On Thu, 2 Aug 2007, David Stutzman wrote:

> Craig Dunigan wrote:
>> I created the pkcs12 file thusly:
>>
>> openssl pkcs12 -export -nodes -out domain_cert.p12 -inkey <pem encoded
>> private key used to create wildcard csr> -in <pem encoded cert returned
>> from CA>
>
> I did the following using similar files as you:
> openssl pkcs12 -export -nodes -out test.p12 -inkey key.pem -in cert.pem
>
> then I ran pk12util -l to list the contents which worked fine:
> /public/linux-dev/nss/bin/pk12util -l test.p12
>
> for testing purposes I created a new db:
> /public/linux-dev/nss/bin/certutil -N -d .
>
> tried to import it:
> /public/linux-dev/nss/bin/pk12util -i test.p12 -d .
> Enter password for PKCS12 file:
> pk12util: no nickname for cert...not handled
>
> OpenSSL didn't set a friendly name for the cert. I went back and
> re-created the p12 with the appropriate option to set a friendly name:
> openssl pkcs12 -export -nodes -out test.p12 -inkey key.pem -in cert.pem
> -name "Testing"
>
> then I tried to import it again:
> /public/linux-dev/nss/bin/pk12util -i test.p12 -d .
> Enter password for PKCS12 file:
> pk12util: PKCS12 IMPORT SUCCESSFUL
>
> verify import:
> /public/linux-dev/nss/bin/certutil -L -d .
> Testing u,u,u
>
>> Is there some way to make pk12util at least give me some hint as to
>> what's wrong with the syntax I'm trying? I'm getting frustrated with
>> the less than helpful repetition of the usage message. Thanks in advance,
>
> I think I'm using NSS 3.11.5.
> Maybe try setting a friendly name?
>
> Dave
>
Thanks David, but initially I couldn't even get far enough to make pk12util complain about nicknames. It simply wouldn't do anything but return the usage message, which I assume means, like in other *nix commands, that I have the syntax wrong. On the chance that pk12util does not follow POSIX standard and is sensitive to the order of command line options, I tried re-ordering the options exactly following the usage message. That seems to work, or, at least, pk12util complained about the nickname. Here's the usage message, followed by the command that worked.

Usage: pk12util -i importfile [-d certdir] [-P dbprefix] [-h tokenname]
                [-k slotpwfile | -K slotpw] [-w p12filepwfile | -W p12filepw] [-v]
Usage: pk12util -l listfile [-d certdir] [-P dbprefix] [-h tokenname]
                [-k slotpwfile | -K slotpw] [-w p12filepwfile | -W p12filepw]
Usage: pk12util -o exportfile -n certname [-d certdir] [-P dbprefix]
                [-k slotpwfile | -K slotpw] [-w p12filepwfile | -W p12filepw] [-v]

pk12util -i <pkcs12 wildcard cert> -d <path to cert8.db/key3.db> -P <db filename prefix for Sun DS> -k <Sun DS token password file>

The only difference between this and the command I originally posted is that I originally had -k before -P. I'm posting this in the hopes that someone else experiencing this will search on "usage message" or "command syntax" in the maillist archive before posting, like I did, and see the reason for the repeated usage message. I'm also hoping the developers might read it and consider implementing the POSIX standard for command line options, or at least including a note in the usage message that states that order of options matters.

Now that I can see the nickname error, I'm assuming that recreating the pkcs12 file with a name, as you suggest, David, will work just fine. Thanks for pointing it out and saving me another trip to the search engines.

-- 
Craig Dunigan
IS Technical Services Specialist
Middleware - EIS - DoIT
University of Wisconsin, Madison
opinions expressed are my own, not the University's
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
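
The two checks this thread arrives at, as an added example that is not part of the original messages or of NSS: confirm the certificate in the PKCS#12 file carries a friendly name, then run the import with options in the order the usage message lists them. The function names and the PK12UTIL override variable are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and the PK12UTIL
# override variable are assumptions made for this sketch.

# Succeeds if `openssl pkcs12 -in FILE -nokeys` output (read on stdin)
# shows a friendlyName attribute, which the import in this thread
# needed as the certificate nickname.
has_friendly_name() {
    grep -q '^ *friendlyName: *[^ ]'
}

# Run pk12util -i with options placed in the order of its usage message,
# whatever order the caller used. Only the password-file forms (-k, -w)
# are accepted, so passwords stay out of the process argument list.
# The body runs in a subshell so no variables leak into the caller.
pk12util_import() (
    OPTIND=1
    p12='' dir='' prefix='' token='' slotpw='' p12pw='' verbose=''
    while getopts 'i:d:P:h:k:w:v' opt; do
        case "$opt" in
            i) p12=$OPTARG ;;
            d) dir=$OPTARG ;;
            P) prefix=$OPTARG ;;
            h) token=$OPTARG ;;
            k) slotpw=$OPTARG ;;
            w) p12pw=$OPTARG ;;
            v) verbose=1 ;;
            *) exit 2 ;;
        esac
    done
    [ -n "$p12" ] || { echo 'pk12util_import: -i importfile is required' >&2; exit 2; }
    # Usage-message order: -i, -d, -P, -h, -k, -w, -v
    set -- -i "$p12"
    [ -z "$dir" ]     || set -- "$@" -d "$dir"
    [ -z "$prefix" ]  || set -- "$@" -P "$prefix"
    [ -z "$token" ]   || set -- "$@" -h "$token"
    [ -z "$slotpw" ]  || set -- "$@" -k "$slotpw"
    [ -z "$p12pw" ]   || set -- "$@" -w "$p12pw"
    [ -z "$verbose" ] || set -- "$@" -v
    "${PK12UTIL:-pk12util}" "$@"
)
```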