[Pki-users] certutil: unable to generate key(s)
Marc Sauton
msauton at redhat.com
Wed Apr 29 21:14:41 UTC 2009
Fortunato wrote:
> SOLVED.
>
> That did the trick, but there were other plain-text items in the file. Additionally there are additional inputs involved when using certutil:
>
>
use the option -z
http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html
http://directory.fedora.redhat.com/wiki/Howto:SSL
> # certutil -R -k rsa -g 2048 -s "CN=cisco1.stargatecommand.mil" -o cisco1.cert -v 12 -d . -1 -3 -6
> Enter Password or Pin for "NSS Certificate DB":
>
> A random seed must be generated that will be used in the
> creation of your key. One of the easiest ways to create a
> random seed is to use the timing of keystrokes on a keyboard.
>
> To begin, type keys on the keyboard until this progress meter
> is full. DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!
>
>
> Continue typing until the progress meter is full:
>
> |************************************************************|
>
> ...
>
> --
>
> The bigger issue is that I wanted to create a Certificate Request using certutil.
>
>
>
> -----Original Message-----
>
>> From: Chandrasekar Kannan <ckannan at redhat.com>
>> Sent: Apr 29, 2009 11:56 AM
>> To: Fortunato <fortunato.montresor at earthlink.net>
>> Cc: Marc Sauton <msauton at redhat.com>, pki-users at redhat.com
>> Subject: Re: [Pki-users] certutil: unable to generate key(s)
>>
>> On Wed, 2009-04-29 at 11:52 -0700, Fortunato wrote:
>>
>>> Thanks!
>>>
>>> Fixed the -d option.
>>>
>>> Now I'm getting:
>>>
>>> Enter Password or Pin for "NSS Certificate DB":
>>>
>> cat /var/lib/pki-sub-ca/conf/password.conf contains what you need.
>> Look for internal token password.
>>
>>
>>> I did not set this Password/PIN. All the docs reference tksTool. I don't want to fubar more things but it looks like the following is needed:
>>>
>>> tksTool -N -d .
>>>
>>> I assume the tksTool is part of pki-tks.
>>>
>>> -----Original Message-----
>>>
>>>> From: Marc Sauton <msauton at redhat.com>
>>>> Sent: Apr 29, 2009 11:42 AM
>>>> To: Fortunato <fortunato.montresor at earthlink.net>
>>>> Cc: pki-users at redhat.com
>>>> Subject: Re: [Pki-users] certutil: unable to generate key(s)
>>>>
>>>> Marc Sauton wrote:
>>>>
>>>>> Fortunato wrote:
>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> I haven't found information on the topic but it looks like there's a
>>>>>> problem with certutil - using IPv4.
>>>>>>
>>>>>> [root at localhost alias]# certutil -R -k rsa -g 2048 -s
>>>>>> "CN=cisco1.localdomain.com" -o cisco1.cert -v 12 -d
>>>>>> /var/lib/pki-sub-ca/ -1 -3 -6
>>>>>> certutil: unable to generate key(s)
>>>>>> : An I/O error occurred during security authorization.
>>>>>>
>>>>>> Any ideas would be welcome.
>>>>>>
>>>>>> _______________________________________________
>>>>>> Pki-users mailing list
>>>>>> Pki-users at redhat.com
>>>>>> https://www.redhat.com/mailman/listinfo/pki-users
>>>>>>
>>>>>>
>>>>> May want to tweak the -d option to point to the alias directory
>>>>> <path-to-alias-dir>, not just /var/lib/pki-sub-ca/
>>>>> M.
>>>>>
>>>> Side note: the i/o error happens because of the missing NSS db files,
>>>> either wrong alias directory with -d, or need a certutil -N -d <path> to
>>>> create them.
>>>> M.
>>>>
>>>
>> --
>>
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> Chandrasekar Kannan -- ckannan at redhat.com
>> Quality Engineering -- http://www.redhat.com
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>
>>
>
>
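Added example (not part of the original thread, and not code from the NSS or Dogtag projects): a shell wrapper that applies the three points raised above before calling certutil -R. It checks that -d points at a directory that really holds NSS db files, supplies a noise file with -z instead of the keystroke prompt, and passes the token password with -f. The function names and the password-file argument are assumptions of this sketch; -1 -3 -6 and -v from the original command are left out because the extension options prompt interactively.

```shell
#!/bin/bash
# Added example: pre-flight checks for a non-interactive certutil -R.
# Function names are hypothetical; only certutil's -R -k -g -s -o -d -z -f
# options are used.

# Return 0 if DIR holds an NSS database (legacy dbm or newer sql format).
nss_db_present() {
    dir=$1
    if [ -f "$dir/cert8.db" ] && [ -f "$dir/key3.db" ] && [ -f "$dir/secmod.db" ]; then
        return 0
    fi
    if [ -f "$dir/cert9.db" ] && [ -f "$dir/key4.db" ] && [ -f "$dir/pkcs11.txt" ]; then
        return 0
    fi
    return 1
}

# Write N random bytes (default 2048) to a private temp file for -z; print its path.
make_noise_file() {
    f=$(umask 077; mktemp) || return 1
    head -c "${1:-2048}" /dev/urandom > "$f" || return 1
    printf '%s\n' "$f"
}

# Usage: request_csr <db-dir> <subject> <out-file> <password-file>
# <password-file> is a file you prepare holding the internal token password.
request_csr() {
    db=$1 subject=$2 out=$3 pwfile=$4
    if ! nss_db_present "$db"; then
        # This is the case that surfaced in the thread as the I/O error.
        echo "no NSS db files in $db: fix -d, or create them with certutil -N -d $db" >&2
        return 2
    fi
    noise=$(make_noise_file) || return 3
    certutil -R -k rsa -g 2048 -s "$subject" -o "$out" -d "$db" -z "$noise" -f "$pwfile"
    rc=$?
    rm -f "$noise"   # the seed material is single-use; do not leave it on disk
    return $rc
}
```

Keep the password file readable only by the account that runs the wrapper, and remove it once the request has been generated.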