[Help-gnutls] Re: Error making certificate

devel dev001 at pas-world.com
Thu Mar 15 22:32:09 CET 2007


Well, now it seems to work.
-> Key, csr, crt, .p12
But I cannot import client certificates in any mail client.
I can import the .p12 without any problem, and the CA certificate, but I cannot see
the client certificate to sign mail, client certificate, and encryption
certificate to select it.
The test scripts:
To make the CA:
> certtool -p --bits 2048 >  ca.key
> echo "Key ready / Llave generada"
> 
> # Use --load-request or --infile ?
> certtool -s --outfile ca.crt --load-privkey ca.key
> echo "CA Generated / Peticion de certificado generada"
> certtool -i --infile ca.crt
> 
> 
To make client:
> PASS="gnutls"
> certtool -p > new-user.key
> #echo "Client Key Ready"
> 
> # Use --load-request or --infile ?
> 
> certtool -q --outfile new-user.csr --load-privkey new-user.key --password $PASS
> echo "CSR Ready"
> 
> certtool -q --outfile new-user.csr --to-p12 --load-privkey new-user.key --password $PASS
> 
> certtool -c --load-request new-user.csr --outfile new-user.crt --load-ca-certificate ca.crt --load-ca-privkey ca.key --load-privkey new-user.key --password $PASS
> echo "CRT Ready"
> 
> certtool --load-certificate new-user.crt --load-privkey new-user.key --to-p12 --outder --outfile new-user2.p12
> echo "P12 Ready"
> 
> certtool --p12-info --infile new-user.p12 --inder --password $PASS

Does anyone work with mail signing certificates in any mail client?



On Thu, 15-03-2007 at 12:18 +0100, Simon Josefsson wrote:
> devel <dev001 at pas-world.com> writes:
> 
> > Where I can find 1.6.2 ?
> 
> Try the daily build first:
> 
> http://josefsson.org/daily/gnutls-1.6/gnutls-1.6-20070315.tar.gz
> 
> If it works for you, I'll release it as 1.6.2.
> 
> Thanks,
> Simon
> 
> >
> > On Mon, 12-03-2007 at 16:52 +0100, Simon Josefsson wrote:
> >> devel <dev001 at pas-world.com> writes:
> >> 
> >> > certtool (GnuTLS) 1.6.1
> >> > linux x64
> >> >
> >> >
> >> >> certtool -q --outfile new-user.csr
> >> > Certificate request data is input in a shell, certtool asks for it.
> >> 
> >> Thanks!  I can reproduce it.  It seems pkix_asn1_tab.c wasn't
> >> re-generated after fixing the following problem in 1.6.1:
> >> 
> >>  ** Encode UID fields in DN's as DirectoryString.  Before GnuTLS
> >>  encoded and parsed UID fields as IA5String.  This was incorrect, it
> >>  should have used DirectoryString.  Now it will use DirectoryString
> >>  for the UID field, but for backwards compatibility it will also
> >>  accept IA5String UID's.  Reported by Max Kellermann
> >>  <max at duempel.org>.
> >> 
> >> I have fixed this in CVS for the 1.6.x branch:
> >> 
> >>  ** Regenerate the PKIX ASN.1 syntax tree.  For some reason, after
> >>  changing the ASN.1 type of ldap-UID in the last release, the
> >>  generated C file built from the ASN.1 schema was not refreshed.  This
> >>  can cause problems when reading/writing UID components inside X.500
> >>  Distinguished Names.  Reported by devel <dev001 at pas-world.com>.
> >> 
> >> Please test tomorrow's daily build and tell me if it solves the
> >> problem for you, and I can release 1.6.2.
> >> 
> >> Btw, if anyone wants something in 1.6.2, now would be the time to ask
> >> for it.
> >> 
> >> /Simon
> >> 
> >> >
> >> >
> >> >
> >> >
> >> > On Mon, 12-03-2007 at 13:40 +0100, Simon Josefsson wrote:
> >> >> devel <dev001 at pas-world.com> writes:
> >> >> 
> >> >> > Hello, I am trying to use certtool to make a certificate, like other
> >> >> > times.
> >> >> > But this time, with another version of gnutls and another arch, my script
> >> >> > does not work. Here is the problem:
> >> >> >
> >> >> >
> >> >> >> certtool -p > new-user.key
> >> >> >
> >> >> > Works
> >> >> >> certtool -q --outfile new-user.csr --load-privkey new-user.key --password $PASS
> >> >> >
> >> >> > fails, response of the system after input parameters:
> >> >> >
> >> >> >> set_dn: ASN1 parser: Element was not found.
> >> >> >
> >> >> > Any suggestion?
> >> >> 
> >> >> Can you send me the CSR that triggers the problem?  Which version of
> >> >> GnuTLS are you using, and which version of GnuTLS worked before for
> >> >> you?
> >> >> 
> >> >> It sounds as if the CSR doesn't contain some field which certtool needs
> >> >> to have.
> >> >> 
> >> >> /Simon
> >> > -- 
> >> > --
> >> > Devel in Precio http://www.pas-world.com
> > -- 
> > --
> > Devel in Precio http://www.pas-world.com
-- 
--
Devel in Precio http://www.pas-world.com
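
The release notes quoted in this thread turn on the ASN.1 type of the UID value inside a Distinguished Name (IA5String before, DirectoryString now, with IA5String still accepted on input). The following Python code is an added example, not part of the original thread and not GnuTLS code; it shows how that type appears as a DER tag and how a reader can accept both forms. The function names, the accept_ia5 switch and the short-form-length restriction are assumptions made for the example.

```python
# Added example: the ASN.1 type of a UID value as a DER tag, and a tolerant reader.
UID_OID = bytes.fromhex("0992268993f22c640101")   # 0.9.2342.19200300.100.1.1

# DirectoryString is a CHOICE of these string types (tag -> Python codec).
DIRECTORY_STRING = {
    0x0C: "utf-8",      # UTF8String
    0x13: "ascii",      # PrintableString
    0x14: "latin-1",    # TeletexString (commonly read as Latin-1)
    0x1C: "utf-32-be",  # UniversalString
    0x1E: "utf-16-be",  # BMPString
}
IA5STRING = 0x16        # the older encoding of UID described in the thread

def tlv(tag, content):
    """Encode one DER TLV; short-form length only (enough for this example)."""
    if len(content) > 127:
        raise ValueError("long-form length not implemented")
    return bytes([tag, len(content)]) + content

def read_tlv(buf, pos=0):
    """Return (tag, content, next_pos) for a short-form TLV at pos."""
    if pos + 2 > len(buf) or buf[pos + 1] > 127:
        raise ValueError("truncated or long-form TLV")
    end = pos + 2 + buf[pos + 1]
    if end > len(buf):
        raise ValueError("TLV runs past end of buffer")
    return buf[pos], buf[pos + 2:end], end

def encode_uid(value, tag=0x0C):
    """AttributeTypeAndValue ::= SEQUENCE { OID uid, value }."""
    codec = DIRECTORY_STRING.get(tag, "ascii")
    return tlv(0x30, tlv(0x06, UID_OID) + tlv(tag, value.encode(codec)))

def decode_uid(der, accept_ia5=True):
    """Parse a UID attribute; accept_ia5 mirrors the backwards-compat rule."""
    tag, seq, end = read_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected a single SEQUENCE")
    tag, oid, pos = read_tlv(seq)
    if tag != 0x06 or oid != UID_OID:
        raise ValueError("not a UID attribute")
    tag, raw, pos = read_tlv(seq, pos)
    if pos != len(seq):
        raise ValueError("trailing data in attribute")
    if tag in DIRECTORY_STRING:
        return raw.decode(DIRECTORY_STRING[tag])
    if tag == IA5STRING and accept_ia5:
        return raw.decode("ascii")
    raise ValueError("unexpected string type 0x%02x for UID" % tag)
```

The two encodings of the same UID differ in a single byte (the string tag), which is why a reader that is meant to interoperate with older certificates has to accept both.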





