Question about the usage of certutil documented in Red Hat Directory Server Admin Guide

beyonddc

Apr 9, 2008, 12:43:05 PM
Hi group,

I have some questions about certutil.

When you create an individual certificate and add it to a certificate
database with the "-S" command, does it also generate a key pair for
you?

I'm following the instructions in "Red Hat Directory Server 7.1
Administrator Guide" to use certutil to create a self-signed
certificate.
http://www.redhat.com/docs/manuals/dir-server/ag/7.1/ssl.html#1087158

I got very confused in step 5 in the "Using certutil" section in the
"RH DS 7.1 Admin Guide" about generating a standalone key pair with the
"-G" command, and then it seems like it is not used at all
afterward, because the manual then goes on to explain using the "-S"
command to create and add self-signed and server certificates.

I just want to have a second pair of eyes look at the few steps documented
in the "RH DS 7.1 Admin Guide" to confirm that what I said is correct: that
step 5 in the "Using certutil" section, generating a key pair with the
"-G" command, is not necessary.

Thanks!!!

David

Nelson Bolyard

Apr 10, 2008, 12:50:53 AM
beyonddc wrote, On 2008-04-09 09:43:
> Hi group,
>
> I have some questions about certutil.
>
> When you create an individual certificate and add it to a certificate
> database with the "-S" command, does it also generate a key pair for
> you?

Yes.

> I'm following the instructions in "Red Hat Directory Server 7.1
> Administrator Guide" to use certutil to create a self-signed
> certificate.
> http://www.redhat.com/docs/manuals/dir-server/ag/7.1/ssl.html#1087158

Ugh! That section needs to be rewritten, IMO.
Among its problems:
- shows the generation of a "noise" file with little or no entropy.
- reuses that noise file in the generation of multiple keys.
- doesn't explain what to do with the generated CA cert
- doesn't explain that this is for testing only, not for production use.

> I got very confused in step 5 in the "Using certutil" section in the
> "RH DS 7.1 Admin Guide" about generating a standalone key pair with the
> "-G" command, and then it seems like it is not used at all
> afterward, because the manual then goes on to explain using the "-S"
> command to create and add self-signed and server certificates.

Yeah, step 5 is a no-op.

> I just want to have a second pair of eyes look at the few steps documented
> in the "RH DS 7.1 Admin Guide" to confirm that what I said is correct: that
> step 5 in the "Using certutil" section, generating a key pair with the
> "-G" command, is not necessary.

Right.

Suggestions:

1. Don't use vi (or any text editor) to generate a noise file.
Instead use

    $ dd bs=256 count=1 if=/dev/urandom of=noise

Note: it's not a text file, so drop the .txt suffix

2. Don't re-use noise files. Run that dd command immediately before each
and every command (such as certutil) that uses the noise file as an input,
to get a fresh noise file. And rm that file right after it is used once.

3. Export that CA cert (without the private key) to a file, so that it
can be imported into clients who will then trust it as a CA for issuing
SSL server certs.

    $ certutil -L -d . -n "CA certificate" -a -o /tmp/rootcert.pem

4. Import that CA cert into the client and trust it to issue SSL server
certs. The exact method depends on the client. For NSS-based clients
it would be something like:

    $ certutil -A -d client-dir -n "CA certificate" -a -t C,, -i /tmp/rootcert.pem

/Nelson
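The four suggestions above, carried through end to end as an added example (this script is not from the thread or from the Red Hat guide): a fresh noise file is generated immediately before each certutil command that consumes one and deleted right after, the CA and server certs are created with -S (which generates each key pair itself, so no separate -G step is needed), the CA cert alone is exported as PEM, and it is imported into a client DB with trust flags C,,. The directory names ./server-db and ./client-db, the subject names, the "Server-Cert" nickname, the 12-month validity, the empty DB password and the `--run` switch are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread or the RH DS guide: the certutil workflow
# Nelson outlines, with a fresh noise file for every command that consumes one.
# Assumed names (not in the thread): ./server-db, ./client-db, the subjects,
# the "Server-Cert" nickname and a 12-month validity. Requires NSS certutil.
set -eu

SERVER_DB=${SERVER_DB:-./server-db}   # assumed: the directory server's NSS DB
CLIENT_DB=${CLIENT_DB:-./client-db}   # assumed: an NSS-based client's DB
NOISE=${NOISE:-./noise}               # binary file, so no .txt suffix
CA_NICK="CA certificate"
CA_PEM=/tmp/rootcert.pem

# Suggestion 1: 256 bytes from /dev/urandom, never from a text editor.
# Prints the byte count so callers can check it.
fresh_noise() {
    dd bs=256 count=1 if=/dev/urandom of="$NOISE" 2>/dev/null
    wc -c < "$NOISE" | tr -d ' '
}

# Suggestion 2: generate the noise right before the command that uses it
# and remove it afterwards, so no two keys ever share a noise file.
with_fresh_noise() {
    fresh_noise >/dev/null
    "$@" -z "$NOISE"
    rm -f "$NOISE"
}

# Number of private keys in an NSS DB (each "certutil -K" entry starts with "<").
# Two entries after main() shows that -S generated both key pairs itself,
# which is why the guide's separate -G step is a no-op.
count_keys() {
    certutil -K -d "$1" 2>/dev/null | grep -c '^<' || true
}

main() {
    mkdir -p "$SERVER_DB" "$CLIENT_DB"
    certutil -N -d "$SERVER_DB" --empty-password   # assumption: empty DB password
    certutil -N -d "$CLIENT_DB" --empty-password

    # Self-signed CA: -S creates the key pair and the cert in one step.
    with_fresh_noise certutil -S -d "$SERVER_DB" -n "$CA_NICK" \
        -s "CN=Example Test CA" -x -t "CT,," -m 1 -v 12

    # Server cert issued by that CA; again -S generates its own key pair.
    with_fresh_noise certutil -S -d "$SERVER_DB" -n "Server-Cert" \
        -s "CN=ldap.example.com" -c "$CA_NICK" -t ",," -m 2 -v 12

    # Suggestion 3: export the CA cert only (no private key) as PEM.
    certutil -L -d "$SERVER_DB" -n "$CA_NICK" -a -o "$CA_PEM"

    # Suggestion 4: import it into the client and trust it for SSL servers.
    certutil -A -d "$CLIENT_DB" -n "$CA_NICK" -a -t "C,," -i "$CA_PEM"

    echo "server-db private keys: $(count_keys "$SERVER_DB")"   # expect 2
    certutil -L -d "$CLIENT_DB"                                   # shows C,, trust
}

# The certutil steps only run when asked for, e.g.  sh nss-ca-demo.sh --run
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Run it with `--run` in a scratch directory. `--empty-password` is a later certutil option than the 2008 guide used; with an older NSS, pass a password file with `-f` instead. As in the guide, the CA cert is created without `-2`, so it carries no basicConstraints extension, which is one more reason this setup is for testing rather than production.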

beyonddc

Apr 10, 2008, 11:00:50 AM
Aahh... that's exactly what I thought. I was suspecting step 5 is a
no-op! Thanks for your confirmation!

I also learned something new. I didn't know you can use certutil
to export a certificate to PEM format.

Thanks!

On Apr 10, 12:50 am, Nelson Bolyard <NOnelsonS...@NObolyardSPAM.com>
wrote:

Stephen Hamilton

Apr 10, 2008, 11:11:54 AM
to dev-tec...@lists.mozilla.org
I'm trying to find a sample java applet that runs on a smart card. I've
got some Gemalto 64kv2 cards that I'm trying to use like a CAC card,
however I can't load a certificate on to them without something like the
PKI applet. I want to use my own self-signed certs. Are there any
downloadable applets, and if not I can write my own applet, but I'm not
too sure where to begin.
Any help would be appreciated!

Stephen

Nelson Bolyard

Apr 10, 2008, 11:32:29 AM
Stephen Hamilton wrote, On 2008-04-10 08:11:
> I'm trying to find a sample java applet that runs on a smart card. I've
> got some Gemalto 64kv2 cards that I'm trying to use like a CAC card,

Are those "Java cards"?

> however I can't load a certificate on to them without something like the
> PKI applet. I want to use my own self-signed certs. Are there any
> downloadable applets, and if not I can write my own applet, but I'm not
> too sure where to begin.
> Any help would be appreciated!

If you have Java cards, begin here:
http://www.musclecard.com/musclecard/index.html
