Product: Fedora
Version: rawhide
Component: nss

Elio Maldonado Batiz emaldona@redhat.com has canceled Bug Zapper triage@lists.fedoraproject.org's request for needinfo:
Bug 546849: Certificate name confusion
https://bugzilla.redhat.com/show_bug.cgi?id=546849

------- Additional Comments from Elio Maldonado Batiz emaldona@redhat.com
I cannot reproduce the problem. I'm running
rpm -q nspr nss nss-util nss-softokn
nspr-4.8.9-2.fc16.x86_64
nss-3.13.1-7.fc16.elio.3.x86_64
nss-util-3.13.1-3.fc16.x86_64
nss-softokn-3.12.10-6.fc16.x86_64
This is what I did to try to reproduce: - Copying and pasting may be faulty :-)
(1a) Generate the key pair for CA1
openssl genrsa -des3 -out ca1.key 1024
(1b) Generate the key pair for CA1
openssl genrsa -des3 -out ca2.key 1024

(2a) csr for ca1
openssl req -new -key ca1.key -out ca1.csr
Enter pass phrase for ca1.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:CA
Locality Name (eg, city) [Default City]:San Jose
Organization Name (eg, company) [Default Company Ltd]:Dummy Inc
Organizational Unit Name (eg, section) []:Testing
Common Name (eg, your name or your server's hostname) []:myca
Email Address []:emaldona@redhat.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

(2) csr for ca1 and ca2
openssl req -new -key ca1.key -out ca1.csr
$ openssl req -new -key ca2.key -out ca2.csr
-- at the prompts I gave the same answers
(3b) csr for 2 (
(4a) First self-signed cert
$ openssl x509 -req -days 365 -in ca1.csr -signkey ca1.key -out ca1.crt
Signature ok
subject=/C=US/ST=California/L=San Jose/O=Dummy/OU=Test/CN=none
Getting Private key
Enter pass phrase for ca1.key:
(4b) Second self-signed cert
$ openssl x509 -req -days 365 -in ca2.csr -signkey ca2.key -out ca2.crt
Signature ok
subject=/C=US/ST=California/L=San Jose/O=Dummy/OU=Test/CN=none
Getting Private key
Enter pass phrase for ca2.key:
-- subject is the same
(5) Make empty directory and start a fresh NSS database
$ rm -rf /tmp/cert/
$ mkdir /tmp/cert
$ certutil -d sql:/tmp/cert/ -N
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.

Enter new password:
Re-enter password:

(6) Import CA1 cert as fred
$ certutil -d /tmp/cert -E -t TC,TC,TC -n "fred" -i ca1.crt
Enter Password or Pin for "NSS Certificate DB":

(7) Import CA2 cert as wilma
$ certutil -d /tmp/cert -E -t TC,TC,TC -n "wilma" -i ca2.crt
Enter Password or Pin for "NSS Certificate DB":

(8) List the certs
$ certutil -d sql:/tmp/cert/ -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

fred                                                         CT,C,C
wilma                                                        CT,C,C
different names, good!
(8) List them by nickname
certutil -d sql:/tmp/cert/ -L -n fred > fred.txt
certutil -d sql:/tmp/cert/ -L -n wilma > wilma.txt
'diff fred.txt wilma.txt' shows identical output
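An added example, not part of the original report or of NSS: a shell check that finds CA certificates sharing one subject DN, the situation steps (4a) and (4b) set up, and tells them apart by SHA-256 fingerprint using only openssl. The function names, the unencrypted 2048-bit keys and the temporary directory are assumptions of this example; the subject string is the one printed in step (4a).

```shell
#!/bin/sh
# Added example, not from the original report. Assumes openssl is on PATH.
# Every key and certificate here is throwaway test data.

# make_ca <basename> <subject>: unencrypted key plus self-signed certificate.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "$2" -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

cert_subject()     { openssl x509 -in "$1" -noout -subject -nameopt RFC2253; }
cert_fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256; }

# subject_collisions <dir>: print each subject DN carried by more than one
# distinct certificate in <dir>/*.crt. Copies of one certificate do not count.
subject_collisions() {
    for f in "$1"/*.crt; do
        [ -f "$f" ] || continue
        printf '%s\t%s\n' "$(cert_subject "$f")" "$(cert_fingerprint "$f")"
    done | sort -u | cut -f1 | sort | uniq -d
}

demo() {
    dir=$(mktemp -d) || return 1
    subj='/C=US/ST=California/L=San Jose/O=Dummy/OU=Test/CN=none'
    make_ca "$dir/ca1" "$subj" && make_ca "$dir/ca2" "$subj" || return 1
    echo "Subjects shared by different certificates:"
    subject_collisions "$dir"
    echo "SHA-256 fingerprints that tell them apart:"
    cert_fingerprint "$dir/ca1.crt"
    cert_fingerprint "$dir/ca2.crt"
    rm -rf "$dir"
}
demo
```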