Momcilo Majic wrote, On 2008-08-25 13:03:

> I have created simple CA using ejbca. The root certificate is ECDSA based.
> 
> 1. Then I've tried to create certificate request using certutil:
> certutil -R -s "CN=TestECDSA" -o request.req -a -d database -k ec -q nistp192 -a
> 2. I've uploaded resulting request to the EJBCA, signing and got cert.pem
> 3. I've imported the resulting certificate
> 4. Listing the keys still designates only one ec key with status orphan

What version of NSS did you use?

I'm having déjà vu here.  Did we discuss this a few weeks ago?

As I recall, some versions of NSS had a bug in the certutil -K command
that caused it to report keys as orphans that were not orphans.
However, the certutil -L command properly reported whether the private
key corresponding to each cert was found (in the key DB) or not.

So, if you list your new cert with certutil -L, and you see the "u" trust
flags (e.g. u,u,u) then you know that NSS has correctly matched up the
key and the cert, and all is well, despite certutil -K's diagnosis.

If you're having this result with NSS 3.12.x, please let us know.
Also, if you don't get the "user" trust flags when you list that cert,
then let us know.  But the version of NSS is crucial.  Also, if you
got your NSS from some (any) Linux distribution, let us know what
Linux distribution you got it from.

Thanks.

> Does anybody know how to establish relationship between 
> request-key-certificate?

It should be entirely automatic.  You can't force it.
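
The `certutil -L` check described in the reply above can be scripted. This is an added example, not part of the original message or of NSS itself; the function names and the sample listing are constructed for illustration, and the nickname and `-d database` path are taken from the question.

```shell
#!/bin/sh
# Constructed sample of `certutil -L -d database` output (not from the thread).
sample_listing() {
cat <<'EOF'

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

TestECDSA                                                    u,u,u
Test Root CA                                                 CT,C,C
Imported No Key                                              ,,
EOF
}

# has_user_key NICKNAME (hypothetical helper): reads a certutil -L listing on
# stdin. Exit status: 0 = cert listed with a "u" flag (NSS matched it to a
# private key), 1 = cert listed without "u", 2 = nickname not in the listing.
has_user_key() {
    awk -v want="$1" '
        { sub(/[ \t\r]+$/, "") }                 # tolerate trailing whitespace
        # Data rows end in three comma-separated flag groups; headers do not.
        NF >= 2 && $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
            flags = $NF
            nick = $0
            sub(/[ \t]+[^ \t]+$/, "", nick)      # nickname may contain spaces
            if (nick == want) { found = 1; if (flags ~ /u/) user = 1 }
        }
        END { if (!found) exit 2; exit (user ? 0 : 1) }
    '
}

# Against a real database: certutil -L -d database | has_user_key "TestECDSA"
if sample_listing | has_user_key "TestECDSA"; then
    echo "TestECDSA: private key matched (u flag present)"
fi
```
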