There seems to be some functionality of keyutil that never made it into other tools. It looks like pk12util is meant to handle key extraction or importing, but it works with both cert and key at the same time and only seems to support cert7.db files. symkeyutil is built by default in the nss build, but doesn't seem to be currently working right.
If I need to move certs and keys from one set of databases to another, how is it done? What is the proper way to back up a key generated by a certificate request? When certutil -R is run, an unnamed key gets put in the key database but there's no way to get it out until the cert is signed and installed and the key gets the nickname of the cert. At least as far as I can tell.

If a certificate signing request is generated by some other tool (like 'openssl genrsa -out host.key 1024; openssl req -new -key host.key -out host.csr') and then signed, is there a way to import the key and cert into the "trust" database together without converting them to a pkcs12 file and using pk12util?

Some software products (like Sun Java Enterprise System) use versions of the nss tools that don't seem to be compatible with the latest builds and don't ship with pk12util. When I use the latest pk12util to load the certificate and key, the Sun certutil can see the cert and key but can't validate them.

certutil: could not find certificate named "test1": security library: bad database.

Any input? Mainly what I want is a reliable way to back up my keys and certificates starting at the initial CSR.

Eric Irrgang - UT Austin ITS Unix Systems - (512)475-9342
