Neil Durant wrote:
> 
> I have been trying to set up a private certificate authority so that I
> can sign jar files used within the organisation I work at, for use in
> Mozilla applications.  I followed the steps on chapter 12 of the
> O'Reilly Mozilla book, and ran into problems at the end when trying to
> sign jar files. I then found articles in this newsgroup pointing out
> errors in the text. So I followed the steps laid out in the draft
> revision of that chapter (http://certs.mozdev.org/cadraft.html), and I
> still have problems.
> 
> Here are the steps I am doing:
> 
> mkdir CA
> mkdir JAR
> certutil -N -d CA
> certutil -d CA -S -s "CN=I2 root CA, O=I2" -n "I2" -t ",,C" -v 96 -x -1 -2 -5
> certutil -d CA -L
> certutil -L -d CA -n "I2" -a -o CA/root.cacert
> pp -t certificate -a -i CA/root.cacert
> certutil -d JAR -A -n "I2" -t ",,C" -i CA/root.cacert
> 
> At this point, according to the documentation on the webpage I should
> have to enter a password, but instead the command completes without
> asking for one.  

This behavior is the result of an improperly initialized key DB.  The
original chapter 12 recommended removing the key db after initializing it
(after the certutil -N step), which led to this problem.  Start all over,
with empty CA and JAR directories.  Don't remove any files along the way.

> If I continue...
> 
> certutil -L -d JAR
> certutil -d JAR -R -o JAR/req.txt -a -s "CN=I2 signing cert, O=I2" -v 95
> 
> I get the following error:
>   certutil: unable to generate key(s)
>   : An I/O error occurred during security authorization.
> 
> I found articles in this newsgroup relating to this error, when the
> key3.db and secmod.db file are deleted, but I have not been deleting
> them.

Well, the fact that you weren't asked for a password (as you noted above)
indicates that the cert DB was not properly initialized with a password.
This suggests that either the certutil -N step terminated abnormally 
without initializing the DB with the password, or that the key DB was 
deleted after this step, and then created (but not initialized) by some
subsequent certutil command.

> What am I doing wrong?  Hope someone can help!
> 
> Regards,
> 
> Neil


--
Nelson Bolyard               
Disclaimer:                  I speak for myself, not for Netscape
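The procedure from the post, as an added example that is not code from the thread, from the O'Reilly chapter or from the draft revision: the same certutil steps as a script that initializes both DBs once, never deletes a file afterwards, and refuses to run a certutil step if the key DB has gone missing, since that is how the "unable to generate key(s)" state Nelson describes arises (the next certutil call silently recreates an empty, password-less key DB). Assumptions: the CA and JAR directory names from the post; a password file and a noise file that the script creates; certutil's --keyUsage/--nsCertType options in place of the interactive -1/-5 prompts; the issuing (-C) and final import steps, which the thread never reaches; and a 'run' argument to start the procedure.

```shell
#!/bin/sh
# Added example for this thread, not code from the post or the draft chapter.
# Assumed: directories CA and JAR as in the post; pw.txt and noise.bin created
# here; --keyUsage/--nsCertType instead of the interactive -1/-5 prompts;
# the -C/-A issuing steps, which the thread does not reach; a 'run' argument.

# True if DIR holds a complete NSS database set, in either the legacy dbm
# layout (cert8.db/key3.db/secmod.db) or the sqlite layout
# (cert9.db/key4.db/pkcs11.txt).
db_intact() {
  if [ -f "$1/cert8.db" ] && [ -f "$1/key3.db" ] && [ -f "$1/secmod.db" ]; then
    return 0
  fi
  if [ -f "$1/cert9.db" ] && [ -f "$1/key4.db" ] && [ -f "$1/pkcs11.txt" ]; then
    return 0
  fi
  return 1
}

# Run one certutil command against DIR, but only while the DB set is intact.
# Deleting key3.db after -N does not fail loudly: the next certutil call
# recreates an uninitialized key DB and key generation then dies with
# "An I/O error occurred during security authorization". Abort first, so the
# only fix needed is the one Nelson gives: start over with empty directories.
step() {
  dir=$1; shift
  if ! db_intact "$dir"; then
    echo "abort: $dir is missing NSS db files; start over with empty CA and JAR dirs" >&2
    return 1
  fi
  certutil -d "$dir" "$@"
}

build_ca() {
  ca=${1:-CA}; jar=${2:-JAR}
  pw=$ca/pw.txt; noise=$ca/noise.bin
  mkdir -p "$ca" "$jar"

  # DB password in a 0600 file so every step runs non-interactively
  # (assumed placement; keep it out of any directory you hand around).
  umask 077
  [ -f "$pw" ] || printf '%s\n' "${NSS_DB_PASSWORD:?set NSS_DB_PASSWORD}" > "$pw"
  head -c 1024 /dev/urandom > "$noise"

  # Initialize both DBs with the password. Nothing may be deleted after this.
  certutil -N -d "$ca"  -f "$pw"
  certutil -N -d "$jar" -f "$pw"

  # Self-signed root. -2 (basic constraints) still prompts: CA? / path length /
  # critical?, so the answers (yes, unlimited, yes) are fed on stdin.
  printf 'y\n\ny\n' | step "$ca" -S -s "CN=I2 root CA, O=I2" -n "I2" -t ",,C" \
      -v 96 -x -g 2048 -f "$pw" -z "$noise" -2 \
      --keyUsage certSigning,crlSigning --nsCertType objectSigningCA

  # Export the root in ASCII and trust it in the JAR db as an object-signing CA.
  step "$ca"  -L -n "I2" -a -o "$ca/root.cacert"
  step "$jar" -A -n "I2" -t ",,C" -i "$ca/root.cacert"

  # The request step that failed for Neil; -f and -z make it non-interactive.
  step "$jar" -R -s "CN=I2 signing cert, O=I2" -a -o "$jar/req.txt" \
      -g 2048 -f "$pw" -z "$noise"

  # Issue the signing cert from the CA and import it into the JAR db
  # (assumed continuation beyond where the thread stops).
  step "$ca"  -C -c "I2" -i "$jar/req.txt" -o "$jar/signer.cert" -a -v 95 \
      -m 1001 -f "$pw"
  step "$jar" -A -n "I2 signing cert" -t ",,u" -i "$jar/signer.cert"

  # Lists the signing key: this is what a properly initialized key DB shows.
  step "$jar" -K -f "$pw"
}

case "${1:-}" in
  run) build_ca "${2:-CA}" "${3:-JAR}" ;;
esac
```

Invoke as `NSS_DB_PASSWORD=... sh ca.sh run` from a directory with no existing CA or JAR; `db_intact` and `step` are plain shell and can be checked without NSS installed.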
