certutil currently cannot import private keys from a PEM file, it silently skips over private keys. We could improve usability by using two minor changes, which shouldn't cause any side effects: (a) If a user attempts to import a certificate in the ASCII format, search if the file contains the phrase "PRIVATE KEY". If it does, print a warning message "certutil cannot import private keys in this format, please use pk12util" but proceed as usual (import cert, skip key). (b) If a user explicitly requests to set the certificate to include "u" for any usage, then FAIL with an error like: "Usage u requires a private key, use pk12util to import a certificate with a private key."
I'm adjusting my (b) suggestion. Even in that scenario, I want to print a warning only, to change the existing behaviour as little as possible.
Created attachment 754375 [details] [diff] [review] Patch v1 This patch is slightly larger than expected, because we're operating on a file handle, which could be standard input, so we cannot read the file twice. This means, we must adjust the function that processes the input stream. Luckily that function is in the tool code, so the function can easily be changed, without breaking any API/ABI promises of the core NSS library.
Output with this change: $ certutil -A -d /tmp/bla/ -n test -a -i test.cert -t u,u,u Warning: ignoring private key. Consider to use pk12util. Notice: Trust flag u is set automatically if the private key is present.
Created attachment 754376 [details] [diff] [review] Patch v2
Comment on attachment 754376 [details] [diff] [review] Patch v2 r+ Of the changes, the warning on trying to set the 'u' bits are probably the most useful. bob