Thanks for your reply

On Wednesday, April 10, 2013 9:10:33 PM UTC+1, Kai Engert wrote:
> On Wed, 2013-04-10 at 11:36 -0700, daniemarq...@gmail.com wrote:
>
> > I'm trying to generate a Certificate Signing Request to be later signed by
> > a CA and imported to a NSS database.
> >
> > Currently Using the following commands:
> >
> > certutil -R -d alias -f nssPasswordFile -s "sample-dn" -n "sample-dn" -k "rsa" -g 2048 -o cert.req -a -z noiseFile
>
> I think the -n parameter is unnecessary at this point (and will get
> ignored), because no cert is involved yet.
>
> (If you try certutil -K immediately after the command, you'll get a
> private key listed without a nickname, even if you have used the -n
> parameter.)
>
> > Then using sslget to receive a successful response
>
> I assume with "successful response" you mean that you have downloaded a
> certificate issued by the CA.
>
> > and import it using:
> >
> > certutil -A -s "sample-dn" -n "sample-dn" -a -d alias -f nssPasswordFile -t ",,"
>
> Did this command work without error message?
>
> I assume you used something like
>
>   cat retrieved-certificate-file | certutil -A ....


Daniel: Yes, you assume correctly


> It seems wrong to use the -s argument in this scenario. The subject name
> should be taken from the certificate you import. I suspect that certutil
> will silently ignore this parameter, but you might want to try without
> it.
>
> > The problem is when I use certutil to list all private keys. I get
> > something like:
> >
> > < 9> rsa      c679865c65628623c59ab392019943ef426aa2e1   NSS Certificate DB:sample-dn
>
> That seems correct.
>
> > And when I use a PKCS11Wrapper in Java I get a Private Key with the correct
> > ID but a <NULL-PTR> in the label.
>
> What is the "correct ID" that you are using to obtain the private key? Do
> you use "9" or do you use "sample-dn"?

I am trying to access by the "sample-dn"

> What's the exact API that you use to obtain the private key?

Daniel: I am using the IAIK PKCS11Wrapper with the libsoftoken (something like this)

> What's the exact attribute, of which interface, that contains the NULL
> label?

Daniel: It's the label of a private key retrieved from the 2nd Slot (Certificate DB)

> If I understand correctly, you are successfully able to obtain the
> private key and use it, your only problem is that it has an empty label?
> Is that only a cosmetic issue, or does it cause problems for you?

Daniel: I hadn't tried to use the private key since I haven't been able to get 
it by the subject name. It's not a cosmetic issue because I only store the 
sample-dn

> > Note: When I use pk12util I can successfully export and then import in the
> > firefox nss database and appears good.
>
> Which confirms that your earlier certificate had worked.

Daniel: Yes, but what is the main reason that in the original NSS database the
key has the alias "NSS Certificate DB:sample-dn" but the imported NSS database
has the alias "sample-dn"?

> You said you are using "PKCS11Wrapper in Java", do you refer to a Java
> application that accesses your NSS database directly - or do you refer
> to an applet downloaded from a website that you expect to be able to
> access the private key?

Daniel: I access it directly using the IAIK PKCS11Wrapper

> Kai

Thanks

Daniel
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
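
Added example, not part of the original thread and not NSS or IAIK code: a Python parser for the `certutil -K` key listing quoted above that separates an optional `token:` prefix from the nickname, so a stored nickname such as "sample-dn" resolves to the same key ID whether or not the prefix is shown. It assumes the text before the first colon is the token name and that a key with no certificate is listed as `(orphan)`; the function and type names are hypothetical, and every sample line except the one quoted in the thread is constructed.

```python
import re
from typing import List, NamedTuple, Optional

# First key line is the one quoted in the thread; the rest is constructed.
# Assumption: a key with no matching certificate is listed as "(orphan)".
SAMPLE_LISTING = """\
certutil: Checking token "NSS Certificate DB" in slot "constructed slot name"
< 9> rsa      c679865c65628623c59ab392019943ef426aa2e1   NSS Certificate DB:sample-dn
<10> rsa      0123456789abcdef0123456789abcdef01234567   other-dn
<11> rsa      89abcdef0123456789abcdef0123456789abcdef   (orphan)
"""

KEY_LINE = re.compile(r"^<\s*(\d+)>\s+(\S+)\s+([0-9a-fA-F]+)\s+(.*\S)\s*$")


class KeyEntry(NamedTuple):
    index: int                # position in the listing, not a stable identifier
    key_type: str
    key_id: str               # hex ID column
    token: Optional[str]      # text before the first ":" (assumed token name)
    nickname: Optional[str]   # None when the key has no nickname


def parse_key_listing(text: str) -> List[KeyEntry]:
    entries = []
    for line in text.splitlines():
        m = KEY_LINE.match(line)
        if not m:
            continue          # header or other non-key line
        index, key_type, key_id, name = m.groups()
        token, nickname = None, name
        if name == "(orphan)":
            nickname = None
        elif ":" in name:
            token, nickname = name.split(":", 1)
        entries.append(KeyEntry(int(index), key_type, key_id.lower(), token, nickname))
    return entries


def key_id_for(text: str, nickname: str) -> str:
    """Return the key ID for a stored nickname, with or without a token prefix."""
    ids = [e.key_id for e in parse_key_listing(text) if e.nickname == nickname]
    if len(ids) != 1:
        raise LookupError(f"{len(ids)} keys match nickname {nickname!r}")
    return ids[0]


if __name__ == "__main__":
    print(key_id_for(SAMPLE_LISTING, "sample-dn"))
```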
