On 2011-01-25 13:07 PDT, Michael H. Warfield wrote:
> [...] Instead of having a cert in the
> database with the name I specified in creating the .p12 file, I ended up
> with a cert in the database with the name of the E-Mail address in the
> cert. Not sure where that problem is (openssl or the pk12util import).
> But, I went to delete that certificate and that's when the fun began.
> "certutil -D -n postmas...@wittsend.com" ran without error but the cert
> was still there. Run it again and you get this error:
>
> [root@romulus ipsec.d]# certutil -D -n postmas...@wittsend.com -d .
> certutil: could not find certificate named "postmas...@wittsend.com":
> security library: bad database.
>
> That's also when I noticed I was missing at least one other cert.

I was unable to reproduce any of this with the cert DB you sent me.

Before I deleted the cert with that command above, the cert DB was OK, not corrupted, and after I deleted it, it was also OK. The cert I had specified, and its nickname record AND its email record were all deleted from the DB, leaving it in a consistent state. A second delete attempt produced the same error message you saw, but didn't modify the DB at all.

I tried with both certutil and libs from NSS 3.11.latest and 3.12.latest and got the same results both ways.

I have these thoughts about the different behaviors that you and I experienced.

1) Maybe you had another program that was also holding the DB files open at the same time you did the certutil -D command.

2) IINM, you had the private key for some certs in your key3.db by virtue of having used pk12util to import one or more, and I didn't. That might have made a difference.

3) It's possible that the original cert DB you had was in some state of corruption, and the cert DB you reconstructed for my testing was not corrupted.

Unless and until I can reproduce the behavior you saw, I won't be of much help in resolving it. Sorry. :-/

--
/Nelson Bolyard
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
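
Added example, not part of the original message or of NSS: a shell wrapper that checks possibility 1 above (another process holding the DB files open) before running `certutil -D`, and keeps a backup and before/after listings so the result can be compared. The function names are hypothetical, and it assumes Linux `/proc` and the legacy DBM file names `cert8.db`, `key3.db` and `secmod.db`.

```shell
#!/bin/sh
# Added example; nss_db_holders and nss_guarded_delete are hypothetical helper names.
# Assumes Linux /proc and the legacy DBM database files (cert8.db, key3.db, secmod.db).

# Print the PIDs of processes that hold a DB file in directory $1 open.
# Only processes whose /proc/<pid>/fd is readable by the caller are seen.
nss_db_holders() {
    dbdir=$(cd "$1" && pwd -P) || return 2
    for fd in /proc/[0-9]*/fd/*; do
        target=$(readlink "$fd" 2>/dev/null) || continue
        case "$target" in
            "$dbdir/cert8.db"|"$dbdir/key3.db"|"$dbdir/secmod.db")
                pid=${fd#/proc/}      # strip the leading /proc/
                echo "${pid%%/*}" ;;  # keep only the PID component
        esac
    done | sort -u
}

# Delete nickname $2 from the DB in directory $1, but only when no other
# process has the DB open; copy the DB files and record listings first.
nss_guarded_delete() {
    dir=$1
    nick=$2
    holders=$(nss_db_holders "$dir") || return 2
    if [ -n "$holders" ]; then
        echo "refusing: DB files are open in PID(s):" $holders >&2
        return 1
    fi
    backup=$(mktemp -d) || return 2
    cp -p "$dir/cert8.db" "$dir/key3.db" "$dir/secmod.db" "$backup/" || return 2
    certutil -L -d "$dir" > "$backup/before.txt"
    certutil -D -n "$nick" -d "$dir" || return 3
    certutil -L -d "$dir" > "$backup/after.txt"
    # Exactly the deleted nickname should disappear from the listing.
    diff "$backup/before.txt" "$backup/after.txt" || true
    echo "DB copy and listings kept in $backup"
}

# Usage (run as the owner of the DB files):
#   nss_guarded_delete /path/to/dbdir 'nickname'
```

If the diff shows more than the one nickname disappearing, the copy in the backup directory preserves the pre-delete state for comparison.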