Nelson B wrote:
Correct. Softoken generates much of the PKCS #11 objects and data from data stored in the database. The public keys are one of these. They are generated from the existing private key.

jayasree bhattacharya wrote:

> Thanks Nelson for your reply. My confusion is less but still there. The doubts are:
>
> a) When certutil generates keys, the private key is stored in keydb, but where is the public key stored? I am not creating any cert but just generating keys.

If I recall correctly, NSS does not store public keys in either DB file. Private keys are stored in key3.db. Certificates are stored in cert8.db. Public keys, which generally can be derived from private keys, are not stored separately in either DB, as I recall. The public keys may be accessible through the PKCS #11 API, and/or NSS's PK11wrap APIs. I'd imagine that the public keys accessed that way are reconstructed from the private keys. If I'm mis-remembering this, and the public keys ARE stored in the key DB, I invite correction on this point. (Bob :)

Certutil doesn't have an option to dump public keys. Since certutil's API is PKCS #11, the public keys would show up, though because the data is actually stored in the key3.db, much of the actual key data for those public keys would not be available unless the token is logged in.

> b) I want to see all the public keys in keydb using certutil. How do I see them?

I believe the answer is: they don't exist, so you can't see them.

No, though enough information is stored with the private key to generate a new public key in the key database, and the cert has a copy of the public key within its data (so it's possible to extract the public key from the cert).

> d) When I use certutil to create a cert, is the public key stored in 2 places? One as a public key itself in keydb and another as a member of the cert, where the cert is created in certdb?

IIRC, the key is not stored, other than in the cert.

> e) When there is no keydb and certdb and I use certutil -G -d dirname to generate keys, I see that a certdb is built. What is stored there then?

A private key.

After key gen, you will have a key in keydb and an empty certdb.

This, with Nelson's previous response, should answer most of your issues (I think the -K option is the main issue you were missing).
bob
_______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
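The certutil sequence the questions above are about, as an added example that is not code from the thread or from NSS itself. It generates a bare key pair, lists it with `certutil -K` (the option Bob points at), then creates a self-signed cert and, since certutil has no "dump public key" command, pulls the public key out of the cert with openssl. It assumes `certutil` (the NSS tools package) and `openssl` are on PATH; the temporary directory, password file and `demo-cert` nickname are made up for the demonstration. Modern NSS creates cert9.db/key4.db by default; the cert8.db/key3.db pair named in the thread is the legacy dbm format, and the behaviour shown is the same for both.

```shell
#!/bin/sh
# Added example, not code from the thread or from NSS. Assumes certutil and
# openssl are on PATH; directory, password and nickname are made up here.
set -eu

nss_key_demo() {
    # Report "skipped" rather than fail when the NSS tools are not installed.
    if ! command -v certutil >/dev/null 2>&1 || ! command -v openssl >/dev/null 2>&1; then
        echo "skipped"
        return 0
    fi
    dir=$(mktemp -d)
    pw="$dir/pw.txt"
    noise="$dir/noise.bin"
    printf 'demo-password\n' > "$pw"
    # -z seed file: without it certutil -G/-S prompts you to type randomness interactively.
    head -c 2048 /dev/urandom > "$noise"

    # 1. Fresh, empty key and cert databases (key4.db/cert9.db on modern NSS).
    certutil -N -d "$dir" -f "$pw"

    # 2. Key pair only, no cert. Only the private key is written to the key DB;
    #    -K (which needs the DB password) lists it as an orphan because no cert refers to it.
    certutil -G -d "$dir" -f "$pw" -z "$noise" -k rsa -g 2048 >/dev/null
    orphan_keys=$(certutil -K -d "$dir" -f "$pw" | grep -c '^<' || true)

    # 3. Self-signed cert: a second key pair in the key DB plus a cert in the cert DB.
    certutil -S -d "$dir" -f "$pw" -z "$noise" -n demo-cert -s "CN=demo" -x -t ",," -k rsa -g 2048 >/dev/null

    # 4. No public-key dump option exists; the cert carries a copy, so extract it from there.
    certutil -L -d "$dir" -n demo-cert -a > "$dir/cert.pem"
    openssl x509 -in "$dir/cert.pem" -noout -pubkey > "$dir/pub.pem"

    total_keys=$(certutil -K -d "$dir" -f "$pw" | grep -c '^<' || true)
    if grep -q 'BEGIN PUBLIC KEY' "$dir/pub.pem"; then extracted=yes; else extracted=no; fi
    rm -rf "$dir"
    echo "keys listed by -K: $total_keys (orphan before cert: $orphan_keys); public key extracted from cert: $extracted"
}

nss_key_demo
```

After step 2 `certutil -L -d "$dir"` shows an empty cert DB while `-K` already shows the private key, which is the situation in question (e); the public key object that softoken exposes over PKCS #11 is rebuilt from that private key entry, not read from a separate record.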