beyonddc wrote, On 2008-04-09 09:43:
> Hi group,
> 
> I have some questions about certutil.
> 
> When you create an individual certificate and add it to a certificate
> database with the "-S" command, does it also generate a key pair for
> you?

Yes.

> I'm following the instructions in "Red Hat Directory Server 7.1
> Administrator Guide" to use certutil to create a self-signed
> certificate.
> http://www.redhat.com/docs/manuals/dir-server/ag/7.1/ssl.html#1087158

Ugh!  That section needs to be rewritten, IMO.
Among its problems:
- shows the generation of a "noise" file with little or no entropy.
- reuses that noise file in the generation of multiple keys.
- doesn't explain what to do with the generated CA cert
- doesn't explain that this is for testing only, not for production use.

> I got very confused in step 5 in the "Using certutil" section in the
> "RH DS 7.1 Admin Guide" about generating a standalone key pair with the
> "-G" command, and then it seems like it is not using it at all
> afterward, because the manual then goes on and explains using the "-S"
> command to create and add self-signed and server certificates.

Yeah, step 5 is a no-op.

> I just want to have a second pair of eyes look at the few steps documented
> in the "RH DS 7.1 Admin Guide" to confirm that what I said is correct:
> that step 5 in the "Using certutil" section, generating a key pair with
> the "-G" command, is not necessary.

Right.

Suggestions:

1. Don't use vi (or any text editor) to generate a noise file.
Instead use
>  dd bs=256 count=1 if=/dev/urandom of=noise

Note: it's not a text file, so drop the .txt suffix

2. Don't re-use noise files.  Run that dd command immediately before each
and every command (such as certutil) that uses the noise file as an input,
to get a fresh noise file.  And rm that file right after it is used once.

3. Export that CA cert (without the private key) to a file, so that it
can be imported into clients who will then trust it as a CA for issuing
SSL server certs.
>  certutil -L -d . -n "CA certificate" -a -o /tmp/rootcert.pem

4. Import that CA cert into the client and trust it to issue SSL server
certs.  The exact method depends on the client.  For NSS-based clients
it would be something like:

>  certutil -A -d client-dir -n "CA certificate" -a -t C,, -i /tmp/rootcert.pem

/Nelson
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

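The four suggestions in Nelson's reply, carried through end to end as an added example (this is not code from the thread, from the RH DS guide, or from NSS): a fresh 256-byte noise file from /dev/urandom immediately before each key generation and removed right after, a self-signed CA made with "-S -x", a server cert issued from it with "-S -c", the CA cert exported as PEM with "-L -a" (certificate only, no private key), and the PEM imported into a separate client database with "-A -t C,," and checked with "certutil -V -u V". The nicknames ("CA certificate", "Server-Cert"), the subject names, the hostname ldap.example.test, the password file and the fixed serial numbers are assumptions chosen for the example; everything is created under a temporary directory and is for testing only.

```shell
#!/bin/sh
# Added example (not from the mailing-list post or the RH DS guide):
# a throwaway test PKI built with NSS certutil. Nicknames, subjects,
# hostname, password and serial numbers below are assumptions.
set -eu

# Suggestions 1 and 2: 256 bytes from the kernel CSPRNG, generated right
# before the single command that consumes it. It is binary, so no .txt.
fresh_noise() {
  dd bs=256 count=1 if=/dev/urandom of="$1" 2>/dev/null
}

# Create a CA database, a self-signed CA cert (-S -x) and a server cert
# issued by that CA (-S -c). Each key pair gets its own fresh noise file,
# which is deleted as soon as certutil has used it.
make_ca_and_server() {
  ca="$1"
  mkdir -p "$ca"
  printf 'test-only-password\n' > "$ca/pwfile"
  certutil -N -d "$ca" -f "$ca/pwfile"

  fresh_noise "$ca/noise"
  # -2 adds basicConstraints; its three interactive prompts are answered
  # on stdin: CA? y, path length: (blank = unlimited), critical? y.
  # Fixed serial (-m 1) is acceptable only because the DB is brand new.
  printf 'y\n\ny\n' | certutil -S -d "$ca" -f "$ca/pwfile" -z "$ca/noise" \
    -n "CA certificate" -s "CN=Test CA,O=Example" -x -t "CT,," \
    -k rsa -g 2048 -v 12 -m 1 -2 >/dev/null
  rm -f "$ca/noise"

  fresh_noise "$ca/noise"
  certutil -S -d "$ca" -f "$ca/pwfile" -z "$ca/noise" \
    -n "Server-Cert" -s "CN=ldap.example.test,O=Example" \
    -c "CA certificate" -t ",," -k rsa -g 2048 -v 12 -m 2
  rm -f "$ca/noise"
}

# Suggestion 3: export the CA certificate alone, as PEM. -L never writes
# the private key, which stays in the CA database.
export_cert_pem() {
  certutil -L -d "$1" -n "$2" -a -o "$3"
}

# Suggestion 4: a separate client database that trusts the CA to issue
# SSL server certs (C in the SSL slot), then a chain check of the server
# cert for SSL-server usage (-u V). certutil -V exits non-zero on failure.
client_trust_and_verify() {
  client="$1"; ca_pem="$2"; server_pem="$3"
  mkdir -p "$client"
  printf 'test-only-password\n' > "$client/pwfile"
  certutil -N -d "$client" -f "$client/pwfile"
  certutil -A -d "$client" -n "CA certificate" -a -t "C,," -i "$ca_pem"
  certutil -A -d "$client" -n "Server-Cert" -a -t ",," -i "$server_pem"
  certutil -V -d "$client" -n "Server-Cert" -u V
}

# Whole procedure under one working directory; succeeds (exit 0) only if
# the client validates the server cert through the imported CA.
build_test_pki() {
  work="$1"
  make_ca_and_server "$work/ca"
  export_cert_pem "$work/ca" "CA certificate" "$work/rootcert.pem"
  export_cert_pem "$work/ca" "Server-Cert" "$work/server.pem"
  grep -q 'BEGIN CERTIFICATE' "$work/rootcert.pem"
  ! grep -q 'PRIVATE KEY' "$work/rootcert.pem"
  client_trust_and_verify "$work/client" "$work/rootcert.pem" "$work/server.pem"
}

# Run end to end when certutil is installed; everything lands in a
# temporary directory that is removed afterwards.
if command -v certutil >/dev/null 2>&1; then
  work_dir=$(mktemp -d)
  build_test_pki "$work_dir"
  rm -rf "$work_dir"
fi
```

Run it with sh; the only output on success is certutil's "certificate is valid" line from the client-side check. The noise file is regenerated for each of the two key pairs and never reused, and the only artifact that crosses from the CA database to the client is rootcert.pem, which contains the certificate and nothing else.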