Hide Forgot
Description of problem: It is not possible to start selfserv with a private key and certificate stored in PKCS#11 module. Version-Release number of selected component (if applicable): nss-3.27.1-9.el6.x86_64 How reproducible: Always Steps to Reproduce: 1. generate private key and certificate 2. modutil -dbdir sql:./.pki/nssdb -add nsspem -libfile libnsspem.so -string "/home/test/cert.pem;/home/test/key.pem" -force 3. selfserv -d sql:./.pki/nssdb -n cert.pem -p 4433 -V tls1.0: -H 1 Actual results: NSS_Init failed. Expected results: server started, accepting TLS connections with cert.pem certificate Additional info: modules are initialised to Public access with PINs initialized
Hubert, is this a regression?
(In reply to Kai Engert (:kaie) from comment #3) > Hubert, is this a regression? I don't think so, but it would be a test blocker for proper test coverage of bug 1397979, it looks like an error on my part though, the nickname used is incorrect
The issue is caused by selfserv looking by default to the first token only. To use key in other token, a full syntax that specifies also the token name needs to be used. The simplest way to detect that, is to tell certutil to list certificates from all tokens, in this example: certutil -L -d sql:.pki/nssdb/ -h all which will print: Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI PEM Token #0:cert.pem u,u,u so the correct syntax to start selfserv is: selfserv -d sql:./.pki/nssdb -n 'PEM Token #0:cert.pem' -p 4433 -V tls1.0: -H 1