On 12/07/2011 07:01 AM, passfree wrote:
> On Dec 2, 6:26 pm, Robert Relyea <rrel...@redhat.com> wrote:
>> On 12/02/2011 07:46 AM, passfree wrote:
>>> I am writing an experimental tool and I need to generate an SSL server
>>> on the fly. Needless to say, NSS seems like the perfect choice but
>>> here is where I am stuck.
>>> SSL_ConfigSecureServer expects a cert, a key and a type. I've tried to
>>> look into certutil to see how these are generated but I find it really
>>> confusing. Can someone point me towards the right direction how to
>>> make this stuff in memory without the need to use certutil?
>> Cert generation needs more than just certutil. You'll need to attach to
>> some CA and have it sign your certificate. You may want to look at
>> dogtag (an open source CA).
>>
>> For testing, you can look at the examples in the NSS tests:
>> mozilla/security/nss/tests/cert/certs.sh for how to generate cert chains
>> and keys in certutil.
>>
>>> I just need to generate a random CERTCertificate, the corresponding
>>> SECKEYPrivateKey. I can get the type myself.
>>> Your help is much appreciated.
>> If you want to do that programmatically, look at certutil's code for
>> generating a cert request. That will give you a private key and a
>> corresponding cert request to send to a CA. The API for talking to a CA
>> is CA specific, but the CA will take your cert request along with your
>> authorization info (specific to the CA), and the CA will return a DER cert.
>> You can then call CERT_NewTempCertificate() on the blob to get a
>> CERTCertificate, then call PK11_ImportCertForKey() on the CERTCertificate
>> so NSS will pair it up with the already existing private key (NSS
>> will automatically find the private key).
>>
>> bob
> Is it possible to start NSS_Init without creating dbs? I guess what I
> am asking is if I can have all of this in memory rather than on disk. I
> need to create a self-contained executable.
Yes, though if you are trying to start an SSL server, you need to get a cert from somewhere. You aren't allowed to just create a cert on your own on the fly -- if you could, SSL would lose all its utility.

In order to do what you want to do, you'd have to have some connection to a CA to sign your certificate once you created it on the fly. You'd need to be able to authenticate to that CA, somehow. I guess my point is, there are lots of things that can be done, but I'm thinking you want to have a standalone SSL server that has no storage, and I think that idea is fundamentally a loser (whether or not you are using NSS).

bob
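The flow Bob describes (key pair and request, CA signature, import of the returned DER cert so NSS pairs it with the existing private key), carried out with certutil in the same way nss/tests/cert/certs.sh does it. This is an added example, not code from the thread or from NSS; the database directory, the nicknames "TestCA", "server" and "lonely", and the subject names are made up. The last step is the point of Bob's reply: a server cert that is merely self-signed, with no trusted CA behind it, is rejected by NSS's own server-usage check.

```shell
#!/bin/sh
# Added example (not from the thread): a throwaway CA plus a CA-signed server
# cert built with certutil, then NSS's verdict on it versus a standalone
# self-signed cert. Assumes certutil is on PATH; all names are made up.

make_chain() {
    db="$1"                                  # NSS cert/key database directory
    mkdir -p "$db"
    : > "$db/pwfile"                         # empty db password, passed via -f
    head -c 128 /dev/urandom > "$db/noise"   # seed material for keygen (-z)

    certutil -N -d "$db" -f "$db/pwfile"

    # 1. Self-signed CA. -x self-signs, -t "CT,C,C" trusts it to issue server
    #    certs, -2 asks the three basicConstraints questions on stdin.
    printf 'y\n\ny\n' | certutil -S -d "$db" -f "$db/pwfile" -z "$db/noise" \
        -n TestCA -s "CN=Example Test CA,O=Example" -x -t "CT,C,C" \
        -k rsa -g 2048 -v 12 -m 1 -2 >/dev/null

    # 2. New key pair in the db plus a cert request for it (the command-line
    #    counterpart of PK11_GenerateKeyPair + CERT_CreateCertificateRequest).
    certutil -R -d "$db" -f "$db/pwfile" -z "$db/noise" \
        -s "CN=localhost,O=Example" -k rsa -g 2048 -o "$db/server.req" >/dev/null

    # 3. The CA signs the request and hands back a DER certificate.
    certutil -C -d "$db" -f "$db/pwfile" -c TestCA -i "$db/server.req" \
        -o "$db/server.der" -v 12 -m 2

    # 4. Import the DER cert; certutil pairs it with the private key made in
    #    step 2, which is what PK11_ImportCertForKey() does in C.
    certutil -A -d "$db" -n server -t ",," -i "$db/server.der"

    # 5. For contrast: a self-signed server cert with no CA behind it.
    certutil -S -d "$db" -f "$db/pwfile" -z "$db/noise" \
        -n lonely -s "CN=localhost,O=Example" -x -t ",," \
        -k rsa -g 2048 -v 12 -m 3 >/dev/null
}

# Prints "valid" or "invalid": does NSS accept the named cert for the
# SSL-server usage (-u V), i.e. does it chain to a CA the db trusts for that?
check_server_cert() {
    if certutil -V -d "$1" -n "$2" -u V >/dev/null 2>&1; then
        echo valid
    else
        echo invalid
    fi
}

if [ "${1:-}" = "demo" ]; then
    dir=$(mktemp -d)
    make_chain "$dir"
    echo "server (CA-signed): $(check_server_cert "$dir" server)"   # valid
    echo "lonely (self-signed): $(check_server_cert "$dir" lonely)" # invalid
fi
```

Run it as `sh nss_chain_demo.sh demo`. The "lonely" cert fails with "Peer's certificate issuer is not recognized" because nothing in the database trusts its issuer, which is itself; that is exactly what an SSL client would conclude about a cert a server mints on its own at start-up, regardless of whether the key material lives in memory or on disk.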
-- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto