[Swan-dev] nss vs newhostkey / showhostkey

Paul Wouters paul at nohats.ca
Wed May 25 20:31:59 UTC 2016

On Wed, 25 May 2016, Andrew Cagney wrote:

>>> I suspect the correct way is to create the certificate at the same
>>> time as the key-pair (like certutil -S).
>> I was hoping to avoid that, but if that's what is needed we could do
>> that.
> Since we're using NSS we should, perhaps, try to be more NSS like.

That's not "embrase and extend" :)

> Otoh, we know how to find the key-pair using the ckaid so it can be
> done in rsasigkey or showhostkey.


> (I still can't see the point of certutil -G (other than provide a
> reference implementation for rsasigkey)).

It is probably just a tool that uses the nss libraries for the real
work. We cannot use it instead of rsasigkey because nss-utils do
not get FIPS certification unlike the nss library.


More information about the Swan-dev mailing list