>
>> I use the following to make the root CA keypair and certificate (step
>> 1 from above):
>>
>> % certutil -N -d credstore/proj/env
>> % certutil -S -n "proj env Root Cert" -s "CN=LDAPRootCA, OU=proj env, O=My Org, C=GB" -t "CT,CT,CT" -x -m 1234 -v 60 -f password-file -d credstore/proj/env -z random.data
>>
>> This seems to work OK, but when I use "certutil -K" to list the keys I
>> get no output. Is this expected? I do get output from the
>> "certutil -L" command, however.
>
>
> certutil -K does not work. This is a bug fixed on the tip, but not in
> any release up to NSS 3.3.
>
> You are creating a CA cert, and will need some extensions. In this
> case, I believe you will want to add -1 -2 -5 to the end of your command
> line. Those options will present you with menus of extensions, you
> should choose "SSL CA", "Basic Constraints", etc.
The easiest way to see how to generate certs is to run the NSS test
cases in security/nss/tests: all.sh runs all the tests, and cert/cert.sh runs
the certificate tests (which use certutil to create client and server
certs). Here's an example output of the run:
init.sh init: Testing PATH .:/u/relyea/nsstip/mozilla/dist/SunOS5.6_DBG.OBJ/bin:/u/relyea/nsstip/mozilla/dist/SunOS5.6_DBG.OBJ/lib:/usr/local-sparc-solaris/pure/purify-4.0-solaris2:/tools/ns/workshop/bin:/tools/ns/soft/gcc-2.6.3/run/default/sparc_sun_solaris2.4/bin:/share/builds/components/jdk/1.2.2_01/SunOS:/usr/ccs/bin:/usr/opt/bin:/tools/ns/bin:/usr/sbin:/sbin:/usr/bin:/usr/dt/bin:/usr/openwin/bin:/usr/openwin/include:/usr/ucb:/usr/opt/java/bin:/usr/local/bin:/etc:/usr/etc:/usr/etc/install:/opt/Acrobat3/bin against LIB /u/relyea/nsstip/mozilla/dist/SunOS5.6_DBG.OBJ/lib
cert.sh: Certutil Tests ===============================
cert.sh: Creating a CA Certificate ==========================
cert.sh: Creating CA Cert DB --------------------------
certutil -N -d . -f ../tests.pw.15189
cert.sh: Certificate initialized ----------
cert.sh: Creating CA Cert --------------------------
certutil -s "CN=NSS Test CA, O=BOGUS NSS, L=Mountain View, ST=California, C=US" -S -n TestCA -t CTu,CTu,CTu -v 60 -x -d . -1 -2 -5 -f ../tests.pw.15189 -z ../tests_noise.15189
cert.sh: Exporting Root Cert --------------------------
certutil -L -n TestCA -r -d . -o root.cert
cert.sh: Creating Client CA Issued Certificates ===============
cert.sh: Initializing TestUser's Cert DB --------------------------
certutil -N -d . -f ../tests.pw.15189
cert.sh: Import Root CA for TestUser --------------------------
certutil -A -n TestCA -t TC,TC,TC -f ../tests.pw.15189 -d . -i ../CA/root.cert
cert.sh: Generate Cert Request for TestUser --------------------------
certutil -s "CN=TestUser, [EMAIL PROTECTED], O=BOGUS NSS, L=Mountain View, ST=California, C=US" -R -d . -f ../tests.pw.15189 -z ../tests_noise.15189 -o req
Generating key. This may take a few moments...
cert.sh: Sign TestUser's Request --------------------------
certutil -C -c TestCA -m 6 -v 60 -d ../CA -i req -o TestUser.cert -f ../tests.pw.15189
cert.sh: Import TestUser's Cert --------------------------
certutil -A -n TestUser -t u,u,u -d . -f ../tests.pw.15189 -i TestUser.cert
cert.sh: Creating Server CA Issued Certificate for javi.red.iplanet.com ------------------------------------
cert.sh: Creating javi.red.iplanet.com's Server Cert --------------------------
certutil -s "CN=javi.red.iplanet.com, O=BOGUS Netscape, L=Mountain View, ST=California, C=US" -S -n javi.red.iplanet.com -c TestCA -t Pu,Pu,Pu -d . -f ../tests.pw.15189 -z ../tests_noise.15189 -v 60
Generating key. This may take a few moments...
NOTE: I wouldn't use the -z option for any real production certificates.
It's a handy way to make test scripts run, but for production it really
doesn't generate adequate entropy -- especially for CA certificates.
>
>>
>> Even if this were to work, I'm not sure how to complete step 4, i.e.
>> producing a cert and key database that the Directory Server can use.
>
>
> You can use pk12util to export the cert and key you created (you will
> not need, nor want, to export the self-signed root). You can then use
> pk12util again to import the cert and key into the Directory Server
> database. I don't know where in the installation the cert and key
> databases are, but once you find them you can use pk12util to do the
> import.
iPlanet servers use the same database format as NSS and PSM (different
versions of the servers and clients have differing levels of
commonality). The servers store their key and cert databases in
$(SERVERROOT)/aliases (where SERVERROOT is the top-level directory where
you installed the server). The database names are typically
{server-type}-{hostname}-cert7.db, though it can be pretty much anything
-cert7.db. You manipulate these databases directly with certutil by
using the '-P' option to specify the cert and key db prefix (the alias
name in the server UI). Also, the default nickname for the certificate
on servers is 'Server-Cert'.
bob
>
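The whole procedure the thread walks through, as one added shell example: the CA database and self-signed CA cert with the -1 -2 -5 extension menus answered on stdin, a server request signed by that CA, export of the server cert and key with pk12util, and import into a prefixed server-style database that is then checked with certutil -K and certutil -V. This is not code from the thread, from cert.sh or from NSS. It assumes current certutil and pk12util on PATH, a writable work directory, and /dev/urandom for the -z noise file; TestCA, Server-Cert, ldap1.example.org, the db prefix slapd-ldap1- and both passwords are placeholders. Current certutil also accepts --keyUsage and --nsCertType keyword lists in place of the -1 and -5 menus; the menus are used here because that is what the thread describes.

```shell
#!/bin/sh
# Added example, not from the thread or from NSS: the certutil/pk12util
# procedure end to end. Assumes certutil and pk12util (NSS tools) on PATH
# and /dev/urandom. All names, subjects, prefixes and passwords below are
# placeholders.
set -eu

nss_tools_present() {
    command -v certutil >/dev/null 2>&1 && command -v pk12util >/dev/null 2>&1
}

# Run the whole procedure under work directory $1. Aborts (set -e) at the
# first failing step; the last step is certutil -V on the imported cert.
nss_demo() {
    work=$1
    ca=$work/ca; srv=$work/srv; ds=$work/alias
    prefix=slapd-ldap1-          # "{server-type}-{hostname}-" as in the thread
    pw=$work/pw
    mkdir -p "$ca" "$srv" "$ds"
    printf 'db-password\n' > "$pw"
    # Noise for -z taken from the OS RNG instead of a static file: the thread
    # warns that a canned noise file is not adequate entropy for real CA keys.
    dd if=/dev/urandom of="$work/noise" bs=512 count=1 2>/dev/null

    # Step 1: CA db and self-signed CA cert. -1 -2 -5 bring up the key usage,
    # basic constraints and Netscape cert type menus; the here-document answers
    # them: cert + CRL signing (5, 6, 9 = done, n = not critical); CA = y,
    # unlimited path length (-1), not critical; SSL/S-MIME/object-signing CA
    # (5, 6, 7, 9 = done, n).
    certutil -N -d "$ca" -f "$pw"
    certutil -S -d "$ca" -f "$pw" -z "$work/noise" -n TestCA \
        -s "CN=Test CA,O=Example,C=GB" -x -t "CT,CT,CT" \
        -k rsa -g 2048 -m 1 -v 60 -1 -2 -5 >/dev/null <<'EOF'
5
6
9
n
y
-1
n
5
6
7
9
n
EOF
    # Export only the CA certificate (never the CA key) for other databases.
    certutil -L -d "$ca" -n TestCA -r -o "$work/root.cert"

    # Steps 2-3: server key and request in its own db, signed from the CA db,
    # then the CA cert (trusted for SSL) and the issued cert are imported.
    certutil -N -d "$srv" -f "$pw"
    certutil -R -d "$srv" -f "$pw" -z "$work/noise" -k rsa -g 2048 \
        -s "CN=ldap1.example.org,O=Example,C=GB" -o "$work/srv.req" >/dev/null
    certutil -C -d "$ca" -f "$pw" -c TestCA -m 2 -v 60 \
        -i "$work/srv.req" -o "$work/srv.cert"
    certutil -A -d "$srv" -f "$pw" -n TestCA -t "CT,CT,CT" -i "$work/root.cert"
    certutil -A -d "$srv" -f "$pw" -n Server-Cert -t "u,u,u" -i "$work/srv.cert"

    # Step 4: move cert + key as PKCS#12 into a server-style db that uses a
    # prefix (the server's alias name), the way the thread describes.
    pk12util -o "$work/server.p12" -n Server-Cert -d "$srv" -k "$pw" -W export-password
    certutil -N -d "$ds" -P "$prefix" -f "$pw"
    certutil -A -d "$ds" -P "$prefix" -f "$pw" -n TestCA -t "CT,CT,CT" -i "$work/root.cert"
    pk12util -i "$work/server.p12" -d "$ds" -P "$prefix" -k "$pw" -W export-password

    # Check: the key is listed (-K, the command the original poster found
    # silent in NSS 3.3; it works in current releases) and the cert chains
    # to a CA trusted for SSL server use (-u V).
    certutil -K -d "$ds" -P "$prefix" -f "$pw" >/dev/null
    certutil -V -d "$ds" -P "$prefix" -n Server-Cert -u V
}

# Usage: sh nss-demo.sh /path/to/empty/work/dir
if [ $# -gt 0 ]; then
    nss_demo "$1"
fi
```

Every database step takes -d and, for the server-style one, -P, so the same commands apply to a real $(SERVERROOT)/aliases directory once the prefix is set to the alias name the server uses; the -V check at the end is the quickest way to confirm that the imported key, cert and trusted CA are all present in the database the server will actually open.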