Steven,
Unfortunately, certutil will not work in the manner you are attempting.
Historically, NSS had separate utilities for doing key generation
and certificate generation. You had to generate the keys, and then
reference them by the first few bytes of the modulus when creating the cert.
Today, certutil attempts to combine those operations. Key generation
occurs when generating a certificate request. If creating a certificate
is your goal, use:
certutil -R
certutil -C
certutil -A
or, to do it all at once:
certutil -S
You can still generate keys with certutil -G, but they will be
"orphaned". certutil only knows how to locate keys that correspond to a
certificate; it uses the public key of the cert to locate the private
key. Most likely, the key generation steps you tried succeeded;
certutil just couldn't show them to you. Once the associated cert is in
the database (via a certutil -A or certutil -S), you should be able to
list the key.
-Ian
Steven T. Hatton wrote:
> I'm stumbling along with the certutil I got from nss 3.3.1. It seems to
> be doing some things I expect it to. One thing it isn't doing is
> showing me the keys. In the following I have generated a database, a key
> pair, and a request. Notice that the -K never seems to show anything.
> Here's what I've done so far:
>
> # create a password file
> bash-2.03$ echo password123 > pwd.txt
>
> # create a database (set)
> bash-2.03$ certutil -N -d server
> In order to finish creating your database, you
> must enter a password which will be used to
> encrypt this key and any future keys.
>
> The password must be at least 8 characters long,
> and must contain at least one non-alphabetic character.
>
> Enter new password:**********
> Re-enter password:*********
>
> # notice all db files are the same size.
> # I'm not sure exactly why the time stamps differ.
> # That could be due to the fact that I hit it at exactly
> # the end of the minute.
> bash-2.03$ ls -Rl
> .:
> total 2
> -rw-r--r-- 1 hattons sysadmin 12 Nov 14 19:43 pwd.txt
> drwxr-xr-x 2 hattons sysadmin 512 Nov 14 19:45 server
>
> server:
> total 72
> -rw------- 1 hattons sysadmin 32768 Nov 14 19:46 cert7.db
> -rw------- 1 hattons sysadmin 32768 Nov 14 19:46 key3.db
> -rw------- 1 hattons sysadmin 32768 Nov 14 19:45 secmod.db
>
> # look to see if there are any keys
> bash-2.03$ certutil -K -d server -k all -h all -f pwd.txt
> bash-2.03$ # none here, but that's to be expected
>
> # generate a key pair
> bash-2.03$ certutil -G -f pwd.txt -k rsa -g 2048 -d server
>
> A random seed must be generated that will be used in the
> creation of your key. One of the easiest ways to create a
> random seed is to use the timing of keystrokes on a keyboard.
>
> To begin, type keys on the keyboard until this progress meter
> is full. DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!
>
>
> Continue typing until the progress meter is full:
>
> |************************************************************|
>
> Finished. Press enter to continue:
>
>
> Generating key. This may take a few moments...
>
> # Look for a key pair
> bash-2.03$ certutil -K -d server -k all -h all -f pwd.txt
> bash-2.03$ # No keys showing, and I _do_ expect one.
>
> # Note the changed timestamp on the key3.db
> bash-2.03$ ls -Rl
> .:
> total 2
> -rw-r--r-- 1 hattons sysadmin 12 Nov 14 19:43 pwd.txt
> drwxr-xr-x 2 hattons sysadmin 512 Nov 14 19:45 server
>
> server:
> total 72
> -rw------- 1 hattons sysadmin 32768 Nov 14 19:46 cert7.db
> -rw------- 1 hattons sysadmin 32768 Nov 14 19:57 key3.db
> -rw------- 1 hattons sysadmin 32768 Nov 14 19:45 secmod.db
>
> # Generate a cert request.
> # I'm confused about what's happening with the key3.db now.
> # Is the old key replaced by a new one?
> bash-2.03$ certutil -R -d server -g 2048 -k rsa -h internal -s "cn=server, o=globalsymmetry" -f pwd.txt -a > server.req
>
> A random seed must be generated that will be used in the
> creation of your key. One of the easiest ways to create a
> random seed is to use the timing of keystrokes on a keyboard.
>
> To begin, type keys on the keyboard until this progress meter
> is full. DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!
>
>
> Continue typing until the progress meter is full:
>
> |************************************************************|
>
> Finished. Press enter to continue:
>
>
> Generating key. This may take a few moments...
>
> # Look for a key
> bash-2.03$ certutil -K -d server -k all -h all -f pwd.txt
> bash-2.03$ # Hmmmm, no key.
>
> # I get some semi useful info from this.
> # What's up with the version number here?
> bash-2.03$ certutil -U -d server
>
> slot: NSS Internal Cryptographic Services Version 3.2
> token: NSS Generic Crypto Services
>
> slot: NSS User Private Key and Certificate Services
> token: NSS Certificate DB
> bash-2.03$
>
>
> # and just for grins, let's see what libs we're calling:
> bash-2.03$ ldd /usr/local/nss/bin/certutil
> libplc4.so => /usr/local/nspr/lib/libplc4.so
> libplds4.so => /usr/local/nspr/lib/libplds4.so
> libnspr4.so => /usr/local/nspr/lib/libnspr4.so
> libthread.so.1 => /usr/lib/64/libthread.so.1
> libnsl.so.1 => /usr/lib/64/libnsl.so.1
> libsocket.so.1 => /usr/lib/64/libsocket.so.1
> librt.so.1 => /usr/lib/64/librt.so.1
> libdl.so.1 => /usr/lib/64/libdl.so.1
> libc.so.1 => /usr/lib/64/libc.so.1
> libpthread.so.1 => /usr/lib/64/libpthread.so.1
> libmp.so.2 => /usr/lib/64/libmp.so.2
> libaio.so.1 => /usr/lib/64/libaio.so.1
> /usr/platform/SUNW,Sun-Fire-280R/lib/sparcv9/libc_psr.so.1
> bash-2.03$
>
> # believe all these are up to date.
>
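The workflow Ian describes, run end to end as an added example that is not part of either message above: build a database, generate a bare key pair with -G, see that -K cannot find it by name, then let -S generate an anchored key pair with its self-signed certificate and list that one. It assumes certutil is on PATH; the scratch directory, the nickname "server", the subject "CN=server,O=example", the password and the noise file are made-up values. The -z noise file and -f password file keep every step non-interactive, so the keystroke prompt in Steven's transcript never appears.

```shell
#!/bin/sh
# Added example (not from the thread): the certutil workflow Ian describes,
# driven non-interactively. Assumes certutil is on PATH; the nickname
# "server", subject "CN=server,O=example" and password are made-up values.
set -eu

# Create an empty NSS database in $1, plus a password file and a noise file
# so -G/-S never stop at the keystroke prompt shown in the original post.
nss_init() {
    db=$1
    mkdir -p "$db"
    printf 'password123\n' > "$db/pwd.txt"
    dd if=/dev/urandom bs=64 count=1 2>/dev/null > "$db/noise.bin"
    certutil -N -d "$db" -f "$db/pwd.txt"
}

# The step Steven took: generate a bare key pair. Nothing references it yet.
nss_orphan_key() {
    db=$1
    certutil -G -d "$db" -f "$db/pwd.txt" -z "$db/noise.bin" -k rsa -g 2048
}

# Ian's "all at once" path: -S generates a key pair, builds the request and
# issues a self-signed (-x) cert under nickname $2, so the key is anchored
# to a cert and certutil can find it through the cert's public key.
nss_selfsigned() {
    db=$1; nick=$2
    certutil -S -d "$db" -f "$db/pwd.txt" -z "$db/noise.bin" \
        -n "$nick" -s "CN=$nick,O=example" -t ",," -x -k rsa -g 2048 -v 12
}

# Count -K lines whose nickname column ends in $2. A -G key with no cert
# prints "(orphan)" on newer NSS and nothing at all on the 3.3.1 in the
# thread; either way it does not match a nickname, which is Ian's point.
nss_key_count() {
    db=$1; nick=$2
    certutil -K -d "$db" -f "$db/pwd.txt" 2>/dev/null \
        | grep -cE "^<[ 0-9]+>.*[: ]${nick}\$" || true
}

# Whole demo in a scratch directory; prints "<count before -S> <count after -S>".
demo() {
    work=$(mktemp -d)
    nss_init "$work/server"
    nss_orphan_key "$work/server" >/dev/null
    before=$(nss_key_count "$work/server" server)
    nss_selfsigned "$work/server" server >/dev/null
    after=$(nss_key_count "$work/server" server)
    rm -rf "$work"
    echo "$before $after"
}

if command -v certutil >/dev/null 2>&1; then
    demo
fi
```

Running the script prints "0 1": the key pair from -G is not listed under any nickname, while the one -S created alongside its certificate is. Because certutil never deletes an unreferenced key, the orphan from -G still occupies the key database; it simply cannot be reached by name until a certificate carrying its public key is added with -A.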