[kmf-discuss] signing/verifying certificates with pktool(1)
Wyllys Ingersoll
wyllys.ingersoll at sun.com
Mon Jan 7 07:45:49 PST 2008
Jan Pechanec wrote:
> On Mon, 7 Jan 2008, Wyllys Ingersoll wrote:
>
>
>> Jan Pechanec wrote:
>>
>>> hi, it seems that pktool(1) doesn't export signing/verifying
>>> capabilities of certificates that are present in underlying API. With signing
>>> I mean to provide CSR and a cert/key reference (presumably one of CA) to use
>>> for signing with CA's private key. Is there any plan to add such support?
>>>
>>> thanks, Jan.
>>>
>> It was intentionally left out. Signing a CSR is really the job of a CA
>> and we are not prepared to go down that path. One can easily write a
>> small utility using KMF functions that will sign a CSR using a particular
>> private key and generate a certificate, though.
>>
>
> I understand that. However, if one wants to create a small CA for
> its internal purposes, for example, then OpenSSL or NSS must be used. Since
> I can set CA certificate in the policy file for certificate verifications I
> thought it would be a nice feature to be able to use KMF only. J.
>
>
Yes, agreed. We had some discussion and investigation of what it would take
to add CA features to KMF, but came to the conclusion that it might just be
easier to incorporate an already existing open source CA project instead of
writing our own. This is still under investigation.

However, if all you want is the ability to sign a CSR with a particular
certificate, we could probably add just that feature to pktool. File an
RFE and I'm sure we can take a closer look at it, but I think it should be
fairly straightforward.

-Wyllys