---Problem Description---
When trying to generate a self-signed certificate using certutil and opencryptoki, certutil returns the error message:
certutil: unable to find issuer with nickname ibmtest:cacert: Certificate extension not found.

---uname output---
Linux r1745015 2.6.32-114.0.1.el6.s390x #1 SMP Thu Feb 10 15:33:32 EST 2011 s390x s390x s390x GNU/Linux

---Debugger Data---
na

Machine Type = s390x lpar

---Steps to Reproduce---
1. mkdir ock_db
2. modutil -create -dbdir ock_db
3. modutil -add ock -libfile /usr/local/lib64/opencryptoki/libopencryptoki.so -mechanisms "RSA:AES:SHA1:SHA256:SHA512:SSL:TLS:RANDOM" -dbdir ock_db
4. certutil -N -d ock_db
5. certutil -S -h ibmtest -d ock_db -n cacert -s "CN=KlausK Certificate Authority, O=IBM.COM, C=US" -x -t CTu,CTu,CTu -g 1024 -m 1 -v 48 -2 -1 -5
   At the prompts, enter: 5,9,n,y,10,y,5,6,7,9,n
6. certutil -R -h ibmtest -d ock_db -s "CN=r1745015.boeblingen.de.ibm.com, O=IBM, C=US" -o ock_db/tempcertreq -g 1024
7. certutil -C -h ibmtest -d ock_db -c ibmtest:cacert -i ock_db/tempcertreq -o ock_db/tempcert.der -m 3 -v 48 -1 -5
   At the prompts, enter: 2,9,n,1,9,n
   certutil: unable to find issuer with nickname ibmtest:cacert: Certificate extension not found.
---Other Component Data---
Userspace tool common name: certutil
The userspace tool has the following bit modes: 64bit
Userspace rpm: nss-tools-3.12.9-5.el6.s390x
Userspace tool obtained from project website: na

NSS package versions:
[root@r1745015 68236]# rpm -qa |grep ^nss
nss-softokn-freebl-3.12.9-1.el6.s390
nss-3.12.9-5.el6.s390x
nss-util-debuginfo-3.12.9-1.el6.s390x
nss-softokn-3.12.9-3.el6.s390x
nss-util-devel-3.12.9-1.el6.s390x
nss-sysinit-3.12.9-5.el6.s390x
nss-tools-3.12.9-5.el6.s390x
nss-softokn-debuginfo-3.12.9-3.el6.s390x
nss-softokn-freebl-3.12.9-3.el6.s390x
nss-softokn-freebl-devel-3.12.9-3.el6.s390x
nss-util-3.12.9-1.el6.s390x
nss-devel-3.12.9-5.el6.s390x
nss-debuginfo-3.12.9-5.el6.s390x
nss-softokn-devel-3.12.9-3.el6.s390x

We're using opencryptoki-2.4, which is not yet released.
Created attachment 496232 [details] PKCS#11 trace of the certutil -S step
Created attachment 496233 [details] PKCS#11 trace of the certutil -R step
Created attachment 496234 [details] PKCS#11 trace of the certutil -C step
Since RHEL 6.1 External Beta has begun, and this bug remains unresolved, it has been rejected as it is not proposed as exception or blocker. Red Hat invites you to ask your support representative to propose this request, if appropriate and relevant, in the next release of Red Hat Enterprise Linux.
(In reply to comment #0)

I haven't been able to reproduce the problem yet because I am having problems with step 3.

> 3. modutil -add ock -libfile /usr/local/lib64/opencryptoki/libopencryptoki.so
> -mechanisms
> "RSA:AES:SHA1:SHA256:SHA512:SSL:TLS:RANDOM" -dbdir ock_db

modutil is failing for me here and I'm trying to investigate why.

I do have some questions about step 5 and step 7.

> 5. certutil -S -h ibmtest -d ock_db -n cacert -s "CN=KlausK Certificate
> Authority, O=IBM.COM, C=US" -x -t CTu,CTu,CTu -g 1024 -m 1 -v 48 -2 -1 -5

I notice that you pass "-n cacert" for the nickname here but then on step 7

> 7. certutil -C -h ibmtest -d ock_db -c ibmtest:cacert -i ock_db/tempcertreq -o
> ock_db/tempcert.der ....

you pass "-c ibmtest:cacert". According to the documentation at http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html that value should be either "the exact nickname or alias of the CA certificate" or "the CA's email address". "ibmtest:cacert" != "cacert" (as used on step 5) nor is it the CA's email address.
------- Comment From hannsj_uhl.com 2013-10-21 12:46 EDT------- fyi .. IBM is not pursuing this bugzilla and therefore this bugzilla can be closed ...