I am trying to set up an internal CA to mint certificates for a
Netscape Directory Server environment. I am trying to avoid using
Netscape's Admin Console in this process, so I want to use the NSS
toolkit. I am new to this software so please excuse me if these
questions are already answered somewhere.
[Is there a way of generating a cert request and producing the
certificate database from the command line within the Directory Server
product itself?]
I am having problems getting the toolkit working. There seems to be
some discrepancy between the documentation and the implementation.
For example, the -k option is documented as passing the key
identity/name (in the examples) where the tool wants the key type.
Also, the -C option does not support self-signed cert generation (-x).
Finally, there is no keyutil command anymore; I assume its operations
are subsumed by the certutil command.
As I see it, in order to build a certificate and key database for the
Directory Server I need to complete the following steps:
1) generate a root CA certificate/keypair
2) generate a server keypair and cert request
3) mint the server certificate for the server based on the request and
root CA key
4) package the server keypair, server cert and root cert into a key
database ready for deployment on the directory server.
Are these basic steps correct?
I use the following to make the root CA keypair and certificate (step
1 from above):
% certutil -N -d credstore/proj/env
% certutil -S -n "proj env Root Cert" \
    -s "CN=LDAPRootCA, OU=proj env, O=My Org, C=GB" \
    -t "CT,CT,CT" -x -m 1234 -v 60 -f password-file \
    -d credstore/proj/env -z random.data
This seems to work OK, but when I use "certutil -K" to list the keys I
get no output. Is this expected? I do get output from the
"certutil -L" command however.
Steps 2 and 3 can be combined into the following command I believe,
for a server called "foo":
% certutil -S -n "proj env foo" \
    -s "CN=foo, OU=proj env, O=My Org, C=GB" \
    -c "proj env Root Cert" -t "u,u,u" -g 512 -m 1 -v 13 \
    -f password-file -z random.data -d credstore/proj/env
Unfortunately this generates the following error:
certutil: unable to find issuer with nickname proj env Root Cert:
Certificate extension not found.
certutil: could not obtain certificate from file: Certificate
extension not found.
I'm not sure what this error is referring to. At best I believe it is
to do with the labeling of a keypair in the key database.
Even if this were to work, I'm not sure how to complete step 4, i.e.
producing a cert and key database that the Directory Server can use.
Any help with the above would be most useful.
Many thanks,
Frank Taylor.
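As an added example (not part of the original post, and not from the Directory Server or NSS projects), the following POSIX shell script carries the four steps above through with certutil alone: an empty database, a self-signed root CA, a server key pair with a PEM certificate request (certutil -R), a certificate signed with the CA's key (certutil -C), and import of the issued certificate back into the database that already holds the server key (certutil -A). Nicknames, subjects, serial numbers and validity periods are copied from the post; the 2048-bit key size, the work-directory layout, the password-file contents, the extension switches and the function names are my assumptions, and the script expects certutil on PATH.

```shell
#!/bin/sh
# Added example: build an NSS certificate/key database for a directory
# server using only certutil.  Not part of the original post.
set -eu

# Nicknames and subjects as used in the post; any values work.
CA_NICK="proj env Root Cert"
CA_SUBJECT="CN=LDAPRootCA, OU=proj env, O=My Org, C=GB"
SERVER_NICK="proj env foo"
ORG_SUFFIX="OU=proj env, O=My Org, C=GB"

# Step 1: create an empty database and a self-signed root CA inside it.
# -2 adds a basicConstraints extension and prompts for it, so the three
# piped lines answer: CA certificate? y, path length: (blank), critical? y.
create_root_ca() {
    db=$1; pw=$2; noise=$3
    mkdir -p "$db"
    certutil -N -d "$db" -f "$pw"
    printf 'y\n\ny\n' | certutil -S -d "$db" -f "$pw" -z "$noise" \
        -n "$CA_NICK" -s "$CA_SUBJECT" -t "CT,CT,CT" -x -m 1234 -v 60 \
        -k rsa -g 2048 -2 --keyUsage certSigning,crlSigning,critical >/dev/null
}

# Step 2: generate the server key pair in the database and write a PEM
# certificate request (-a) for it to $out.
create_server_request() {
    db=$1; pw=$2; noise=$3; host=$4; out=$5
    certutil -R -d "$db" -f "$pw" -z "$noise" \
        -s "CN=$host, $ORG_SUFFIX" -k rsa -g 2048 -a -o "$out" >/dev/null
}

# Step 3: sign the request with the CA's private key.  The leaf gets its
# own serial, a 13-month lifetime and usages appropriate for a TLS server.
sign_server_request() {
    db=$1; pw=$2; req=$3; out=$4; serial=$5
    certutil -C -d "$db" -f "$pw" -c "$CA_NICK" -a -i "$req" -o "$out" \
        -m "$serial" -v 13 --keyUsage digitalSignature,keyEncipherment \
        --extKeyUsage serverAuth >/dev/null
}

# Step 4: import the issued certificate into the same database.  The private
# key from step 2 is already there, so certutil pairs the two and shows the
# entry with "u,u,u" trust; the root certificate is present from step 1.
import_server_cert() {
    db=$1; cert=$2
    certutil -A -d "$db" -n "$SERVER_NICK" -t ",," -a -i "$cert"
}

# Returns 0 when a certificate with the given nickname is in the database.
has_cert() {
    certutil -L -d "$1" -n "$2" >/dev/null 2>&1
}

# Run all four steps under $work for server $host and verify the result.
build_server_db() {
    work=$1; host=$2
    db="$work/db"; pw="$work/pw"; noise="$work/noise"
    mkdir -p "$work"
    # Constructed secret for the example; use a real one for a deployment.
    printf 'example-db-password\n' > "$pw"
    chmod 600 "$pw"
    dd if=/dev/urandom of="$noise" bs=256 count=1 2>/dev/null
    create_root_ca "$db" "$pw" "$noise"
    create_server_request "$db" "$pw" "$noise" "$host" "$work/$host.csr"
    sign_server_request "$db" "$pw" "$work/$host.csr" "$work/$host.crt" 1
    import_server_cert "$db" "$work/$host.crt"
    has_cert "$db" "$CA_NICK" && has_cert "$db" "$SERVER_NICK"
}

# Usage: sh build-nss-db.sh WORKDIR HOSTNAME
if [ $# -eq 2 ]; then
    build_server_db "$1" "$2"
    certutil -L -d "$1/db"             # certificates and their trust flags
    certutil -K -d "$1/db" -f "$1/pw"  # private keys (needs the DB password)
fi
```

Run as `sh build-nss-db.sh ./work foo`; the resulting `./work/db` directory is the certificate and key database, with the root CA, the server key and the signed server certificate all in one place. The CA is created with basicConstraints and certSigning key usage so that clients validating the chain will accept it as an issuer, and the server certificate is imported with empty trust flags because its trust follows from the private key and the CA rather than from an explicit override.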