On Wed, 25 May 2016, Andrew Cagney wrote:

I suspect the correct way is to create the certificate at the same
time as the key-pair (like certutil -S).


I was hoping to avoid that, but if that's what is needed we could do
that.

Since we're using NSS we should, perhaps, try to be more NSS like.

That's not "embrace and extend" :)

Otoh, we know how to find the key-pair using the ckaid so it can be
done in rsasigkey or showhostkey.

right.

(I still can't see the point of certutil -G (other than provide a
reference implementation for rsasigkey)).

It is probably just a tool that uses the nss libraries for the real
work. We cannot use it instead of rsasigkey because nss-utils do
not get FIPS certification unlike the nss library.

Paul
_______________________________________________
Swan-dev mailing list
https://lists.libreswan.org/mailman/listinfo/swan-dev
