[Swan-dev] nss vs newhostkey / showhostkey
Paul Wouters
paul at nohats.ca
Wed May 25 20:31:59 UTC 2016
On Wed, 25 May 2016, Andrew Cagney wrote:
>>> I suspect the correct way is to create the certificate at the same
>>> time as the key-pair (like certutil -S).
>>
>>
>> I was hoping to avoid that, but if that's what is needed we could do
>> that.
>
> Since we're using NSS we should, perhaps, try to be more NSS like.
That's not "embrace and extend" :)
> Otoh, we know how to find the key-pair using the ckaid so it can be
> done in rsasigkey or showhostkey.
right.
> (I still can't see the point of certutil -G (other than provide a
> reference implementation for rsasigkey)).
It is probably just a tool that uses the nss libraries for the real
work. We cannot use it instead of rsasigkey because nss-utils do
not get FIPS certification unlike the nss library.
Paul