Closed Bug 61953 Opened 24 years ago Closed 24 years ago

certutil cannot create certificate (non-self-signed)

Categories

(NSS :: Tools, defect, P3)

Sun
Solaris
defect

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: chrisk, Assigned: wtc)

Details

I'm trying to create a little certificate infrastructure for our internal regression tests. I envisioned using certutil to create a self-signed CA cert, then a couple of user certificates signed by that CA cert, plus a server cert. I can generate the self-signed CA cert, but when trying to sign a user cert with the CA cert, I run into this:

----------------------------------------------------------------------------
$ /share/builds/components/nss/NSS_3_1_RTM/SunOS5.6_DBG.OBJ/bin/certutil -S -d /tmp/gencert.14422/client -n alpha -s "E=alpha@testcentral.com, CN=Franzl Alpha, UID=alpha, OU=People, O=TestCentral, C=US" -c cacert -t u,pu,u -g 1024 -m 2 -v 48 -f /tmp/gencert.14422/client/pw.txt -1 -5
A random seed must be generated that will be used in the creation of your key. One of the easiest ways to create a random seed is to use the timing of keystrokes on a keyboard.

To begin, type keys on the keyboard until this progress meter is full.
DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!

Continue typing until the progress meter is full:
|************************************************************|
Finished. Press enter to continue:
Generating key. This may take a few moments...

0 - Digital Signature
1 - Non-repudiation
2 - Key encipherment
3 - Data encipherment
4 - Key agreement
5 - Cert signning key
6 - CRL signning key
Other to finish
2
0 - Digital Signature
1 - Non-repudiation
2 - Key encipherment
3 - Data encipherment
4 - Key agreement
5 - Cert signning key
6 - CRL signning key
Other to finish
9
Is this a critical extension [y/n]? n
0 - SSL Client
1 - SSL Server
2 - S/MIME
3 - Object Signing
4 - Reserved for futuer use
5 - SSL CA
6 - S/MIME CA
7 - Object Signing CA
Other to finish
0
0 - SSL Client
1 - SSL Server
2 - S/MIME
3 - Object Signing
4 - Reserved for futuer use
5 - SSL CA
6 - S/MIME CA
7 - Object Signing CA
Other to finish
9
Is this a critical extension [y/n]? n
certutil: unable to find issuer with nickname cacert: Certificate extension not found.
certutil: could not obtain certificate from file: Certificate extension not found.
-----------------------------------------------------------------------------

I have verified that the certdb in /tmp/gencert.14422/client contains a self-signed cert nicknamed "cacert". However, it does not seem to be able to find it. It turns out that PK11_FindCertFromNickname() in line 1645 of certutil.c returns NULL. If I change this code to use CERT_FindCertByNickname, it'll find the certificate with no problems, but it will bail out a few lines later when PK11_FindKeyByAnyCert() returns NULL. The error message "Certificate extension not found" is generated earlier, somewhere not connected to the problem - PORT_GetError() returns this error already before calling PK11_FindCertFromNickname(), and PK11_FindCertFromNickname() does not call PORT_SetError() at all. I cannot use certutil as intended or documented, so IMHO the severity of this bug must be "blocker". Please contact me if you want the script that reproduces the problem.
Further tracing of the code led me to the code in pkcs11.c:3425 (add_cert_to_list) which seems to indicate that the "u" trust bit must be set for the CA cert. Doing this turned out to fix the problem, i.e. I can now create a user cert signed by the local CA cert. Sorry for the false alert. Anyway, having this documented in Bugzilla might help others.
Status: NEW → RESOLVED
Closed: 24 years ago
Resolution: --- → INVALID
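The CA-plus-user-cert workflow the reporter describes, as an added example that is not from the bug report or from NSS itself: it drives a current certutil non-interactively and gives the CA the "u" trust flag the reporter found was required before certutil -S -c could locate the issuer. It assumes certutil is on PATH; the database directory, password and noise file are constructed scratch values.

```shell
#!/bin/sh
# Added example, not code from the bug report or from NSS: create a self-signed
# CA, then a user cert signed by it, and check the trust flags afterwards.
# Assumes certutil is on PATH; DB is a constructed scratch directory.
set -eu

DB="${DB:-$(mktemp -d)}"
PW="$DB/pw.txt"
NOISE="$DB/noise.bin"

# New empty cert/key database protected by the password in $PW.
setup_db() {
    printf 'testpassword\n' > "$PW"
    head -c 1024 /dev/urandom > "$NOISE"   # -z seed file replaces the keystroke meter
    certutil -N -d "$DB" -f "$PW"
}

# Self-signed CA. Trust flags are SSL,S/MIME,objsign: "C"/"T" make it a trusted
# issuer and "u" records that this database holds its private key, the bit whose
# absence made certutil -S -c fail to find the issuer in the original report.
# The piped answers feed the -2 (basic constraints) prompts:
# CA? y / path length: default / critical? y
make_ca() {
    printf 'y\n\ny\n' | certutil -S -d "$DB" -f "$PW" -z "$NOISE" \
        -n cacert -s "CN=TestCentral CA, O=TestCentral, C=US" \
        -x -t "CTu,Cu,Cu" -k rsa -g 2048 -m 1 -v 48 -2
}

# User certificate signed with the CA's key (-c names the issuer nickname).
make_user_cert() {
    certutil -S -d "$DB" -f "$PW" -z "$NOISE" \
        -n alpha -s "CN=Franzl Alpha, UID=alpha, OU=People, O=TestCentral, C=US" \
        -c cacert -t "u,u,u" -k rsa -g 2048 -m 2 -v 48
}

# Check: does the SSL trust column for nickname $1 contain "u"?
has_user_trust() {
    certutil -L -d "$DB" | awk -v nick="$1" \
        '$1 == nick { split($NF, t, ","); if (index(t[1], "u")) ok = 1 }
         END { exit ok ? 0 : 1 }'
}

# Check: does the certificate with nickname $1 name $2 as its issuer DN prefix?
issued_by() {
    certutil -L -d "$DB" -n "$1" | grep -q "Issuer: \"$2"
}

main() {
    setup_db; make_ca; make_user_cert
    has_user_trust cacert && has_user_trust alpha && issued_by alpha "CN=TestCentral CA"
    certutil -L -d "$DB"
}
if [ "${RUN_EXAMPLE:-0}" = 1 ]; then main; fi
```

Run with `RUN_EXAMPLE=1 sh script.sh`; the final `certutil -L` listing should show `CTu,Cu,Cu` beside cacert and `u,u,u` beside alpha.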