> I first posted this in the 'security' newsgroup. It was suggested that
> here is more appropriate.
Yup. This is the right place.
I'm interested in your case, because you seem to have experienced a crash and/or infinite loop in certutil.
First, I'm going to suggest that you retry a couple steps with a small variation on the commands you used, to see what, if any, different results you get. I'm also going to ask you to email me a zip file containing your CSRs, and your root CA cert to see if I can reproduce the problem for myself.
In your listing of the commands you ran, I saw these pieces:
> # Generate the CSR
> $CU -R -o csr.txt -a -s "CN=$USER oject signing cert, O=arcamax.com" -v 100
and later I saw
> $CU -C -c "arcamax.com" -i csr.txt -a -o cert.txt -1 -2 -5
The output of the command "certutil -H" (the LONG help message) shows that the -C command does not take the -a option. That help output states that the -C requires that the CSR be BINARY. So, I'd like you to try this again, and remove the -a option from both of the above two commands, and maybe name the file csr.bin instead of csr.txt. That is, generate a binary CSR, and input a binary CSR.
If that solves the problem, then we have a very good idea which code is failing. If not, we have to look further.
It should not be necessary to start all over from the beginning, but if you do, please back up and then blow away the existing *.db files in the directories where they were created by $CU -N, that is in $CADB and $SIGNDB.
The certutil -N command creates new DBs only if no DBs already exist.
If you start over, you should start over with fresh new files.
Whether the csr.bin files work or not, please zip up and email me both the csr.bin and csr.txt files and the amirootca.cacert file, so that I can attempt to reproduce the crash or loop myself. Note that I do NOT need or want your key3.db files (where your private keys live).
One more question: what was the value of $USER in your examples? Did it perchance contain any non-ASCII characters? E.g. characters with umlauts, etc?
> I also attempted to compile from source on the RedHat 7.3 box. I did
> not find instructions on how to do this. I found this page:
> http://www.mozilla.org/projects/security/pki/nss/buildnss_31.html
http://www.mozilla.org/projects/security/pki/nss/nss-3.9/nss-3.9-build.html
> BTW: As I work on this I am developing a document of what needs to be
> done. I can make this available if there is interest.
Maybe you can take over that documentation on mozdev and fix it.
-- Nelson B
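Added example, not part of the original message: a Python check of whether a CSR file is in the ASCII (-a) form or the binary form discussed above, with conversion of the former to the latter before it is handed to certutil -C. The function names and the sample bytes are constructed for illustration; the sample is a minimal DER SEQUENCE, not a real CSR.

```python
import base64
import re

# ASCII CSRs carry the base64 body between these markers; any descriptive
# text lines printed before the BEGIN marker are skipped by the search.
PEM_RE = re.compile(
    rb"-----BEGIN (?:NEW )?CERTIFICATE REQUEST-----(.*?)"
    rb"-----END (?:NEW )?CERTIFICATE REQUEST-----",
    re.DOTALL,
)


def der_length_ok(data: bytes) -> bool:
    """True if data is exactly one DER SEQUENCE whose length field matches."""
    if len(data) < 2 or data[0] != 0x30:      # 0x30 = SEQUENCE tag
        return False
    first = data[1]
    if first < 0x80:                          # short-form length
        header, length = 2, first
    else:                                     # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(data[2:2 + n], "big")
    return header + length == len(data)


def pem_to_der(data: bytes) -> bytes:
    """Extract and decode the base64 body; raise ValueError if it is not DER."""
    match = PEM_RE.search(data)
    if not match:
        raise ValueError("no CERTIFICATE REQUEST markers found")
    body = base64.b64decode(b"".join(match.group(1).split()), validate=True)
    if not der_length_ok(body):
        raise ValueError("decoded body is not a single DER SEQUENCE")
    return body


def csr_encoding(data: bytes) -> str:
    """Classify file contents as 'der' (binary), 'pem' (ASCII) or 'unknown'."""
    if der_length_ok(data):
        return "der"
    try:
        pem_to_der(data)
        return "pem"
    except ValueError:                        # binascii.Error is a ValueError
        return "unknown"


# Constructed sample: SEQUENCE { INTEGER 0 }, standing in for csr.bin / csr.txt.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x00])
SAMPLE_PEM = (b"header text\n-----BEGIN NEW CERTIFICATE REQUEST-----\n"
              + base64.b64encode(SAMPLE_DER)
              + b"\n-----END NEW CERTIFICATE REQUEST-----\n")
```

On real files, read each with `open(path, "rb").read()` and pass the bytes to `csr_encoding`.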
