[Pki-users] certutil: unable to generate key(s)

Fortunato fortunato.montresor at earthlink.net
Wed Apr 29 19:35:58 UTC 2009


SOLVED. 

That did the trick, but there were other plain-text items in the file. Additionally there are additional inputs involved when using certutil:

  # certutil -R -k rsa -g 2048 -s "CN=cisco1.stargatecommand.mil" -o cisco1.cert -v 12 -d . -1 -3 -6
  Enter Password or Pin for "NSS Certificate DB":

  A random seed must be generated that will be used in the
  creation of your key.  One of the easiest ways to create a
  random seed is to use the timing of keystrokes on a keyboard.

  To begin, type keys on the keyboard until this progress meter
  is full.  DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!


  Continue typing until the progress meter is full:

  |************************************************************|

  ...

--

The bigger issue is that I wanted to create a Certificate Request using certutil.

 

-----Original Message-----
>From: Chandrasekar Kannan <ckannan at redhat.com>
>Sent: Apr 29, 2009 11:56 AM
>To: Fortunato <fortunato.montresor at earthlink.net>
>Cc: Marc Sauton <msauton at redhat.com>, pki-users at redhat.com
>Subject: Re: [Pki-users] certutil: unable to generate key(s)
>
>On Wed, 2009-04-29 at 11:52 -0700, Fortunato wrote:
>> Thanks!
>> 
>> Fixed the -d option. 
>> 
>> Now I'm getting:
>> 
>>   Enter Password or Pin for "NSS Certificate DB":
>
>    cat /var/lib/pki-sub-ca/conf/password.conf contains what you need.
>    Look for internal token password. 
>
>> 
>> I did not set this Password/PIN. All the docs reference tksTool. I don't want to fubar more things but it looks like the following is needed:
>> 
>>   tksTool -N -d .
>> 
>> I assume the tksTool is part of pki-tks.
>> 
>> -----Original Message-----
>> >From: Marc Sauton <msauton at redhat.com>
>> >Sent: Apr 29, 2009 11:42 AM
>> >To: Fortunato <fortunato.montresor at earthlink.net>
>> >Cc: pki-users at redhat.com
>> >Subject: Re: [Pki-users] certutil: unable to generate key(s)
>> >
>> >Marc Sauton wrote:
>> >> Fortunato wrote:
>> >>> Hello,
>> >>>
>> >>> I haven't found information on the topic but it looks like there's a 
>> >>> problem with certutil - using IPv4.
>> >>>
>> >>>   [root@localhost alias]# certutil -R -k rsa -g 2048 -s "CN=cisco1.localdomain.com" -o cisco1.cert -v 12 -d /var/lib/pki-sub-ca/ -1 -3 -6
>> >>>   certutil: unable to generate key(s)
>> >>>   : An I/O error occurred during security authorization.
>> >>>
>> >>> Any ideas would be welcome.
>> >>>
>> >>> _______________________________________________
>> >>> Pki-users mailing list
>> >>> Pki-users at redhat.com
>> >>> https://www.redhat.com/mailman/listinfo/pki-users
>> >>>   
>> >> May want to tweak the -d option to point to the alias directory 
>> >> <path-to-alias-dir>, not just /var/lib/pki-sub-ca/
>> >> M.
>> >>
>> >Side note: the i/o error happens because of the missing NSS db files, 
>> >either wrong alias directory with -d, or need a certutil -N -d <path> to 
>> >create them.
>> >M.
>> 
>-- 
>
>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>Chandrasekar Kannan --  ckannan at redhat.com
>Quality Engineering -- http://www.redhat.com
>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
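
The two failure points in this thread (the I/O error when `-d` points at a directory without NSS db files, and the password and random-seed prompts) can be checked and answered up front. The script below is an added example, not code from the thread or from the pki project; it assumes password.conf holds a line of the form `internal=<password>`, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight checks before "certutil -R".

# Print the NSS database format found in directory $1:
# "sql" (cert9.db + key4.db), "dbm" (legacy cert8.db + key3.db) or "none".
# Returns 1 for "none", the condition behind the I/O error in the thread.
nss_db_format() {
    if [ -f "$1/cert9.db" ] && [ -f "$1/key4.db" ]; then
        echo sql
    elif [ -f "$1/cert8.db" ] && [ -f "$1/key3.db" ]; then
        echo dbm
    else
        echo none
        return 1
    fi
}

# Print the internal token password from a password.conf-style file.
# Assumption: the entry is a line "internal=<password>"; other entries
# (the "other plain-text items" in the file) are ignored.
internal_token_password() {
    sed -n 's/^internal=//p' "$1" | head -n 1
}

# usage: make_csr <alias-dir> <password.conf> <subject> <out-file>
# Runs certutil -R without prompts: -f supplies the token password from a
# 0600 temp file (kept off the command line), -z supplies the seed file
# in place of the keystroke meter. The thread's -1 -3 -6 extension flags
# prompt interactively and are left out here.
make_csr() {
    nss_db_format "$1" >/dev/null || {
        echo "no NSS db in $1: fix -d or run certutil -N -d $1" >&2
        return 2
    }
    tmp=$(mktemp -d) || return 1
    (
        umask 077
        internal_token_password "$2" > "$tmp/pw"
        dd if=/dev/urandom of="$tmp/noise" bs=2048 count=1 2>/dev/null
        certutil -R -k rsa -g 2048 -s "$3" -o "$4" -d "$1" \
                 -f "$tmp/pw" -z "$tmp/noise"
    )
    rc=$?
    rm -rf "$tmp"
    return $rc
}
```

`make_csr` returns 2 without calling certutil when the directory holds no NSS database, so a wrong `-d` path is reported before any key generation is attempted.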



