Anthony Lieuallen wrote:
> The documentation for the certutil tool [1] refers to a "u" value for
> the -t argument which it says means "Certificate can be used for
> authentication or signing". When I "certutil -H" it says u means "user
> cert" and mentions nothing about being able to be used for signing (nor
> authentication).
The "u" flag means that NSS has local access to the private key that
complements the cert's public key. The term "user cert" means a cert for
which NSS has access to the private key. Access to the private key is
necessary to be able to perform signing or decryption. It is necessary, but
may not be sufficient. If the cert has a key usage extension or extended key
usage extension that disallows use for signatures, then the key still cannot
be used for that purpose.

> But, no matter how I import a certificate, I can't get "signtool -l" to
> list that as one that I can sign things with. It will list a testing
> cert made with "signtool -G" and then "certutil -L" says "u,u,Cu" for
> that testing cert, but the same permission on import of a real cert
> produces "G,,C".

You cannot set or force the "u" flag on a certificate. If the private key
is present, the u flag will appear, and not otherwise.

> So. Is there something special about certs that can be used to sign
> objects?

Yes, er, sort of. The "special" thing is that the corresponding private key
is available to NSS, e.g. in the key3.db file or in a crypto token.

> If so, how do I get one? Either way, how do I import it with
> certutil, so that I can use it with signtool?

You cannot import private keys with certutil. Generally a private key is
imported together with its corresponding cert. The pk12util tool does that,
using a file in the PKCS#12 format (also known as .pfx files on Windows).

> Thanks.
>
> [1]
> http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html#1034193

--
Nelson B

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
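The behaviour Nelson describes can be reproduced end to end with the NSS command-line tools. The script below is an added example and is not part of the original thread; it assumes `certutil` and `pk12util` are on PATH, and the nickname `signer`, the database password and the PKCS#12 export password are arbitrary values chosen here. It builds three NSS databases: one where the key pair is generated (the "u" flag appears even though the trust string passed to `-t` contains no "u"), one populated by `pk12util -i` from a PKCS#12 export (the "u" flag follows the private key), and one populated by `certutil -A` from the DER certificate alone (only the requested trust bits appear, no "u").

```shell
#!/bin/sh
# Added example (not from the original mailing-list post). Assumes the NSS
# tools certutil and pk12util are installed. Nickname, passwords and the
# subject name are constructed for this demo.
set -eu

# Print the trust-attribute column that "certutil -L" shows for one nickname,
# e.g. "u,u,u" or ",,C". The "u" is derived from the presence of the private
# key in the database; it cannot be requested through -t.
flags_for() {
    db="$1"; nick="$2"
    certutil -L -d "$db" | awk -v n="$nick" '$1 == n { print $NF }'
}

# Build three databases under $1: orig, p12 and certonly.
nss_demo() {
    work="$1"
    pw="$work/pw.txt"; noise="$work/noise"
    echo "dbpassword" > "$pw"                              # softoken password (constructed)
    dd if=/dev/urandom of="$noise" bs=256 count=1 2>/dev/null  # seed for key generation

    for db in orig p12 certonly; do
        mkdir "$work/$db"
        # Creates cert*.db and key*.db (key3.db in the dbm format of the
        # original thread, key4.db in the newer sql format).
        certutil -N -d "$work/$db" -f "$pw"
    done

    # 1. Generate a key pair and self-signed cert in "orig". The trust string
    #    is ",," (nothing requested), yet -L reports "u,u,u" because the
    #    private key lives in this database. KU/EKU permit code signing.
    certutil -S -d "$work/orig" -f "$pw" -z "$noise" \
        -n signer -s "CN=Example Object Signer" -x -t ",," \
        -k rsa -g 2048 -v 12 \
        --keyUsage digitalSignature --extKeyUsage codeSigning
    echo "orig:     $(flags_for "$work/orig" signer)"

    # 2. Export cert + key as PKCS#12 and import into "p12". The "u" flag
    #    appears there too, because the key came along with the cert.
    pk12util -o "$work/signer.p12" -n signer -d "$work/orig" -k "$pw" -W exportpw
    pk12util -i "$work/signer.p12" -d "$work/p12" -k "$pw" -W exportpw
    echo "p12:      $(flags_for "$work/p12" signer)"

    # 3. Export the certificate alone (DER) and import it with certutil -A,
    #    asking for object-signing trust. No key, so no "u": just ",,C".
    certutil -L -d "$work/orig" -n signer -r > "$work/signer.der"
    certutil -A -d "$work/certonly" -n signer -t ",,C" -i "$work/signer.der"
    echo "certonly: $(flags_for "$work/certonly" signer)"
}

if command -v certutil >/dev/null 2>&1 && command -v pk12util >/dev/null 2>&1; then
    WORK=$(mktemp -d)
    trap 'rm -rf "$WORK"' EXIT
    nss_demo "$WORK"
else
    echo "certutil/pk12util not found; install the NSS tools to run this demo" >&2
fi
```

The `certonly` database is the situation Anthony hit: a certificate imported with `certutil -A` carries whatever trust bits were asked for (here `,,C`) but never gains `u`, so `signtool -l` has nothing to sign with. Only the PKCS#12 import route, which brings the private key into the key database, produces a certificate NSS will treat as a user cert.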