Yevgeniy Gubenko wrote, On 2008-08-07 09:09:
> I use NSS 3.11.4 with NSPR 4.6.4 (for FIPS-compliant usage).
> Here are the steps I perform to add a new certificate to the NSS db:
>
> Phase 1 - Create a CA Certificate
>
> * CA: Create NSS DB for CA
>   o Create the folder:
>     mkdir /opt/nss/fipscadb/
>   o Create the DB:
>     certutil -N -d /opt/nss/fipscadb/ -f /opt/nss/fipscadb/pwdfile.txt
>   o Make DB FIPS compliant:
>     modutil -fips true -dbdir /opt/nss/fipscadb
> * CA: Create a CA certificate for self signing in NSS CA db
>   o certutil -S -d /opt/nss/fipscadb/ -n cacert -s \
>     "CN=et, OU=org unit, O=org, L=TA, ST=AAA, C=BB" -x -t "CTu,CTu,CTu" \
>     -v 120 -f /opt/nss/fipscadb/pwdfile.txt -z /opt/nss/fipscadb/noise.txt
> * CA: Export the certificate to a file
>   o certutil -L -n cacert -a -d /opt/nss/fipscadb/ -o cacert.cer
>
> Phase 2 - Create a Server Certificate
>
> * Server: Create NSS DB for Server
>   o Create the folder:
>     mkdir /opt/nss/fipsdb/
>   o Create the DB:
>     certutil -N -d /opt/nss/fipsdb/ -f /opt/nss/fipsdb/pwdfile.txt
>   o Make DB FIPS compliant:
>     modutil -fips true -dbdir /opt/nss/fipsdb
> * Server: Create a server certificate request (.csr file)
>   o certutil -R -a -o servercert.csr -s \
>     "CN=et, OU=org unit, O=org, L=TA, ST=AAA, C=BB" -p "650-555-8888" \
>     -d /opt/nss/fipsdb/ -f /opt/nss/fipsdb/pwdfile.txt \
>     -z /opt/nss/fipsdb/noise.txt
> * CA: Sign the CSR using NSS tools:
>   o Copy the certificate request file from server to CA:
>     cp /opt/nss/fipsdb/servercert.csr /opt/nss/fipscadb/
>   o Sign (output is .cer file):
>     certutil -C -c cacert -a -i /opt/nss/fipscadb/servercert.csr \
>     -o /opt/nss/fipscadb/servercert.cer -v 120 -f \
>     /opt/nss/fipscadb/pwdfile.txt -d /opt/nss/fipscadb/ -s \
>     "CN=et, OU=org unit, O=org, L=CC, ST=AAA, C=BB"
> * Server: Import the server certificate signed by CA using NSS tools
>   o Copy the certificate file from CA to Server:
>     cp /opt/nss/fipscadb/servercert.cer /opt/nss/fipsdb/
>   o Import certificate:
>     certutil -A -n servercert -t "p,p,p" -a -i \
>     /opt/nss/fipsdb/servercert.cer -d /opt/nss/fipsdb/
>
> After the last command I get an error:
> "certutil: could not add certificate to token or database: Error adding
> certificate to database."
> If I don't perform modutil -fips on the Server Database, no error occurs.
> What do I miss here?
>
> Thanks in advance,
> Yevgeniy
Were you producing cert8.db or were you producing cert9.db?

For cert8.db, this seems like a bug, although it bears a little bit more
investigation. I think Bob will look into it.

Let me suggest an alternative set of steps to produce the files you want.
See <http://www.mozilla.org/projects/security/pki/nss/ref/ssl/gtstd.html#1011987>

One more comment: The stuff below is inappropriate for email sent to a list
with world-wide distribution. Please leave it off of further mails to this
list. Thanks.

> This email and any files transmitted with it are confidential material.
> They are intended solely for the use of the designated individual or
> entity to whom they are addressed. If the reader of this message is not
> the intended recipient, you are hereby notified that any dissemination,
> use, distribution or copying of this communication is strictly prohibited
> and may be unlawful.
>
> If you have received this email in error please immediately notify the
> sender and delete or destroy any copy of this message

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
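The two-database procedure quoted in the thread, written out as one runnable script. This is an added example, not code from either poster, from the thread, or from the NSS project, and it targets a current certutil/modutil rather than NSS 3.11.4. It differs from the quoted steps in four places, each an assumption on my part rather than something the thread establishes: `modutil` is given `-force` so it does not stop at its interactive prompt; every `certutil` call that touches a FIPS-mode token, including the final `-A` import, passes `-f pwdfile` (a FIPS token has to be logged in before it will accept writes); `-s` is dropped from `certutil -C`, since the subject comes from the CSR; and the CA certificate is also imported into the server database with `CT,C,C` trust so `certutil -V` can check the chain. The directory layout under the script's first argument, the password, and the subjects are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): CA + server certificate flow across two
# FIPS-mode NSS databases. Requires certutil and modutil (nss-tools).
# Assumptions, not facts from the thread: -force on modutil, -f on every
# certutil call that touches a FIPS token, no -s with -C, CA cert imported
# into the server DB as a trust anchor.
set -eu

# Constructed subjects (mirroring the quoted ones) and password. FIPS mode
# enforces a minimum password length and character mix, so keep it strong.
SUBJECT_CA="CN=et, OU=org unit, O=org, L=TA, ST=AAA, C=BB"
SUBJECT_SRV="CN=et, OU=org unit, O=org, L=CC, ST=AAA, C=BB"
PASSWORD='Fips-Demo-Pass-2024!'

have_nss_tools() {
    command -v certutil >/dev/null 2>&1 && command -v modutil >/dev/null 2>&1
}

# new_fips_db DIR: create an NSS DB with a password, then switch it to FIPS mode.
new_fips_db() {
    dir=$1
    mkdir -p "$dir"
    printf '%s\n' "$PASSWORD" > "$dir/pwdfile.txt"
    head -c 256 /dev/urandom > "$dir/noise.txt"
    certutil -N -d "$dir" -f "$dir/pwdfile.txt"
    # -force skips modutil's interactive "browser may be running" prompt.
    modutil -fips true -dbdir "$dir" -force
}

# run_demo ROOT: CA DB under ROOT/ca, server DB under ROOT/server.
run_demo() {
    root=$1; ca="$root/ca"; srv="$root/server"
    new_fips_db "$ca"
    new_fips_db "$srv"

    # Phase 1: self-signed CA certificate, exported as PEM.
    certutil -S -d "$ca" -f "$ca/pwdfile.txt" -z "$ca/noise.txt" \
        -n cacert -s "$SUBJECT_CA" -x -t "CTu,CTu,CTu" -v 120 -g 2048
    certutil -L -d "$ca" -f "$ca/pwdfile.txt" -n cacert -a -o "$ca/cacert.cer"

    # Phase 2: key pair + CSR in the server DB, signed in the CA DB.
    certutil -R -d "$srv" -f "$srv/pwdfile.txt" -z "$srv/noise.txt" \
        -s "$SUBJECT_SRV" -g 2048 -a -o "$srv/servercert.csr"
    cp "$srv/servercert.csr" "$ca/"
    # Subject and public key come from the CSR, so -C takes no -s.
    certutil -C -d "$ca" -f "$ca/pwdfile.txt" -c cacert -v 120 \
        -a -i "$ca/servercert.csr" -o "$ca/servercert.cer"
    cp "$ca/servercert.cer" "$ca/cacert.cer" "$srv/"

    # Import the CA as a trust anchor, then the signed server cert. The server
    # cert needs no trust flags of its own; its private key is already in
    # this token, and the FIPS token is logged in via -f for the import.
    certutil -A -d "$srv" -f "$srv/pwdfile.txt" -n cacert -t "CT,C,C" \
        -a -i "$srv/cacert.cer"
    certutil -A -d "$srv" -f "$srv/pwdfile.txt" -n servercert -t ",," \
        -a -i "$srv/servercert.cer"
}

# verify_server_cert ROOT: chain check for SSL-server usage; exit 0 if valid.
verify_server_cert() {
    srv="$1/server"
    certutil -V -d "$srv" -f "$srv/pwdfile.txt" -n servercert -u V
}

if have_nss_tools; then
    root=${1:-$(mktemp -d)}
    run_demo "$root"
    verify_server_cert "$root"
    # List the server token's keys: the new key should show the nickname
    # servercert, i.e. the imported cert was linked to its private key.
    certutil -K -d "$root/server" -f "$root/server/pwdfile.txt"
    echo "FIPS-mode NSS databases created under $root"
else
    echo "certutil/modutil not found; install nss-tools to run this example" >&2
fi
```

After it runs, `certutil -L -d ROOT/server` should list both `cacert` and `servercert`, and `modutil -list -dbdir ROOT/server` should show the internal module in FIPS mode. If the `-A` import still fails with the quoted error on a given NSS build, remove the `-f` from that one call to confirm whether token login is the variable, and then report the NSS version and database format (cert8 or cert9), which is what the reply above asks for.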