I checked the software token, it does not have any keys or certificates. I'm stuck and clueless here. <div>Below is the detailed steps I tried today to add a self signed certificate to database. But still the rsaprivate shows nochange. </div>
<div><br></div><div><br></div><div><br></div><div><div><b>bash-3.00# cd ../nssdb</b></div><div><b>bash-3.00# rm *</b></div><div><b>bash-3.00# certutil -N -d .</b></div><div>Enter a password which will be used to encrypt your keys.</div>
<div>The password should be at least 8 characters long,</div><div>and should contain at least one non-alphabetic character.</div><div><br></div><div>Enter new password:</div><div>Re-enter password:</div><div><b><br></b></div>
<div><br></div><div><b>bash-3.00# ls</b></div><div>cert8.db key3.db secmod.db</div><div><b>bash-3.00# chmod 777 *</b></div><div><b>bash-3.00# modutil -dbdir . -nocertdb -force -add "Sun Crypto Accelerator" -libfile /usr/lib/libpkcs11.so -mechanisms RSA:DSA:RC4:DES</b></div>
<div>Module "Sun Crypto Accelerator" added to database.</div><div><b>bash-3.00# modutil -list -dbdir . </b></div><div>Listing of PKCS #11 Modules</div><div>-----------------------------------------------------------</div>
<div> 1. NSS Internal PKCS #11 Module</div><div> slots: 2 slots attached</div><div> status: loaded</div><div><br></div><div> slot: NSS Internal Cryptographic Services</div><div> token: NSS Generic Crypto Services</div>
<div><br></div><div> slot: NSS User Private Key and Certificate Services</div><div> token: NSS Certificate DB</div><div><br></div><div> 2. Sun Crypto Accelerator</div><div> library name: /usr/lib/libpkcs11.so</div>
<div> slots: 2 slots attached</div><div> status: loaded</div><div><br></div><div> slot: Sun Metaslot</div><div> token: Sun Metaslot</div><div><br></div><div> slot: Sun Crypto Softtoken</div>
<div> token: Sun Software PKCS#11 softtoken</div><div>-----------------------------------------------------------</div><div><b>bash-3.00# certutil -S -x -n "cert309" -t "u,u,u" -k rsa -g 1024 -v 120 -s "cn=nobody,ou=Org,o=Sun,L=Santa Clara,ST=California,C=US" -d . -h "Sun Metaslot"</b></div>
<div><b>Enter Password or Pin for "Sun Metaslot":</b></div><div><br></div><div>A random seed must be generated that will be used in the</div><div>creation of your key. One of the easiest ways to create a</div>
<div>
random seed is to use the timing of keystrokes on a keyboard.</div><div><br></div><div>To begin, type keys on the keyboard until this progress meter</div><div>is full. DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!</div>
<div><br></div><div><br></div><div>Continue typing until the progress meter is full:</div><div><br></div><div>|************************************************************|</div><div><br></div><div>Finished. Press enter to continue:</div>
<div><br></div><div><br></div><div>Generating key. This may take a few moments...</div><div><br></div><div>Enter Password or Pin for "Sun Software PKCS#11 softtoken":</div><div><br></div><div><b>bash-3.00# certutil -K -d .</b></div>
<div>certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"</div><div>Enter Password or Pin for "NSS Certificate DB":</div><div>certutil: no keys found</div>
<div><b>bash-3.00# certutil -K -d . -h "Sun Software PKCS#11 softtoken"</b></div><div>certutil: Checking token "Sun Software PKCS#11 softtoken" in slot "Sun Crypto Softtoken"</div><div>Enter Password or Pin for "Sun Software PKCS#11 softtoken":</div>
<div>certutil: no keys found</div><div><b>bash-3.00# certutil -K -d . -h "Sun Metaslot"</b></div><div>certutil: Checking token "Sun Metaslot" in slot "Sun Metaslot"</div><div>Enter Password or Pin for "Sun Metaslot":</div>
<div>< 0> rsa 204a23dbb2e82d7d8c1495e3374dcd4462423e4c Sun Metaslot:cert309</div><div>< 1> rsa 54ea6d93df1cfef13064aedc6f6c7f0dce34e7b6 Sun Metaslot:cert147</div><div>< 2> rsa 34d4a4974cf325e735dd23bb3a6b4680249f3550 (orphan)</div>
<div>< 3> rsa 2018eecb4c05eb25cd30be4de6f13ccaeadcb43d Sun Metaslot:cert1151</div><div>< 4> rsa 61932a2d796fd8f6e82949059176e980cde5c55a sanCert</div><div>< 5> rsa 4e752a9b4a76c1462d9aec76de1617e08d07ff42 Sun Metaslot:ismc_cert</div>
<div><br></div><div><br></div><div><b>bash-3.00# certutil -L -d .</b></div><div><br></div><div>Certificate Nickname Trust Attributes</div><div> SSL,S/MIME,JAR/XPI</div>
<div><br></div><div><b>bash-3.00# certutil -L -d . -h "Sun Software PKCS#11 softtoken"</b></div><div><br></div><div>Certificate Nickname Trust Attributes</div><div> SSL,S/MIME,JAR/XPI</div>
<div><br></div><div>Enter Password or Pin for "Sun Software PKCS#11 softtoken":</div><div><b>bash-3.00# certutil -L -d . -h "Sun Metaslot"</b></div><div><br></div><div>Certificate Nickname Trust Attributes</div>
<div> SSL,S/MIME,JAR/XPI</div><div><br></div><div>Enter Password or Pin for "Sun Metaslot":</div><div>Sun Metaslot:cert309 u,u,u</div>
<div>Sun Metaslot:cert147 u,u,u</div><div>Sun Metaslot:cert1151 u,u,u</div><div>Sun Metaslot:sanCert u,u,u</div>
<div>Sun Metaslot:CACERT CA ,,</div><div>Sun Metaslot:ismc_cert u,u,u</div><div><br></div><div><b> modutil -disable "NSS Internal PKCS #11 Module" -dbdir .</b></div>
<div><br></div><div>WARNING: Performing this operation while the browser is running could cause</div><div>corruption of your security databases. If the browser is currently running,</div><div>you should exit browser before continuing this operation. Type</div>
<div>'q <enter>' to abort, or <enter> to continue:</div><div><br></div><div>Slot "NSS Internal Cryptographic Services" disabled.</div><div>Slot "NSS User Private Key and Certificate Services" disabled.</div>
<div><br></div><div><b>bash-3.00# modutil -enable "Sun Crypto Accelerator" -dbdir .</b></div><div><br></div><div>WARNING: Performing this operation while the browser is running could cause</div><div>corruption of your security databases. If the browser is currently running,</div>
<div>you should exit browser before continuing this operation. Type</div><div>'q <enter>' to abort, or <enter> to continue:</div><div><br></div><div>Slot "Sun Metaslot" enabled.</div><div>Slot "Sun Crypto Softtoken" enabled.</div>
<div><br></div><div><br></div><div><br></div><div><br></div><br><div class="gmail_quote">On Wed, Aug 12, 2009 at 2:01 AM, Rob Crittenden <span dir="ltr"><<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">Rishi Renjith wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im">
Hello, The issue with the dummy DB was that some permissions to some files in it were not given. I did a chmod 777 to all files and now the dummy DB seems to be working fine. <br>
I configured the NSS database with the crypto card(sun sca6000) as follows. mkdir /opt/SMC/Apache2/nsscertdb<br>
<br>
cd /opt/SMC/Apache2/nsscertdb<br>
<br>
-certutil -N -d /opt/SMC/Apache2/nsscertdb<br>
<br>
-modutil -dbdir . -nocertdb -force -add "Sun Crypto Accelerator" -libfile /usr/lib/libpkcs11.so -mechanisms RSA:DSA:RC4:DES<br>
modutil -list -dbdir /opt/SMC/Apache2/nssdb<br>
Using database directory /opt/SMC/Apache2/nssdb...<br>
<br>
Listing of PKCS #11 Modules<br>
-----------------------------------------------------------<br>
1. NSS Internal PKCS #11 Module<br>
slots: 2 slots attached<br>
status: loaded<br>
<br>
slot: NSS Internal Cryptographic Services<br>
token: NSS Generic Crypto Services<br>
<br>
slot: NSS User Private Key and Certificate Services<br>
token: NSS Certificate DB<br>
<br>
2. Sun Crypto Accelerator<br>
library name: /usr/lib/libpkcs11.so<br>
slots: 2 slots attached<br>
status: loaded<br>
<br>
slot: Sun Metaslot<br>
token: Sun Metaslot<br>
<br>
slot: Sun Crypto Softtoken<br>
token: Sun Software PKCS#11 softtoken<br>
-----------------------------------------------------------<br>
<br>
<br></div>
certutil -R -s "C=IN, O=NSN, OU=SPA2, CN=<a href="http://sandeeprc.eu.org" target="_blank">sandeeprc.eu.org</a> <<a href="http://sandeeprc.eu.org" target="_blank">http://sandeeprc.eu.org</a>>" -h "Sun Metaslot" -o ismc.csr -d . -a -n ismc_cert<div class="im">
<br>
<br>
(Got the CSR signed from CA Cert)<br>
certutil -A -d . -n "ismc_cert" -a -t "CT,," -i cert2.csr -h "Sun Metaslot"<br>
<br>
certutil -A -d . -n "CACERT CA" -a -t "CTu,CTu,CTu" -i ca.txt -h "Sun Metaslot"<br>
<br>
certutil -V -u V -d . -n "ismc_cert" -h "Sun Metaslot"<br>
<br>
The certificate is verified corrrectly. In nss.conf, i gave the following directives to use this database<br>
<br>
Now in NSS.conf I added the following lines to use the hardware accelarator<br>
NSSNickname "Sun Metaslot:ismc_cert"<br>
NSSCertificateDatabase /opt/SMC/Apache2/nssdb<br>
<br>
Now everything is working fine, the requests are getting processed correctly. But the issue is that the rsaprivate value is not getting incremented in the kstat -n mca0 output. Which means that it is not using the hardware accelerator card. <br>
I have also given cryptoadm enable metaslot token=<tokenname> so as to use the hardware accelerator. <br>
Any suggestions? <br>
(When we try to use mod_ssl using the pkcs patch, it s correctly incrementing the rsaprivate values.)<br>
</div></blockquote>
<br>
Make sure that the software token does not have the given cert and private key (actually make sure it doesn't have a cert with the same Subject and a corresponding private key -- NOTE: it should be sufficient to just remove the private key). If you do that there is no way that you can make the connection without using the accelerator for the RSA private op (since NSS does not have access to the private key itself).<br>
<font color="#888888">
<br>
rob<br>
</font></blockquote></div><br></div>