On Wed, 2013-04-10 at 11:36 -0700, daniemarq...@gmail.com wrote:
> I'm trying to generate a Certificate Signing Request to be later signed by a
> CA and imported to a NSS database.
>
> Currently using the following commands:
>
> certutil -R -d alias -f nssPasswordFile -s "sample-dn" -n "sample-dn" -k
> "rsa" -g 2048 -o cert.req -a -z noiseFile

I think the -n parameter is unnecessary at this point (and will get ignored), because no cert is involved yet.

(If you try certutil -K immediately after the command, you'll get a private key listed without a nickname, even if you have used the -n parameter.)

> Then using sslget to receive a successful response

I assume with "successful response" you mean that you have downloaded a certificate issued by the CA.

> and import it using:
>
> certutil -A -s "sample-dn" -n "sample-dn" -a -d alias -f nssPasswordFile -t
> ",,"

Did this command work without error message?

I assume you used something like
cat retrieved-certificate-file | certutil -A ....

It seems wrong to use the -s argument in this scenario. The subject name should be taken from the certificate you import. I suspect that certutil will silently ignore this parameter, but you might want to try without it.

> The problem is when I use certutil to list all private keys. I get something
> like:
>
> < 9> rsa c679865c65628623c59ab392019943ef426aa2e1 NSS Certificate DB:sample-dn

That seems correct.

> And when I use a PKCS11Wrapper in Java I get a Private Key with the correct
> ID but a <NULL-PTR> in the label.

What is the "correct ID" that you are using to obtain the private key? Do you use "9" or do you use "sample-dn"?

What's the exact API that you use to obtain the private key?

What's the exact attribute, of which interface, that contains the NULL label?

If I understand correctly, you are successfully able to obtain the private key and use it, your only problem is that it has an empty label? Is that only a cosmetic issue, or does it cause problems for you?

> Note: When I use pk12util I can successfully export and then import in the
> firefox nss database and appears good.

Which confirms that your earlier certificate had worked.

You said you are using "PKCS11Wrapper in Java", do you refer to a Java application that accesses your NSS database directly - or do you refer to an applet downloaded from a website that you expect to be able to access the private key?

Kai
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
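
Added example, not part of the original message or of NSS: a shell script that reproduces the workflow discussed above in throwaway databases, so the certutil -K listing can be compared before and after the certificate import. The stand-in CA "demo-ca", the subject "CN=sample-dn", the password and all file names are constructed for this sketch; -n is left out of certutil -R and -s out of certutil -A, as the reply suggests.

```shell
#!/bin/sh
# Added example: every name, password and path below is constructed.
nss_key_nickname_demo() {
    command -v certutil >/dev/null 2>&1 || { echo "certutil not found" >&2; return 127; }
    work=$(mktemp -d) || return 1
    db="$work/alias"; ca="$work/ca"; pw="$work/pw"; noise="$work/noise"
    mkdir "$db" "$ca"
    echo "constructed-demo-password" > "$pw"
    head -c 64 /dev/urandom > "$noise"
    {
        certutil -N -d "$db" -f "$pw" &&
        certutil -N -d "$ca" -f "$pw" &&
        # Stand-in for the real CA: a self-signed certificate in its own database.
        certutil -S -x -d "$ca" -f "$pw" -z "$noise" -n demo-ca \
                 -s "CN=Demo CA" -t "CT,," -k rsa -g 2048 -m 1 &&
        # Generate the CSR; no -n, because no certificate exists yet.
        certutil -R -d "$db" -f "$pw" -z "$noise" -s "CN=sample-dn" \
                 -k rsa -g 2048 -a -o "$work/cert.req"
    } >/dev/null 2>&1 || { rm -rf "$work"; return 1; }
    # Key listing while only the private key exists.
    before=$(certutil -K -d "$db" -f "$pw" 2>/dev/null | grep '^<')
    {
        # The stand-in CA signs the request.
        certutil -C -d "$ca" -f "$pw" -c demo-ca -a -i "$work/cert.req" \
                 -o "$work/cert.pem" -m 2 &&
        # Import the issued certificate; no -s, the subject comes from the cert.
        certutil -A -d "$db" -f "$pw" -n sample-dn -t ",," -a -i "$work/cert.pem"
    } >/dev/null 2>&1 || { rm -rf "$work"; return 1; }
    # Key listing once a certificate with a nickname matches the key.
    after=$(certutil -K -d "$db" -f "$pw" 2>/dev/null | grep '^<')
    rm -rf "$work"
    echo "before: $before"
    echo "after: $after"
}

nss_key_nickname_demo
```

The "before" line shows the key as certutil lists it when no certificate is present, and the "after" line shows the same key ID once the imported certificate's nickname is associated with it.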