Generating EC keys with certtool

Nikos Mavrogiannopoulos nmav at
Thu Nov 10 20:58:37 CET 2011

On 11/10/2011 08:44 PM, Fabrice Gautier wrote:
> On Thu, Nov 10, 2011 at 11:16 AM, Nikos Mavrogiannopoulos
> <nmav at> wrote:
>> On 11/10/2011 07:48 PM, Fabrice Gautier wrote:
>>> Ahah, so it happens to work on one of my machines, but not on the other two.
>>> The machine where it works is a mac running Lion, the other two are
>>> macs running SnowLeopard.
>>> I'm recompiling gnutls from source on all of them, openssl is also
>>> recompiled (either from source or through macports) so I'm guessing
>>> that something went wrong while compiling. On some machines, I used the
>>> gmp that came with macports, on others I recompiled myself, so who
>>> knows where the problem lies...
>>> Is there a way to verify a CSR with gnutls's certtool?
>> What do you mean verify a CSR? Verify the self signature? That is being
>> done automatically when it is signed.
> Ah yes, I see that. Openssl has a command to verify without signing.
> The reason I'm not using certtool to generate the request is that I
> already had a script to generate certs using openssl. The only reason
> I used certtool for the key was that gnutls does not read openssl ec
> keys (That's the issue I reported a few days ago).
> After investigating, it appears that the problem lies in gnutls
> generating a bad EC key on the BAD system. Both gnutls and openssl (on
> both GOOD and BAD systems) will happily generate a CSR using that bad
> key, but both will fail the verification when trying to sign the CSR.

Can you send me that (bad) key? What kind of system is the BAD system?


