John Simeone wrote:
> Running NSS 3.9.2 OPT on Win2K SP4 with NSPR 4.4.1.
> Followed instructions in:
> http://www.mozilla.org/projects/security/pki/nss/ref/ssl/gtstd.html
That web page was written years ago, for a very old version of NSS,
NSS 2.7 (IIRC). NSS now is on a new major version (current is 3.9),
and the certutil command works a little differently. Appears to me
that the documentation (specifically this page) hasn't kept up.
> Generated two key pairs using:
> certutil -G -g 2048 -d c:\server_db
> certutil -G -g 2048 -d c:\server_db
> Appears to work correctly, i.e. "Generating key. This may take a few
> moments..."
Did it ask you for your key DB password in there? If not, then
perhaps your key DB wasn't properly initialized with a password.
In that case, start over, delete your old cert and key DBs,
(back them up first if you like), and start over with
certutil -N again, and create a DB password. That may help.
> Attempting to list the public keys using:
> certutil -L -d c:\server_db
> produces no output whatsoever but no errors. Just a return to the
> command prompt.
> Any attempt to go further and generate a cert request using the -R
> command produces the message:
> "certutil: NSS_Initialize failed: security library: bad database."
> Can anyone suggest what is going on here and how to remedy the situation?
Please file a bug in bugzilla.mozilla.org against product NSS, component
tools (that may get changed as the bug is worked on), reporting exactly
your original text, and perhaps this reply too. Your bug may get changed
to a documentation bug if the NSS developers decide that the program is
right and the documentation is wrong. One of them is wrong, perhaps
both.
certutil is now capable of generating the key pair in the step that
creates the cert request. It appears to me that it is no longer
possible to explicitly specify which public key to use via an option
to the certutil -R command. It appears to me that certutil -R always
generates a new key pair.
By default, certutil -R generates a 1024-bit RSA key pair. You can
override the defaults through some options, e.g.
-k dsa -q pqgfile if you don't want RSA, or
-g 2048 if you want a different size key.
Perhaps we (NSS developers) should eliminate the old certutil -G feature,
if certutil has no way to use keys generated in that fashion. I think
we should either eliminate that old option, or fix it, and add an option
for certutil -R to enable users to explicitly specify a key pair, as they
could and did before NSS 3.4 (IINM).
> Thank you.
If you can read a shell script, you can see how the NSS automated test
scripts do all this stuff with the present certutil command, by looking in
http://lxr.mozilla.org/security/source/security/nss/tests/cert/cert.sh
Hope this helps.
--
Nelson B
_______________________________________________
mozilla-crypto mailing list
mozilla-crypto@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-crypto
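An added example, not part of the thread or of NSS's own scripts: a POSIX shell walk-through of the certutil -N / -R flow Nelson describes, where -R generates the key pair itself. It assumes certutil (the NSS tools) is on PATH; the directory, password and subject name are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): NSS 3.x certutil flow
# in which certutil -R creates the key pair and the request in one step.
# Assumes certutil is on PATH. DB dir, password and subject are constructed.

# Initialise a fresh cert/key DB *with a password*; skipping this is the
# likely cause of "bad database" later. $1 = DB directory, $2 = password file.
nss_init_db() {
  mkdir -p "$1"
  certutil -N -d "$1" -f "$2"
}

# Generate the key pair and the PKCS#10 request together.
# -g overrides the 1024-bit RSA default; -z supplies a noise file so the
# command does not block on keyboard entropy; -a writes ASCII (PEM) output.
# $1 = DB directory, $2 = password file, $3 = noise file.
nss_make_request() {
  certutil -R -d "$1" -f "$2" -z "$3" -g 2048 -a \
           -s "CN=example.test,O=Example Org" -o "$1/server.req"
}

# Keys are listed with -K. -L lists *certificates*, so it prints nothing
# right after key generation even when the key DB is fine.
nss_list_keys() {
  certutil -K -d "$1" -f "$2"
}

# Runs the whole flow in a temporary directory. Returns 0 when the request
# file was produced (or when certutil is absent, in which case it reports
# that it skipped the run), 1 on any failure.
nss_demo() {
  if ! command -v certutil >/dev/null 2>&1; then
    echo "certutil not found; install the NSS tools to run this demo" >&2
    return 0
  fi
  db=$(mktemp -d)
  pw="$db/pw.txt"
  noise="$db/noise.bin"
  printf 'constructed-example-password\n' > "$pw"    # constructed, not a real secret
  dd if=/dev/urandom of="$noise" bs=64 count=1 2>/dev/null
  nss_init_db "$db" "$pw" &&
  nss_make_request "$db" "$pw" "$noise" &&
  nss_list_keys "$db" "$pw" &&
  [ -s "$db/server.req" ] || return 1
  rm -rf "$db"
  echo "request written and key pair listed OK"
}

nss_demo
```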