
Renaming cert on import (or using certutil)


Michael Kaply

Jul 9, 2009, 1:37:34 AM
I'm importing a code signing cert into my database using pk12util, but
it gets assigned a random alias:

e33eb463-ddba-4895-9469-bfdd01c71fe2

Is there a way via the command line utilities to rename that to a more
human name?

I'm sure I did this in the past, but I can't find anything in the docs.

Mike Kaply

David Stutzman

Jul 9, 2009, 7:38:39 AM

Nope, no NSS command line utility can change the nickname (I was working
on one but got stuck backing up and restoring the trust bits...). Also,
if you import a certificate that has the same DN as a pre-existing
certificate then no matter what nickname you assign with certutil (or
the friendly name from PKCS#12) it will get the same nickname as the
pre-existing certificate.

On to renaming...When you import a PKCS#12 file, NSS normally will use
the "friendly name" attribute of the cert/key as the nickname. I'm
guessing you exported the P12 in question from a Microsoft operating
system. You can "rename" the PKCS#12 file by using openssl to extract
the contents of the PKCS#12 and then repack it with a new friendly name.

You can use either pk12util or openssl (and probably others) to view the
friendly name of a PKCS#12 file before you import it.
openssl pkcs12 -in test.p12 -info
or
pk12util -l test.p12

(Please ignore the "nss" prefix on all my nss commands, that's Gentoo's
fault)

dstutzman@mbn /public/dstutzman/nss $ nsspk12util -i test.p12 -d .
Enter password for PKCS12 file:
nsspk12util: PKCS12 IMPORT SUCCESSFUL
dstutzman@mbn /public/dstutzman/nss $ nsscertutil -L -d .

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

I don't like this nickname                                   u,u,u
dstutzman@mbn /public/dstutzman/nss $ nsscertutil -D -n "I don't like this nickname" -d .
dstutzman@mbn /public/dstutzman/nss $ nsscertutil -L -d .

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
dstutzman@mbn /public/dstutzman/nss $ openssl pkcs12 -in test.p12 -out test.pem
Enter Import Password:
MAC verified OK
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
dstutzman@mbn /public/dstutzman/nss $ openssl pkcs12 -export -in test.pem -out renamed.p12 -name "Me likey this nickname"
Enter pass phrase for test.pem:
Enter Export Password:
Verifying - Enter Export Password:
dstutzman@mbn /public/dstutzman/nss $ nsspk12util -i renamed.p12 -d .
Enter password for PKCS12 file:
nsspk12util: PKCS12 IMPORT SUCCESSFUL
dstutzman@mbn /public/dstutzman/nss $ nsscertutil -L -d .

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Me likey this nickname                                       u,u,u

Just make sure you clean up both the PKCS#12s, the original and
"renamed", as well as the temporary pem file that openssl created as all
have a copy of your private key (albeit protected somewhat with PBE) so
once you have it imported into NSS, back up the good PKCS#12 and get the
rest off the machine.

Dave
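
The extract, repack and clean-up steps from the reply above, as an added example that is not part of the original thread: the intermediate PEM lives in a private temporary directory, is encrypted with a throwaway random pass phrase, and is removed on exit even if a step fails. The function names `rename_p12` and `p12_friendly_name` and the environment variables `P12_PASS` and `PEM_PASS` are assumptions made for this sketch; passwords are passed with openssl's `env:` source so they do not appear on the command line.

```shell
#!/bin/sh
# Added example. Usage: export P12_PASS=...; rename_p12 SRC.p12 DST.p12 "New name"
# P12_PASS (assumed name) is the password of SRC and is reused for DST.
rename_p12() {
    src=$1 dst=$2 name=$3
    [ -n "${P12_PASS:-}" ] || { echo "export P12_PASS first" >&2; return 2; }
    [ "$src" != "$dst" ] || { echo "refusing to overwrite $src" >&2; return 2; }
    (
        umask 077                           # temp files readable by owner only
        tmp=$(mktemp -d) || exit 1
        trap 'rm -rf "$tmp"' EXIT           # temp PEM is removed on any exit path
        # Throwaway pass phrase: the temp PEM is useless once this subshell ends.
        PEM_PASS=$(openssl rand -hex 32) || exit 1
        export PEM_PASS
        # Step 1: unpack the PKCS#12 into an encrypted PEM bundle.
        openssl pkcs12 -in "$src" -passin env:P12_PASS \
            -out "$tmp/bundle.pem" -passout env:PEM_PASS || exit 1
        # Step 2: repack with the new friendly name.
        openssl pkcs12 -export -in "$tmp/bundle.pem" -passin env:PEM_PASS \
            -name "$name" -out "$dst" -passout env:P12_PASS || exit 1
    )
}

# Print the friendly name of the first certificate bag, without touching keys.
p12_friendly_name() {
    openssl pkcs12 -in "$1" -passin env:P12_PASS -nokeys 2>/dev/null |
        sed -n 's/^ *friendlyName: //p' | head -n 1
}
```

After importing the renamed file with `pk12util -i`, the original and renamed PKCS#12 files still hold the private key and need the handling described in the reply.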

Michael Kaply

Jul 9, 2009, 7:24:46 PM
to David Stutzman
Appreciate the detailed explanation.

Unfortunately I'm getting a segmentation fault on the export of the
test.pem to my new pfx file...

Very strange...

Mike

Nelson B Bolyard

Jul 9, 2009, 7:59:42 PM
to mozilla's crypto code discussion list
On 2009-07-08 22:37 PDT, Michael Kaply wrote:
> I'm importing a code signing cert into my database using pk12util, but
> it gets assigned a random alias:
>
> e33eb463-ddba-4895-9469-bfdd01c71fe2

That's a Microsoft Windows GUID. The most likely cause of this is that
you exported the cert and private key from an MS Windows cert/key store
using Microsoft's PFX file creation wizard, and didn't give the
certificate a nickname (which Microsoft calls a "Friendly name") first,
so Windows assigned it a random GUID for its "friendly" name.
(Not very friendly, I think). (PFX == PKCS#12, as you may know.)

The simplest solution is to use Microsoft's cert manager and give the
cert a friendly name in the cert store, then re-export it to a new PFX
file. Then delete the cert with the old nickname from your NSS cert DB
and then import the new PFX file.

> Is there a way via the command line utilities to rename that to a more
> human name?

Not via NSS command line utilities. Alas.

> I'm sure I did this in the past, but I can't find anything in the docs.

Here are instructions on how to use MS Windows cert manager to give a
certificate a "Friendly Name" and "Description". These work on XP, and
probably on other Windows versions, too.

a) In IE, go to the tools menu, and select "Internet Options".
b) Click on the "Content" tab.
c) Click on the "Certificates" button.
d) Select the cert you want to export. Click the View button.
e) Click the Details tab.
f) Click the "Edit Properties" button.
g) Type in a "Friendly name". No ':' characters in it, please.
h) Type in a Description, anything you like.
i) Make sure that "Enable all purposes" is checked.
j) Click OK to dismiss the Certificate Properties dialog.
k) Click OK to dismiss the Certificate Detail dialog.

Then export it to a new pfx file.
