Hello, I would like to ask your advice on how to best deal with a problem related to deleting certificates/keys.

I'm currently experimenting with creating short-lived certificates for TLS client authentication using the <keygen> element. While it seems easy to create the keys/certs, I have more problems deleting them. Ideally, I would like to delete all certs I created before adding another one. I can do this from a local app (i.e., it doesn't have to come over the web, which I assume isn't possible for security reasons). I have experimented with certutil -D but I have some doubts about that approach:

* Can certutil access the database while the browser is running and using it? (An undated discussion mentioned the use of an old version of Berkeley DB where concurrent access was considered dangerous.)
* Choosing the cert to delete by nickname is not easy. Is the way a nickname is constructed documented somewhere? I'd prefer to select certs by issuer; is there a way?
* In my reading of the doc, it seems that I don't need to know the password for accessing the db when deleting. (certutil -h says "certutil -D -n cert-name [-d certdir] [-P dbprefix]" without a [-f pwfile] option.) Can you confirm this?
* Does certutil -D also delete the corresponding keys, or do I need to use certutil -F? Is there a way to delete orphaned keys?

Alternatively, are there any better ways for my needs than certutil? Maybe some magic where new certificates automatically replace older ones with the same Subj DN? Any DB-level access (Berkeley DB...) to the db files (maybe with locking)?

Many thanks in advance for any help!

-b

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
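The nickname-selection problem raised in the post can be approached by parsing the listing that `certutil -L` prints and only then issuing `certutil -D` for the entries that match. The following POSIX shell script is an added example, not code from the original message or from NSS; it assumes the tabular layout of `certutil -L -d <dir>` (a two-line header, a blank line, then one entry per line whose last whitespace-separated field is the trust column such as `u,u,u`), and it uses only the `-L`, `-D`, `-n` and `-d` options. The sample listing at the bottom is constructed for illustration. It does not settle the post's other questions (concurrent access while the browser is running, or whether `-D` also removes the private key), so it defaults to a dry run that prints the commands it would execute.

```shell
#!/bin/sh
# Added example (not from the original post or from NSS). Assumed layout of
# "certutil -L -d <dir>" output: two header lines, a blank line, then one
# certificate per line with the trust flags (e.g. "u,u,u") as the last field.
# Nicknames may contain spaces, so only the final field is stripped.

# Read a certutil -L listing on stdin and print one nickname per line.
nss_nicknames() {
    awk '
        body == 0 { if ($0 == "") body = 1; next }   # skip header up to the blank line
        NF >= 2 {
            sub(/[ \t]+[^ \t]+[ \t]*$/, "")           # drop the trailing trust column
            print
        }
    '
}

# Read a listing on stdin and print only the nicknames matching a POSIX ERE.
# Anchoring the pattern (e.g. "^short-lived") keeps a CA or server cert from
# being swept up by a loose substring match.
nss_select_matching() {
    nss_nicknames | grep -E -- "$1"
}

# Delete every certificate in the NSS database directory $1 whose nickname
# matches the ERE $2. With DRY_RUN=1 (the default) the certutil -D commands
# are printed instead of executed, so the selection can be reviewed first.
nss_delete_matching() {
    dbdir=$1
    pattern=$2
    certutil -L -d "$dbdir" | nss_select_matching "$pattern" |
    while IFS= read -r nick; do
        if [ "${DRY_RUN:-1}" = 1 ]; then
            printf 'certutil -D -n "%s" -d "%s"\n' "$nick" "$dbdir"
        else
            certutil -D -n "$nick" -d "$dbdir"
        fi
    done
}

# Constructed sample listing in the assumed certutil -L layout, used for the
# stand-alone demonstration below.
SAMPLE_LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

short-lived client 2024-01-01                                u,u,u
Example CA                                                   CT,C,C
'

# Stand-alone demonstration: print the nicknames the pattern would select.
printf '%s' "$SAMPLE_LISTING" | nss_select_matching '^short-lived'
```

Usage against a real database would be `DRY_RUN=1 nss_delete_matching "$HOME/.pki/nssdb" '^short-lived'` to review the list, then the same call with `DRY_RUN=0` once the selection looks right. The parsing step is deliberately separated from the deletion step so the selection can be checked offline against a saved listing.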