[kmf-discuss] signing/verifying certificates with pktool(1)
Huie-Ying Lee
huie-ying.lee at sun.com
Tue Jan 8 13:03:19 PST 2008
Wyllys Ingersoll wrote:
> Jan Pechanec wrote:
>> On Mon, 7 Jan 2008, Wyllys Ingersoll wrote:
>>
>>
>>> However, if all you want is the ability to sign a CSR with a particular
>>> certificate, we could probably add just that feature to pktool. File an
>>> RFE and I'm sure we can take a closer look at it, but I think it should be
>>> fairly straightforward.
>>>
>> done:
>>
>> 6648052 pktool(1) could allow certificate signing and verification
>>
>> thanks, J.
>>
>>
>
> Thanks! I will look into this. I think we will need to add new commands
> to pktool and get them ARC approved since it is a new interface.
>
> I'm thinking of something like:
>
> pktool signcsr
> [keystore=pkcs11|file|nss]
> signkey=label/filename of signing key (label if keystore=PKCS11 or
> NSS, filename if file)
> csr=CSR filename
> serial=serial number hex string
> outcert=filename for resulting certificate.
> outformat=pem|der
>
Looks good. I would like to suggest changing the outformat argument to be optional
with "pem" as the default outformat.
Huie-Ying
> pktool verifycert
> [keystore=pkcs11|file|nss]
> cert=label/filename of cert to be verified (label if keystore=PKCS11
> or NSS, filename if file)
> verifier=label/filename of verifying (CA) cert
>
> The verifycert operation will return 0 for success, else an error. It
> will also generate a text message indicating the result ("success" or
> "failure").
>
>
>
> These are just my initial thoughts on how to do it, please feel free to
> add to them or make suggestions.
>
> -Wyllys