Hi,
I use NSS 3.11.4 with NSPR 4.6.4 (for FIPS-compliant usage).
Here are the steps I perform to add a new certificate to the NSS db:
Phase 1 -  Create a CA Certificate

*       CA: Create NSS DB for CA
        o       Create the folder:
                mkdir /opt/nss/fipscadb/
        o       Create the DB:
                /opt/nss/bin/certutil -N -d /opt/nss/fipscadb/ -f /opt/nss/fipscadb/pwdfile.txt
        o       Make DB FIPS compliant:
                /opt/nss/bin/modutil -fips true -dbdir /opt/nss/fipscadb
*       CA: Create a CA certificate for self signing in NSS CA db
        o       /opt/nss/bin/certutil -S -d /opt/nss/fipscadb/ -n cacert -s "CN=et, OU=org unit, O=org, L=TA, ST=AAA, C=BB" -x -t "CTu,CTu,CTu" -v 120 -f /opt/nss/fipscadb/pwdfile.txt -z /opt/nss/fipscadb/noise.txt
*       CA: Export the certificate to a file
        o       /opt/nss/bin/certutil -L -n cacert -a -d /opt/nss/fipscadb/ -o cacert.cer


Phase 2 -  Create a Server Certificate

*       Server: Create NSS DB for Server
        o       Create the folder:
                mkdir /opt/nss/fipsdb/
        o       Create the DB:
                /opt/nss/bin/certutil -N -d /opt/nss/fipsdb/ -f /opt/nss/fipsdb/pwdfile.txt
        o       Make DB FIPS compliant:
                /opt/nss/bin/modutil -fips true -dbdir /opt/nss/fipsdb
*       Server: Create a server certificate request (.csr file)
        o       /opt/nss/bin/certutil -R -a -o servercert.csr -s "CN=et, OU=org unit, O=org, L=TA, ST=AAA, C=BB" -p "650-555-8888" -d /opt/nss/fipsdb/ -f /opt/nss/fipsdb/pwdfile.txt -z /opt/nss/fipsdb/noise.txt
*       CA: Sign the CSR using NSS tools:
        o       Copy the certificate request file from server to CA:
                cp /opt/nss/fipsdb/servercert.csr /opt/nss/fipscadb/
        o       Sign (output is .cer file):
                /opt/nss/bin/certutil -C -c cacert -a -i /opt/nss/fipscadb/servercert.csr -o /opt/nss/fipscadb/servercert.cer -v 120 -f /opt/nss/fipscadb/pwdfile.txt -d /opt/nss/fipscadb/ -s "CN=et, OU=org unit, O=org, L=CC, ST=AAA, C=BB"
*       Server: Import the server certificate signed by CA using NSS tools
        o       Copy the certificate file from CA to Server:
                cp /opt/nss/fipscadb/servercert.cer /opt/nss/fipsdb/
        o       Import certificate:
                /opt/nss/bin/certutil -A -n servercert -t "p,p,p" -a -i /opt/nss/fipsdb/servercert.cer -d /opt/nss/fipsdb/

After the last command I get an error: "certutil: could not add certificate to token or database: Error adding certificate to database."
If I don't run modutil -fips on the server database, no error occurs.
What am I missing here?

Thanks in advance,
Yevgeniy


This email and any files transmitted with it are confidential material. They 
are intended solely for the use of the designated individual or entity to whom 
they are addressed. If the reader of this message is not the intended 
recipient, you are hereby notified that any dissemination, use, distribution or 
copying of this communication is strictly prohibited and may be unlawful.

If you have received this email in error please immediately notify the sender 
and delete or destroy any copy of this message
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
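The same CA -> CSR -> sign -> import workflow as an added, self-contained script; it is not the poster's command list and not NSS project code. It assumes certutil and modutil are on PATH, that modutil accepts -force to skip its interactive confirmation, and that the database password (a constructed value here) satisfies the NSS FIPS password policy. Directory names, nicknames and subjects are placeholders. The one deliberate difference from the post is that -f pwdfile is passed to every command that touches a FIPS-mode database, including the final -A import, on the assumption that the FIPS-mode softoken requires a login before it will write to the database; the post's last command is the only one run without it.

```shell
#!/bin/sh
# Added example: FIPS-mode NSS CA and server databases built end to end.
# Assumes certutil/modutil on PATH; all paths below are placeholders.
set -eu

NSS_DEMO_ROOT="${NSS_DEMO_ROOT:-$(mktemp -d)}"   # override to keep the DBs
CA_DB="$NSS_DEMO_ROOT/fipscadb"
SRV_DB="$NSS_DEMO_ROOT/fipsdb"
SUBJECT_CA="CN=demo-ca, O=org, C=BB"
SUBJECT_SRV="CN=demo-server, O=org, C=BB"

# Create one database, store its password in a root-only file, seed a noise
# file for key generation, and switch the database into FIPS mode.
# The password is a constructed value chosen to satisfy the NSS FIPS policy
# (at least 7 characters drawn from at least three character classes).
make_fips_db() {
    db="$1"
    mkdir -p "$db"
    printf '%s\n' 'Demo-Pass-2024!' > "$db/pwdfile.txt"
    chmod 600 "$db/pwdfile.txt"
    dd if=/dev/urandom of="$db/noise.txt" bs=32 count=1 2>/dev/null
    certutil -N -d "$db" -f "$db/pwdfile.txt"
    modutil -fips true -dbdir "$db" -force
}

# CA side: self-signed CA certificate, exported as PEM for distribution.
make_ca() {
    certutil -S -d "$CA_DB" -n cacert -s "$SUBJECT_CA" -x -t "CT,CT,CT" -v 120 \
        -f "$CA_DB/pwdfile.txt" -z "$CA_DB/noise.txt"
    certutil -L -d "$CA_DB" -n cacert -a -o "$CA_DB/cacert.cer"
}

# Server side: key pair plus PEM certificate request in the server database.
make_server_csr() {
    certutil -R -d "$SRV_DB" -a -o "$SRV_DB/servercert.csr" -s "$SUBJECT_SRV" \
        -f "$SRV_DB/pwdfile.txt" -z "$SRV_DB/noise.txt"
}

# CA side: sign the request with the CA key; the subject comes from the CSR.
ca_sign_csr() {
    cp "$SRV_DB/servercert.csr" "$CA_DB/"
    certutil -C -d "$CA_DB" -c cacert -a -i "$CA_DB/servercert.csr" \
        -o "$CA_DB/servercert.cer" -v 120 -f "$CA_DB/pwdfile.txt"
}

# Server side: import the CA certificate (trusted only to issue TLS server
# certs) and then the signed server certificate. Both imports pass -f,
# the assumed requirement for writing to a FIPS-mode token.
import_signed_cert() {
    cp "$CA_DB/servercert.cer" "$SRV_DB/"
    certutil -A -d "$SRV_DB" -n cacert -t "CT,," -a -i "$CA_DB/cacert.cer" \
        -f "$SRV_DB/pwdfile.txt"
    certutil -A -d "$SRV_DB" -n servercert -t "u,u,u" -a \
        -i "$SRV_DB/servercert.cer" -f "$SRV_DB/pwdfile.txt"
}

# Returns 0 when the server certificate is present under its nickname.
server_cert_present() {
    certutil -L -d "$SRV_DB" -n servercert -f "$SRV_DB/pwdfile.txt" >/dev/null
}

run_demo() {
    make_fips_db "$CA_DB"
    make_fips_db "$SRV_DB"
    make_ca
    make_server_csr
    ca_sign_csr
    import_signed_cert
    server_cert_present
    echo "FIPS-mode databases ready under $NSS_DEMO_ROOT"
}

# Run the whole workflow only when executed under this file name
# (sourcing the file just defines the functions).
case "$0" in *fips_nss_demo.sh) run_demo ;; esac
```

Save it as fips_nss_demo.sh and run it with sh; set NSS_DEMO_ROOT to keep the databases in a known place. If the final import still fails on a given build, `certutil -L -d "$SRV_DB"` before and after `modutil -fips true` shows whether the database itself changed, and `modutil -list -dbdir "$SRV_DB"` shows whether the FIPS token is the one receiving the write.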
