On Thu, 2 Aug 2007, David Stutzman wrote:
> Craig Dunigan wrote:
>> I created the pkcs12 file thusly:
>>
>> openssl pkcs12 -export -nodes -out domain_cert.p12 -inkey <pem encoded
>> private key used to create wildcard csr> -in <pem encoded cert returned
>> from CA>
>
> I did the following using similar files as you:
> openssl pkcs12 -export -nodes -out test.p12 -inkey key.pem -in cert.pem
>
> then I ran pk12util -l to list the contents which worked fine:
> /public/linux-dev/nss/bin/pk12util -l test.p12
>
> for testing purposes I created a new db:
> /public/linux-dev/nss/bin/certutil -N -d .
>
> tried to import it:
> /public/linux-dev/nss/bin/pk12util -i test.p12 -d .
> Enter password for PKCS12 file:
> pk12util: no nickname for cert...not handled
>
> OpenSSL didn't set a friendly name for the cert. I went back and
> re-created the p12 with the appropriate option to set a friendly name:
> openssl pkcs12 -export -nodes -out test.p12 -inkey key.pem -in cert.pem
> -name "Testing"
>
> then I tried to import it again:
> /public/linux-dev/nss/bin/pk12util -i test.p12 -d .
> Enter password for PKCS12 file:
> pk12util: PKCS12 IMPORT SUCCESSFUL
>
> verify import:
> /public/linux-dev/nss/bin/certutil -L -d .
> Testing u,u,u
>
>> Is there some way to make pk12util at least give me some hint as to
>> what's wrong with the syntax I'm trying? I'm getting frustrated with
>> the less than helpful repetition of the usage message. Thanks in advance,
>
> I think I'm using NSS 3.11.5.
> Maybe try setting a friendly name?
>
> Dave
>
Thanks David, but initially I couldn't even get far enough to make
pk12util complain about nicknames. It simply wouldn't do anything but
return the usage message, which I assume means, like in other *nix
commands, that I have the syntax wrong.
On the chance that pk12util does not follow POSIX standard and is
sensitive to the order of command line options, I tried re-ordering
the options exactly following the usage message. That seems to work,
or, at least, pk12util complained about the nickname. Here's the
usage message, followed by the command that worked.
Usage: pk12util -i importfile [-d certdir] [-P dbprefix] [-h tokenname]
[-k slotpwfile | -K slotpw] [-w p12filepwfile | -W p12filepw]
[-v]
Usage: pk12util -l listfile [-d certdir] [-P dbprefix] [-h tokenname]
[-k slotpwfile | -K slotpw] [-w p12filepwfile | -W p12filepw]
Usage: pk12util -o exportfile -n certname [-d certdir] [-P dbprefix]
[-k slotpwfile | -K slotpw] [-w p12filepwfile | -W p12filepw]
[-v]
pk12util -i <pkcs12 wildcard cert> -d <path to cert8.db/key3.db> -P
<db filename prefix for Sun DS> -k <Sun DS token password file>
The only difference between this and the command I originally posted
is that I originally had -k before -P.
I'm posting this in the hopes that someone else experiencing this will
search on "usage message" or "command syntax" in the maillist archive
before posting, like I did, and see the reason for the repeated usage
message. I'm also hoping the developers might read it and consider
implementing the POSIX standard for command line options, or at least
including a note in the usage message that states that order of
options matters.
Now that I can see the nickname error, I'm assuming that recreating
the pkcs12 file with a name, as you suggest, David, will work just
fine. Thanks for pointing it out and saving me another trip to the
search engines.
--
Craig Dunigan
IS Technical Services Specialist
Middleware - EIS - DoIT
University of Wisconsin, Madison
opinions expressed are my own, not the University's
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
