Generating EC keys with certtool

Nikos Mavrogiannopoulos nmav at gnutls.org
Thu Nov 10 20:58:37 CET 2011


On 11/10/2011 08:44 PM, Fabrice Gautier wrote:
> On Thu, Nov 10, 2011 at 11:16 AM, Nikos Mavrogiannopoulos
> <nmav at gnutls.org> wrote:
>> On 11/10/2011 07:48 PM, Fabrice Gautier wrote:
>>
>>> Ahah, so it happens to work on one of my machines, but not on the other two.
>>> The machine where it works is a mac running Lion, the other two are
>>> macs running SnowLeopard.
>>> I'm recompiling gnutls from source on all of them, openssl is also
>>> recompiled (either from source or through macports) so I'm guessing
>>> that something went wrong while compiling. On some machine, I used the
>>> gmp that came with macport, on others I recompiled myself, so who
>>> knows where the problem lies...
>>> Is there a way to verify a CSR with gnutls's certtool ?
>>
>> What do you mean verify a CSR? Verify the self signature? That is being
>> done automatically when it is signed.
> Ah yes, I see that. Openssl has a command to verify without signing.
> The reason I'm not using certtool to generate the request is that I
> already had a script to generate certs using openssl. The only reason
> I used certtool for the key was that gnutls does not read openssl ec
> keys (That's the issue I reported a few days ago).
> After investigating, it appears that the problem lies in gnutls
> generating a bad EC key on the BAD system. Both gnutls and openssl (on
> both GOOD and BAD systems) will happily generate a CSR using that bad
> key, but both will fail the verification when trying to sign the CSR.

Can you send me that (bad) key? What kind of system is the BAD system?

regards,
Nikos



