SOLVED.
That did the trick, but there were other plain-text items in the file. Additionally there
are additional inputs involved when using certutil:
# certutil -R -k rsa -g 2048 -s "CN=cisco1.stargatecommand.mil" -o cisco1.cert -v 12 -d . -1 -3 -6
Enter Password or Pin for "NSS Certificate DB":
A random seed must be generated that will be used in the
creation of your key. One of the easiest ways to create a
random seed is to use the timing of keystrokes on a keyboard.
To begin, type keys on the keyboard until this progress meter
is full. DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!
Continue typing until the progress meter is full:
|************************************************************|
...
--
The bigger issue is that I wanted to create a Certificate Request using certutil.
-----Original Message-----
> From: Chandrasekar Kannan <ckannan(a)redhat.com>
> Sent: Apr 29, 2009 11:56 AM
> To: Fortunato <fortunato.montresor(a)earthlink.net>
> Cc: Marc Sauton <msauton(a)redhat.com>, pki-users(a)redhat.com
> Subject: Re: [Pki-users] certutil: unable to generate key(s)
>
> On Wed, 2009-04-29 at 11:52 -0700, Fortunato wrote:
>
>> Thanks!
>>
>> Fixed the -d option.
>>
>> Now I'm getting:
>>
>> Enter Password or Pin for "NSS Certificate DB":
>>
> cat /var/lib/pki-sub-ca/conf/password.conf contains what you need.
> Look for internal token password.
>
>
>> I did not set this Password/PIN. All the docs reference tksTool. I don't want
>> to fubar more things but it looks like the following is needed:
>>
>> tksTool -N -d .
>>
>> I assume the tksTool is part of pki-tks.
>>
>> -----Original Message-----
>>
>>> From: Marc Sauton <msauton(a)redhat.com>
>>> Sent: Apr 29, 2009 11:42 AM
>>> To: Fortunato <fortunato.montresor(a)earthlink.net>
>>> Cc: pki-users(a)redhat.com
>>> Subject: Re: [Pki-users] certutil: unable to generate key(s)
>>>
>>> Marc Sauton wrote:
>>>
>>>> Fortunato wrote:
>>>>
>>>>> Hello,
>>>>>
>>>>> I haven't found information on the topic but it looks like there's a
>>>>> problem with certutil - using IPv4.
>>>>>
>>>>> [root@localhost alias]# certutil -R -k rsa -g 2048 -s
>>>>> "CN=cisco1.localdomain.com" -o cisco1.cert -v 12 -d
>>>>> /var/lib/pki-sub-ca/ -1 -3 -6
>>>>> certutil: unable to generate key(s)
>>>>> : An I/O error occurred during security authorization.
>>>>>
>>>>> Any ideas would be welcome.
>>>>>
>>>>> _______________________________________________
>>>>> Pki-users mailing list
>>>>> Pki-users(a)redhat.com
>>>>> https://www.redhat.com/mailman/listinfo/pki-users
>>>>>
>>>> May want to tweak the -d option to point to the alias directory
>>>> <path-to-alias-dir>, not just /var/lib/pki-sub-ca/
>>>> M.
>>>>
>>> Side note: the i/o error happens because of the missing NSS db files,
>>> either wrong alias directory with -d, or need a certutil -N -d <path> to
>>> create them.
>>> M.
>>>
> --
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Chandrasekar Kannan -- ckannan(a)redhat.com
> Quality Engineering -- http://www.redhat.com
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
>
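An added example, not part of the thread and not Red Hat's own tooling: a shell preflight for the two problems discussed above, the I/O error from a `-d` directory that holds no NSS db files and the interactive password and keystroke prompts. It assumes password.conf carries an `internal=` line; `request_csr` and the helper names are hypothetical, while `-f` (password file) and `-z` (noise file) are existing certutil options.

```sh
#!/bin/sh
# Added example: preflight checks before a non-interactive `certutil -R`.

# Return 0 if DIR holds an NSS database: legacy cert8.db/key3.db or
# SQLite-format cert9.db/key4.db.
nss_db_present() {
    dir=$1
    { [ -f "$dir/cert8.db" ] && [ -f "$dir/key3.db" ]; } ||
    { [ -f "$dir/cert9.db" ] && [ -f "$dir/key4.db" ]; }
}

# Print the internal token password from a password.conf-style file.
# Assumption: one "name=value" entry per line, token entry named "internal".
internal_token_password() {
    sed -n 's/^internal=//p' "$1" | head -n 1
}

# Hypothetical wrapper: request_csr ALIAS_DIR PASSWORD_CONF SUBJECT OUTFILE
request_csr() {
    alias_dir=$1 conf=$2 subject=$3 out=$4
    if ! nss_db_present "$alias_dir"; then
        echo "no NSS db in $alias_dir: fix -d or run certutil -N -d $alias_dir" >&2
        return 2
    fi
    pw=$(internal_token_password "$conf")
    [ -n "$pw" ] || { echo "no internal= entry in $conf" >&2; return 3; }
    old_umask=$(umask); umask 077           # temp files readable by owner only
    tmp=$(mktemp -d) || { umask "$old_umask"; return 4; }
    printf '%s\n' "$pw" > "$tmp/pw"
    head -c 64 /dev/urandom > "$tmp/noise"  # seed material instead of keystrokes
    # -f answers the "Enter Password or Pin" prompt, -z replaces the typing meter.
    # The thread's -1 -3 -6 extension options are left out: they ask their own
    # interactive questions.
    certutil -R -k rsa -g 2048 -s "$subject" -o "$out" -v 12 \
        -d "$alias_dir" -f "$tmp/pw" -z "$tmp/noise"
    rc=$?
    rm -rf "$tmp"; umask "$old_umask"
    return $rc
}
```

The password and noise files live only in a private temporary directory and are removed whether or not certutil succeeds.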