[Help-gnutls] Re: Thinking in public

Simon Josefsson jas at extundo.com
Tue Jul 19 17:08:17 CEST 2005


"Fco .J. Arias" <javi at productshome.com> writes:

> Hello,
> I've been testing gnutls for some time, and only see these problems (no bugs).
> - With the --template <> option in certtool, fields without a value are
> generated blank.
> - Certtool does not accept all the fields needed to generate a certificate on
> the command line.
> - Strange syntax of certtool: --load-request vs --infile.
> - The information printed by the program to the user is scarce, and while the
> user is learning the gnutls syntax, incorrect certificates can be generated.

Right.  Certtool appears to be somewhat hastily written.

> For these reasons, making a CA is difficult for a normal user.
> Scripts like this can't solve the problem:
>> #generate a user CA signed certificate.
>> PASS="lula"
>> certtool -p > new-user.key
>> # Use --load-request or --infile ? 
>> certtool -q --outfile new-user.csr --load-privkey new-user.key --password $PASS --template certtool.cfg
>> #certtool -q --outfile new-user.csr --to-p12 --load-privkey new-user.key --password $PASS 
>> certtool -c --load-request new-user.csr --outfile new-user.crt --load-ca-certificate ca.crt --load-ca-privkey ca.key --load-privkey new-user.key --password $PASS
>> certtool --load-certificate new-user.crt --load-privkey new-user.key --to-p12 --outder --outfile new-user.p12
>> certtool --p12-info --infile new-user.p12 --inder --password $PASS
>
> Is it a good idea to modify certtool?
> Could it be a good idea to make an executable to manage a simple,
> non-professional Certificate Authority?
>
> Should I modify certtool?

Absolutely!  Having more command line tools to expose the GnuTLS
library's functionality to non-programmers is a good idea.  If you
have ideas on what a good command line interface would be for use as a
CA, please explain and discuss.  Large parts of the code are probably
already present in certtool, but it could use a rewrite in order to be
more user friendly.

In general, I think it is better to have several small tools for
specific purposes, rather than to try and put them all into one tool.
But managing an X.509 PKI is such a mess that you need to support
many formats for the same thing, which means that one tool probably
must be able to read all of them.

You will need to sign a copyright disclaimer if you want to propose
substantial patches though.

Thanks,
Simon
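The quoted script leaves template fields blank and is unsure whether the CSR goes in through --load-request or --infile. The following is an added example, not code from this thread or from the GnuTLS project: a minimal two-tier CA driven entirely by templates so that every field has a value. It assumes a certtool from GnuTLS 3.x on PATH, where the long option names (--generate-privkey, --generate-self-signed, --generate-request, --generate-certificate, --verify) and the template keywords (cn, organization, serial, expiration_days, ca, cert_signing_key, tls_www_client, signing_key, encryption_key) are documented; a 2005-era certtool used the short flags seen above and may not accept all of these. The organization and common names are constructed for the example. With --generate-certificate the request is supplied via --load-request; --infile is the generic input for inspection and verification commands such as --verify.

```shell
#!/bin/sh
# Added example: a template-driven certtool CA (not the thread's script).
# Assumes certtool from GnuTLS 3.x on PATH.  Names are constructed.
set -eu

# CA template: every field filled in so nothing is generated blank.
# $1 = path of the template file to write
write_ca_template() {
    cat > "$1" <<'EOF'
organization = "Example CA (constructed)"
cn = "Example Root CA"
serial = 1
expiration_days = 3650
ca
cert_signing_key
crl_signing_key
EOF
}

# End-entity template for a client certificate.
# $1 = path, $2 = common name, $3 = serial number (must be unique per CA)
write_user_template() {
    cat > "$1" <<EOF
organization = "Example CA (constructed)"
cn = "$2"
serial = $3
expiration_days = 365
tls_www_client
signing_key
encryption_key
EOF
}

# Create the CA, issue one certificate, and verify it against the CA.
# $1 = working directory (created if missing); $2 = user common name
build_ca() {
    dir="$1"
    user="${2:-alice}"
    mkdir -p "$dir"
    write_ca_template "$dir/ca.tmpl"
    write_user_template "$dir/user.tmpl" "$user" 2

    # CA key and self-signed CA certificate (template supplies ca + cert_signing_key).
    certtool --generate-privkey --outfile "$dir/ca.key"
    certtool --generate-self-signed --load-privkey "$dir/ca.key" \
        --template "$dir/ca.tmpl" --outfile "$dir/ca.crt"

    # User key and request; the request is consumed with --load-request, not --infile.
    certtool --generate-privkey --outfile "$dir/user.key"
    certtool --generate-request --load-privkey "$dir/user.key" \
        --template "$dir/user.tmpl" --outfile "$dir/user.csr"
    certtool --generate-certificate --load-request "$dir/user.csr" \
        --load-ca-certificate "$dir/ca.crt" --load-ca-privkey "$dir/ca.key" \
        --template "$dir/user.tmpl" --outfile "$dir/user.crt"

    # Check the issued certificate actually chains to the CA before handing it out.
    certtool --verify --load-ca-certificate "$dir/ca.crt" --infile "$dir/user.crt"
}

# Usage: sh ca.sh run /path/to/pki [common-name]
if [ "${1:-}" = "run" ]; then
    build_ca "${2:-./pki}" "${3:-alice}"
    certtool --certificate-info --infile "${2:-./pki}/user.crt"
fi
```

Keep the per-user template's serial unique within the CA, and keep ca.key out of the working directory you hand to users; the p12 bundling from the quoted script can follow with --to-p12 once user.crt exists.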