Frank Taylor wrote:
> I am trying to set up an internal CA to mint certificates for a
> Netscape Directory Server environment. I am trying to avoid using
> Netscape's Admin Console in this process, so I want to use the NSS
> toolkit. I am new to this software so please excuse me if these
> questions are already answered somewhere.
> 
> [Is there a way of generating a cert request and producing the
> certificate database from the command line within the Directory Server
> product itself?]
> 
> I am having problems getting the toolkit working. There seems to be
> some discrepancy between the documentation and the implementation.
> Examples include: the -k option is documented as passing the key
> identity/name (in the examples) where the tool wants the key type.
> Also, the -C option does not support self-signed cert generation (-x).
> Finally, there is no keyutil command anymore, I assume its operations
> are subsumed by the certutil command.

All of those assessments are correct.  The -k option is not used 
anymore.  -C and -x do not work together, there was debate over this a 
while ago, I don't remember if it is a bug or a documentation error. 
And lastly, you are correct, certutil (attempts) to subsume keyutil.

> 
> As I see it, in order to build a certificate and key database for the
> Directory Server I need to complete the following steps:
> 
> 1) generate a root CA certificate/keypair
> 
> 2) generate a server keypair and cert request
> 
> 3) mint the server certificate for the server based on the request and
> root CA key
> 
> 4) package the server keypair, server cert and root cert into a key
> database ready for deployment on the directory server.
> 
> Are these basic steps correct?

Yes.

> I use the following to make the root CA keypair and certificate (step
> 1 from above):
> 
> % certutil -N -d credstore/proj/env
> % certutil -S -n "proj env Root Cert" -s "CN=LDAPRootCA, OU=proj env,
> O=My Org, C=GB" -t "CT,CT,CT" -x -m 1234 -v 60 -f password-file -d
> credstore/proj/env -z random.data
> 
> This seems to work OK, but when I use "certutil -K" to list the keys I
> get no output. Is this expected? I do get output from the
> "certutil -L" command however.

certutil -K does not work.  This is a bug fixed on the tip, but not in 
any release up to NSS 3.3.

You are creating a CA cert, and will need some extensions.  In this 
case, I believe you will want to add -1 -2 -5 to the end of your command 
line.  Those options will present you with menus of extensions, you 
should choose "SSL CA", "Basic Constraints", etc.

> Steps 2 and 3 can be combined into the following command I believe,
> for a server called "foo":
> 
> % certutil -S -n "proj env foo" -s "CN=foo, OU=proj env, O=My Org,
> C=GB" -c "proj env Root Cert" -t "u,u,u" -g 512 -m 1 -v 13 -f
> password-file -z random.data -d credstore/proj/env
> 
> Unfortunately this generates the following error:
> 
> certutil: unable to find issuer with nickname proj env Root Cert:
> Certificate extension not found.
> certutil: could not obtain certificate from file: Certificate
> extension not found.

See my comment above.  In order to sign a cert, the signer must have a 
minimum set of CA extensions.

> I'm not sure what this error is referring to. At best I believe it is
> to do with the labeling of a keypair in the key database.
> 
> Even if this were to work, I'm not sure how to complete step 4, i.e.
> producing a cert and key database that the Directory Server can use.

You can use pk12util to export the cert and key you created (you will 
not need, nor want, to export the self-signed root).  You can then use 
pk12util again to import the cert and key into the Directory Server 
database.  I don't know where in the installation the cert and key 
databases are, but once you find them you can use pk12util to do the import.

> Any help with the above would be most useful.
> 
> Many thanks,
> 
> Frank Taylor.
> 


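The four steps the thread lays out, scripted end to end with certutil and pk12util, as an added example that is not part of the thread and not NSS's own code. Nicknames, DN values, the server name "foo", the CA database path and the password/noise file names are taken from the quoted commands; everything else is an assumption for this script: the SERVER_DB directory (a placeholder for wherever the Directory Server keeps its databases), a 2048-bit key instead of the thread's 512, the numbered answers fed to the -1/-2/-5 extension menus (which prompt interactively and may differ between NSS versions), and moving the root certificate into the server database as a PEM file via certutil -L/-A so that the CA's private key never leaves the CA database, as the reply advises.

```shell
#!/bin/sh
# Added example: internal CA + Directory Server cert with NSS certutil/pk12util.
# Set NSS_DB_RUN=1 to execute the whole procedure; DRY_RUN=1 only prints the commands.
set -eu

CA_DB="${CA_DB:-credstore/proj/env}"   # CA cert/key database (from the thread)
SERVER_DB="${SERVER_DB:-dirsrv-db}"    # Directory Server db dir: placeholder, assumed
PW_FILE="${PW_FILE:-password-file}"    # file holding the database password
NOISE="${NOISE:-random.data}"          # noise file for key generation (-z)
CA_NICK="proj env Root Cert"
SERVER="${SERVER:-foo}"
SERVER_NICK="proj env $SERVER"
KEYBITS="${KEYBITS:-2048}"             # assumption: 512 bits (as in the thread) is far too small today

# run: execute a command, or print it verbatim when DRY_RUN=1
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 1: create the database and a self-signed (-x) CA cert carrying the extensions
# the reply asks for. -1/-2/-5 prompt on stdin; the answers are ASSUMED from certutil's
# numbered menus and should be checked against the version in use:
#   -1 key usage:          5 = cert signing, 6 = CRL signing, 9 = finish, y = critical
#   -2 basic constraints:  y = is a CA, blank = no path-length limit, y = critical
#   -5 Netscape cert type: 5 = SSL CA, 9 = finish, n = not critical
make_ca() {
    run certutil -N -d "$CA_DB" -f "$PW_FILE"
    printf '5\n6\n9\ny\ny\n\ny\n5\n9\nn\n' |
        run certutil -S -n "$CA_NICK" -s "CN=LDAPRootCA, OU=proj env, O=My Org, C=GB" \
            -t "CT,CT,CT" -x -m 1234 -v 60 -f "$PW_FILE" -d "$CA_DB" -z "$NOISE" -1 -2 -5
}

# Steps 2+3: generate the server keypair and have the CA (-c) sign it in one go.
# -m must be unique per certificate issued by this CA.
make_server_cert() {
    run certutil -S -n "$SERVER_NICK" -s "CN=$SERVER, OU=proj env, O=My Org, C=GB" \
        -c "$CA_NICK" -t "u,u,u" -g "$KEYBITS" -m 1 -v 13 -f "$PW_FILE" -z "$NOISE" -d "$CA_DB"
}

# Step 4a: export only the server cert + key as PKCS#12 (never the CA key).
# -k is the database password file, -w the password file protecting the .p12.
export_server() {
    run pk12util -o "$SERVER.p12" -n "$SERVER_NICK" -d "$CA_DB" -k "$PW_FILE" -w "$PW_FILE"
}

# Step 4b: import into the Directory Server database, plus the root *certificate*
# (no key) as a trusted CA so the server can build its own chain.
import_server() {
    # cert8.db is the legacy NSS database file, cert9.db the sqlite one
    if [ ! -f "$SERVER_DB/cert8.db" ] && [ ! -f "$SERVER_DB/cert9.db" ]; then
        run certutil -N -d "$SERVER_DB" -f "$PW_FILE"
    fi
    run pk12util -i "$SERVER.p12" -d "$SERVER_DB" -k "$PW_FILE" -w "$PW_FILE"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "certutil -L -n $CA_NICK -d $CA_DB -a > root-ca.pem"
    else
        certutil -L -n "$CA_NICK" -d "$CA_DB" -a > root-ca.pem
    fi
    run certutil -A -n "$CA_NICK" -t "CT,," -a -i root-ca.pem -d "$SERVER_DB"
}

# Check the result: list certs, list keys (the reply notes -K printed nothing
# through NSS 3.3), and verify the server cert for SSL-server usage (-u V).
verify() {
    run certutil -L -d "$SERVER_DB"
    run certutil -K -d "$SERVER_DB" -f "$PW_FILE"
    run certutil -V -n "$SERVER_NICK" -u V -d "$SERVER_DB"
}

main() {
    mkdir -p "$CA_DB" "$SERVER_DB"
    [ -s "$NOISE" ] || head -c 1024 /dev/urandom > "$NOISE"
    make_ca
    make_server_cert
    export_server
    import_server
    verify
}

if [ "${NSS_DB_RUN:-0}" = 1 ]; then
    main
fi
```

Run it as `NSS_DB_RUN=1 DRY_RUN=1 sh nss-ca.sh` first to review the exact command lines, then without DRY_RUN. Because the CA's private key stays in CA_DB and only the server's PKCS#12 plus the root certificate travel to the server, a compromise of the directory host does not expose the CA key.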