On 12/02/2011 07:46 AM, passfree wrote:
> I am writing an experimental tool and I need to generate an SSL server
> on the fly. Needless to say, NSS seems like the perfect choice but
> here is where I am stuck.
>
> SSL_ConfigSecureServer expects a cert, a key and a type. I've tried to
> look into certutil to see how these are generated but I find it really
> confusing. Can someone point me in the right direction on how to
> make this stuff in memory without the need to use certutil?

Cert generation needs more than just certutil. You'll need to attach to some CA and have it sign your certificate. You may want to look at dogtag (an open source CA).

For testing, you can look at the examples in the NSS tests: mozilla/security/nss/tests/cert/certs.sh for how to generate cert chains and keys in certutil.

> I just need to generate a random CERTCertificate, the corresponding
> SECKEYPrivateKey. I can get the type myself.
>
> Your help is much appreciated.

If you want to do that programmatically, look at certutil's code for generating a cert request. That will give you a private key and a corresponding cert request to send to a CA. The API for talking to a CA is CA specific, but the CA will take your cert request along with your authorization info (specific to the CA), and the CA will return a DER cert. You can then call CERT_NewTempCertificate() on the blob to get a CERTCertificate, then call PK11_ImportCertForKey() on the CERTCertificate so NSS will pair it up with the already existing private key (NSS will automatically find the private key).

bob
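The flow bob describes (generate a private key and a cert request, send the request to a CA, get back a DER cert, then pair that cert with the private key that already exists) as an added example that is not part of this thread and not NSS code. It uses Go's standard library crypto/x509 and crypto/tls in place of the NSS calls, and an in-process self-signed root (toyCA, this example's own, hypothetical) stands in for the external CA; newKeyAndCSR, pairCertWithKey and provisionServer are likewise names chosen here. pairCertWithKey does explicitly what NSS does implicitly when it looks up the existing private key: it refuses a certificate whose public key does not belong to the key you hold.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// newKeyAndCSR is the requester's step that certutil's cert-request code
// performs: a fresh private key plus a DER-encoded PKCS#10 request for host.
func newKeyAndCSR(host string) (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: host}, DNSNames: []string{host}}
	csrDER, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	return key, csrDER, err
}

// toyCA stands in for the external CA: an in-process self-signed root
// (hypothetical, this example's own) that signs requests into DER certs.
type toyCA struct {
	key  *ecdsa.PrivateKey
	cert *x509.Certificate
}

func newToyCA() (*toyCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Test CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &toyCA{key: key, cert: cert}, err
}

// sign checks the request's self-signature (proof that the requester holds
// the private key) and returns a DER server certificate, as a CA would.
func (ca *toyCA) sign(csrDER []byte) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: csr.Subject, DNSNames: csr.DNSNames,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, ca.cert, csr.PublicKey, ca.key)
}

// pairCertWithKey plays the part of CERT_NewTempCertificate plus PK11_ImportCertForKey:
// parse the DER blob the CA returned and bind it to the already existing private key.
func pairCertWithKey(certDER []byte, key *ecdsa.PrivateKey) (tls.Certificate, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return tls.Certificate{}, err
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok || !pub.Equal(&key.PublicKey) {
		return tls.Certificate{}, errors.New("certificate public key does not match private key")
	}
	return tls.Certificate{Certificate: [][]byte{certDER}, PrivateKey: key, Leaf: cert}, nil
}

// provisionServer: key + CSR, CA signs, pair cert with key, config for tls.Listen (SSL_ConfigSecureServer's job).
func provisionServer(ca *toyCA, host string) (*tls.Config, error) {
	key, csrDER, err := newKeyAndCSR(host)
	if err != nil {
		return nil, err
	}
	certDER, err := ca.sign(csrDER)
	if err != nil {
		return nil, err
	}
	pair, err := pairCertWithKey(certDER, key)
	if err != nil {
		return nil, err
	}
	return &tls.Config{Certificates: []tls.Certificate{pair}, MinVersion: tls.VersionTLS12}, nil
}
```

Call newToyCA once, then provisionServer(ca, "localhost") for each server you spin up; the resulting tls.Config goes straight to tls.Listen, and a client only needs ca.cert in its root pool. The two checks worth keeping when you move this to NSS are the ones a real CA and NSS enforce on your behalf: the CA verifies the request's signature before issuing (and, as bob notes, would also demand CA-specific authorization, which the toy CA does not), and the pairing step must fail rather than silently produce a server whose cert and key disagree.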
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto