Red Hat Bugzilla – Bug 441889
use of certutil in admin guide contains errors and problems.
Last modified: 2015-01-04 18:31:50 EST
Description of problem:
Contains a description on how to generate some certificates, but it has a number
of issues. Nelson points them out below:
beyonddc wrote, On 2008-04-09 09:43:
> > Hi group,
> > I have some question about certutil.
> > When you create an individual certificate and add it to a certificate
> > database with the "-S" command, does it also generate key pair for
> > you?
> > I'm following the instructions in "Red Hat Directory Server 7.1
> > Administrator Guide" to use certutil to create a self-signed
> > certificate.
> > http://www.redhat.com/docs/manuals/dir-server/ag/7.1/ssl.html#1087158
Ugh! That section needs to be rewritten, IMO.
Among its problems:
- shows the generation of a "noise" file with little or no entropy.
- reuses that noise file in the generation of multiple keys.
- doesn't explain what to do with the generated CA cert
- doesn't explain that this is for testing only, not for production use.
> > I got very confused in step 5 in the "Using certutil" section in the
> > "RH DS 7.1 Admin Guide" about generating a standalone key pair with the
> > "-G" command and then it seems like it is not using it at all
> > afterward because the manual then goes on and explains using the "-S"
> > command to create and add self-signed and server certificates.
Yeah, step 5 is a no-op.
> > I just want to have a second pair of eyes to look at the few steps documented
> > in the "RH DS 7.1 Admin Guide" to confirm what I said is correct that
> > step 5 in the "Using certutil" section to generate a key pair with the
> > "-G" command is not necessary.
1. Don't use vi (or any text editor) to generate a noise file.
> > dd bs=256 count=1 if=/dev/urandom of=noise
Note: it's not a text file, so drop the .txt suffix
2. Don't re-use noise files. Run that dd command immediately before each
and every command (such as certutil) that uses the noise file as an input,
to get a fresh noise file. And rm that file right after it is used once.
3. Export that CA cert (without the private key) to a file, so that it
can be imported into clients who will then trust it as a CA for issuing
SSL server certs.
> > certutil -L -d . -n "CA certificate" -a -o /tmp/rootcert.pem
4. Import that CA cert into the client and trust it to issue SSL server
certs. The exact method depends on the client. For NSS-based clients
it would be something like:
> > certutil -A -d client-dir -n "CA certificate" -a -t C,, -i /tmp/rootcert.pem
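The four steps Nelson lists above, carried through end to end as an added example; this is not code from the bug report or from the Directory Server guide. It assumes the NSS certutil binary is installed, and the directory names, nicknames, subjects, serial numbers and the throwaway password file are assumptions for the demo. It goes slightly beyond the text: it also issues a server cert from the new CA (the "-c" form) and then checks from the client database that the server cert validates once the CA is trusted with "C,,".

```shell
#!/bin/sh
# Added example (not from the bug or the RHDS guide): Nelson's procedure with
# NSS certutil. Names, subjects, serials and the password file are assumed.
set -eu

# Fresh 256 bytes of kernel entropy for exactly one certutil invocation.
fresh_noise() {
    dd bs=256 count=1 if=/dev/urandom of="$1" 2>/dev/null
}

# Create the server NSS DB, a self-signed CA and a server cert issued by it.
# $1 = DB directory, $2 = file holding the DB password (used by -f).
make_server_db() {
    dir=$1; pw=$2
    certutil -N -d "$dir" -f "$pw"
    # Self-signed (-x) CA. -2 adds basicConstraints; the piped answers are
    # "CA? y", "path length: skip", "critical? y". Serial given with -m.
    fresh_noise "$dir/noise"
    printf 'y\n\ny\n' | certutil -S -d "$dir" -f "$pw" -z "$dir/noise" \
        -n "CA certificate" -s "CN=Test CA,O=Example" -x -t "CT,," \
        -k rsa -g 2048 -v 120 -m 1 -2 >/dev/null
    rm -f "$dir/noise"
    # Server cert signed by the CA (-c = issuer nickname); new noise first.
    fresh_noise "$dir/noise"
    certutil -S -d "$dir" -f "$pw" -z "$dir/noise" \
        -n "Server-Cert" -s "CN=ldap.example.com,O=Example" \
        -c "CA certificate" -t ",," -k rsa -g 2048 -v 12 -m 2 >/dev/null
    rm -f "$dir/noise"
}

# Export only the CA certificate (never the key) as PEM. $1 = DB dir, $2 = out.
export_ca() {
    certutil -L -d "$1" -n "CA certificate" -a -o "$2"
}

# Import the CA into a client NSS DB and trust it to issue SSL server certs.
# $1 = client DB dir, $2 = password file, $3 = CA PEM file.
trust_ca_in_client() {
    certutil -N -d "$1" -f "$2"
    certutil -A -d "$1" -f "$2" -n "CA certificate" -t "C,," -a -i "$3"
}

# Copy the server cert into the client DB with no trust of its own and ask
# certutil to validate it for SSL-server use (-u V) with signature checks
# (-e). Exit status is certutil's: 0 means the chain validates.
verify_server_cert_from_client() {
    srv=$1; cli=$2; pw=$3
    certutil -L -d "$srv" -n "Server-Cert" -a -o "$cli/server.pem"
    certutil -A -d "$cli" -f "$pw" -n "Server-Cert" -t ",," -a -i "$cli/server.pem"
    certutil -V -d "$cli" -n "Server-Cert" -u V -e
}

if command -v certutil >/dev/null 2>&1; then
    work=$(mktemp -d)
    printf 'demo-db-password\n' > "$work/pwdfile"   # demo password, constructed
    mkdir "$work/server" "$work/client"
    make_server_db "$work/server" "$work/pwdfile"
    export_ca "$work/server" "$work/rootcert.pem"
    trust_ca_in_client "$work/client" "$work/pwdfile" "$work/rootcert.pem"
    verify_server_cert_from_client "$work/server" "$work/client" "$work/pwdfile"
    rm -rf "$work"
else
    echo "certutil (NSS tools) not installed; nothing to demonstrate" >&2
fi
```

The noise file is regenerated and deleted around each key generation, as Nelson asks, and the exported file carries only the certificate, so it is safe to hand to clients; the private keys never leave the server database.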
With the exception of the file and directory locations, can the same procedure
be used for 7.1 as I have in comment #2?
2. get rid of the tmp stuff - use this instead:
"Make a copy of all files in this directory in a safe location e.g. tar cf
/tmp/backup.tar * - in case something goes wrong, you can restore from the backup"
3. pwdfile is not used for key db at server startup - that's what pin.txt is
for. pwdfile is only used when generating new certs/keys. Note that both
pwdfile and pin.txt contain the same password (by default) but those two files
have different formats - they cannot be interchanged.
6. should be "Server certificates for other servers" instead of "Server
certificates to for other servers"
Created attachment 306859 [details]
7.1 SSL chapter
Comment #5: Done for 8.0+. Docbot link:
For 7.1, I went back to my 7.1 Frame files, applied some lost bug fixes since
then, and then put in the edits. I can't post it on DocBot (Frame v XML
differences and whatnot), but I've attached the HTML output.
This is live for 7.1 and 8.0 and the changes have been applied to 8.1. I'm changing the status to modified.
These changes are live in the 8.1 docs at http://www.redhat.com/docs/manuals/dir-server/8.1. Closing.