Closed Bug 441392 Opened 17 years ago Closed 2 years ago

Eliminate certutil's -G command

Categories

(NSS :: Tools, defect, P5)

3.12

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: nelson, Unassigned)

Details

I propose that we should eliminate certutil's -G command. It is useless for ordinary users, and is an ongoing source of confusion to users. Numerous public documents on how to use NSS mention it and explain it incorrectly. Nearly everyone who uses certutil -G really wants to use certutil -R (which generates a CSR).

I believe that certutil -G is a holdover from a day, long ago, before PKCS11, when NSS gave nicknames to private keys as well as to certs. In those days, you would create a key pair and give it a nickname with certutil -G, then later, you could generate a CSR from the nicknamed key pair, or delete the key pair by its nickname. But those days are long gone, and today, key pairs generated by certutil -G instantly become orphans. So, I propose to get rid of the command that creates these orphans.

The only use of certutil -G in NSS test scripts that I could find is this one: http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/security/nss/tests/dbupgrade/dbupgrade.sh&rev=1.3#104

It is unclear to me why that script is using that particular command. Slavo, Bob, can you explain why?

Some ideas include:
- Have -G output a message saying to use -R instead, or
- Have -G just become a synonym for -R
Severity: normal → S3
Severity: S3 → S4
Status: NEW → RESOLVED
Closed: 2 years ago
Priority: -- → P5
Resolution: --- → WONTFIX