On Wed, 2013-04-10 at 11:36 -0700,
daniem...@gmail.com wrote:
> I'm trying to generate a Certificate Signing Request to be later signed by a CA and imported to a NSS database.
>
> Currently Using the following commands:
>
> certutil -R -d alias -f nssPasswordFile -s "sample-dn" -n "sample-dn" -k "rsa" -g 2048 -o cert.req -a -z noiseFile
I think the -n parameter is unnecessary at this point (and will get
ignored), because no cert is involved yet.
(If you try certutil -K immediately after the command, you'll get a
private key listed without a nickname, even if you have used the -n
parameter.)
> Then using sslget to receive a successful response
I assume with "successful response" you mean that you have downloaded a
certificate issued by the CA.
> and import it using:
>
> certutil -A -s "sample-dn" -n "sample-dn" -a -d alias -f nssPasswordFile -t ",,"
Did this command work without error message?
I assume you used something like
cat retrieved-certificate-file | certutil -A ....
It seems wrong to use the -s argument in this scenario. The subject name
should be taken from the certificate you import. I suspect that certutil
will silently ignore this parameter, but you might want to try without
it.
> The problem is when I use certutil to list all private keys. I get something like:
>
> < 9> rsa c679865c65628623c59ab392019943ef426aa2e1 NSS Certificate DB:sample-dn
That seems correct.
> And when I use a PKCS11Wrapper in Java I get a Private Key with the correct ID but a <NULL-PTR> in the label.
What is the "correct ID" that you are using to obtain the privat key? Do
you use "9" or do you use "sample-dn"?
What's the exact API that you use to obtain the private key?
What's the exact attribute, of which interface, that contains the NULL
label?
If I understand correctly, you are successfully able to obtain the
private key and use it, your only problem is that it has an empty label?
Is that only a cosmetic issue, or does it cause problems for you?
> Note: When I use pk12util I can successfully export and then import in the firefox nss database and appears good.
Which confirms that your earlier certificate had worked.
You said you are using "PKCS11Wrapper in Java", do you refer to a Java
application that accesses your NSS database directly - or do you refer
to an applet downloaded from a website that you expect to be able to
access the private key?
Kai