Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Certutil - Generate new key

60 views
Skip to first unread message

daniem...@gmail.com

unread,
Apr 10, 2013, 2:36:59 PM4/10/13
to
Hi

I'm trying to generate a Certificate Signing Request to be later signed by a CA and imported to a NSS database.

Currently Using the following commands:

certutil -R -d alias -f nssPasswordFile -s "sample-dn" -n "sample-dn" -k "rsa" -g 2048 -o cert.req -a -z noiseFile

Then using sslget to receive a successful response and import it using:

certutil -A -s "sample-dn" -n "sample-dn" -a -d alias -f nssPasswordFile -t ",,"

The problem is when I use certutil to list all private keys. I get something like:

< 9> rsa c679865c65628623c59ab392019943ef426aa2e1 NSS Certificate DB:sample-dn

And when I use a PKCS11Wrapper in Java I get a Private Key with the correct ID but a <NULL-PTR> in the label.

Note: When I use pk12util I can successfully export and then import in the firefox nss database and appears good.

Thanks

Kai Engert

unread,
Apr 10, 2013, 4:10:33 PM4/10/13
to mozilla's crypto code discussion list
On Wed, 2013-04-10 at 11:36 -0700, daniem...@gmail.com wrote:
> I'm trying to generate a Certificate Signing Request to be later signed by a CA and imported to a NSS database.
>
> Currently Using the following commands:
>
> certutil -R -d alias -f nssPasswordFile -s "sample-dn" -n "sample-dn" -k "rsa" -g 2048 -o cert.req -a -z noiseFile

I think the -n parameter is unnecessary at this point (and will get
ignored), because no cert is involved yet.

(If you try certutil -K immediately after the command, you'll get a
private key listed without a nickname, even if you have used the -n
parameter.)


> Then using sslget to receive a successful response

I assume with "successful response" you mean that you have downloaded a
certificate issued by the CA.


> and import it using:
>
> certutil -A -s "sample-dn" -n "sample-dn" -a -d alias -f nssPasswordFile -t ",,"

Did this command work without error message?

I assume you used something like
cat retrieved-certificate-file | certutil -A ....

It seems wrong to use the -s argument in this scenario. The subject name
should be taken from the certificate you import. I suspect that certutil
will silently ignore this parameter, but you might want to try without
it.


> The problem is when I use certutil to list all private keys. I get something like:
>
> < 9> rsa c679865c65628623c59ab392019943ef426aa2e1 NSS Certificate DB:sample-dn

That seems correct.


> And when I use a PKCS11Wrapper in Java I get a Private Key with the correct ID but a <NULL-PTR> in the label.

What is the "correct ID" that you are using to obtain the privat key? Do
you use "9" or do you use "sample-dn"?

What's the exact API that you use to obtain the private key?

What's the exact attribute, of which interface, that contains the NULL
label?

If I understand correctly, you are successfully able to obtain the
private key and use it, your only problem is that it has an empty label?
Is that only a cosmetic issue, or does it cause problems for you?


> Note: When I use pk12util I can successfully export and then import in the firefox nss database and appears good.

Which confirms that your earlier certificate had worked.

You said you are using "PKCS11Wrapper in Java", do you refer to a Java
application that accesses your NSS database directly - or do you refer
to an applet downloaded from a website that you expect to be able to
access the private key?

Kai


daniem...@gmail.com

unread,
Apr 10, 2013, 4:58:15 PM4/10/13
to mozilla's crypto code discussion list
Thanks for your reply

On Wednesday, April 10, 2013 9:10:33 PM UTC+1, Kai Engert wrote:
> On Wed, 2013-04-10 at 11:36 -0700, daniem...@gmail.com wrote:
>
> > I'm trying to generate a Certificate Signing Request to be later signed by a CA and imported to a NSS database.
>
> >
>
> > Currently Using the following commands:
>
> >
>
> > certutil -R -d alias -f nssPasswordFile -s "sample-dn" -n "sample-dn" -k "rsa" -g 2048 -o cert.req -a -z noiseFile
>
>
>
> I think the -n parameter is unnecessary at this point (and will get
>
> ignored), because no cert is involved yet.
>
>
>
> (If you try certutil -K immediately after the command, you'll get a
>
> private key listed without a nickname, even if you have used the -n
>
> parameter.)
>
>
>
>
>
> > Then using sslget to receive a successful response
>
>
>
> I assume with "successful response" you mean that you have downloaded a
>
> certificate issued by the CA.
>
>
>
>
>
> > and import it using:
>
> >
>
> > certutil -A -s "sample-dn" -n "sample-dn" -a -d alias -f nssPasswordFile -t ",,"
>
>
>
> Did this command work without error message?
>
>
>
> I assume you used something like
>
> cat retrieved-certificate-file | certutil -A ....
>


Daniel: Yes, you assume correctly


>
>
> It seems wrong to use the -s argument in this scenario. The subject name
>
> should be taken from the certificate you import. I suspect that certutil
>
> will silently ignore this parameter, but you might want to try without
>
> it.
>
>
>
>
>
> > The problem is when I use certutil to list all private keys. I get something like:
>
> >
>
> > < 9> rsa c679865c65628623c59ab392019943ef426aa2e1 NSS Certificate DB:sample-dn
>
>
>
> That seems correct.
>
>
>
>
>
> > And when I use a PKCS11Wrapper in Java I get a Private Key with the correct ID but a <NULL-PTR> in the label.
>
>
>
> What is the "correct ID" that you are using to obtain the privat key? Do
>
> you use "9" or do you use "sample-dn"?
>
I am trying to access by the "sample-dn"
>
>
> What's the exact API that you use to obtain the private key?
>
>

Daniel: I am using the iaik PKCS11Wrapper with the libsoftoken(something like this)

>
> What's the exact attribute, of which interface, that contains the NULL
>
> label?

Daniel: It's the label of a private key retrieved from the 2nd Slot (Certificade DB)

>
>
>
> If I understand correctly, you are successfully able to obtain the
>
> private key and use it, your only problem is that it has an empty label?
>
> Is that only a cosmetic issue, or does it cause problems for you?
>
>

Daniel: I hadn't tried to use the private key since I haven't been able to get it by the subject name. It's not a cosmetic issue because I only store the sample-dn

>
>
>
> > Note: When I use pk12util I can successfully export and then import in the firefox nss database and appears good.
>
>
>
> Which confirms that your earlier certificate had worked.
>

Daniel: Yes but what is the main reason that in the original NSS database the key as the alias "NSS Certificate DB:sample-dn" but the imported NSS database has the alias "sample-dn"?

>
>
> You said you are using "PKCS11Wrapper in Java", do you refer to a Java
>
> application that accesses your NSS database directly - or do you refer
>
> to an applet downloaded from a website that you expect to be able to
>
> access the private key?
>

Daniel: I access It directly using the IAIK PKCS11Wrapper

>
>
> Kai

Thanks

Daniel

daniem...@gmail.com

unread,
Apr 10, 2013, 4:58:15 PM4/10/13
to mozilla.dev...@googlegroups.com, mozilla's crypto code discussion list
Thanks for your reply

On Wednesday, April 10, 2013 9:10:33 PM UTC+1, Kai Engert wrote:
> On Wed, 2013-04-10 at 11:36 -0700, daniem...@gmail.com wrote:
>
> > I'm trying to generate a Certificate Signing Request to be later signed by a CA and imported to a NSS database.
>
> >
>
> > Currently Using the following commands:
>
> >
>
> > certutil -R -d alias -f nssPasswordFile -s "sample-dn" -n "sample-dn" -k "rsa" -g 2048 -o cert.req -a -z noiseFile
>
>
>
> I think the -n parameter is unnecessary at this point (and will get
>
> ignored), because no cert is involved yet.
>
>
>
> (If you try certutil -K immediately after the command, you'll get a
>
> private key listed without a nickname, even if you have used the -n
>
> parameter.)
>
>
>
>
>
> > Then using sslget to receive a successful response
>
>
>
> I assume with "successful response" you mean that you have downloaded a
>
> certificate issued by the CA.
>
>
>
>
>
> > and import it using:
>
> >
>
> > certutil -A -s "sample-dn" -n "sample-dn" -a -d alias -f nssPasswordFile -t ",,"
>
>
>
> Did this command work without error message?
>
>
>
> I assume you used something like
>
> cat retrieved-certificate-file | certutil -A ....
>


Daniel: Yes, you assume correctly


>
>
> It seems wrong to use the -s argument in this scenario. The subject name
>
> should be taken from the certificate you import. I suspect that certutil
>
> will silently ignore this parameter, but you might want to try without
>
> it.
>
>
>
>
>
> > The problem is when I use certutil to list all private keys. I get something like:
>
> >
>
> > < 9> rsa c679865c65628623c59ab392019943ef426aa2e1 NSS Certificate DB:sample-dn
>
>
>
> That seems correct.
>
>
>
>
>
> > And when I use a PKCS11Wrapper in Java I get a Private Key with the correct ID but a <NULL-PTR> in the label.
>
>
>
> What is the "correct ID" that you are using to obtain the privat key? Do
>
> you use "9" or do you use "sample-dn"?
>
I am trying to access by the "sample-dn"
>
>
> What's the exact API that you use to obtain the private key?
>
>

Daniel: I am using the iaik PKCS11Wrapper with the libsoftoken(something like this)

>
> What's the exact attribute, of which interface, that contains the NULL
>
> label?

Daniel: It's the label of a private key retrieved from the 2nd Slot (Certificade DB)

>
>
>
> If I understand correctly, you are successfully able to obtain the
>
> private key and use it, your only problem is that it has an empty label?
>
> Is that only a cosmetic issue, or does it cause problems for you?
>
>

Daniel: I hadn't tried to use the private key since I haven't been able to get it by the subject name. It's not a cosmetic issue because I only store the sample-dn

>
>
>
> > Note: When I use pk12util I can successfully export and then import in the firefox nss database and appears good.
>
>
>
> Which confirms that your earlier certificate had worked.
>

Daniel: Yes but what is the main reason that in the original NSS database the key as the alias "NSS Certificate DB:sample-dn" but the imported NSS database has the alias "sample-dn"?

>
>
> You said you are using "PKCS11Wrapper in Java", do you refer to a Java
>
> application that accesses your NSS database directly - or do you refer
>
> to an applet downloaded from a website that you expect to be able to
>
> access the private key?
>

0 new messages