Closed
Bug 450288
Opened 16 years ago
Closed 16 years ago
certutil reports error when trying to add cert to NSS database
Categories
(NSS :: Libraries, defect)
Tracking
(Not tracked)
RESOLVED
DUPLICATE
of bug 385946
People
(Reporter: elio.maldonado.batiz, Unassigned)
Details
Attachments (1 file): 2.83 KB, application/x-shellscript
Yevgeniy Gubenko reported on mozilla.dev.tech.crypto. His report follows, edited to accommodate the screen:

I use NSS 3.11.4 with NSPR 4.6.4 (for FIPS compliant usage). Here are the steps I perform to add a new certificate to the NSS db:

Phase 1 - Create a CA Certificate

# CA: Create NSS DB for CA
# Create the folder:
mkdir /opt/nss/fipscadb/
# Create the DB
/opt/nss/bin/certutil -N -d /opt/nss/fipscadb/ -f /opt/nss/fipscadb/pwdfile.txt
# Make DB FIPS compliant:
/opt/nss/bin/modutil -fips true -dbdir /opt/nss/fipscadb

# CA: Create a CA certificate for self signing in NSS CA db
/opt/nss/bin/certutil -S -d /opt/nss/fipscadb/ -n cacert \
  -s "CN=et, OU=org unit, O=org, L=TA, ST=AAA, C=BB" -x -t "CTu,CTu,CTu" -v 120 \
  -f /opt/nss/fipscadb/pwdfile.txt -z /opt/nss/fipscadb/noise.txt

# CA: Export the certificates to a file
/opt/nss/bin/certutil -L -n cacert -a -d /opt/nss/fipscadb/ -o cacert.cer

Phase 2 - Create a Server Certificate

# Server: Create NSS DB for Server
# Create the folder:
mkdir /opt/nss/fipsdb/
# Create the DB
/opt/nss/bin/certutil -N -d /opt/nss/fipsdb/ -f /opt/nss/fipsdb/pwdfile.txt
# Make DB FIPS compliant:
/opt/nss/bin/modutil -fips true -dbdir /opt/nss/fipsdb

# Server: Create a server certificate request (.csr file)
/opt/nss/bin/certutil -R -a -o servercert.csr \
  -s "CN=et, OU=org unit, O=org, L=TA, ST=AAA, C=BB" -p "650-555-8888" -d /opt/nss/fipsdb/ \
  -f /opt/nss/fipsdb/pwdfile.txt -z /opt/nss/fipsdb/noise.txt

# CA: Sign the CSR using NSS tools:
# Copy the certificate request file from server to CA:
cp /opt/nss/fipsdb/servercert.csr /opt/nss/fipscadb/
# Sign (output is .cer file):
/opt/nss/bin/certutil -C -c cacert -a -i /opt/nss/fipscadb/servercert.csr \
  -o /opt/nss/fipscadb/servercert.cer -v 120 -f /opt/nss/fipscadb/pwdfile.txt -d /opt/nss/fipscadb/ \
  -s "CN=et, OU=org unit, O=org, L=CC, ST=AAA, C=BB"

# Server: Import the server certificate signed by CA using NSS tools
# Copy the certificate file from CA to Server:
cp /opt/nss/fipscadb/servercert.cer /opt/nss/fipsdb/
# Import certificate:
/opt/nss/bin/certutil -A -n servercert -t "p,p,p" \
  -a -i /opt/nss/fipsdb/servercert.cer -d /opt/nss/fipsdb/

After the last command I get an error: "certutil: could not add certificate to token or database: Error adding certificate to database." If I don't perform modutil -fips on the Server Database no error occurs.
Comment 1•16 years ago
Another way is to follow the steps in http://www.mozilla.org/projects/security/pki/nss/ref/ssl/gtstd.html#1011987. With either set of steps I am able to reproduce the problem on NSS 3.11.4. It works fine on 3.12.0. I tried other 3.11.x tags. The problem persists on 3.11.9 while it is fixed in the latest code from the NSS_3_11_BRANCH. I used the latest NSPR from trunk with the latest NSS from the branch via: cvs co NSPR; cvs co -r NSS_3_11_BRANCH NSS. When I tried the steps without using extensions (-2 -6 options) I could not reproduce the problem.
Updated•16 years ago
Summary: Error adding certificate to NSS database → certutil reports error when trying to add cert to NSS database
Comment 2•16 years ago
I can actually reproduce without extensions.
Updated•16 years ago
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → DUPLICATE
Comment 4•16 years ago
Elio, what changed between comment 1 (where you reported that you could not reproduce without cert extensions) and comment 2 (where you reported that you could reproduce without cert extensions)?
Comment 5•16 years ago
Comment 6•16 years ago
I used 3.11.9 the second time and slightly different steps. I have since repeated in 3.11.4 and 3.11.9 and still see the failure, extensions or not. Script attached.