Jakub Scholz-2 wrote
> Hi Peter,
>
> You do not have the private key properly loaded with the rest of the
> certificate in your database. The database listing looks like this
> with a private key properly loaded:
>
> Certificate Nickname                           Trust Attributes
>                                                SSL,S/MIME,JAR/XPI
>
> cbgc03                                         u,u,u
>
> The "u" sign indicates that you have a user certificate / private key.
> With the "certutil -R" command you generated only a certificate
> request which needs to be signed by certification authority. Do you
> want to use signed or self-signed certificate? In case self-signed is
> OK for you, you can create it for example like this:
>
> certutil -S -d ./server_db/ -n yourCertNickName -s "CN=my.host.com" -g 2048 -Z SHA512
>
> In case you want to use signed certificate, have the CSR file you have
> signed by your CA and then load the CRT file which they give you in
> return using following command:
>
> certutil -A -d ./server_db/ -i signed.crt -n yourCertNickName
>
> Afterwards your certificate database should be correct ...
>
> Regards
> Jakub
The -R generates the private key AND the certificate signing request. I
submitted that CSR to our cert provider (Thawte) and received back a
certificate that I imported using -A. The import went fine as did the import
of the intermediary certs; the cert comes back as valid. I have been unable
to set the u (-t) either as part of the import or as a modification (-M)
later. There are no error messages; the output of -L looks the same as in my
original post.
I don't disagree that there might be a problem with the key, but I don't know
why, since it was generated with the CSR and a valid cert was imported in
response. Also, I am not sure that is the problem. On another system
here is the output:
LIST PRIVATE KEYS:
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
Enter Password or Pin for "NSS Certificate DB":
< 0> rsa      a33333333333333333333333333333333   CN=aaaaaa.bbb.cccccc.com,OU=zzzzz,O=qqqqqqq,L=Anywhere,ST=NY,C=US

LIST CERTS:
Certificate Nickname                                                 Trust Attributes
                                                                     SSL,S/MIME,JAR/XPI

Thawte 2                                                             CT,,
aaaaaa.bbb.cccccc.com                                                ,,
Thawte 1                                                             CT,,
CN=aaaaaa.bbb.cccccc.com,OU=zzzzz,O=qqqqqqq,L=Anywhere,ST=NY,C=US    u,u,u
But when I run qpidd, I still get:
error Failed to initialise SSL plugin: Failed to retrieve private key from certificate (qpid/sys/ssl/SslSocket.cpp:186)
On this system the key was generated with keytool and the key/cert combo
(p12) was imported via pk12util. It looks better, but it is still the same error
message (albeit at a different line in the code: 186 vs. 206).
--
View this message in context:
http://qpid.2158936.n2.nabble.com/Broker-SSL-Config-tp7582284p7582306.html
Sent from the Apache Qpid users mailing list archive at Nabble.com.
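The rule Jakub states above (a "u" in a trust column of the certutil -L listing means the certificate has a matching private key in the database) can be checked mechanically instead of by eye. The following Python script is an added example, not part of this thread and not Qpid or NSS code: it parses certutil -L and certutil -K output and reports whether the nickname a broker has been configured with (for qpidd this is assumed to be its ssl-cert-name option) names an entry that actually carries a private key, and which nicknames do. The sample listings are constructed from the output posted above, with the certutil -K line unwrapped onto one line as certutil prints it; on that sample only the DN-named entry carries a key.

```python
import re
from typing import Dict, List, Tuple

# Trust-attribute field as "certutil -L" prints it: three comma-separated groups of
# NSS flag letters (p, P, c, C, T, u, w), each group possibly empty, e.g. "CT,,", ",,", "u,u,u".
TRUST_RE = re.compile(r"^[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*$")
# Key line as "certutil -K" prints it: "<slot> type ckaid label" (label = nickname or subject).
KEY_RE = re.compile(r"^<\s*\d+>\s+(\w+)\s+([0-9a-fA-F]+)\s*(.*)$")

# Constructed sample input, laid out from the listing posted in the thread above.
CKAID = "a33333333333333333333333333333333"
DN = "CN=aaaaaa.bbb.cccccc.com,OU=zzzzz,O=qqqqqqq,L=Anywhere,ST=NY,C=US"
CERT_LIST = f"""\
Certificate Nickname                                        Trust Attributes
                                                            SSL,S/MIME,JAR/XPI

Thawte 2                                                    CT,,
aaaaaa.bbb.cccccc.com                                       ,,
Thawte 1                                                    CT,,
{DN}   u,u,u
"""
KEY_LIST = f"""\
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      {CKAID}   {DN}
"""


def parse_cert_list(text: str) -> Dict[str, Tuple[str, ...]]:
    """Map each nickname in certutil -L output to its (SSL, S/MIME, JAR/XPI) trust flags."""
    entries: Dict[str, Tuple[str, ...]] = {}
    for raw in text.splitlines():
        parts = raw.strip().rsplit(None, 1)
        # Header and blank lines have no trailing trust field; nicknames may contain spaces,
        # so only the last whitespace-separated token is treated as the trust field.
        if len(parts) != 2 or not TRUST_RE.match(parts[1]):
            continue
        entries[parts[0]] = tuple(parts[1].split(","))
    return entries


def parse_key_list(text: str) -> List[Tuple[str, str, str]]:
    """Extract (key type, CKA_ID, label) triples from certutil -K output."""
    keys: List[Tuple[str, str, str]] = []
    for raw in text.splitlines():
        m = KEY_RE.match(raw.strip())
        if m:
            keys.append((m.group(1), m.group(2).lower(), m.group(3).strip()))
    return keys


def has_private_key(trust: Tuple[str, ...]) -> bool:
    """NSS marks a certificate whose private key is in the database with 'u' in a trust column."""
    return any("u" in column for column in trust)


def diagnose(cert_list: str, key_list: str, configured_nickname: str) -> dict:
    """Check whether the nickname a server is configured with can actually serve TLS.

    configured_nickname is the value handed to the broker (assumed here to be qpidd's
    ssl-cert-name option); it must name an entry that carries a private key.
    """
    certs = parse_cert_list(cert_list)
    keys = parse_key_list(key_list)
    usable = sorted(n for n, t in certs.items() if has_private_key(t))
    # Keys whose label matches no key-bearing nickname are worth inspecting: NSS lists
    # keys even when no certificate in the database is attached to them.
    orphan_keys = [label for _, _, label in keys if label not in usable]
    return {
        "configured_present": configured_nickname in certs,
        "configured_has_key": has_private_key(certs.get(configured_nickname, ())),
        "usable_nicknames": usable,
        "orphan_keys": orphan_keys,
    }


if __name__ == "__main__":
    for nickname in ("aaaaaa.bbb.cccccc.com", DN):
        print(nickname, "->", diagnose(CERT_LIST, KEY_LIST, nickname))
```

To run it against a real database, feed it the captured output of `certutil -L -d <dbdir>` and `certutil -K -d <dbdir>` in place of the constructed strings; a configured nickname that shows `configured_has_key: False` is one the server cannot use for TLS regardless of how valid the certificate itself is.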