Jan Pechanec wrote:
> On Mon, 7 Jan 2008, Wyllys Ingersoll wrote:
>
>
>> However, if all you want is the ability to sign a CSR with a particular
>> certificate, we could probably add just that feature to pktool. File an
>> RFE and I'm sure we can take a closer look at it, but I think it should be
>> fairly straightforward.
>>
>
> done:
>
> 6648052 pktool(1) could allow certificate signing and verification
>
> thanks, J.
>
>
Thanks! I will look into this. I think we will need to add new commands
to pktool and get them ARC approved since it is a new interface.
I'm thinking of something like:

    pktool signcsr
        [keystore=pkcs11|file|nss]
        signkey=label/filename of signing key (label if keystore=PKCS11 or NSS, filename if file)
        csr=CSR filename
        serial=serial number hex string
        outcert=filename for resulting certificate.
        outformat=pem|der

    pktool verifycert
        [keystore=pkcs11|file|nss]
        cert=label/filename of cert to be verified (label if keystore=PKCS11 or NSS, filename if file)
        verifier=label/filename of verifying (CA) cert

The verifycert operation will return 0 for success, else an error. It
will also generate a text message indicating the result ("success" or
"failure").

These are just my initial thoughts on how to do it; please feel free to
add to it or make suggestions.

-Wyllys