Hi Nelson and Wan-Teh,

OK, I might be able to resolve the issue that way.

Thank you for responding quickly with informative replies, this is a great help when starting to use Mozilla NSS.

Also, the NSS documentation is much better than the documentation provided for OpenSSL. I guess you and Wan-Teh Chang should get the credit for that :-)

Yahel.


Nelson B wrote:
Yahel Zamir wrote:
Hi Everyone,

Our company develops a server to be deployed at customer sites, and we
would like to use NSS to authenticate client connections. As a start, we
can set up a CA to sign our own certificates.

I tried to follow the instructions in the SSL Reference chapter "Getting
Started with SSL"
(http://www.mozilla.org/projects/security/pki/nss/ref/ssl/gtstd.html)
but encountered some difficulties. Can anyone point me to some more
information?

See below.

1.
The "Getting Started with SSL" document mentions that "keyutil" was
replaced by "certutil", which makes the examples outdated. Is this
document still valid?

The portion of that document that gives a series of keyutil and certutil
commands is NOT valid.

It doesn't work to simply change "keyutil" to "certutil" in those commands.
There is not a one-for-one correspondence between the old keyutil functions
and the new certutil functions.  certutil -L does not do what keyutil -K did.

Someone really needs to write new docs, but that work is not prioritized
very high at this time.

2.
It seems that a server certificate needs to include the server's fully
qualified domain name. Is this requirement obligatory?

Yes, essentially, because of the serious security vulnerabilities of
allowing non-FQDN host names in SSL server certs.

3.
At step (3) of "Creating the Databases and Generating the Keys", running
"certutil -L -d server_db" did not display anything. Any idea what is
missing here?

certutil -L lists only certs, not keys.

4.
I tried to proceed to "Creating the CA Certificate and Adding It to the
Database". Using the string "f7c1" returned an error, so I changed to
"rsa". But at step (2), certutil complained "certutil: self-signing a
cert request is not supported". Suggestions?

Once upon a time, certutil allowed users to specify keys by giving the
values of the leading bytes of the RSA modulus in hex, giving enough of
them to uniquely indicate a key in the key DB.  The example in the
web page you cited shows using an RSA key whose modulus starts with
0xf7c1.  Of course, when you generate your own key, you get a new
modulus.  So, even if you had that old version of certutil that uses -k
for a "key ID", you could not copy the modulus from the sample.  You'd
have to print the modulus from your own generated key and use that in
place of the values in the demo script.

But that ability to specify keys by "key id" (a leading substring of the
RSA modulus) was in NSS 1.x or 2.x (I don't remember which), and is NOT
in NSS 3.x.  In NSS 3.x, the -k option specifies the TYPE of key (e.g.
RSA, DSA, ECC) and does not identify any particular key.

In the old days, you generated a key pair with keyutil, and then
generated a cert request with a separate command using certutil.
Today, when you use certutil to generate a cert request, it generates
a new key pair for you.  The key pair generation is no longer separate
from the cert request generation.

Suggestion:  the NSS QA test scripts do ALL these steps.  They generate
cert requests, issue certs, etc.  If you can follow the cert.sh script,
or a log file from the execution of that script, you will see how to do
every step you need, and more.  The NSS QA test scripts try to be
rather exhaustive, so you might have to look through a lot to find the
commands you need.  See
http://lxr.mozilla.org/security/source/security/nss/tests/cert/cert.sh

For a log file of a run of cert.sh, see one of the log files from
http://tinderbox.mozilla.org/showbuilds.cgi?tree=NSS

Thanks,
Yahel Zamir.
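The steps the thread walks through, done with NSS 3.x certutil only (no keyutil, no hex "key id"), as an added example that is not part of this thread or of the NSS docs. The DB directory, the CA and server nicknames, the subject names, the password and the FQDN are placeholders; the script assumes certutil is on PATH and returns 2 when it is not.

```shell
#!/bin/sh
# Added example (not from the thread): modern certutil-only workflow that
# replaces the outdated keyutil/certutil sequence in "Getting Started with SSL".
# Returns 0 on success, 2 if certutil is not installed.
nss_demo_setup() {
    dir="$1"      # NSS DB directory (placeholder)
    fqdn="$2"     # server FQDN (placeholder); required in the server cert
    command -v certutil >/dev/null 2>&1 || return 2
    mkdir -p "$dir"
    pw="$dir/pw.txt"; noise="$dir/noise.bin"
    printf 'db-password-placeholder\n' > "$pw"
    head -c 1024 /dev/urandom > "$noise"   # seed for key generation (-z)

    # 1. Create empty cert and key DBs (what "keyutil -N" used to do).
    certutil -N -d "$dir" -f "$pw"

    # 2. CA key pair AND self-signed CA cert in one step. In NSS 3.x, -k is
    #    the key TYPE (rsa), not a key id; -x means self-sign.
    certutil -S -d "$dir" -f "$pw" -z "$noise" -n "Demo CA" \
        -s "CN=Demo CA,O=Example" -x -t "CT,C,C" -k rsa -g 2048 -v 12 -m 1

    # 3. Server key pair and cert request together (key generation is no
    #    longer a separate step). The FQDN goes in the CN and in a DNS SAN.
    certutil -R -d "$dir" -f "$pw" -z "$noise" -k rsa -g 2048 \
        -s "CN=$fqdn,O=Example" -8 "$fqdn" -o "$dir/server.req"

    # 4. Issue the server cert from the request, signed with the CA key.
    certutil -C -d "$dir" -f "$pw" -c "Demo CA" -i "$dir/server.req" \
        -o "$dir/server.der" -v 12 -m 2

    # 5. Import the issued cert; it pairs with the private key already in the DB.
    certutil -A -d "$dir" -f "$pw" -n "Demo Server" -t ",," -i "$dir/server.der"

    # 6. -L lists certs only; -K lists the private keys (answer 3 above).
    certutil -L -d "$dir" -f "$pw"
    certutil -K -d "$dir" -f "$pw"
}
```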


_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
