Ben - I agree that the syntactical help could be much better. It would be best to create a CR for the issue; I will make sure it gets tracked. As with anything in OpenSolaris, a CR is required before any fix can be put back, but whether that CR is generated by an external person or an internal one doesn't matter. In this case, it would be cool if you created the CR and filled in your issue in detail; then someone here will pick it up and work on a fix (probably me).
-Wyllys

Ben Rockwood wrote:
> pktool has gotten a bad rap as impossibly difficult to use, largely due to
> the syntax. As an example, the following:
>
> <pre>
> benr at quadra KMF$ pktool gencsr -i keystore=file outcsr=csr outkey=privkey
> subject="cuddletech.com"
> Usage:
> pktool -? (help and usage)
> pktool -f option_file
> pktool subcommand [options...]
> ....
> </pre>
>
> This syntax conforms with the help output:
>
> <pre>
> gencsr [-i] keystore=file
> outcsr=csr-fn
> outkey=key-fn
> subject=subject-DN
> [ altname=[critical:]SubjectAltName ]
> [ keyusage=[critical:]usage,usage,...]
> [ keytype=rsa|dsa ]
> [ keylen=key-size ]
> [ eku=[critical:]EKU name,...]
> [ format=pem|der ]
> </pre>
>
> However, it doesn't work because -i (shown in the help as optional) is
> mutually exclusive to subject= (shown in the help as required).
>
> Furthermore, lack of error reporting and the large number of arguments can cause
> a simple syntax issue to turn into an hour-long slug-fest.
>
> In the few cases where there is error reporting, it's utterly unhelpful,
> example:
>
> <pre>
> benr at quadra KMF$ pktool gencsr keystore=file outcsr=csr outkey=privkey
> subject="cuddletech.com"
> Error creating CSR or keypair:
> libkmf error: KMF_ERR_RDN_PARSER
> Usage:
> pktool -? (help and usage)
> pktool -f option_file
> </pre>
>
> The problem here is that the subject line isn't a proper DN, it should be
> "CN=cuddletech.com" rather than "cuddletech.com"... but the error reported is
> entirely non-intuitive. The untrained admin won't realize that
> "KMF_ERR_RDN_PARSER" means the subject line format is invalid.
>
> I like pktool, it's an awesome utility, but issues like the above hamper
> adoption. When a good admin can do something in 2 minutes using OpenSSL
> tools and they spent 30 minutes trying to figure out how to do it with pktool,
> they just give up.
>
> Is there an effort to improve these usability issues or do I need to create a
> CR?
>
> benr.
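The failure Ben hits above is a subject string that is not a sequence of `attr=value` RDNs, which libkmf only reports as `KMF_ERR_RDN_PARSER`. The following POSIX sh wrapper is an added example for this thread, not code from pktool or OpenSolaris: it checks the subject DN before the `gencsr` call so the admin gets a readable message, and it builds the `pktool gencsr` line without `-i`, since the thread reports `-i` and `subject=` are mutually exclusive. The function names `validate_subject_dn` and `gencsr_command` are my own; the DN grammar checked here (comma-separated `attr=value` pairs, no escaped commas) is an assumption adequate for the simple subjects in the thread, not a full RFC 4514 parser.

```shell
#!/bin/sh
# Added example: pre-check a subject DN for "pktool gencsr" so a malformed
# subject yields a readable message instead of the raw KMF_ERR_RDN_PARSER.
# Assumption: a DN is a comma-separated list of attr=value RDNs such as
# "CN=cuddletech.com, O=Cuddletech"; escaped commas inside values are not handled.

# validate_subject_dn DN
# Returns 0 when every comma-separated piece looks like TYPE=value with a
# non-empty value; otherwise prints the offending piece to stderr and returns 1.
validate_subject_dn() {
    dn=$1
    if [ -z "$dn" ]; then
        echo "subject: empty DN (expected e.g. CN=host.example.com)" >&2
        return 1
    fi
    # Split on commas without globbing; positional parameters are local to
    # the function in POSIX sh, so this does not clobber the caller's.
    old_ifs=$IFS
    set -f
    IFS=','
    set -- $dn
    IFS=$old_ifs
    set +f
    for rdn in "$@"; do
        # Trim leading spaces ("CN=a, O=b" splits into "CN=a" and " O=b").
        while [ "${rdn# }" != "$rdn" ]; do rdn=${rdn# }; done
        case "$rdn" in
            [A-Za-z]*=?*) ;;   # e.g. CN=host, O=org, emailAddress=user@host
            *)
                echo "subject: '$rdn' is not an attr=value RDN; did you mean CN=$rdn ?" >&2
                return 1 ;;
        esac
    done
    return 0
}

# gencsr_command KEYSTORE OUTCSR OUTKEY DN
# Prints the pktool gencsr command line for the given file keystore after
# validating DN.  Deliberately never passes -i: per the thread, -i (interactive
# subject prompting) and subject= cannot be combined.
gencsr_command() {
    validate_subject_dn "$4" || return 1
    printf 'pktool gencsr keystore=%s outcsr=%s outkey=%s subject="%s"\n' \
        "$1" "$2" "$3" "$4"
}

# Usage (the second call reproduces the thread's mistake and is rejected up front):
#   gencsr_command file csr privkey "CN=cuddletech.com"
#   gencsr_command file csr privkey "cuddletech.com"
```

Run the printed line with `eval "$(gencsr_command file csr privkey 'CN=cuddletech.com')"` or paste it; the point is that the DN check happens before libkmf is ever invoked, so the error names the bad RDN and suggests the `CN=` form.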
