Momcilo Majic wrote, On 2008-08-25 13:03: > I have created simple CA using ejbca. The root certificate is ECDSA based. > > 1. Than I've tried to create certificate request using certutil: > certutil -R -s "CN=TestECDSA" -o request.req -a -d database -k ec -q > nistp192 -a > 2. I've uploaded resulting request to the EJBCA, signing and got cert.pem > 3. I've imported the resulting certificate > 4. Listing the keys still designates only one ec key with status orphan
What version of NSS did you use? I'm having Deja vu here. Did we discuss this a few weeks ago? As I recall, some versions of NSS had a bug in the certutil -K command that caused it to report keys as orphans that were not orphans. However, the certutil -L command properly reported whether the private key corresponding to each cert was found (in the key DB) or not. So, if you list your new cert with certutil -L, and you see the "u" trust flags (e.g. u,u,u) then you know that NSS has correctly matched up the key and the cert, and all is well, despite certutil -K's diagnosis. If you're having this result with NSS 3.12.x, please let us know. Also, if you don't get the "user" trust flags when you list that cert, then let us know. But the version of NSS is crucial. Also, if you got your NSS from some (any) Linux distribution, let us know what Linux distribution you got it from. Thanks. > Does anybody knows how to establish relationship between > request-key-certificate? It should be entirely automatic. You can't force it. _______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
