User Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:53.0) Gecko/20100101 Firefox/53.0 Build ID: 20170420084331 Steps to reproduce: Description of problem: when inputting a Subject Key Identifier or Authority Key Identifier, it is not clear how to input binary data. The correct method is to put a hex-encoded value, WITHOUT octet/group separation and WITH a 0x prefix. But the manpage does not mention this. Without these conditions, the value is interpreted literally (which is probably not what the user wants). I had to read source code to work this out >_<. Version-Release number of selected component (if applicable): How reproducible: always Steps to Reproduce: 1. Sign a certificate using a CA and requesting the --extSKID: [~/nssdb] root# certutil -d . -f pwdfile.txt -C \ -i req.csr -o ext.crt -z /etc/motd -c ca2 --extSKID Adding Subject Key ID extension. Enter value for the key identifier fields,enter to omit: 4171ac49be1c9b915ce69336b80264ce323c37be Is this a critical extension [y/N]? n Actual results: Observe that certutil has interpreted the input literally: [~/nssdb] root# openssl x509 -text < ext.crt | grep -A 1 "Subject Key Ident" X509v3 Subject Key Identifier: 34:31:37:31:61:63:34:39:62:65:31:63:39:62:39:31:35:63:65:36:39:33:33:36:62:38:30:32:36:34:63:65:33:32:33:63:33:37:62:65 41:71:AC:49:BE:1C:9B:91:5C:E6:93:36:B8:02:64:CE:32:3C:37:BE Expected results: This is the expected result. The problem is that the way to get certutil to interpret the value as hex is totally undocumented. If the input had been prefixed with "0x", the correct interpretation occurs: [~/nssdb] root# openssl x509 -text < ext.crt | grep -A 1 "Subject Key Ident" X509v3 Subject Key Identifier: 41:71:AC:49:BE:1C:9B:91:5C:E6:93:36:B8:02:64:CE:32:3C:37:BE This must be documented in the man page.
Bulk change per wleung.
Priority: -- → P3
You need to log in before you can comment on or make changes to this bug.