Public bug reported:

root@root:~/sandbox# certutil -K -d .pki/nssdb/
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
Enter Password or Pin for "NSS Certificate DB":
< 0> rsa 04ff65bfa43d71346c786d78e48ff0f2c9fccc71 (orphan)
< 1> rsa c89d0f0a39893f5636281e708434cb2521c9c7e0 1.2.3.4
< 2> rsa 323236d51ca7a59a6cffe8622acb6836db78e565 (orphan)
< 3> rsa 4dd54c6572610a2b41ef06aa93f1845e6def2d8c 2.3.4.37
< 4> rsa a7180b2d9f5dbbbfeb018ed12de8bdbc474967ef (orphan)
< 5> rsa 8323fde266d0db66c19fda80edc8aae50f365e06 (orphan)

root@root:~/sandbox# certutil -L -d .pki/nssdb/

Certificate Nickname                Trust Attributes
                                    SSL,S/MIME,JAR/XPI

1.2.3.4                             CTu,u,u
2.3.4.5                             u,u,u
2.3.4.7                             u,u,u
2.3.4.37                            u,u,u

root@root:~/sandbox# certutil -D -n 2.3.4.37 -d .pki/nssdb/

Here the cert got deleted:

root@root:~/sandbox# certutil -L -d .pki/nssdb/

Certificate Nickname                Trust Attributes
                                    SSL,S/MIME,JAR/XPI

1.2.3.4                             CTu,u,u
2.3.4.5                             u,u,u
2.3.4.7                             u,u,u

But the private key did not get deleted, which is expected, I believe, as I just deleted only the cert:

root@root:~/sandbox# certutil -K -d .pki/nssdb/
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
Enter Password or Pin for "NSS Certificate DB":
< 0> rsa 04ff65bfa43d71346c786d78e48ff0f2c9fccc71 (orphan)
< 1> rsa c89d0f0a39893f5636281e708434cb2521c9c7e0 1.2.3.4
< 2> rsa 323236d51ca7a59a6cffe8622acb6836db78e565 (orphan)
< 3> rsa 4dd54c6572610a2b41ef06aa93f1845e6def2d8c 2.3.4.37
< 4> rsa a7180b2d9f5dbbbfeb018ed12de8bdbc474967ef (orphan)
< 5> rsa 8323fde266d0db66c19fda80edc8aae50f365e06 (orphan)

So I attempted to delete the corresponding key:

root@root:~/sandbox# certutil -F -n 2.3.4.37 -d .pki/nssdb/
Enter Password or Pin for "NSS Certificate DB":

But it did not delete, as can be seen below:

root@root:~/sandbox# certutil -K -d .pki/nssdb/ -f .pki/conf/pwdfile.txt
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa 04ff65bfa43d71346c786d78e48ff0f2c9fccc71 (orphan)
< 1> rsa c89d0f0a39893f5636281e708434cb2521c9c7e0 1.2.3.4
< 2> rsa 323236d51ca7a59a6cffe8622acb6836db78e565 (orphan)
< 3> rsa 4dd54c6572610a2b41ef06aa93f1845e6def2d8c 2.3.4.37
< 4> rsa a7180b2d9f5dbbbfeb018ed12de8bdbc474967ef (orphan)
< 5> rsa 8323fde266d0db66c19fda80edc8aae50f365e06 (orphan)

The only way I can get the key deleted is by executing a "-F key deletion" on a key whose cert has not already been deleted. This however removes the corresponding cert also.

I know there is a bug on 'being unable to delete an orphan key'. But I thought this is a distinct interesting behavior.

=========
lsb_release -rd
Description:    Ubuntu 12.04.5 LTS
Release:        12.04

=========
dpkg -l | grep nss
ii  insserv         1.14.0-2.1ubuntu2           Tool to organize boot sequence using LSB init.d script dependencies
ii  libnss3         3.17-0ubuntu0.12.04.1       Network Security Service libraries
ii  libnss3-1d      3.17-0ubuntu0.12.04.1       Network Security Service libraries
ii  libnss3-tools   3.17.1-0ubuntu0.12.04.1     Network Security Service tools
ii  openssh-client  1:5.9p1-5ubuntu1.4          secure shell (SSH) client, for secure access to remote machines
ii  openssh-server  1:5.9p1-5ubuntu1.4          secure shell (SSH) server, for secure access from remote machines
ii  openssl         1.0.1-4ubuntu5.17           Secure Socket Layer (SSL) binary and related cryptographic tools

** Affects: nss (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: certutil nss pki

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1377284

Title:
  Cannot delete a private key using certutil -F

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nss/+bug/1377284/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
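As an added check (not part of the bug report or of NSS itself), the two listings above can be cross-referenced so that an operator sees which private keys are left without a certificate before and after a `certutil -D`. The sample listings are constructed from the report's output; the point the check makes is that `certutil -K` still labels the key with nickname 2.3.4.37 after that certificate is gone, so counting only the `(orphan)` marker undercounts the keys that linger in the database.

```python
import re
# One key line of `certutil -K`, e.g. "< 3> rsa 4dd54c65...2d8c 2.3.4.37"
KEY_LINE = re.compile(r"^<\s*\d+>\s+\w+\s+([0-9a-f]{40})\s*(.*)$")
# Trust column of `certutil -L`, e.g. "CTu,u,u" or "u,u,u"
TRUST = re.compile(r"^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$")
# Constructed from the listings in the report: the -K output is the same
# before and after `certutil -D -n 2.3.4.37`; only the -L output changes.
KEYS_OUT = """\
< 0> rsa 04ff65bfa43d71346c786d78e48ff0f2c9fccc71 (orphan)
< 1> rsa c89d0f0a39893f5636281e708434cb2521c9c7e0 1.2.3.4
< 2> rsa 323236d51ca7a59a6cffe8622acb6836db78e565 (orphan)
< 3> rsa 4dd54c6572610a2b41ef06aa93f1845e6def2d8c 2.3.4.37
"""
CERTS_BEFORE = """\
Certificate Nickname    Trust Attributes
                        SSL,S/MIME,JAR/XPI
1.2.3.4                 CTu,u,u
2.3.4.5                 u,u,u
2.3.4.37                u,u,u
"""
CERTS_AFTER = "\n".join(ln for ln in CERTS_BEFORE.splitlines() if not ln.startswith("2.3.4.37"))

def parse_keys(text):
    """{key_id: nickname or None} from -K output. certutil may keep printing a
    nickname for a key whose cert was just deleted, so "(orphan)" alone is not enough."""
    keys = {}
    for m in (KEY_LINE.match(ln.strip()) for ln in text.splitlines()):
        if m:
            nick = m.group(2).strip()
            keys[m.group(1)] = None if nick == "(orphan)" else nick
    return keys

def parse_certs(text):
    """{nickname: trust flags} from -L output. Nicknames may contain spaces,
    so only the last column is split off and must look like a trust triple."""
    certs = {}
    for line in text.splitlines():
        parts = line.strip().rsplit(None, 1)
        if len(parts) == 2 and TRUST.match(parts[1]):
            certs[parts[0]] = parts[1]
    return certs

def audit(keys_text, certs_text):
    """A key is an orphan unless its nickname names a cert still listed by -L."""
    keys, certs = parse_keys(keys_text), parse_certs(certs_text)
    paired = {nick: kid for kid, nick in keys.items() if nick in certs}
    return {"orphan_keys": sorted(k for k, n in keys.items() if n not in certs),
            "keyless_certs": sorted(set(certs) - set(paired)),
            "paired": paired}
```

Running it against real output means capturing `certutil -K -d <dir> -f <pwfile>` and `certutil -L -d <dir>` into the two strings; a key that stays in `orphan_keys` after cleanup is exactly the case the report describes.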