[Swan-dev] nss vs newhostkey / showhostkey

Paul Wouters paul at nohats.ca
Wed May 25 19:29:35 UTC 2016


On Wed, 25 May 2016, Andrew Cagney wrote:

> I suspect the correct way is to create the certificate at the same
> time as the key-pair (like certutil -S).

I was hoping to avoid that, but if that's what is needed we could do
that.

>> Yes. It would be nice if we could still give it an identifier and log
>> that into NSS for the key, similar to the "friendly_name" of
>> certificates. But I do not know if nss supports that.
>
> Looks like it.  For instance, if I remove east's certificate vis:
>
>  certutil -D -n east -d ...
>
> I can still list "east"'s key-pair vis:
>
>  certutil -K -n east ...

Oh yeah. I just tested it too and that works. So that's a good sign!

>> If we can set those to something specified, that would be great. Like
>> FQDN per default?
>
> The --hostname option to rsasigkey?  Currently that is used for little
> more than to print the domain name in a comment.  It could be used as
> a nickname though.
> I think --nickname would be a better option -- nss calls them nicknames
> -- (perhaps default to hostname).

Works for me.

Paul

