Signing Software With Netscape Signing Tool 1.1

Chapter 4
Generating Test Object-Signing Certificates

Netscape Signing Tool versions 1.0 and 1.1 allow you to create object-signing certificates for testing purposes. This chapter describes how to create and use such test certificates.

Sections in this chapter:

Generating the Keys and Certificate
Importing Your Test Certificate Into Communicator

Unlike certificates normally used to sign finished code to be distributed over a network, the test certificates created with Netscape Signing Tool are not signed by a recognized certificate authority. Instead, they are self-signed. In addition, a single test signing certificate functions as both an object-signing certificate and a CA. When you are using it to sign objects, it behaves like an object-signing certificate. When it is imported into browser software such as Communicator, it behaves like an object-signing CA.

Generating the Keys and Certificate

The signtool option -G generates a new public-private key pair and certificate. It takes the nickname of the new certificate as an argument. The newly generated keys and certificate are installed into the key and certificate databases in the directory specified by the -d option. With the NT version of the Netscape Signing Tool, you must use the -d option with the -G option. With the Unix version of the Netscape Signing Tool, omitting the -d option causes the tool to install the keys and certificate in the Communicator key and certificate databases. In all cases, the certificate is also output to a file named x509.cacert, which has the MIME-type application/x-x509-ca-cert.

Important: Before installing new keys and certificates in the key and certificate databases, you must set the database password (if you have not done so already). To set the password for the key and certificate databases currently being used by Communicator, click the Security icon in the Communicator toolbar, click Passwords, and click Set Password to create a password.
WARNING: If you intend to install the new key pair and certificate in the Communicator databases, you must exit Communicator before using the Netscape Signing Tool to generate the object-signing certificate. Otherwise, you risk corrupting your certificate and key databases.
Certificates contain standard information about the entity they identify, such as the common name and organization name. The Netscape Signing Tool prompts you for this information when you run the command with the -G option. However, all of the requested fields are optional for test certificates. If you do not enter a common name, the tool provides a default name. In the following example, the text the user typed follows each prompt:

% signtool -G MyTestCert
using certificate directory: /u/someuser/.netscape
Enter certificate information. All fields are optional. Acceptable
characters are numbers, letters, spaces, and apostrophes.
certificate common name: Test Object Signing Certificate
organization: Netscape Communications Corp.
organization unit: Server Products Division
state or province: California
country (must be exactly 2 characters): US
username: someuser
email address: someuser@netscape.com
Enter Password or Pin for "Communicator Certificate DB": [Password will not echo]
generated public/private key pair
certificate request generated
certificate has been signed
certificate "MyTestCert" added to database
Exported certificate to x509.raw and x509.cacert.
%
The certificate information is read from standard input. Therefore, the information can be read from a file using the redirection operator (<) in some operating systems. To create a file for this purpose, enter each of the seven input fields, in order, on a separate line. Make sure there is a newline character at the end of the last line. Then run signtool with standard input redirected from your file as follows:

% signtool -G MyTestCert <inputfile
The prompts show up on the screen, but the responses will be automatically read from the file. The password will still be read from the console unless you use the -p option to give the password on the command line.
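The following added example (not part of the Netscape manual) builds the seven-line answer file described above and checks it before it is redirected into signtool -G: the line count, the trailing newline the text insists on, the two-character country field, and the accepted character set. The field values, the ./testdb directory, the SIGNTOOL_DB_PASSWORD variable, and allowing @ and . on the e-mail line are assumptions.

```shell
# Added example, not from the manual: build and sanity-check the seven-line
# answer file that "signtool -G" reads from standard input.  Field order
# follows the prompts shown above: common name, organization, organization
# unit, state or province, country, username, email address.

# Write the seven answers, one per line; printf's trailing \n guarantees the
# newline after the last line.  The values are constructed sample data.
write_signtool_input() {
    out="$1"
    printf '%s\n' \
        "Test Object Signing Certificate" \
        "Example Corp" \
        "Build Team" \
        "California" \
        "US" \
        "builduser" \
        "builduser@example.com" > "$out"
}

# Check the answer file before feeding it to signtool:
#  * exactly seven lines (wc counts newline characters, so a missing final
#    newline shows up as a count of 6);
#  * the file ends with a newline (tail -c1 yields nothing only then);
#  * line 5 (country) is exactly two characters;
#  * only numbers, letters, spaces and apostrophes, plus (an assumption)
#    @ and . on the e-mail line.
# Returns 0 when the file is well formed, 1 otherwise.
check_signtool_input() {
    f="$1"
    [ "$(wc -l < "$f" | tr -d ' ')" -eq 7 ] || return 1
    [ -z "$(tail -c1 "$f")" ] || return 1
    country=$(sed -n '5p' "$f")
    [ "${#country}" -eq 2 ] || return 1
    # grep succeeds if any line contains a character outside the accepted set
    if sed '7d' "$f" | grep -q "[^A-Za-z0-9' ]"; then return 1; fi
    if sed -n '7p' "$f" | grep -q "[^A-Za-z0-9'@. ]"; then return 1; fi
    return 0
}

# Validate, then run signtool with standard input redirected from the file.
# -d names a separate test database directory (assumed path; the manual notes
# the NT version requires -d) and -p supplies the database password so nothing
# is read from the console.  SIGNTOOL_DB_PASSWORD is an assumed variable.
generate_test_cert() {
    write_signtool_input "$1"
    check_signtool_input "$1" || return 1
    signtool -G MyTestCert -d ./testdb -p "$SIGNTOOL_DB_PASSWORD" < "$1"
}
```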

Importing Your Test Certificate Into Communicator

It's possible to install the newly generated certificate and keys directly into the Communicator databases if you so specify with the -d option (or, with Unix versions of the Netscape Signing Tool only, if you omit the -d option). If you do install the certificate and keys in the Communicator database when you create your test certificate, the certificate will thenceforth be trusted as a CA.

If you do not install the certificate and keys in Communicator at the time you create them, or if you want to install them in additional copies of Communicator on other machines, you can use the x509.cacert file that signtool generates automatically when it creates the certificate. This file contains the certificate in base-64-encoded form. The file can be read into any copy of Communicator if the file is posted on a web page.

To make the x509.cacert file accessible from a web page, follow these steps:

  1. Create a link to the x509.cacert file in an HTML document. For example:

     <a href="x509.cacert">Click Here to Import My Object-Signing Test Certificate</a>

  2. Make sure your web server exports the file as MIME-type application/x-x509-ca-cert. Netscape Enterprise Server 3.0 is configured this way by default, and any server can be made to export the certificate correctly. To arrange this, you or your system administrator must associate this MIME-type with the file extension .cacert. Depending on your web server, this may involve editing a configuration file or using an administration tool.
After completing these steps, anyone who can access the web page can import your certificate by clicking the link. Doing so causes a security dialog box to appear that guides the user through the process of installing the certificate as a trusted CA. After completing the installation and accepting the certificate for certifying software developers (that is, as a CA for object-signing certificates), the user can run Java applets signed by your test certificate.

It is important to note that importing the certificate in this way does not enable anyone else to use your certificate for object-signing. Your private signing key is not stored in the x509.cacert file. Importing the certificate only allows other people to use software that you have signed.



Last Updated: 06/19/98 13:23:51

Any sample code included above is provided for your use on an "AS IS" basis, under the Netscape License Agreement - Terms of Use