[kmf-discuss] signing/verifying certificates with pktool(1)
Huie-Ying Lee
huie-ying.lee at sun.com
Tue Jan 8 13:55:45 PST 2008
Wyllys Ingersoll wrote:
> Huie-Ying Lee wrote:
>> Wyllys Ingersoll wrote:
>>> Jan Pechanec wrote:
>>>> On Mon, 7 Jan 2008, Wyllys Ingersoll wrote:
>>>>
>>>>
>>>>> However, if all you want is the ability to sign a CSR with a particular
>>>>> certificate, we could probably add just that feature to pktool. File an
>>>>> RFE and I'm sure we can take a closer look at it, but I think it should be
>>>>> fairly straightforward.
>>>>>
>>>> done:
>>>>
>>>> 6648052 pktool(1) could allow certificate signing and verification
>>>>
>>>> thanks, J.
>>>>
>>>>
>>>
>>> Thanks! I will look into this. I think we will need to add new commands
>>> to pktool and get them ARC approved since it is a new interface.
>>>
>>> I'm thinking of something like:
>>>
>>> pktool signcsr
>>> [keystore=pkcs11|file|nss]
>>> signkey=label/filename of signing key (label if keystore=PKCS11 or NSS, filename if file)
>>> csr=CSR filename
>>> serial=serial number hex string
>>> outcert=filename for resulting certificate.
>>> outformat=pem|der
>>>
>>
>> Looks good. I would like to suggest changing the outformat argument
>> to be optional with "pem" as the default outformat.
>
> Agree - PEM is the default.
>
> -Wyllys
>
One thought just came to me ...
For the pkcs11 and NSS keystores, will it be useful if we add a "store=y|n"
argument to the signcsr subcommand, so that a copy of the output
certificate will also be stored in the keystore if "store=y"?
This "store=y|n" argument should be optional, with "n" as the default.
Huie-Ying