[Pki-users] certutil: unable to generate key(s)

Marc Sauton msauton at redhat.com
Wed Apr 29 19:06:27 UTC 2009


Fortunato wrote:
> Thanks!
>
> Fixed the -d option. 
>
> Now I'm getting:
>
>   Enter Password or Pin for "NSS Certificate DB":
>
> I did not set this Password/PIN.
means you are creating new NSS db files in the directory specified
>  All the docs reference tksTool.
not in:
http://www.redhat.com/docs/manuals/cert-system/7.3/html/Administration_Guide/Administration_Guide-Managing_Certificates-Requesting_and_Receiving_Certificates.html#Administration_Guide-Requesting_Certificates-Requesting_Certificates_using_certutil
may be in:
http://www.redhat.com/docs/manuals/cert-system/7.3/html/Administration_Guide/Administration_Guide-Token_Key_Service-Using_HSM_for_Generating_Keys.html
?
>  I don't want to fubar more things but it looks like the following is needed:
>
>   tksTool -N -d .
>   
will do it too, just make sure you are doing this in the directory you 
want to.
> I assume the tksTool is part of pki-tks.
>   
yes, you can verify with a
rpm -qf /usr/bin/tkstool
should get something with the string:
pki-native-tools

not sure why you want to use tkstool instead of certutil, or what may be 
the bigger issue.
> -----Original Message-----
>   
>> From: Marc Sauton <msauton at redhat.com>
>> Sent: Apr 29, 2009 11:42 AM
>> To: Fortunato <fortunato.montresor at earthlink.net>
>> Cc: pki-users at redhat.com
>> Subject: Re: [Pki-users] certutil: unable to generate key(s)
>>
>> Marc Sauton wrote:
>>     
>>> Fortunato wrote:
>>>       
>>>> Hello,
>>>>
>>>> I haven't found information on the topic but it looks like there's a 
>>>> problem with certutil - using IPv4.
>>>>
>>>>   [root@localhost alias]# certutil -R -k rsa -g 2048 -s "CN=cisco1.localdomain.com" -o cisco1.cert -v 12 -d /var/lib/pki-sub-ca/ -1 -3 -6
>>>>   certutil: unable to generate key(s)
>>>>   : An I/O error occurred during security authorization.
>>>>
>>>> Any ideas would be welcome.
>>>>
>>>> _______________________________________________
>>>> Pki-users mailing list
>>>> Pki-users at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/pki-users
>>>>   
>>>>         
>>> May want to tweak the -d option to point to the alias directory 
>>> <path-to-alias-dir>, not just /var/lib/pki-sub-ca/
>>> M.
>>>
>> Side note: the i/o error happens because of the missing NSS db files, 
>> either wrong alias directory with -d, or need a certutil -N -d <path> to 
>> create them.
>> M.
>>     
>
>   
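A pre-flight check for the situation in this thread, as an added example that is not part of the original messages: before passing a directory to certutil with -d, confirm it already holds a complete set of NSS database files, so a wrong path is reported up front instead of surfacing as an I/O error or as a password prompt for a newly created database. The function names are hypothetical; the file names are assumed to be the standard NSS ones (cert8.db, key3.db, secmod.db for the legacy format; cert9.db, key4.db, pkcs11.txt for the SQLite format).

```shell
#!/bin/sh
# Added example: classify a directory before using it as certutil -d <dir>.
# nss_db_kind prints one of:
#   missing  - path is not a directory
#   none     - directory holds no NSS database files
#   partial  - some, but not all, files of a database set are present
#   dbm      - complete legacy set (cert8.db, key3.db, secmod.db)
#   sql      - complete SQLite set (cert9.db, key4.db, pkcs11.txt)
nss_db_kind() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo missing
        return 0
    fi
    dbm=0
    sql=0
    for f in cert8.db key3.db secmod.db; do
        if [ -f "$dir/$f" ]; then dbm=$((dbm + 1)); fi
    done
    for f in cert9.db key4.db pkcs11.txt; do
        if [ -f "$dir/$f" ]; then sql=$((sql + 1)); fi
    done
    if [ "$sql" -eq 3 ]; then
        echo sql
    elif [ "$dbm" -eq 3 ]; then
        echo dbm
    elif [ $((dbm + sql)) -gt 0 ]; then
        echo partial
    else
        echo none
    fi
}

# nss_db_ready succeeds only when the directory is a complete NSS database,
# so a caller can stop before certutil creates new files or fails with an
# I/O error. Hypothetical usage:
#   nss_db_ready "$ALIAS_DIR" && certutil -R ... -d "$ALIAS_DIR"
nss_db_ready() {
    kind=$(nss_db_kind "$1")
    case $kind in
        dbm|sql) return 0 ;;
        *)
            echo "refusing: $1 is '$kind', not an NSS database directory" >&2
            return 1
            ;;
    esac
}
```

A result of `none` for the instance root together with `dbm` or `sql` for its alias subdirectory corresponds to the wrong -d path discussed above.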



