Hmmm.  Seems I've found ANOTHER bug or two in certutil.
The -R command ignores the -7 option.
The -C command expects the alt names as -7 options on the command line,
  rather than in the .req file (apparently).
So, put the -7 option on the -C command, too.

I got good results with the following shell script:

# Database directory, password file, random seed file and CA nickname.
DB=MJ
PASSWD=$DB/passwd.txt
RS=$DB/rand.seed
CANN=netauth.com
# Create the cert/key databases, then a self-signed CA cert (-x) with CA trust.
certutil -N -f $PASSWD -d $DB
certutil -S -s "cn=netauth ca,dc=netauth,dc=com" -n $CANN \
    -f $PASSWD -z $RS -x -t "C,C,C" -d $DB
# Request, CA-sign and import jimi's cert. -7 (e-mail SAN) is given to both
# -R and -C, since -R ignores it and -C takes it from the command line.
certutil -R -7 [EMAIL PROTECTED] -z $RS -f $PASSWD -o $DB/jimi.req -d $DB \
    -s "[EMAIL PROTECTED],cn=jimi hendrix,ou=people,dc=netauth,dc=com"
certutil -C -i $DB/jimi.req -o $DB/jimi.crt -f $PASSWD -z $RS \
    -7 [EMAIL PROTECTED] -c $CANN -d $DB
certutil -A -n [EMAIL PROTECTED] -f $PASSWD -t ",," -i $DB/jimi.crt -d $DB
# Same three steps for tom, again with empty trust (-t ",,") on import.
certutil -R -s "[EMAIL PROTECTED],cn=tom jones,ou=people,dc=netauth,dc=com" \
    -7 [EMAIL PROTECTED] -z $RS -f $PASSWD -o $DB/tom.req -d $DB
certutil -C -i $DB/tom.req -o $DB/tom.crt -f $PASSWD -z $RS \
    -7 [EMAIL PROTECTED] -c $CANN -d $DB
certutil -A -n [EMAIL PROTECTED] -f $PASSWD -t ",," -i $DB/tom.crt -d $DB
# List all certs, then dump jimi's cert in detail.
certutil -L -d $DB
certutil -L -d $DB -n [EMAIL PROTECTED]
# Encrypt a file to jimi (S/MIME envelope) and decrypt it again.
cmsutil -E -r [EMAIL PROTECTED] -i $DB/jimi.txt -d $DB -p foobar -o $DB/jimi.env
cmsutil -D -d $DB -i $DB/jimi.env -p foobar

Note also that I used empty trust for jimi and tom's certs.
That is sufficient and more appropriate for a real-world test.
Also, in a real-world scenario, one would expect the rand.seed file to
be regenerated before each use, not used repeatedly.

--
Nelson B
_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto
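The same certutil/cmsutil flow as an added example (not Nelson B's script), restructured along the lines of his two notes: the random seed is regenerated from /dev/urandom before every call that consumes it, -7 is passed to both -R and -C, and each issued cert is dumped with certutil -L and checked for the e-mail in its Subject Alt Name extension, so a regression of the -7 handling fails the script instead of passing silently. It assumes NSS certutil/cmsutil on PATH, a pre-created password file, that the redacted leading RDN of the subject was the e-mail ("E=") RDN, and that certutil prints the extension with the words "Subject Alt Name"; the database name, CA nickname, names and e-mail addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example, not the original post's script. Assumes NSS certutil and
# cmsutil on PATH; $DB/passwd.txt must already exist. All names, e-mail
# addresses and the DB directory are constructed placeholders.
set -eu

DB=${DB:-MJ}
PASSWD=$DB/passwd.txt
RS=$DB/rand.seed
CANN=${CANN:-netauth.com}

# Overwrite the seed file with fresh entropy so no two certutil runs share it.
fresh_seed() {
    dd if=/dev/urandom of="$RS" bs=1024 count=1 2>/dev/null
}

# Print the subject DN for a person. The leading RDN is assumed to be the
# e-mail ("E=") RDN that the list archive redacted in the original post.
subject_dn() {
    printf 'E=%s,cn=%s,ou=people,dc=netauth,dc=com' "$1" "$2"
}

# Issue and import one user cert: request (-R), CA-sign (-C), add (-A).
# -7 is repeated on -C because -C reads the alt names from the command line,
# not from the .req file.
issue_user_cert() {
    email=$1; cn=$2; base=$3
    fresh_seed
    certutil -R -7 "$email" -z "$RS" -f "$PASSWD" -o "$DB/$base.req" -d "$DB" \
        -s "$(subject_dn "$email" "$cn")"
    fresh_seed
    certutil -C -i "$DB/$base.req" -o "$DB/$base.crt" -f "$PASSWD" -z "$RS" \
        -7 "$email" -c "$CANN" -d "$DB"
    certutil -A -n "$email" -f "$PASSWD" -t ",," -i "$DB/$base.crt" -d "$DB"
}

# Succeed only if a certificate dump ($1, the output of certutil -L -n <nick>)
# contains a Subject Alt Name extension and names the e-mail address in $2.
# "Subject Alt Name" is the label certutil is assumed to print for that
# extension.
san_present() {
    dump=$1; email=$2
    printf '%s\n' "$dump" | grep -i -q 'subject alt name' || return 1
    printf '%s\n' "$dump" | grep -F -q "$email"
}

# Dump the named cert from the DB and verify its SAN; a non-zero exit means
# the -7 option did not take effect on this certutil build.
verify_san() {
    san_present "$(certutil -L -d "$DB" -n "$1")" "$1"
}

# Full run (invoke as: sh this.sh run). Guarded so the helper functions can be
# sourced and exercised without an NSS database present.
if [ "${1:-}" = run ]; then
    mkdir -p "$DB"
    certutil -N -f "$PASSWD" -d "$DB"
    fresh_seed
    certutil -S -s "cn=netauth ca,dc=netauth,dc=com" -n "$CANN" \
        -f "$PASSWD" -z "$RS" -x -t "C,C,C" -d "$DB"
    issue_user_cert jimi@netauth.com "jimi hendrix" jimi
    issue_user_cert tom@netauth.com "tom jones" tom
    for who in jimi@netauth.com tom@netauth.com; do
        verify_san "$who" && echo "SAN ok for $who"
    done
    # Round-trip an enveloped message to jimi, as in the original script.
    echo "constructed test message" > "$DB/jimi.txt"
    cmsutil -E -r jimi@netauth.com -i "$DB/jimi.txt" -d "$DB" -p foobar -o "$DB/jimi.env"
    cmsutil -D -d "$DB" -i "$DB/jimi.env" -p foobar
fi
```

Keeping the SAN check as a separate function that takes the dump text lets it be run against saved certutil -L output as well as live databases, and the per-call reseeding keeps the script honest about where its key material's randomness comes from.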
