[Pki-users] certutil: unable to generate key(s)

Marc Sauton msauton at redhat.com
Wed Apr 29 21:14:41 UTC 2009


Fortunato wrote:
> SOLVED. 
>
> That did the trick, but there were other plain-text items in the file. Additionally there are additional inputs involved when using certutil:
>
>   
Use the option -z:
http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html
http://directory.fedora.redhat.com/wiki/Howto:SSL

>   # certutil -R -k rsa -g 2048 -s "CN=cisco1.stargatecommand.mil" -o cisco1.cert -v 12 -d . -1 -3 -6
>   Enter Password or Pin for "NSS Certificate DB":
>
>   A random seed must be generated that will be used in the
>   creation of your key.  One of the easiest ways to create a
>   random seed is to use the timing of keystrokes on a keyboard.
>
>   To begin, type keys on the keyboard until this progress meter
>   is full.  DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!
>
>
>   Continue typing until the progress meter is full:
>
>   |************************************************************|
>
>   ...
>
> --
>
> The bigger issue is that I wanted to create a Certificate Request using certutil.
>
>  
>
> -----Original Message-----
>   
>> From: Chandrasekar Kannan <ckannan at redhat.com>
>> Sent: Apr 29, 2009 11:56 AM
>> To: Fortunato <fortunato.montresor at earthlink.net>
>> Cc: Marc Sauton <msauton at redhat.com>, pki-users at redhat.com
>> Subject: Re: [Pki-users] certutil: unable to generate key(s)
>>
>> On Wed, 2009-04-29 at 11:52 -0700, Fortunato wrote:
>>     
>>> Thanks!
>>>
>>> Fixed the -d option. 
>>>
>>> Now I'm getting:
>>>
>>>   Enter Password or Pin for "NSS Certificate DB":
>>>       
>>    cat /var/lib/pki-sub-ca/conf/password.conf contains what you need.
>>    Look for internal token password. 
>>
>>     
>>> I did not set this Password/PIN. All the docs reference tksTool. I don't want to fubar more things but it looks like the following is needed:
>>>
>>>   tksTool -N -d .
>>>
>>> I assume the tksTool is part of pki-tks.
>>>
>>> -----Original Message-----
>>>       
>>>> From: Marc Sauton <msauton at redhat.com>
>>>> Sent: Apr 29, 2009 11:42 AM
>>>> To: Fortunato <fortunato.montresor at earthlink.net>
>>>> Cc: pki-users at redhat.com
>>>> Subject: Re: [Pki-users] certutil: unable to generate key(s)
>>>>
>>>> Marc Sauton wrote:
>>>>         
>>>>> Fortunato wrote:
>>>>>           
>>>>>> Hello,
>>>>>>
>>>>>> I haven't found information on the topic but it looks like there's a 
>>>>>> problem with certutil - using IPv4.
>>>>>>
>>>>>>   [root at localhost alias]# certutil -R -k rsa -g 2048 -s "CN=cisco1.localdomain.com" -o cisco1.cert -v 12 -d /var/lib/pki-sub-ca/ -1 -3 -6
>>>>>>   certutil: unable to generate key(s)
>>>>>>   : An I/O error occurred during security authorization.
>>>>>>
>>>>>> Any ideas would be welcome.
>>>>>>
>>>>>> _______________________________________________
>>>>>> Pki-users mailing list
>>>>>> Pki-users at redhat.com
>>>>>> https://www.redhat.com/mailman/listinfo/pki-users
>>>>>>   
>>>>>>             
>>>>> May want to tweak the -d option to point to the alias directory 
>>>>> <path-to-alias-dir>, not just /var/lib/pki-sub-ca/
>>>>> M.
>>>>>
>>>> Side note: the i/o error happens because of the missing NSS db files, 
>>>> either wrong alias directory with -d, or need a certutil -N -d <path> to 
>>>> create them.
>>>> M.
>>>>         
>> -- 
>>
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> Chandrasekar Kannan --  ckannan at redhat.com
>> Quality Engineering -- http://www.redhat.com
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>
>>     
>
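The three stumbling blocks in this thread (no NSS db files behind -d, the token password prompt, and the keystroke seed prompt) can all be handled before certutil runs. The script below is an added example, not code from any poster; it assumes a password file that contains only the internal token password, read with certutil's -f option, and the function names are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Paths and file names are assumptions.

# Return 0 if directory $1 holds an NSS database: either the legacy
# cert8.db/key3.db pair or the SQLite cert9.db/key4.db pair.
nss_db_present() {
    if [ -f "$1/cert8.db" ] && [ -f "$1/key3.db" ]; then return 0; fi
    if [ -f "$1/cert9.db" ] && [ -f "$1/key4.db" ]; then return 0; fi
    return 1
}

# Write a 2048-bit RSA certificate request without any prompts.
#   $1 NSS db (alias) directory   $2 subject DN   $3 output file
#   $4 file containing only the internal token password (assumed, mode 0600)
make_csr() {
    dbdir=$1; subject=$2; out=$3; pwfile=$4
    if ! nss_db_present "$dbdir"; then
        echo "no NSS db files in $dbdir: fix -d or run certutil -N -d $dbdir" >&2
        return 2
    fi
    if [ ! -r "$pwfile" ]; then
        echo "cannot read password file $pwfile" >&2
        return 3
    fi
    if ! command -v certutil >/dev/null 2>&1; then
        echo "certutil not found in PATH" >&2
        return 4
    fi
    # The noise file passed with -z replaces the keystroke-timing seed prompt.
    noise=$(mktemp) || return 5
    dd if=/dev/urandom of="$noise" bs=2048 count=1 2>/dev/null
    rc=0
    certutil -R -k rsa -g 2048 -s "$subject" -o "$out" \
        -d "$dbdir" -f "$pwfile" -z "$noise" || rc=$?
    rm -f "$noise"      # do not leave seed material behind
    return "$rc"
}
```

The -1 -3 -6 extension flags from the original command are left out because each of them asks its own questions interactively. A call would look like `make_csr <path-to-alias-dir> "CN=host.example.com" host.csr <password-file>`.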



