyone explain why I am getting 'u' attr for certificate
with ca-3 alias even though I did not provide this attribute while
adding it. This is creating a problem for me - CA signed cert with
tomcat is not considered as the server certificate but the one with
ca-3 is being considered.

Please help me to get over this issue, thanks.

I have ca-3 alias for a self-signed cert and tomcat alias is for CA signed cert:
1. [root@GQMTRLPSN01 CSCOcpm]# certutil -d
/opt/CSCOcpm/appsrv/apache-tomcat-6.0.36/conf/nssdb/ -L
ca-2                                                         CT,C,C
ca-3                                                         CTu,Cu,Cu
ca-7                                                         CT,C,C
www.cisco.com.pem                            CT,C,C
tomcat                                                     u,u,u
ca-1                                                         CT,C,C
ca-4                                                         CT,C,C

2. I deleted ca-3 from nss db:
[root@GQMTRLPSN01 CSCOcpm]# certutil -D -n ca-3  -d
/opt/CSCOcpm/appsrv/apache-tomcat/conf/nssdb/  -k
/opt/CSCOcpm/appsrv/apache-tomcat/conf/pwdfile.txt

So now, ca-3 is no longer listed.
[root@GQMTRLPSN01 CSCOcpm]# certutil -d
/opt/CSCOcpm/appsrv/apache-tomcat-6.0.36/conf/nssdb/ -L
ca-2                                                         CT,C,C
ca-7                                                         CT,C,C
www.cisco.com.pem                            CT,C,C
tomcat                                                       u,u,u
ca-1                                                        CT,C,C
ca-4                                                        CT,C,C

3. Next, added ca-3 again (cmd was taken from instrumented output):
 [root@GQMTRLPSN01 CSCOcpm]# certutil -A -n ca-3 -i
/tmp/cert6345886513151373833.pem -t 'TP,,'  -d
/opt/CSCOcpm/appsrv/apache-tomcat-6.0.36/conf/nssdb/  -f
/opt/CSCOcpm/appsrv/apache-tomcat-6.0.36/conf/pwdfile.txt

The moment I did this, I can see the 'u' attr for this cert:
[root@GQMTRLPSN01 CSCOcpm]# certutil -d
/opt/CSCOcpm/appsrv/apache-tomcat-6.0.36/conf/nssdb/ -L
ca-2                                                         CT,C,C
ca-7                                                         CT,C,C
ca-3                                                         TPu,u,u
www.cisco.com.pem                               CT,C,C
tomcat                                                       u,u,u
ca-1                                                         CT,C,C
ca-4                                                         CT,C,C
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
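
Added example, not part of the original post or of NSS: a Python sketch that parses `certutil -L` listings like the ones quoted above, reports which nicknames carry the `u` flag, and shows which flags appear in the listing beyond those passed to `-t`. The sample listing is constructed from the output quoted in the post, and the function names are hypothetical.

```python
import re

# Constructed sample: the final `certutil -L` listing quoted in the post.
SAMPLE_LISTING = """\
ca-2                                                         CT,C,C
ca-7                                                         CT,C,C
ca-3                                                         TPu,u,u
www.cisco.com.pem                               CT,C,C
tomcat                                                       u,u,u
ca-1                                                         CT,C,C
ca-4                                                         CT,C,C
"""

# Nickname, whitespace, then three comma-separated flag groups
# (SSL, S/MIME, object signing). Nicknames may contain spaces.
LINE_RE = re.compile(r"^(?P<nick>.+?)\s+(?P<flags>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)\s*$")


def parse_listing(text):
    """Return {nickname: (ssl, email, objsign)} from `certutil -L` output."""
    entries = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # blank lines and the two header rows do not match
            entries[m.group("nick")] = tuple(m.group("flags").split(","))
    return entries


def user_cert_nicknames(entries):
    """Nicknames whose SSL flag group contains 'u' (certutil's user-certificate flag)."""
    return sorted(n for n, (ssl, _, _) in entries.items() if "u" in ssl)


def flags_beyond_request(requested, listed):
    """Per usage, flags shown in the listing that were not in the -t argument."""
    return tuple("".join(c for c in got if c not in want)
                 for want, got in zip(requested.split(","), listed))


if __name__ == "__main__":
    entries = parse_listing(SAMPLE_LISTING)
    users = user_cert_nicknames(entries)
    print("nicknames flagged 'u':", users)
    if len(users) > 1:
        print("more than one nickname is flagged 'u'; check which one the server selects")
    print("ca-3 flags not requested via -t 'TP,,':",
          flags_beyond_request("TP,,", entries["ca-3"]))
```
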
