Generating EC keys with certtool

Fabrice Gautier fabrice.gautier at
Thu Nov 10 21:59:28 CET 2011

On Thu, Nov 10, 2011 at 12:08 PM, Nikos Mavrogiannopoulos
<n.mavrogiannopoulos at> wrote:
> On 11/10/2011 08:58 PM, Nikos Mavrogiannopoulos wrote:
>>>> What do you mean verify a CSR? Verify the self signature? That is being
>>>> done automatically when it is signed.
>>> Ah yes, I see that. Openssl has a command to verify without signing.
>>> The reason I'm not using certtool to generate the request is that I
>>> already had a script to generate certs using openssl. The only reason
>>> I used certtool for the key was that gnutls does not read openssl ec
>>> keys (Thats the issue I reported a few days ago).
>>> After investigating, it appears that the problem lies in gnutls
>>> generating a bad EC key on the BAD system. Both gnutls and openssl (on
>>> both GOOD and BAD systems) will happily generate a CSR using that bad
>>> key, but both will fail the verification when trying to sign the CSR.
>> Can you send me that (bad) key? What kind of system is the BAD system?
> I just noticed it was attached. It is indeed incorrect. Did you run
> "make check" on the gnutls source on that system? Could you provide
> information about the CPU (32-bit/64-bit, endianness etc.).

The bad systems are a MacBook Pro (Intel Core i7 / MacBokPro6,2) and a
Mac Pro (Quad-Core Intel Xeon / MacPro4,1), both running Snow Leopard
Those are using gnutls 3.0.7
Those  register as x86_64-apple-darwin10.8.0

The good system is an iMac (Intel Core i7 / iMac12,2)  running Lion (10.7.2)
This is with gnutls 3.0.5
This one  register as x86_64-apple-darwin11.2.0

I had to disable assembly and hardware acceleration for nettle and
gnutls because assembly would not compile.

make check failed in all cases with "../gl/getopt.h:197: error:
redefinition of 'struct option'"

-- Fabrice

More information about the Gnutls-help mailing list