From https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=185577 Description of problem: When I run "certutil -R" and supply an email address using the -y flag, I get an error message. Version-Release number of selected component (if applicable): nss-tools-3.11-4 How reproducible: Always Steps to Reproduce: 1. mkdir /tmp/z 2. certutil -d /tmp/z -N 3. certutil -d /tmp/z -R -s 'cn=Nalin Dahyabhai' -a -o /tmp/z/nalin.req -y firstname.lastname@example.org Actual results: I get this error message: certutil -y: incorrect public exponent 0.Must be 3, 17, or 65537. Expected results: certutil would usually ask me to help it seed its RNG, and proceed as normally
The -y option is for the public exponent only, we wouldn't want to overload this meaning. The -R command honors the -S command extension options -7 Create an email subject alt name extension certutil -d /tmp/z -R -s 'cn=Nalin Dahyabhai' -a -o /tmp/z/nalin.req -s email@example.com works as the reporter expected. Wouldn't this be the proper way?
Yep, looks like you're right -- the short-form ('-h') help output must be wrong.
Also, the documentation for the -7 -8 and -0 options are wrong or missing. Patch forthcoming.
Created attachment 331775 [details] [diff] [review] patch v1 How's this?
Comment on attachment 331775 [details] [diff] [review] patch v1 I don't know what the SSO-Password is, maybe you'd want to use a more obvious string. Besides from that the changes in the patch seem to match the information in secuCommandFlag options_init, so r+
If you create a new patch, and your only change is a more descriptive string for SSO, my r+ shall still apply.
Kai, as you may recall, certutil has both a "short" and a "long" usage message, obtained with certutil -h and certutil -H respectively. With this patch, the short message describes certutil's -T option as: Usage: certutil -T [-d certdir] [-P dbprefix] [-h token-name] [-f pwfile] [-0 SSO-password] and the long usage message describes it as: -T Reset the Key database or token -d certdir Cert database directory (default is ~/.netscape) -P dbprefix Cert & Key database prefix -h token-name Token to reset (default is internal) -0 SSO-password Set token's Site Security Officer password Do you think that SSO-password needs more explanation than that?
cmd/certutil/certutil.c; new revision: 1.141; previous revision: 1.140
Nelson, thanks for the clarification, you're right, that seems sufficient.