On 2010-02-23 04:05 PST, armin.n...@deutsche-boerse.com wrote:
> Hello,
>
> I am new to SSL and certificates and I have to setup Apache's Qpid
> broker using both server authentication and client authentication
> which requires certificates on both sides.
> We will store a certificate from each client (which he has
> self-certified) on our Qpid broker machines using certutil.

I'm not familiar with Qpid. Does it use NSS? certutil is very handy for
maintaining databases used by NSS-based programs, but those databases are
not terribly useful for programs that do not use NSS.

> One question now was whether we could store two certificates of one
> client where
> - the validity period of both certificates overlap
> - the subject of the certificates are identical

Yes, certainly, provided their (issuer name, serial number) combinations
are unique.

> I tested it and found that this is possible, even with identical
> nicknames.

Indeed, all certificates with the same subject name MUST have the same
nicknames also.

> I added the certificates without specifying a serial number:
> $ certutil -A -d data/0097 -n cbkfr -t "P,," -i data/0097/cbkfr.crt
> $ certutil -A -d data/0097 -n cbkfr -t "P,," -i data/0097/cbkfr1.crt
> $ certutil -L -d data/0097 -n cbkfr
> displays the information about both certificates. This shows that they
> have different serial numbers.
>
> Now I wanted to see what happens if I specify explicitly the same serial
> number when adding both certificates:
> $ certutil -A -d data/0097 -n cbkfr -t "P,," -i data/0097/cbkfr.crt -m 123
> $ certutil -A -d data/0097 -n cbkfr -t "P,," -i data/0097/cbkfr1.crt -m 123
>
> This works fine as well and
> $ certutil -L -d data/0097 -n cbkfr
> shows that both certificates don't have serial number 123 but the one
> which the .crt files contain already (checked with a Windows based tool).

Right. Certificate contents cannot be changed after the certificate is
created.

> Does that mean that the -m option is not valid for the -A action?

Yes. The -m option is only meaningful for the certutil commands that
create new certificates.

> The certutil tool doesn't complain!

You could file a bug report about that.

> That means for me that it is possible without problems to maintain
> multiple imported certificates with identical subject and overlapping
> validity period under the same nickname.
> But how can I remove a specific one of these certificates, e.g. since
> it is expired and therefore not used anymore?

Do you have a real need to remove it?

> When I enter
> $ certutil -D -d data/0097 -n cbkfr
> one of the two certificates is deleted, but which one?

Presently, certutil gives you no control over which one. This is a known
shortcoming of certutil. I'm pretty sure there is at least one bug on
file about it already.

> The -m option is ignored here as well.

Yes.

If you really feel you must delete the old certificate, here is a way to
effectively do it in several steps.

1. Dump all the certificates with the same subject name into a PEM file,
   e.g.
     certutil -n nickname -d DIRECTORY -L -a -o myPEMfile

2. Edit the PEM file, splitting it into separate PEM files for each cert.
   Delete the PEM file for the cert you don't want.

3. Delete all the certs with the same subject name from the cert DB by
   repeating the command
     certutil -n nickname -d DIRECTORY -D
   until they're all gone.

4. Add back the certs you wanted to keep. For each file, do
     certutil -n nickname -d DIRECTORY -A -a -i pemfileN -t flags

> Best regards
> Armin Noll

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
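The four-step dump/split/delete/re-add procedure from the reply above, scripted as an added example. This is not code from the thread or from NSS; it assumes NSS `certutil` is on PATH, that `openssl` is available to read each certificate's serial number (it prints `serial=` followed by uppercase hex, which is the form the `drop` argument is compared against), and the DB directory, nickname and trust flags are placeholders supplied on the command line. The only part that runs without a cert DB is `split_pem`, which does step 2 (splitting the multi-certificate PEM dump) with awk instead of by hand; the certificate bodies used to exercise it in testing are constructed, not real certificates.

```shell
#!/bin/sh
# Added example: remove one of several certificates stored under the same
# NSS nickname, since "certutil -D -n nick" gives no control over which
# copy it deletes. Assumes certutil and openssl on PATH (assumption).

# split_pem INPUT OUTPREFIX
# Step 2: write each "-----BEGIN CERTIFICATE-----" ... "-----END ..." block
# of INPUT to OUTPREFIX.1, OUTPREFIX.2, ... Prints the number of blocks.
split_pem() {
    awk -v pfx="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = pfx "." n }
        n > 0                         { print > out }
        /-----END CERTIFICATE-----/   { close(out) }
        END                           { print n + 0 }
    ' "$1"
}

# cert_serial PEMFILE -> uppercase hex serial without the "serial=" prefix
cert_serial() {
    openssl x509 -in "$1" -noout -serial | sed 's/^serial=//' | tr 'a-f' 'A-F'
}

# prune_nickname DBDIR NICKNAME DROP_SERIAL [TRUSTFLAGS]
# Steps 1, 3 and 4 around split_pem. The work directory is kept on any
# failure so the dumped certificates can be re-imported by hand.
prune_nickname() {
    dbdir=$1; nick=$2; drop=$(printf '%s' "$3" | tr 'a-f' 'A-F')
    flags=${4:-"P,,"}
    work=$(mktemp -d) || return 1

    # Step 1: every cert under the nickname, as one PEM file.
    certutil -L -d "$dbdir" -n "$nick" -a -o "$work/all.pem" || return 1

    # Step 2: one file per cert.
    count=$(split_pem "$work/all.pem" "$work/cert")
    if [ "$count" -lt 1 ]; then
        echo "no certificates found under nickname '$nick'" >&2
        return 1
    fi

    # Refuse to proceed if the requested serial is not actually present;
    # otherwise steps 3+4 would be a pointless delete-and-restore.
    found=0; i=1
    while [ "$i" -le "$count" ]; do
        [ "$(cert_serial "$work/cert.$i")" = "$drop" ] && found=1
        i=$((i + 1))
    done
    if [ "$found" -ne 1 ]; then
        echo "serial $drop not found under '$nick'; dump kept in $work" >&2
        return 1
    fi

    # Step 3: certutil -D removes one copy per call; repeat until it fails.
    while certutil -D -d "$dbdir" -n "$nick" >/dev/null 2>&1; do :; done

    # Step 4: re-add everything except the cert with the unwanted serial.
    i=1
    while [ "$i" -le "$count" ]; do
        f="$work/cert.$i"
        if [ "$(cert_serial "$f")" = "$drop" ]; then
            echo "dropping certificate with serial $drop"
        else
            certutil -A -d "$dbdir" -n "$nick" -t "$flags" -a -i "$f" || {
                echo "re-import of $f failed; remaining PEMs in $work" >&2
                return 1
            }
        fi
        i=$((i + 1))
    done
    rm -rf "$work"
}

# Usage: sh prune.sh prune DBDIR NICKNAME SERIAL_HEX [TRUSTFLAGS]
case "${1-}" in
    prune) shift; prune_nickname "$@" ;;
esac
```

Because step 3 empties the nickname before step 4 refills it, there is a window in which no certificate for that subject is in the database; run it while the broker is not reading the DB, and keep the dump directory if any `certutil -A` fails.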