Silvio Arcangeli wrote:
Hello everybody,
I'm sorry to bother you with a question that is probably quite stupid, but
I'm a newbie to this technology and need some help.

That's what this group is for! Your questions aren't stupid at all.


I'm building a prototype of an Intranet authentication system using a Cisco
ACS server and a RadiantOne virtual LDAP server.
The CISCO ACS server requires the LDAP server to be very "Netscape-like". In
particular, for the SSL handshaking it requires a cert7.db file where to go
and look for the certificate used by the LDAP server.

I didn't understand that last sentence. Does the Cisco product use NSS, and therefore need a cert7.db file? If not, then what product needs the cert7.db file?

So what I did was to download the NSS tools, and try to build a brand new
cert7.db file (using the modutil -create) and then add my server's
certificate into it, using certutil with the following options:

certutil -A -n "Silvio Arcangeli" -i ..\rli.cer -d ..\databases\ -t "TCu" -password ..\password.txt

I also tried other combinations of parameters, but I always have the
following error message:

certutil: could authenticate to token or database: An I/O error occurred
during security authorization

What does it mean?
Am I missing any steps or parameters? Am I missing any DLL file?
(In order to have the tools running I downloaded the nss3.4.1 binary, the
nspr4.2.2 binary and put all the stuff together manually; I don't know if it's
the proper way of having them run.)

Several suggestions:


1. Instead of using "modutil -create", use "certutil -N -d ..." to create
   your DBs.  It will ask you to enter a password for the new key3.db file.

2. I'm guessing you're trying to install a root CA cert for which you do
   not have the private key.  In that case, remove the "u" from the trust
   string.  Make it "TC,,"

3. Certutil doesn't understand "-password".  The option for a password file
   is -f <file>, but you shouldn't need a password file to add a cert to
   the cert DB, UNLESS you've configured the module with modutil to be a
   FIPS module.  Have you done that?

thanks to everybody,
Silvio Arcangeli

-- Nelson B
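
Added example, not part of the original thread and not code from NSS or either poster: suggestions 1 and 2 above as POSIX shell, assuming certutil is on PATH. The function names ca_trust and import_ca are hypothetical, and the accepted flag letters are the ones listed in certutil's documentation for -t.

```sh
#!/bin/sh
# Added example (not from the thread). A trust string for "certutil -A -t" has
# three comma-separated fields: SSL, e-mail (S/MIME), object signing.

# Print the trust string normalized for a certificate imported WITHOUT its
# private key: pad to three fields and drop "u" (user cert). Returns 1 and
# prints nothing on stdout if a field holds an unknown flag or a 4th field exists.
ca_trust() {
    ssl= email= objsign= extra= out= sep=
    IFS=, read -r ssl email objsign extra <<EOF
$1
EOF
    [ -z "$extra" ] || { echo "too many trust fields: $1" >&2; return 1; }
    for field in "$ssl" "$email" "$objsign"; do
        case $field in
            *[!pPcCTuw]*) echo "unknown trust flag in: $1" >&2; return 1 ;;
        esac
        out="$out$sep$(printf %s "$field" | tr -d u)"
        sep=,
    done
    printf '%s\n' "$out"
}

# usage: import_ca DBDIR NICKNAME CERTFILE TRUST
import_ca() {
    trust=$(ca_trust "$4") || return 1
    # Suggestion 1: create the databases with certutil -N (it prompts for the
    # new key database password) unless a cert database is already present.
    ls "$1"/cert*.db >/dev/null 2>&1 || certutil -N -d "$1" || return 1
    # Suggestion 2: add the CA certificate with a trust string that has no "u".
    certutil -A -n "$2" -t "$trust" -i "$3" -d "$1" || return 1
    # List nicknames and trust flags to confirm what was stored.
    certutil -L -d "$1"
}

ca_trust "TCu"   # prints TC,,
```
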
