Hmmm. Seems I've found ANOTHER bug or two in certutil. The -R command ignores the -7 option. The -C command expects the alt names as -7 options on the command line, rather than in the .req file (apparently). So, put the -7 option on the -C command, too.
I got good results with the following shell script:
DB=MJ                      # NSS cert/key database directory (-d)
PASSWD=$DB/passwd.txt      # file holding the database password (-f)
RS=$DB/rand.seed           # noise file used for key generation (-z)
CANN=netauth.com           # nickname of the CA cert
# Create the empty database.
certutil -N -f $PASSWD -d $DB
# Make the self-signed (-x) CA cert and trust it as an issuer (-t "C,C,C").
certutil -S -s "cn=netauth ca,dc=netauth,dc=com" -n $CANN \
  -f $PASSWD -z $RS -x -t "C,C,C" -d $DB
# Request for jimi (-R ignores -7 here, see above, but it does no harm).
certutil -R -7 [EMAIL PROTECTED] -z $RS -f $PASSWD -o $DB/jimi.req -d $DB \
  -s "[EMAIL PROTECTED],cn=jimi hendrix,ou=people,dc=netauth,dc=com"
# Issue the cert from the request as CA $CANN; the e-mail alt name (-7) has to be given here.
certutil -C -i $DB/jimi.req -o $DB/jimi.crt -f $PASSWD -z $RS \
  -7 [EMAIL PROTECTED] -c $CANN -d $DB
# Import jimi's cert with empty trust (-t ",,"); it chains to the trusted CA.
certutil -A -n [EMAIL PROTECTED] -f $PASSWD -t ",," -i $DB/jimi.crt -d $DB
# Same three steps for tom.
certutil -R -s "[EMAIL PROTECTED],cn=tom jones,ou=people,dc=netauth,dc=com" \
  -7 [EMAIL PROTECTED] -z $RS -f $PASSWD -o $DB/tom.req -d $DB
certutil -C -i $DB/tom.req -o $DB/tom.crt -f $PASSWD -z $RS \
  -7 [EMAIL PROTECTED] -c $CANN -d $DB
certutil -A -n [EMAIL PROTECTED] -f $PASSWD -t ",," -i $DB/tom.crt -d $DB
# List all certs in the database, then print jimi's cert in full.
certutil -L -d $DB
certutil -L -d $DB -n [EMAIL PROTECTED]
# Encrypt (-E) jimi.txt for recipient jimi (looked up by e-mail address), then decrypt (-D) it again.
cmsutil -E -r [EMAIL PROTECTED] -i $DB/jimi.txt -d $DB -p foobar -o $DB/jimi.env
cmsutil -D -d $DB -i $DB/jimi.env -p foobar
Note also that I used empty trust for jimi's and tom's certs. That is sufficient and more appropriate for a real-world test. Also, in a real-world scenario, one would expect the rand.seed file to be regenerated before each use, not used repeatedly.
Nelson,
Thanks for the friendly help. I think this will allow me to carry on with my tests.
BR, Mike
_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto
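The behaviour behind the -7 observation above, shown as an added Go (standard library only) illustration that is not certutil and not from the post: a CA builds the certificate from its own template, so an rfc822Name requested in the CSR only lands in the issued cert if the CA copies it over, and the function at the end returns the e-mail SANs actually present, which is the check to run on an issued cert before relying on recipient lookup by address. The throwaway CA, the user name and the address are constructed test data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must keeps the constructed demo short: any failure in the setup is fatal.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issueFromCSR does what a CA does with a request: the cert is built from the CA's own
// template, so the CSR's rfc822Name only appears if copied over (copySAN), like -C needing -7.
func issueFromCSR(csrDER []byte, ca *x509.Certificate, caKey *ecdsa.PrivateKey, copySAN bool) *x509.Certificate {
	csr := must(x509.ParseCertificateRequest(csrDER))
	if err := csr.CheckSignature(); err != nil { // requester really holds the key
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: csr.Subject,
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}}
	if copySAN {
		tmpl.EmailAddresses = csr.EmailAddresses // the only way the SAN gets into the cert
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey))))
}

// issuedEmailSANs builds a throwaway CA and CSR (constructed data, not the post's DB), issues
// with or without copying the SAN, and returns the rfc822Names actually in the issued cert.
func issuedEmailSANs(email string, copySAN bool) []string {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "demo ca"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(48 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	userKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	csrDER := must(x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
		Subject: pkix.Name{CommonName: "demo user"}, EmailAddresses: []string{email}}, userKey))
	return issueFromCSR(csrDER, ca, caKey, copySAN).EmailAddresses
}

func main() { fmt.Println(issuedEmailSANs("user@example.test", false), issuedEmailSANs("user@example.test", true)) }
```

Running it prints an empty list for the first call and `[user@example.test]` for the second: the request asked for the same SAN both times, only the issuing step differed.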
