I am on a Linux system and I am trying to send a signed email message
using cmsutil and the smime toolkit but it fails with the following
error:

cmsutil: the corresponding cert for key "(null)" does not exist:
Certificate key usage inadequate for attempted operation.

I have a PKCS#12 file that I loaded into the NSS database with the following
command:

pk12util -i Email.p12 -d ./database

I have also loaded the root CA certs using:

certutil -A -d ./database -n "gdca-root" -t "CT,C,," -i gdrootca.cer
certutil -A -d ./database -n "gdca1" -t "CT,C,," -i gdca1.cer

certutil -L -d ./database shows:
Stephen Moccaldi's U.S. Government ID  u,u,u
gdca-root                              CT,C,
gdca1                                  CT,C,

certutil -K -d ./database shows:
< 0> rsa    b853151eeaf438ea9f55b43bd0a5efedeac8f1a4  Stephen Moccaldi's
U.S. Government ID

certutil -V -n "Stephen Moccaldi's U.S. Government ID" -u SR -d ./database shows:
certutil: certificate is valid

But, when I type: 
cat testmsg.txt | smime -S "Stephen Moccaldi's U.S. Government ID" -p "passwd" -d ./database | mail myemailaddr...@myserver.com

I get the error: 
cmsutil: the corresponding cert for key "(null)" does not exist:
Certificate key usage inadequate for attempted operation.
cmsutil: problem signing: Certificate key usage inadequate for attempted
operation.
cmsutil: NSS_Shutdown failed:  NSS could not shutdown.  Objects are
still in use.
ERROR: signature generation failed.
No message, no subject; hope that's ok

I get the same error when I type:
cmsutil -S -N "Stephen Moccaldi's U.S. Government ID" -i testmsg.txt -o testmsg.signed -d ./database -p "passwd"

Does it have anything to do with the length of the nickname?  If I type
the above line with one less character in the nickname, it does not show
"(null)" for the key; it shows "Stephen Moccaldi's U.S. Government I".
The error is:

cmsutil: the corresponding cert for key "Stephen Moccaldi's U.S.
Government I" does not exist: Certificate key usage inadequate for
attempted operation.

Since the nickname is set in the Email.p12 file and I can't specify it,
does that mean I need a new cert with a shorter friendly name?
I am using NSS version 3.12.3 and nspr 4.7.6.

Any help will be greatly appreciated.
Thanks.

Steve Moccaldi
stephen.mocca...@gdc4s.com

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
