Generating EC keys with certtool

Nikos Mavrogiannopoulos n.mavrogiannopoulos at
Thu Nov 10 21:08:46 CET 2011

On 11/10/2011 08:58 PM, Nikos Mavrogiannopoulos wrote:

>>> What do you mean verify a CSR? Verify the self signature? That is being
>>> done automatically when it is signed.
>> Ah yes, I see that. Openssl has a command to verify without signing.
>> The reason I'm not using certtool to generate the request is that I
>> already had a script to generate certs using openssl. The only reason
>> I used certtool for the key was that gnutls does not read openssl ec
>> keys (Thats the issue I reported a few days ago).
>> After investigating, it appears that the problem lies in gnutls
>> generating a bad EC key on the BAD system. Both gnutls and openssl (on
>> both GOOD and BAD systems) will happily generate a CSR using that bad
>> key, but both will fail the verification when trying to sign the CSR.
> Can you send me that (bad) key? What kind of system is the BAD system?

I just noticed it was attached. It is indeed incorrect. Did you run
"make check" on the gnutls source on that system? Could you provide
information about the CPU (32-bit/64-bit, endianness etc.).


More information about the Gnutls-help mailing list