Yahel Zamir wrote:

> Hi Everyone,
>
> Our company develops a server to be deployed at customer sites, and we
> would like to use NSS to authenticate client connections. As a start, we
> can set up a CA to sign our own certificates.
>
> I tried to follow the instructions in the SSL Reference chapter "Getting
> Started with SSL"
> (http://www.mozilla.org/projects/security/pki/nss/ref/ssl/gtstd.html)
> but encountered some difficulties. Can anyone point me to some more
> information?
See below.

> 1.
> The "Getting Started with SSL" document mentions that "keyutil" was
> replaced by "certutil", which makes the examples outdated. Is this
> document still valid?

The portion of that document that gives a series of keyutil and certutil commands is NOT valid. It doesn't work to simply change "keyutil" to "certutil" in those commands. There is not a one-for-one correspondence between the old keyutil functions and the new certutil functions. certutil -L does not do what keyutil -K did. Someone really needs to write new docs, but that work is not prioritized very high at this time.

> 2.
> It seems that a server certificate needs to include the server's fully
> qualified domain name. Is this requirement obligatory?

Yes, essentially, because of the serious security vulnerabilities of allowing non-FQDN host names in SSL server certs.

> 3.
> At step (3) of "Creating the Databases and Generating the Keys", running
> "certutil -L -d server_db" did not display anything. Any idea what is
> missing here?

certutil -L lists only certs, not keys.

> 4.
> I tried to proceed to "Creating the CA Certificate and Adding It to the
> Database". Using the string "f7c1" returned an error, so I changed to
> "rsa". But at step (2), certutil complained "certutil: self-signing a
> cert request is not supported". Suggestions?

Once upon a time, certutil allowed users to specify keys by giving the values of the leading bytes of the RSA modulus in hex, giving enough of them to uniquely indicate a key in the key DB. The example in the web page you cited shows using an RSA key whose modulus starts with 0xf7c1. Of course, when you generate your own key, you get a new modulus. So, even if you had that old version of certutil that uses -k for a "key ID", you could not copy the modulus from the sample. You'd have to print the modulus from your own generated key and use that in place of the values in the demo script.
But that ability to specify keys by "key id" (a leading substring of the RSA modulus) was in NSS 1.x or 2.x (I don't remember which), and is NOT in NSS 3.x. In NSS 3.x, the -k option specifies the TYPE of key (e.g. RSA, DSA, ECC) and does not identify any particular key.

In the old days, you generated a key pair with keyutil, and then generated a cert request with a separate command using certutil. Today, when you use certutil to generate a cert request, it generates a new key pair for you. The key pair generation is no longer separate from the cert request generation.

Suggestion: the NSS QA test scripts do ALL these steps. They generate cert requests, issue certs, etc. If you can follow the cert.sh script, or a log file from the execution of that script, you will see how to do every step you need, and more. The NSS QA test scripts try to be rather exhaustive, so you might have to look through a lot to find the commands you need.

See http://lxr.mozilla.org/security/source/security/nss/tests/cert/cert.sh

For a log file of a run of cert.sh, see one of the log files from http://tinderbox.mozilla.org/showbuilds.cgi?tree=NSS

> .
> Thanks,
> Yahel Zamir.

-- 
Nelson B

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
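As an added illustration of the NSS 3.x workflow Nelson describes (this script is not from the thread, nor from the NSS project's cert.sh; the database directories, nicknames, subjects, serial numbers and password are assumptions chosen for the example), the following POSIX shell script walks the four steps the original question was stuck on: create the databases, make a self-signed CA with `-S` (the key pair is generated together with the cert), produce a server request with `-R` (again generating the key pair in the same command, with `-k rsa` naming the key type rather than a key), issue it with `-C`, and then show why `-L` looked empty in step 3 by listing certs with `-L` and keys with `-K` separately.

```shell
#!/bin/sh
# Added example (not part of the original thread or the NSS test suite).
# Demonstrates the NSS 3.x certutil flow: key pair generation is folded into
# -S and -R, -k selects the key TYPE, -L lists certs and -K lists keys.
# All directory names, nicknames, subjects, serials and the password are
# assumptions constructed for this example.
set -eu

# nss_demo WORKDIR: builds a CA DB and a server DB under WORKDIR, issues a
# server cert whose CN is an FQDN, and verifies the result. Exit status is
# that of the final checks.
nss_demo() {
    workdir=$1
    ca_db="$workdir/ca_db"
    server_db="$workdir/server_db"
    pwfile="$workdir/pw.txt"
    noise="$workdir/noise.bin"
    mkdir -p "$ca_db" "$server_db"
    # Constructed DB password and entropy file so every step is non-interactive.
    printf 'changeme\n' > "$pwfile"
    head -c 256 /dev/urandom > "$noise"

    # 1. Create the empty cert/key databases (this replaces the old keyutil step).
    certutil -N -d "$ca_db" -f "$pwfile"
    certutil -N -d "$server_db" -f "$pwfile"

    # 2. Self-signed CA in one command: -S generates the RSA key pair AND the
    #    cert; -x self-signs; -t "CT,," marks it a trusted CA for SSL.
    certutil -S -d "$ca_db" -f "$pwfile" -z "$noise" \
        -n "Example CA" -s "CN=Example Test CA,O=Example" \
        -k rsa -g 2048 -t "CT,," -x -m 1 -v 12

    # 3. Server request: -R generates a fresh key pair in server_db and writes
    #    the CSR; the subject CN is the server's FQDN, as the reply requires.
    certutil -R -d "$server_db" -f "$pwfile" -z "$noise" \
        -s "CN=server.example.test,O=Example" -k rsa -g 2048 \
        -a -o "$workdir/server.csr"

    # 4. The CA issues the cert from the request (-C, with -c naming the issuer).
    certutil -C -d "$ca_db" -f "$pwfile" -c "Example CA" \
        -i "$workdir/server.csr" -a -o "$workdir/server.crt" -m 2 -v 12

    # 5. Import the issued cert into server_db; the private key from step 3 is
    #    already there and NSS pairs them by public key. Import the CA too so
    #    the chain is complete.
    certutil -A -d "$server_db" -n "server" -t ",," -a -i "$workdir/server.crt"
    certutil -L -d "$ca_db" -n "Example CA" -a > "$workdir/ca.crt"
    certutil -A -d "$server_db" -n "Example CA" -t "CT,," -a -i "$workdir/ca.crt"

    # Checks: -L shows certs only (why step 3 of the old doc showed nothing
    # before a cert existed), -K shows the key pairs.
    certutil -L -d "$server_db" | grep -q '^server ' &&
        certutil -K -d "$server_db" -f "$pwfile" | grep -q 'rsa'
}

# nss_selftest: runs the whole flow in a scratch directory. Returns 0 when
# certutil is not installed (nothing to exercise) or when the flow succeeds.
nss_selftest() {
    command -v certutil >/dev/null 2>&1 || return 0
    d=$(mktemp -d)
    nss_demo "$d"
    rm -rf "$d"
}

if [ "${1:-}" = "run" ]; then
    nss_demo "$(mktemp -d)"
fi
```

Run it as `sh nss_demo.sh run` on a host with the NSS tools installed; the scratch directory path is printed by nothing, so pass your own directory to `nss_demo` if you want to keep the databases. For the exhaustive version of every variant (DSA and EC keys, client certs, CRLs), cert.sh remains the reference, as the reply says.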