Hello folks,

Any update on this? One of my customers is waiting on this. Daniel Veditz from dev-security asked me to contact this list. Hope someone can look into this. If required, I can repro this and show it to someone who has developed certutil.
Thanks.

On Thu, May 8, 2014 at 7:03 PM, radiatejava <radiatej...@gmail.com> wrote:
> Hello All,
> I am using NSS db and utility to maintain certificates for a web
> server. I am facing an issue, please go through the steps I am
> listing. Can anyone explain why I am getting the 'u' attr for the certificate
> with the ca-3 alias even though I did not provide this attribute while
> adding it. This is creating a problem for me - the CA-signed cert with the
> tomcat alias is not considered as the server certificate but the one with
> ca-3 is being considered.
>
> Please help me to get over this issue, thanks.
>
> I have the ca-3 alias for a self-signed cert and the tomcat alias is for the CA-signed
> cert:
>
> 1. [root@GQMTRLPSN01 CSCOcpm]# certutil -d /opt/CSCOcpm/appsrv/apache-tomcat-6.0.36/conf/nssdb/ -L
> ca-2 CT,C,C
> ca-3 CTu,Cu,Cu
> ca-7 CT,C,C
> www.cisco.com.pem CT,C,C
> tomcat u,u,u
> ca-1 CT,C,C
> ca-4 CT,C,C
>
> 2. I deleted ca-3 from the nss db:
> [root@GQMTRLPSN01 CSCOcpm]# certutil -D -n ca-3 -d /opt/CSCOcpm/appsrv/apache-tomcat/conf/nssdb/ -k /opt/CSCOcpm/appsrv/apache-tomcat/conf/pwdfile.txt
>
> So now, ca-3 is no longer listed.
> [root@GQMTRLPSN01 CSCOcpm]# certutil -d /opt/CSCOcpm/appsrv/apache-tomcat-6.0.36/conf/nssdb/ -L
> ca-2 CT,C,C
> ca-7 CT,C,C
> www.cisco.com.pem CT,C,C
> tomcat u,u,u
> ca-1 CT,C,C
> ca-4 CT,C,C
>
> 3. Next, added ca-3 again (cmd was taken from instrumented output):
> [root@GQMTRLPSN01 CSCOcpm]# certutil -A -n ca-3 -i /tmp/cert6345886513151373833.pem -t 'TP,,' -d /opt/CSCOcpm/appsrv/apache-tomcat-6.0.36/conf/nssdb/ -f /opt/CSCOcpm/appsrv/apache-tomcat-6.0.36/conf/pwdfile.txt
>
> The moment I did this, I can see the 'u' attr for this cert:
> [root@GQMTRLPSN01 CSCOcpm]# certutil -d /opt/CSCOcpm/appsrv/apache-tomcat-6.0.36/conf/nssdb/ -L
> ca-2 CT,C,C
> ca-7 CT,C,C
> ca-3 TPu,u,u
> www.cisco.com.pem CT,C,C
> tomcat u,u,u
> ca-1 CT,C,C
> ca-4 CT,C,C

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
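For readers who land on this thread: the lowercase 'u' in a certutil listing is not a trust value you pass with -t. NSS prints it for any certificate whose private key is present in the key database (key3.db/key4.db), so a self-signed cert generated inside the same database keeps showing 'u' after it is deleted with `certutil -D` and re-added with `certutil -A`, because `-D` removes only the certificate and leaves the key behind (`certutil -K -d <dir> -f <pwdfile>` lists the keys that are actually stored). The script below is an added example, not code from the thread or from NSS: it parses `certutil -L` output, splits the three trust columns, and reports which nicknames carry a private key. The sample listing is constructed from step 3 of the quoted message with the header certutil normally prints in front of it.

```python
"""Parse `certutil -L` output and find which certificates carry a private key.

Added example, not from the thread. In NSS the 'u' trust letter is set by
certutil itself whenever the private key for that certificate is in the key
database; it cannot be granted or removed with the -t option.
"""
import re
from dataclasses import dataclass
from typing import List

# Meaning of each trust letter, as documented in the certutil man page.
TRUST_LETTERS = {
    "p": "Valid peer",
    "P": "Trusted peer (implies p)",
    "c": "Valid CA",
    "C": "Trusted CA (implies c)",
    "T": "Trusted CA for client authentication (SSL server only)",
    "u": "User certificate: the private key is in the key database",
}

# One entry line of `certutil -L`: a nickname (which may contain spaces),
# whitespace, then three comma-separated trust columns for SSL, S/MIME and
# JAR/XPI (object signing). Header and blank lines never match.
_LINE_RE = re.compile(
    r"^(?P<nick>\S.*?)\s+(?P<trust>[pPcCTu]*,[pPcCTu]*,[pPcCTu]*)\s*$"
)


@dataclass
class CertEntry:
    nickname: str
    ssl: str
    email: str
    objsign: str

    @property
    def has_private_key(self) -> bool:
        """True when certutil marked the certificate 'u' in any column."""
        return any("u" in col for col in (self.ssl, self.email, self.objsign))

    @property
    def is_server_candidate(self) -> bool:
        """A TLS server can only present a certificate whose key it holds."""
        return "u" in self.ssl


def parse_certutil_list(output: str) -> List[CertEntry]:
    """Parse the text printed by `certutil -d <dir> -L` into entries."""
    entries = []
    for line in output.splitlines():
        m = _LINE_RE.match(line.rstrip())
        if not m:
            continue  # header, blank line, or something that is not an entry
        ssl, email, objsign = m.group("trust").split(",")
        entries.append(CertEntry(m.group("nick"), ssl, email, objsign))
    return entries


def user_certs(entries: List[CertEntry]) -> List[str]:
    """Nicknames whose private key is in the database (the 'u' entries)."""
    return [e.nickname for e in entries if e.has_private_key]


def explain(flags: str) -> List[str]:
    """Expand one trust column such as 'TPu' into its documented meanings."""
    return [TRUST_LETTERS[ch] for ch in flags if ch in TRUST_LETTERS]


# Constructed sample: the listing from step 3 of the quoted message, with the
# two header lines certutil prints before the entries.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ca-2                                                         CT,C,C
ca-7                                                         CT,C,C
ca-3                                                         TPu,u,u
www.cisco.com.pem                                            CT,C,C
tomcat                                                       u,u,u
ca-1                                                         CT,C,C
ca-4                                                         CT,C,C
"""

if __name__ == "__main__":
    entries = parse_certutil_list(SAMPLE_LISTING)
    for e in entries:
        state = "private key present" if e.has_private_key else "no private key"
        print(f"{e.nickname:20} {e.ssl:>4},{e.email:>3},{e.objsign:>3}  {state}")
    print("certificates a server could present:",
          [e.nickname for e in entries if e.is_server_candidate])
```

Run against the poster's listing it reports both ca-3 and tomcat as holding a private key, which is exactly why both are candidates for the server certificate: the trust letters passed with `-t 'TP,,'` never touch that property. To make ca-3 lose the 'u', the key itself has to go (`certutil -F` deletes a key together with its certificate), not just the certificate.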