I have some questions about certutil.
When you create an individual certificate and add it to a certificate
database with the "-S" command, does it also generate a key pair for
you?
I'm following the instructions in "Red Hat Directory Server 7.1
Administrator Guide" to use certutil to create a self-signed
certificate.
http://www.redhat.com/docs/manuals/dir-server/ag/7.1/ssl.html#1087158
I got very confused in step 5 in the "Using certutil" section in the
"RH DS 7.1 Admin Guide" about generating a standalone key pair with the
"-G" command, and then it seems like it is not used at all
afterward, because the manual then goes on and explains using the "-S"
command to create and add self-signed and server certificates.
I just want to have a second pair of eyes look at the few steps documented
in the "RH DS 7.1 Admin Guide" to confirm that what I said is correct: that
step 5 in the "Using certutil" section, generating a key pair with the
"-G" command, is not necessary.
Thanks!!!
David
Yes.
> I'm following the instructions in "Red Hat Directory Server 7.1
> Administrator Guide" to use certutil to create a self-signed
> certificate.
> http://www.redhat.com/docs/manuals/dir-server/ag/7.1/ssl.html#1087158
Ugh! That section needs to be rewritten, IMO.
Among its problems:
- shows the generation of a "noise" file with little or no entropy.
- reuses that noise file in the generation of multiple keys.
- doesn't explain what to do with the generated CA cert
- doesn't explain that this is for testing only, not for production use.
> I got very confused in step 5 in the "Using certutil" section in the
> "RH DS 7.1 Admin Guide" about generating a standalone key pair with the
> "-G" command, and then it seems like it is not used at all
> afterward, because the manual then goes on and explains using the "-S"
> command to create and add self-signed and server certificates.
Yeah, step 5 is a no-op.
> I just want to have a second pair of eyes look at the few steps documented
> in the "RH DS 7.1 Admin Guide" to confirm that what I said is correct: that
> step 5 in the "Using certutil" section, generating a key pair with the
> "-G" command, is not necessary.
Right.
Suggestions:
1. Don't use vi (or any text editor) to generate a noise file.
Instead use:
    dd bs=256 count=1 if=/dev/urandom of=noise
Note: it's not a text file, so drop the .txt suffix
2. Don't re-use noise files. Run that dd command immediately before each
and every command (such as certutil) that uses the noise file as an input,
to get a fresh noise file. And rm that file right after it is used once.
3. Export that CA cert (without the private key) to a file, so that it
can be imported into clients who will then trust it as a CA for issuing
SSL server certs.
    certutil -L -d . -n "CA certificate" -a -o /tmp/rootcert.pem
4. Import that CA cert into the client and trust it to issue SSL server
certs. The exact method depends on the client. For NSS-based clients
it would be something like:
    certutil -A -d client-dir -n "CA certificate" -a -t C,, -i /tmp/rootcert.pem
/Nelson
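The four suggestions above, written out as a script (an added example, not from the thread or from the RH DS guide). It assumes the database paths, the CN values, and certutil's -z (noise file) and --empty-password (newer NSS) options; the noise-file helpers are what the thread is really about, so they are kept separate from the certutil steps.

```shell
#!/bin/sh
# Added example, not from the thread: the CA / server-cert steps above with
# Nelson's corrections applied. Assumed: the DB paths, the CN values, and
# certutil's -z (noise file) and --empty-password (newer NSS) options.
set -e

# Fresh 256-byte noise from /dev/urandom (binary, so no .txt suffix).
make_noise() {
    dd bs=256 count=1 if=/dev/urandom of="$1" 2>/dev/null
}

# Run one noise-consuming command with a noise file made just for it,
# then delete the file so it can never feed a second key.
with_fresh_noise() {
    noise=$(mktemp)            # assumption: mktemp is available
    make_noise "$noise"
    rc=0
    "$@" -z "$noise" || rc=$?
    rm -f "$noise"
    return $rc
}

# Steps 1-4 from the reply; each certutil call gets its own noise file.
issue_and_distribute() {
    db=$1        # server's cert/key database (assumed path)
    client=$2    # client's database (assumed path)
    mkdir -p "$db" "$client"
    certutil -N -d "$db" --empty-password
    certutil -N -d "$client" --empty-password
    # Self-signed CA cert (-x); -S generates the key pair itself, so no -G.
    with_fresh_noise certutil -S -d "$db" -n "CA certificate" \
        -s "CN=Test CA" -x -t "CT,," -v 24
    # Server cert signed (-c) by that CA.
    with_fresh_noise certutil -S -d "$db" -n "Server-Cert" \
        -s "CN=ldap.example.com" -c "CA certificate" -t ",," -v 12
    # Export only the CA's public cert as PEM; the private key stays put.
    certutil -L -d "$db" -n "CA certificate" -a -o "$db/rootcert.pem"
    # Import it into the client DB, trusted to issue SSL server certs.
    certutil -A -d "$client" -n "CA certificate" -a -t "C,," \
        -i "$db/rootcert.pem"
}

# Run the certutil steps only when asked to and certutil is installed:
#   sh thisfile.sh run ./nssdb ./client-dir
if [ "${1:-}" = run ] && command -v certutil >/dev/null 2>&1; then
    issue_and_distribute "${2:-./nssdb}" "${3:-./client-dir}"
fi
```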
I also learned something new. I didn't know you could use certutil
to export a certificate to PEM format.
Thanks!
On Apr 10, 12:50 am, Nelson Bolyard <NOnelsonS...@NObolyardSPAM.com>
wrote:
Stephen
Are those "Java cards"?
> however I can't load a certificate on to them without something like the
> PKI applet. I want to use my own self-signed certs. Are there any
> downloadable applets, and if not, I can write my own applet, but I'm not
> too sure where to begin.
> Any help would be appreciated!
If you have Java cards, begin here:
http://www.musclecard.com/musclecard/index.html