[kmf-discuss] signing/verifying certificates with pktool(1)
Wyllys Ingersoll
wyllys.ingersoll at sun.com
Tue Jan 8 05:55:41 PST 2008
Jan Pechanec wrote:
> On Tue, 8 Jan 2008, Wyllys Ingersoll wrote:
>
>
>> Thanks! I will look into this. I think we will need to add new commands
>> to pktool and get them ARC approved since it is a new interface.
>>
>> I'm thinking of something like:
>>
>> pktool signcsr
>> [keystore=pkcs11|file|nss]
>> signkey=label/filename of signing key (label if keystore=PKCS11 or NSS,
>> filename if file)
>> csr=CSR filename
>> serial=serial number hex string
>> outcert=filename for resulting certificate.
>> outformat=pem|der
>>
>> pktool verifycert
>> [keystore=pkcs11|file|nss]
>> cert=label/filename of cert to be verified (label if keystore=PKCS11 or NSS,
>> filename if file)
>> verifier=label/filename of verifying (CA) cert
>>
>> The verifycert operation will return 0 for success, else an error. It will
>> also generate a text message indicating the result ("success" or "failure").
>>
>
> looks good.
>
> I guess that specifying the policy is exactly what you don't want to
> do, right?
>
> would it use CRL or OCSP responder from the certificate extensions?
> Would specifying any of that as a command line argument make sense? However,
> it starts looking like that CA application you said would be better to
> integrate as a whole.
>
> J.
>
Oh, I think I misunderstood your "verify" operation. I was just assuming it
meant to verify the signature. You want to also verify the OCSP/CRL issue, so
that would involve a bit more. I think adding a "policy" option would be
necessary so pktool knows which policy to apply before doing the CRL/OCSP
requests.
-Wyllys
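The flow discussed in this thread, as an added example that is not part of the original post and not pktool code: the OpenSSL command line stands in for the proposed "pktool signcsr" and "pktool verifycert" subcommands (keystore=file case only). The function names signcsr_file, verifycert_file, make_crl, pki_setup and cert_serial are this example's own, and the CA, CSRs and CRL it works on are constructed on the fly. It shows the distinction Wyllys draws above: a signature-only verifycert reports "success" for a revoked certificate, and only fails once a revocation policy (here a CRL check) is applied.

```shell
#!/bin/sh
# Added example for the kmf-discuss thread above; it is not pktool code and not
# part of the original post. The OpenSSL CLI stands in for the proposed
# "pktool signcsr" / "pktool verifycert" subcommands (keystore=file case only).
# signcsr_file, verifycert_file, make_crl, pki_setup and cert_serial are this
# example's own names; the CA, CSRs and CRL are constructed on the fly.
set -e

# signcsr_file SIGNKEY SIGNERCERT CSR SERIAL_HEX OUTCERT OUTFORMAT
# Counterpart of the proposed signcsr: sign a CSR with the CA key, set the serial
# from a hex string, write pem or der.
signcsr_file() {
  openssl x509 -req -in "$3" -CA "$2" -CAkey "$1" -set_serial "0x$4" \
    -days 365 -sha256 -outform "$(printf '%s' "$6" | tr a-z A-Z)" -out "$5" \
    >/dev/null 2>&1
}

# cert_serial CERT FORMAT: the serial OpenSSL reads back (upper-case hex).
cert_serial() {
  openssl x509 -inform "$(printf '%s' "$2" | tr a-z A-Z)" -in "$1" -noout -serial \
    | sed 's/^serial=//'
}

# verifycert_file CERT VERIFIER [CRL]
# Counterpart of the proposed verifycert: exit 0 and print "success", otherwise
# non-zero and "failure". With two arguments this is the signature-chain check
# only; a third argument is the revocation policy, enforced as a CRL check.
verifycert_file() {
  if [ -n "${3:-}" ]; then
    openssl verify -crl_check -CRLfile "$3" -CAfile "$2" "$1" >/dev/null 2>&1 && rc=0 || rc=$?
  else
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 && rc=0 || rc=$?
  fi
  if [ "$rc" -eq 0 ]; then echo success; else echo failure; fi
  return "$rc"
}

# make_crl DIR SIGNKEY SIGNERCERT REVOKEDCERT OUTCRL
# Revoke one certificate and issue a CRL using a throwaway "openssl ca" database.
make_crl() {
  cat > "$1/ca.cnf" <<EOF
[ ca ]
default_ca = demo
[ demo ]
database = $1/index.txt
private_key = $2
certificate = $3
default_md = sha256
EOF
  : > "$1/index.txt"
  openssl ca -config "$1/ca.cnf" -revoke "$4" >/dev/null 2>&1
  openssl ca -config "$1/ca.cnf" -gencrl -crldays 30 -out "$5" >/dev/null 2>&1
}

# pki_setup DIR: constructed demo PKI. A self-signed CA (basicConstraints and
# keyUsage set so "openssl verify" accepts it as an issuer), two CSRs signed
# through signcsr_file, and a CRL that revokes the second one.
pki_setup() {
  mkdir -p "$1"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1/ca.key" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$1/ca.ext"
  openssl req -new -key "$1/ca.key" -subj /CN=Demo-CA -out "$1/ca.csr" >/dev/null 2>&1
  openssl x509 -req -in "$1/ca.csr" -signkey "$1/ca.key" -set_serial 1 -days 365 -sha256 \
    -extfile "$1/ca.ext" -out "$1/ca.pem" >/dev/null 2>&1
  for n in good revoked; do
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1/$n.key" >/dev/null 2>&1
    openssl req -new -key "$1/$n.key" -subj "/CN=$n.example" -out "$1/$n.csr" >/dev/null 2>&1
  done
  signcsr_file "$1/ca.key" "$1/ca.pem" "$1/good.csr" 1001 "$1/good.pem" pem
  signcsr_file "$1/ca.key" "$1/ca.pem" "$1/revoked.csr" 1002 "$1/revoked.pem" pem
  make_crl "$1" "$1/ca.key" "$1/ca.pem" "$1/revoked.pem" "$1/ca.crl"
}

# Stand-alone run: the revoked certificate still passes a signature-only
# verifycert; it only fails once the CRL policy is applied.
demo() {
  d=$(mktemp -d)
  pki_setup "$d"
  printf 'signature only, revoked cert: '; verifycert_file "$d/revoked.pem" "$d/ca.pem" || true
  printf 'with CRL policy, revoked cert: '; verifycert_file "$d/revoked.pem" "$d/ca.pem" "$d/ca.crl" || true
  rm -rf "$d"
}
demo
```

The CRL is passed in explicitly; pktool would instead have to locate it (or an OCSP responder) from the certificate's extensions, which is exactly where the "policy" argument Wyllys mentions comes in: it tells the tool which revocation sources to consult and what to do when they are unreachable.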