certutil adding certificate with extra attributes

2014-05-08 Thread radiatejava
Hello All,
I am using the NSS db and utility to maintain certificates for a web
server. I am facing an issue; please go through the steps I am
listing. Can anyone explain why I am getting the 'u' attr for the certificate
with the ca-3 alias even though I did not provide this attribute while
adding it? This is creating a problem for me: the CA-signed cert with
the tomcat alias is not considered the server certificate, but the one with
the ca-3 alias is.

Please help me to get over this issue, thanks.

The ca-3 alias is for a self-signed cert and the tomcat alias is for a CA-signed cert:
1. [root@GQMTRLPSN01 CSCOcpm]# certutil -d
/opt/CSCOcpm/appsrv/apache-tomcat-6.0.36/conf/nssdb/ -L
ca-2 CT,C,C
ca-3 CTu,Cu,Cu
ca-7 CT,C,C
www.cisco.com.pem CT,C,C
tomcat u,u,u
ca-1 CT,C,C
ca-4 CT,C,C

2. I deleted ca-3 from nss db:
[root@GQMTRLPSN01 CSCOcpm]# certutil -D -n ca-3  -d
/opt/CSCOcpm/appsrv/apache-tomcat/conf/nssdb/  -k
/opt/CSCOcpm/appsrv/apache-tomcat/conf/pwdfile.txt

So now ca-3 is no longer listed.
[root@GQMTRLPSN01 CSCOcpm]# certutil -d
/opt/CSCOcpm/appsrv/apache-tomcat-6.0.36/conf/nssdb/ -L
ca-2 CT,C,C
ca-7 CT,C,C
www.cisco.com.pem CT,C,C
tomcat   u,u,u
ca-1 CT,C,C
ca-4 CT,C,C

3. Next, added ca-3 again (cmd was taken from instrumented output):
 [root@GQMTRLPSN01 CSCOcpm]# certutil -A -n ca-3 -i
/tmp/cert6345886513151373833.pem -t 'TP,,'  -d
/opt/CSCOcpm/appsrv/apache-tomcat-6.0.36/conf/nssdb/  -f
/opt/CSCOcpm/appsrv/apache-tomcat-6.0.36/conf/pwdfile.txt

The moment I did this, I can see the 'u' attr for this cert:
[root@GQMTRLPSN01 CSCOcpm]# certutil -d
/opt/CSCOcpm/appsrv/apache-tomcat-6.0.36/conf/nssdb/ -L
ca-2 CT,C,C
ca-7 CT,C,C
ca-3 TPu,u,u
www.cisco.com.pem   CT,C,C
tomcat   u,u,u
ca-1 CT,C,C
ca-4 CT,C,C
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
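As an added example (not part of the thread and not NSS's own code): in NSS the 'u' trust flag is not something -t sets; certutil -L displays it whenever a private key for that certificate is present in the key database, and that is also what makes NSS pick the certificate as a user/server certificate. certutil -D removes only the certificate, so the key generated for the self-signed ca-3 stays behind, and re-adding the same certificate with -A re-associates it with that key and the 'u' comes back; certutil -F removes the key together with its certificate. The script below first checks a (constructed) certutil -L listing for nicknames carrying 'u', then optionally replays the post's steps in a throwaway database. It assumes POSIX sh and awk; the empty password file passed with -f, the -z noise file and all paths are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original thread: find which certificates in an
# NSS database carry the 'u' (has private key) flag, and replay the post's
# delete/re-add steps to show where the flag comes from.
set -eu

# Constructed sample of `certutil -L` output, modelled on the post's listing.
SAMPLE_LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ca-2                                                         CT,C,C
ca-3                                                         TPu,u,u
www.cisco.com.pem                                            CT,C,C
tomcat                                                       u,u,u
ca-1                                                         CT,C,C'

# user_certs: read `certutil -L` output on stdin and print every nickname whose
# trust string contains 'u' in any of the three slots. NSS adds 'u' by itself
# when the key database holds a private key for the certificate; -t cannot
# add or remove it.
user_certs() {
    awk 'NF >= 2 && $NF ~ /^[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*$/ {
             trust = $NF
             $NF = ""            # drop the trust column, keep the nickname
             sub(/[ \t]+$/, "")
             if (trust ~ /u/) print $0
         }'
}

# has_user_flag NICKNAME: exit 0 if that nickname is listed with a 'u' flag.
has_user_flag() {
    user_certs | awk -v want="$1" '$0 == want { found = 1 } END { exit found ? 0 : 1 }'
}

# repro DBDIR: replay the post's steps in a throwaway database (needs certutil).
# -D removes only the certificate, the private key stays in the key database,
# so re-adding the certificate with -A gets its 'u' back. -F removes both.
repro() {
    command -v certutil >/dev/null 2>&1 || { echo "certutil not installed"; return 2; }
    db=$1
    mkdir -p "$db"
    : > "$db/pw"                                    # empty password file (assumed OK)
    head -c 64 /dev/urandom > "$db/noise"           # seed for key generation
    certutil -N -d "$db" -f "$db/pw"
    certutil -S -d "$db" -f "$db/pw" -z "$db/noise" \
        -n ca-3 -s 'CN=ca-3' -x -t 'TP,,'           # self-signed: key and cert in db
    certutil -L -d "$db" -n ca-3 -a > "$db/ca-3.pem"
    echo '--- before:';                 certutil -L -d "$db"
    certutil -D -d "$db" -n ca-3                    # step 2 of the post
    certutil -A -d "$db" -n ca-3 -i "$db/ca-3.pem" -t 'TP,,'   # step 3 of the post
    echo '--- after re-adding (u is back):'; certutil -L -d "$db"
    echo '--- private keys still present:';  certutil -K -d "$db" -f "$db/pw"
    certutil -F -d "$db" -f "$db/pw" -n ca-3        # removes key and cert together
    echo '--- after certutil -F:';      certutil -L -d "$db"
}

# Usage against a real database:  certutil -d /path/to/nssdb -L | user_certs
# Replay the post's steps:         repro /tmp/nssdb-repro
printf '%s\n' "$SAMPLE_LISTING" | user_certs
```

Running user_certs over the sample prints ca-3 and tomcat, which is exactly the ambiguity the post describes: two certificates with keys, and the self-signed one wins. Checking the key database with certutil -K before re-adding a certificate tells you whether an old key is about to attach itself to it.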

Re: certutil adding certificate with extra attributes

2014-05-14 Thread radiatejava
Hello folks,
Any update on this? One of my customers is waiting on it. Daniel
Veditz from dev-security asked me to contact this list. Hope someone
can look into this. If required, I can repro this and show it to
someone who has developed certutil.

Thanks.

On Thu, May 8, 2014 at 7:03 PM, radiatejava wrote:
> Hello All,
> I am using the NSS db and utility to maintain certificates for a web
> server. I am facing an issue; please go through the steps I am
> listing. Can anyone explain why I am getting the 'u' attr for the certificate
> with the ca-3 alias even though I did not provide this attribute while
> adding it? This is creating a problem for me: the CA-signed cert with
> the tomcat alias is not considered the server certificate, but the one with
> the ca-3 alias is.
>
> Please help me to get over this issue, thanks.
>
> The ca-3 alias is for a self-signed cert and the tomcat alias is for a CA-signed
> cert:
> 1. [root@GQMTRLPSN01 CSCOcpm]# certutil -d
> /opt/CSCOcpm/appsrv/apache-tomcat-6.0.36/conf/nssdb/ -L
> ca-2 CT,C,C
> ca-3 CTu,Cu,Cu
> ca-7 CT,C,C
> www.cisco.com.pem CT,C,C
> tomcat u,u,u
> ca-1 CT,C,C
> ca-4 CT,C,C
>
> 2. I deleted ca-3 from nss db:
> [root@GQMTRLPSN01 CSCOcpm]# certutil -D -n ca-3  -d
> /opt/CSCOcpm/appsrv/apache-tomcat/conf/nssdb/  -k
> /opt/CSCOcpm/appsrv/apache-tomcat/conf/pwdfile.txt
>
> So now ca-3 is no longer listed.
> [root@GQMTRLPSN01 CSCOcpm]# certutil -d
> /opt/CSCOcpm/appsrv/apache-tomcat-6.0.36/conf/nssdb/ -L
> ca-2 CT,C,C
> ca-7 CT,C,C
> www.cisco.com.pem CT,C,C
> tomcat   u,u,u
> ca-1 CT,C,C
> ca-4 CT,C,C
>
> 3. Next, added ca-3 again (cmd was taken from instrumented output):
>  [root@GQMTRLPSN01 CSCOcpm]# certutil -A -n ca-3 -i
> /tmp/cert6345886513151373833.pem -t 'TP,,'  -d
> /opt/CSCOcpm/appsrv/apache-tomcat-6.0.36/conf/nssdb/  -f
> /opt/CSCOcpm/appsrv/apache-tomcat-6.0.36/conf/pwdfile.txt
>
> The moment I did this, I can see the 'u' attr for this cert:
> [root@GQMTRLPSN01 CSCOcpm]# certutil -d
> /opt/CSCOcpm/appsrv/apache-tomcat-6.0.36/conf/nssdb/ -L
> ca-2 CT,C,C
> ca-7 CT,C,C
> ca-3 TPu,u,u
> www.cisco.com.pem   CT,C,C
> tomcat   u,u,u
> ca-1 CT,C,C
> ca-4 CT,C,C