[kmf-discuss] signing/verifying certificates with pktool(1)
Wyllys Ingersoll
wyllys.ingersoll at sun.com
Tue Jan 8 14:04:01 PST 2008
Huie-Ying Lee wrote:
> Wyllys Ingersoll wrote:
>> Huie-Ying Lee wrote:
>>> Wyllys Ingersoll wrote:
>>>> Jan Pechanec wrote:
>>>>> On Mon, 7 Jan 2008, Wyllys Ingersoll wrote:
>>>>>
>>>>>
>>>>>> However, if all you want is the ability to sign a CSR with a particular
>>>>>> certificate, we could probably add just that feature to pktool. File an
>>>>>> RFE and I'm sure we can take a closer look at it, but I think it should be
>>>>>> fairly straightforward.
>>>>>>
>>>>> done:
>>>>>
>>>>> 6648052 pktool(1) could allow certificate signing and verification
>>>>>
>>>>> thanks, J.
>>>>>
>>>>>
>>>>
>>>> Thanks! I will look into this. I think we will need to add new commands
>>>> to pktool and get them ARC approved since it is a new interface.
>>>>
>>>> I'm thinking of something like:
>>>>
>>>> pktool signcsr
>>>> [keystore=pkcs11|file|nss]
>>>> signkey=label/filename of signing key (label if keystore=PKCS11 or NSS, filename if file)
>>>> csr=CSR filename
>>>> serial=serial number hex string
>>>> outcert=filename for resulting certificate.
>>>> outformat=pem|der
>>>>
>>>
>>> Looks good. I would like to suggest changing the outformat argument
>>> to be optional with "pem" as the default outformat.
>>
>> Agree - PEM is the default.
>>
>> -Wyllys
>>
>
> One thought just came to me ...
>
> For the pkcs11 and NSS keystores, will it be useful if we add a
> "store=y|n" argument to the signcsr subcommand, so that a copy of the
> output certificate will be also stored in the keystore if "store=y" ?
>
> This "store=y|n" argument should be optional, with "n" as the default.
>
> Huie-Ying
Yes, that sounds good to me.
-w