Closed Bug 450288 Opened 16 years ago Closed 16 years ago

certutil reports error when trying to add cert to NSS database

Categories

(NSS :: Libraries, defect)

3.11.4
x86
Linux
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 385946

People

(Reporter: elio.maldonado.batiz, Unassigned)


Attachments

(1 file)

2.83 KB, application/x-shellscript
Yevgeniy Gubenko reported on mozilla.dev.tech.crypto

His report follows, edited to accommodate the screen:
I use NSS 3.11.4 with NSPR 4.6.4 (for FIPS compliant usage).
Here are the steps I perform to add a new certificate to the NSS db:
Phase 1 -  Create a CA Certificate

# CA: Create NSS DB for CA
# Create the folder:
mkdir /opt/nss/fipscadb/
# Create the DB
/opt/nss/bin/certutil -N -d /opt/nss/fipscadb/ -f /opt/nss/fipscadb/pwdfile.txt
# Make DB FIPS compliant:
/opt/nss/bin/modutil -fips true -dbdir /opt/nss/fipscadb
#  CA: Create a CA certificate for self signing in NSS CA db
/opt/nss/bin/certutil -S -d /opt/nss/fipscadb/ -n cacert \
-s "CN=et, OU=org unit, O=org, L=TA, ST=AAA, C=BB" -x -t "CTu,CTu,CTu" -v 120 \
-f /opt/nss/fipscadb/pwdfile.txt -z /opt/nss/fipscadb/noise.txt
#  CA: Export the certificates to a file
/opt/nss/bin/certutil -L -n cacert -a -d /opt/nss/fipscadb/ -o cacert.cer

# Phase 2 - Create a Server Certificate
# Server: Create NSS DB for Server
# Create the folder:
mkdir /opt/nss/fipsdb/
#  Create the DB
/opt/nss/bin/certutil -N -d /opt/nss/fipsdb/ -f /opt/nss/fipsdb/pwdfile.txt
#  Make DB FIPS compliant:
/opt/nss/bin/modutil -fips true -dbdir /opt/nss/fipsdb
#  Server: Create a server certificate request (.csr file)
/opt/nss/bin/certutil -R -a -o servercert.csr \
-s "CN=et, OU=org unit, O=org, L=TA, ST=AAA, C=BB" -p "650-555-8888" -d /opt/nss/fipsdb/ \
-f /opt/nss/fipsdb/pwdfile.txt -z /opt/nss/fipsdb/noise.txt
#  CA: Sign the CSR using NSS tools:
#  Copy the certificate request file from server to CA:
cp /opt/nss/fipsdb/servercert.csr /opt/nss/fipscadb/
#  Sign (output is .cer file):
/opt/nss/bin/certutil -C -c cacert -a -i /opt/nss/fipscadb/servercert.csr \
-o /opt/nss/fipscadb/servercert.cer -v 120 -f /opt/nss/fipscadb/pwdfile.txt -d /opt/nss/fipscadb/ \
-s "CN=et, OU=org unit, O=org, L=CC, ST=AAA, C=BB"
#  Server: Import the server certificate signed by CA using NSS tools
#  Copy the certificate file from CA to Server:
cp /opt/nss/fipscadb/servercert.cer /opt/nss/fipsdb/
#  Import certificate:
/opt/nss/bin/certutil -A -n servercert -t "p,p,p" \
-a -i /opt/nss/fipsdb/servercert.cer -d /opt/nss/fipsdb/

After the last command I get an error:
"certutil: could not add certificate to token or database: Error adding certificate to database."
If I don't perform modutil -fips on the Server database, no error occurs.
Another way is to follow the steps in http://www.mozilla.org/projects/security/pki/nss/ref/ssl/gtstd.html#1011987

With either set of steps I am able to reproduce the problem on NSS 3.11.4. It works fine on 3.12.0. I tried other 3.11.x tags. The problem persists on 3.11.9 while it is fixed in the latest code from the NSS_3_11_BRANCH. I used latest NSPR from trunk with latest NSS from branch via: cvs co NSPR; cvs co -r NSS_3_11_BRANCH NSS.

When I tried the steps without using extensions (-2 -6 options) I could not reproduce the problem.
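A throwaway probe for the failure described above, added here and not part of the report, the attached script, or NSS itself: it builds two FIPS-enabled NSS databases in a temporary directory, self-signs a CA, signs a server CSR, and attempts the same `certutil -A` import with "p,p,p" trust, so an operator can check an installed NSS build before relying on it. It assumes certutil and modutil are on PATH, and adds modutil's `-force` so the "type q to abort" prompt does not block a script; the password and noise file are constructed values.

```shell
#!/bin/sh
# Probe for the failure in this bug: can a CA-signed server cert be imported
# (certutil -A) into a FIPS-enabled NSS database on the installed NSS build?
# Return codes: 0 = import accepted, 1 = import refused (the reported failure),
# 2 = probe could not be set up (tools missing, FIPS toggle not permitted, ...).
fips_import_probe() {
    work=$(mktemp -d) || return 2
    ca="$work/cadb"; srv="$work/srvdb"; pw="$work/pw"; noise="$work/noise"
    mkdir "$ca" "$srv" || { rm -rf "$work"; return 2; }
    # Constructed password; chosen to also satisfy the stricter FIPS password rules.
    printf 'Probe-Pw-2024x\n' > "$pw"
    head -c 256 /dev/urandom > "$noise"     # constructed seed for key generation
    for db in "$ca" "$srv"; do
        certutil -N -d "$db" -f "$pw" || { rm -rf "$work"; return 2; }
        # -force skips modutil's interactive "type q to abort" prompt.
        modutil -fips true -dbdir "$db" -force >/dev/null 2>&1 || { rm -rf "$work"; return 2; }
    done
    # Setup chain: self-signed CA in the CA db, key pair + CSR in the server db,
    # CA signs the CSR into an ASCII (PEM) cert. Only then is rc moved to 1.
    rc=2
    certutil -S -d "$ca" -n cacert -s "CN=probe CA" -x -t "CT,C,C" -v 12 \
        -f "$pw" -z "$noise" >/dev/null 2>&1 &&
    certutil -R -d "$srv" -s "CN=probe server" -a -o "$work/srv.csr" \
        -f "$pw" -z "$noise" >/dev/null 2>&1 &&
    certutil -C -d "$ca" -c cacert -a -i "$work/srv.csr" -o "$work/srv.cer" \
        -v 12 -f "$pw" >/dev/null 2>&1 && rc=1
    if [ "$rc" -eq 1 ]; then
        # The step that fails on the affected 3.11.x builds.
        certutil -A -d "$srv" -n servercert -t "p,p,p" -a -i "$work/srv.cer" \
            -f "$pw" >/dev/null 2>&1 && rc=0
    fi
    rm -rf "$work"
    return "$rc"
}

if [ "${1-}" = "--run" ]; then
    fips_import_probe; r=$?
    case $r in
        0) echo "import into FIPS db OK: this NSS build is not affected" ;;
        1) echo "import into FIPS db FAILED: this NSS build shows the bug" ;;
        *) echo "probe could not be set up (see comments for reasons)" ;;
    esac
    exit "$r"
fi
```

Run it as `sh probe.sh --run`; the exit status is the probe result, so it can gate a deployment step.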

Summary: Error adding certificate to NSS database → certutil reports error when trying to add cert to NSS database
I can actually reproduce without extensions.
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → DUPLICATE
Elio, what changed between comment 1 (where you reported that you could 
not reproduce without cert extensions) and comment 2 (where you reported
that you could reproduce without cert extensions) ?
Attached file steps to reproduce
I used 3.11.9 the second time and slightly different steps. I have since
repeated in 3.11.4 and 3.11.9 and still see the failure, extensions or not.
Script attached.
