[Swan-dev] nss vs newhostkey / showhostkey

Paul Wouters paul at nohats.ca
Wed May 25 19:29:35 UTC 2016

On Wed, 25 May 2016, Andrew Cagney wrote:

> I suspect the correct way is to create the certificate at the same
> time as the key-pair (like certutil -S).

I was hoping to avoid that, but if that's what is needed we could do

>> Yes. It would be nice if we could still give it an identifier and log
>> that into NSS for the key, similar to the "friendly_name" of
>> certificates. But I do not know if nss supports that.
> Looks like it.  For instance, if I remove east's certificate vis:
>  certutil -D -n east -d ...
> I can still list "east"s key-pair vis:
>  certutil -K -n east ...

Oh yeah. I just tested it too and that works. So that's a good sign!

>> If we can set those to something specified, that would be great. Like
>> FQDN per default?
> The --hostname option to rsasigkey?  Currently that is used for little
> more than to print the domain name in a comment.  It could be used as
> a nickname though.
> I think --nickname would be better option -- nss calls them nicknames
> -- perhaps default to hostname).

works for me.


More information about the Swan-dev mailing list