On Thu, 2 Aug 2007, David Stutzman wrote:
> Craig Dunigan wrote:
>> I created the pkcs12 file thusly:
>>
>> openssl pkcs12 -export -nodes -out domain_cert.p12 -inkey <pem encoded
>> private key used to create wildcard csr> -in <pem encoded cert returned
>> from CA>
>
> I did the following using similar files as you:
> openssl pkcs12 -export -nodes -out test.p12 -inkey key.pem -in cert.pem
>
> then I ran pk12util -l to list the contents which worked fine:
> /public/linux-dev/nss/bin/pk12util -l test.p12
>
> for testing purposes I created a new db:
> /public/linux-dev/nss/bin/certutil -N -d .
>
> tried to import it:
> /public/linux-dev/nss/bin/pk12util -i test.p12 -d .
> Enter password for PKCS12 file:
> pk12util: no nickname for cert...not handled
>
> OpenSSL didn't set a friendly name for the cert.  I went back and
> re-created the p12 with the appropriate option to set a friendly name:
> openssl pkcs12 -export -nodes -out test.p12 -inkey key.pem -in cert.pem
> -name "Testing"
>
> then I tried to import it again:
> /public/linux-dev/nss/bin/pk12util -i test.p12 -d .
> Enter password for PKCS12 file:
> pk12util: PKCS12 IMPORT SUCCESSFUL
>
> verify import:
>  /public/linux-dev/nss/bin/certutil -L -d .
> Testing                                                      u,u,u
>
>> Is there some way to make pk12util at least give me some hint as to
>> what's wrong with the syntax I'm trying?  I'm getting frustrated with
>> the less than helpful repetition of the usage message.  Thanks in advance,
>
> I think I'm using NSS 3.11.5.
> Maybe try setting a friendly name?
>
> Dave
>


Thanks David, but initially I couldn't even get far enough to make 
pk12util complain about nicknames.  It simply wouldn't do anything but 
return the usage message, which I assume means, like in other *nix 
commands, that I have the syntax wrong.

On the chance that pk12util does not follow the POSIX standard and is 
sensitive to the order of command line options, I tried re-ordering 
the options exactly following the usage message.  That seems to work, 
or, at least, pk12util complained about the nickname.  Here's the 
usage message, followed by the command that worked.

Usage:   pk12util -i importfile [-d certdir] [-P dbprefix] [-h tokenname]
                  [-k slotpwfile | -K slotpw] [-w p12filepwfile | -W p12filepw]
                  [-v]
Usage:   pk12util -l listfile [-d certdir] [-P dbprefix] [-h tokenname]
                  [-k slotpwfile | -K slotpw] [-w p12filepwfile | -W p12filepw]
Usage:   pk12util -o exportfile -n certname [-d certdir] [-P dbprefix]
                  [-k slotpwfile | -K slotpw] [-w p12filepwfile | -W p12filepw]
                  [-v]

pk12util -i <pkcs12 wildcard cert> -d <path to cert8.db/key3.db> -P 
<db filename prefix for Sun DS> -k <Sun DS token password file>

The only difference between this and the command I originally posted 
is that I originally had -k before -P.

I'm posting this in the hopes that someone else experiencing this will 
search on "usage message" or "command syntax" in the maillist archive 
before posting, like I did, and see the reason for the repeated usage 
message.  I'm also hoping the developers might read it and consider 
implementing the POSIX standard for command line options, or at least 
including a note in the usage message that states that order of 
options matters.

Now that I can see the nickname error, I'm assuming that recreating 
the pkcs12 file with a name, as you suggest, David, will work just 
fine.  Thanks for pointing it out and saving me another trip to the 
search engines.

-- 
Craig Dunigan
IS Technical Services Specialist
Middleware - EIS - DoIT
University of Wisconsin, Madison

opinions expressed are my own, not the University's
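The whole procedure from this thread as one script, an added example that is neither Craig's nor David's commands nor code from NSS or OpenSSL: it exports the PKCS#12 with a friendly name, creates a fresh database, and imports with the pk12util options in the order the usage message lists them. File names, the CN and the passwords are made up; openssl, certutil and pk12util are assumed to be on PATH.

```shell
#!/bin/sh
# Added example, not code from the thread: the round trip Craig and David
# describe, with both pitfalls handled (friendly name set via openssl -name,
# pk12util options given in the usage-message order). All file names are
# made up; openssl, certutil and pk12util are assumed to be on PATH.
set -eu

# Assemble pk12util import options exactly as the usage message lists them:
# -i importfile [-d certdir] [-P dbprefix] [-k slotpwfile]
pk12_import_args() {
  p12=$1; certdir=$2; prefix=${3:-}; pwfile=${4:-}
  args="-i $p12 -d $certdir"
  [ -n "$prefix" ] && args="$args -P $prefix"
  [ -n "$pwfile" ] && args="$args -k $pwfile"
  printf '%s\n' "$args"
}

# Export key and cert to PKCS#12 with a friendlyName; NSS uses it as the
# certificate nickname, and without it pk12util reports
# "no nickname for cert...not handled".
make_p12() {   # out.p12 key.pem cert.pem "Friendly Name" p12-password-file
  openssl pkcs12 -export -out "$1" -inkey "$2" -in "$3" -name "$4" \
    -passout "file:$5"
}

# Complete round trip in a scratch directory (subshell, so the cd does not
# leak). Prints the nickname that certutil -L shows after the import.
roundtrip() (
  work=$(mktemp -d); trap 'rm -rf "$work"' EXIT; cd "$work"
  printf 'p12pass\n' > p12pw.txt
  printf 'dbpass\n'  > dbpw.txt
  # throwaway self-signed key and cert standing in for the CA-issued pair
  openssl req -x509 -newkey rsa:2048 -nodes -keyout key.pem -out cert.pem \
    -subj '/CN=example.test' -days 1 >/dev/null 2>&1
  make_p12 test.p12 key.pem cert.pem Testing p12pw.txt
  certutil -N -d . -f dbpw.txt                   # new, empty cert/key database
  # shellcheck disable=SC2046  # splitting the option string into words is intended
  pk12util $(pk12_import_args test.p12 . "" dbpw.txt) -w p12pw.txt >/dev/null
  certutil -L -d . | awk 'NR > 3 && NF { print $1; exit }'
)

# Run the round trip when invoked as:  sh this_script.sh run
if [ "${1:-}" = run ]; then roundtrip; fi
```

roundtrip prints the nickname certutil -L lists, which should be Testing; dropping -name from make_p12 reproduces the "no nickname for cert" error from the thread.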

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto