I'm stumbling along with the certutil I got from nss 3.3.1. It seems to
be doing some things I expect it to. One thing it isn't doing is
showing me the keys. In the following I have generated a database, a key
pair, and a request. Notice that the -K never seems to show anything.
Here's what I've done so far:
# create a password file
bash-2.03$ echo password123 > pwd.txt
# create a database (set)
bash-2.03$ certutil -N -d server
In order to finish creating your database, you
must enter a password which will be used to
encrypt this key and any future keys.
The password must be at least 8 characters long,
and must contain at least one non-alphabetic character.
Enter new password:**********
Re-enter password:*********
# notice all db files are the same size.
# I'm not sure exactly why the time stamps differ.
# That could be due to the fact that I hit it at exactly
# the end of the minute.
bash-2.03$ ls -Rl
.:
total 2
-rw-r--r-- 1 hattons sysadmin 12 Nov 14 19:43 pwd.txt
drwxr-xr-x 2 hattons sysadmin 512 Nov 14 19:45 server
server:
total 72
-rw------- 1 hattons sysadmin 32768 Nov 14 19:46 cert7.db
-rw------- 1 hattons sysadmin 32768 Nov 14 19:46 key3.db
-rw------- 1 hattons sysadmin 32768 Nov 14 19:45 secmod.db
# look to see if there are any keys
bash-2.03$ certutil -K -d server -k all -h all -f pwd.txt
bash-2.03$ # none here, but that's to be expected
# generate a key pair
bash-2.03$ certutil -G -f pwd.txt -k rsa -g 2048 -d server
A random seed must be generated that will be used in the
creation of your key. One of the easiest ways to create a
random seed is to use the timing of keystrokes on a keyboard.
To begin, type keys on the keyboard until this progress meter
is full. DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!
Continue typing until the progress meter is full:
|************************************************************|
Finished. Press enter to continue:
Generating key. This may take a few moments...
# Look for a key pair
bash-2.03$ certutil -K -d server -k all -h all -f pwd.txt
bash-2.03$ # No keys showing, and I _do_ expect one.
# Note the changed timestamp on the key3.db
bash-2.03$ ls -Rl
.:
total 2
-rw-r--r-- 1 hattons sysadmin 12 Nov 14 19:43 pwd.txt
drwxr-xr-x 2 hattons sysadmin 512 Nov 14 19:45 server
server:
total 72
-rw------- 1 hattons sysadmin 32768 Nov 14 19:46 cert7.db
-rw------- 1 hattons sysadmin 32768 Nov 14 19:57 key3.db
-rw------- 1 hattons sysadmin 32768 Nov 14 19:45 secmod.db
# Generate a cert request.
# I'm confused about what's happening with the key3.db now.
# Is the old key replaced by a new one?
bash-2.03$ certutil -R -d server -g 2048 -k rsa -h internal -s "cn=server, o=globalsymmetry" -f pwd.txt -a > server.req
A random seed must be generated that will be used in the
creation of your key. One of the easiest ways to create a
random seed is to use the timing of keystrokes on a keyboard.
To begin, type keys on the keyboard until this progress meter
is full. DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!
Continue typing until the progress meter is full:
|************************************************************|
Finished. Press enter to continue:
Generating key. This may take a few moments...
# Look for a key
bash-2.03$ certutil -K -d server -k all -h all -f pwd.txt
bash-2.03$ # Hmmmm, no key.
# I get some semi-useful info from this.
# What's up with the version number here?
bash-2.03$ certutil -U -d server
slot: NSS Internal Cryptographic Services Version 3.2
token: NSS Generic Crypto Services
slot: NSS User Private Key and Certificate Services
token: NSS Certificate DB
bash-2.03$
# and just for grins, let's see what libs we're calling:
bash-2.03$ ldd /usr/local/nss/bin/certutil
libplc4.so => /usr/local/nspr/lib/libplc4.so
libplds4.so => /usr/local/nspr/lib/libplds4.so
libnspr4.so => /usr/local/nspr/lib/libnspr4.so
libthread.so.1 => /usr/lib/64/libthread.so.1
libnsl.so.1 => /usr/lib/64/libnsl.so.1
libsocket.so.1 => /usr/lib/64/libsocket.so.1
librt.so.1 => /usr/lib/64/librt.so.1
libdl.so.1 => /usr/lib/64/libdl.so.1
libc.so.1 => /usr/lib/64/libc.so.1
libpthread.so.1 => /usr/lib/64/libpthread.so.1
libmp.so.2 => /usr/lib/64/libmp.so.2
libaio.so.1 => /usr/lib/64/libaio.so.1
/usr/platform/SUNW,Sun-Fire-280R/lib/sparcv9/libc_psr.so.1
bash-2.03$
# I believe all these are up to date.