Hello folks,
Any update on this? One of my customers is waiting on this. Daniel
Veditz from dev-security asked me to contact this list. Hope someone
can look into this. If required, I can repro this and show it to
someone who has developed certutil.

Thanks.

On Thu, May 8, 2014 at 7:03 PM, radiatejava <radiatej...@gmail.com> wrote:
> Hello All,
> I am using NSS db and utility to maintain certificates for a web
> server. I am facing an issue, please go through the steps I am
> listing. Can anyone explain why I am getting 'u' attr for certificate
> with ca-3 alias even though I did not provide this attribute while
> adding it? This is creating a problem for me - CA signed cert with
> tomcat is not considered as the server certificate but the one with
> ca-3 is being considered.
>
> Please help me to get over this issue, thanks.
>
> I have ca-3 alias for a self-signed cert and tomcat alias is for CA signed 
> cert:
> 1. [root@GQMTRLPSN01 CSCOcpm]# certutil -d
> /opt/CSCOcpm/appsrv/apache-tomcat-6.0.36/conf/nssdb/ -L
> ca-2                                                         CT,C,C
> ca-3                                                         CTu,Cu,Cu
> ca-7                                                         CT,C,C
> www.cisco.com.pem                            CT,C,C
> tomcat                                                     u,u,u
> ca-1                                                         CT,C,C
> ca-4                                                         CT,C,C
>
> 2. I deleted ca-3 from nss db:
> [root@GQMTRLPSN01 CSCOcpm]# certutil -D -n ca-3  -d
> /opt/CSCOcpm/appsrv/apache-tomcat/conf/nssdb/  -k
> /opt/CSCOcpm/appsrv/apache-tomcat/conf/pwdfile.txt
>
> So now, ca-3 is no longer listed.
> [root@GQMTRLPSN01 CSCOcpm]# certutil -d
> /opt/CSCOcpm/appsrv/apache-tomcat-6.0.36/conf/nssdb/ -L
> ca-2                                                         CT,C,C
> ca-7                                                         CT,C,C
> www.cisco.com.pem                            CT,C,C
> tomcat                                                       u,u,u
> ca-1                                                        CT,C,C
> ca-4                                                        CT,C,C
>
> 3. Next, added ca-3 again (cmd was taken from instrumented output):
>  [root@GQMTRLPSN01 CSCOcpm]# certutil -A -n ca-3 -i
> /tmp/cert6345886513151373833.pem -t 'TP,,'  -d
> /opt/CSCOcpm/appsrv/apache-tomcat-6.0.36/conf/nssdb/  -f
> /opt/CSCOcpm/appsrv/apache-tomcat-6.0.36/conf/pwdfile.txt
>
> The moment I did this, I can see the 'u' attr for this cert:
> [root@GQMTRLPSN01 CSCOcpm]# certutil -d
> /opt/CSCOcpm/appsrv/apache-tomcat-6.0.36/conf/nssdb/ -L
> ca-2                                                         CT,C,C
> ca-7                                                         CT,C,C
> ca-3                                                         TPu,u,u
> www.cisco.com.pem                               CT,C,C
> tomcat                                                       u,u,u
> ca-1                                                         CT,C,C
> ca-4                                                         CT,C,C
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
