Ian McGreer wrote:
> 
> Steven,
> 
> Unfortunately, certutil will not work in the manner you are attempting.
> Historically, NSS had separate utilities for doing key generation
> and certificate generation.  You had to generate the keys, and then
> reference them by the first few bytes of the modulus when creating the cert.
> 
> Today, certutil attempts to combine those operations.  Key generation
> occurs when generating a certificate request.  If creating a certificate
> is your goal, use:
> certutil -R
> certutil -C
> certutil -A
> or, to do it all at once:
> certutil -S
> 
> You can still generate keys with certutil -G, but they will be
> "orphaned".  certutil only knows how to locate keys that correspond to a
> certificate; it uses the public key of the cert to locate the private
> key.  Most likely, the key generation steps you tried succeeded,
> certutil just couldn't show them to you.  Once the associated cert is in
> the database (via a certutil -A or certutil -S), you should be able to
> list the key.

It is good that certutil can do all the steps from key gen to issuing the
CSR in one step.  But it is also necessary (for many users) that NSS tools
be able to generate CSRs from extant keys.

/Nelson
