aahh.... that's exactly what I thought. I was suspecting step 5 is a no-op! Thanks for your confirmation!
I also learned something new. I didn't know you can use certutil to export a certificate to PEM format. Thanks!

On Apr 10, 12:50 am, Nelson Bolyard <[EMAIL PROTECTED]> wrote:
> beyonddc wrote, On 2008-04-09 09:43:
>
> > Hi group,
>
> > I have some questions about certutil.
>
> > When you create an individual certificate and add it to a certificate
> > database with the "-S" command, does it also generate a key pair for
> > you?
>
> Yes.
>
> > I'm following the instructions in "Red Hat Directory Server 7.1
> > Administrator Guide" to use certutil to create a self-signed
> > certificate.
> > http://www.redhat.com/docs/manuals/dir-server/ag/7.1/ssl.html#1087158
>
> Ugh! That section needs to be rewritten, IMO.
> Among its problems:
> - shows the generation of a "noise" file with little or no entropy.
> - reuses that noise file in the generation of multiple keys.
> - doesn't explain what to do with the generated CA cert
> - doesn't explain that this is for testing only, not for production use.
>
> > I got very confused in step 5 in the "Using certutil" section in the
> > "RH DS 7.1 Admin Guide" about generating a standalone key pair with the
> > "-G" command, and then it seems like it is not using it at all
> > afterward, because the manual then goes on and explains using the "-S"
> > command to create and add self-signed and server certificates.
>
> Yeah, step 5 is a no-op.
>
> > I just want to have a second pair of eyes look at the few steps documented
> > in the "RH DS 7.1 Admin Guide" to confirm what I said is correct, that
> > step 5 in the "Using certutil" section to generate a key pair with the
> > "-G" command is not necessary.
>
> Right.
>
> Suggestions:
>
> 1. Don't use vi (or any text editor) to generate a noise file.
> Instead use
>
> > dd bs=256 count=1 if=/dev/urandom of=noise
>
> Note: it's not a text file, so drop the .txt suffix
>
> 2. Don't re-use noise files. Run that dd command immediately before each
> and every command (such as certutil) that uses the noise file as an input,
> to get a fresh noise file. And rm that file right after it is used once.
>
> 3. Export that CA cert (without the private key) to a file, so that it
> can be imported into clients who will then trust it as a CA for issuing
> SSL server certs.
>
> > certutil -L -d . -n "CA certificate" -a -o /tmp/rootcert.pem
>
> 4. Import that CA cert into the client and trust it to issue SSL server
> certs. The exact method depends on the client. For NSS-based clients
> it would be something like:
>
> > certutil -A -d client-dir -n "CA certificate" -a -t C,, -i
> > /tmp/rootcert.pem
>
> /Nelson

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
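Nelson's four suggestions, put together as one test-setup script. This is an added example, not code from the thread or from the Red Hat guide; it assumes the NSS `certutil` binary is on PATH, and the directory names, DB password and subject DN are made up.

```shell
#!/bin/sh
# Added example (not from the thread): corrected certutil workflow for a
# self-signed test CA. Assumes NSS certutil on PATH; names below are made up.
set -eu

# Fresh 256-byte noise file from the kernel RNG. Create it right before the
# command that consumes it and remove it right after; never reuse it, and it
# is binary, so no .txt suffix.
make_noise() {
    dd bs=256 count=1 if=/dev/urandom of="$1" 2>/dev/null
    [ "$(wc -c < "$1")" -eq 256 ]
}

# Server-side NSS DB plus a self-signed CA cert. "-S" generates the key pair
# itself, so no separate "-G" step is needed (the "step 5" no-op).
create_ca() {
    mkdir -p "$1"
    echo "test-db-password" > "$1/pw"          # made-up DB password
    certutil -N -d "$1" -f "$1/pw"
    make_noise "$1/noise"
    certutil -S -d "$1" -f "$1/pw" -z "$1/noise" -k rsa -g 2048 \
        -n "CA certificate" -s "CN=Test CA,O=Example" -x -t "CT,," -v 12
    rm -f "$1/noise"                            # used once, then gone
}

# Suggestion 3: export the CA cert only (no private key) as PEM.
export_ca() {
    certutil -L -d "$1" -n "CA certificate" -a -o "$2"
}

# Suggestion 4: import that PEM into a client DB, trusted for SSL servers.
import_ca() {
    mkdir -p "$1"
    echo "test-db-password" > "$1/pw"
    certutil -N -d "$1" -f "$1/pw"
    certutil -A -d "$1" -f "$1/pw" -n "CA certificate" -a -t "C,," -i "$2"
}

main() {
    work=$(mktemp -d)
    create_ca "$work/server"
    export_ca "$work/server" "$work/rootcert.pem"
    import_ca "$work/client" "$work/rootcert.pem"
    certutil -L -d "$work/client"               # shows "CA certificate" with C,,
    rm -rf "$work"
}
```

Run `main` to walk through the whole sequence; the export on the server side and the import on the client side are the two steps the guide leaves out.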