fat.fuck wrote:
On Dec 2, 8:59 pm, "fat.fuck" <[EMAIL PROTECTED]> wrote:
first off: i am but a humble java programmer by trade; not a sysadmin,
nor a network guy. so a lot of nss tool-related stuff is a foreign
language to me. please, help a certutil rookie make sense of the
world?

i'm experimenting with using client authn between a command-line
ldapsearch client (for this experiment, the one that comes with sun's
directory server resource kit v 5.2) and sun one directory server 5.1
(on solaris 9 sparc).

using openssl, i created a self-signed ca cert (and keys) plus an ldap
server cert (and keys) and a client cert (and keys); the client and
server certs are both signed by my self-signed ca cert. certs and keys
for all three (ca, server, client) are in pem format.

i successfully installed the server and ca certs into the directory
server; i then added the ca and client certs into $HOME/.netscape/
cert7.db using the following certutil command line:

  certutil -A -a -i ./myClientCert.pem -n "myClientCert" -c "myCACert"
-t "u,u,u" -d $HOME/.netscape (and a similar command for the ca cert)

after running that command, i was able to successfully view the just-
added cert with: "certutil -L -n myClientCert -d $HOME/.netscape"

that leads me to my first question:

   1. does that command implicitly add the cert's private key into
$HOME/.netscape/key3.db?

   2. if not, how do i add the cert's private key to key3.db?

the certutil docs (http://www.mozilla.org/projects/security/pki/nss/
tools/certutil.html) say,

  "The Certificate Database Tool is a command-line utility that
can...display the contents of the key database..."

i've read and reread that page over and over; but i still can't figure
out which command to use to make certutil "display the contents of the
key database".

if it's any help, i'm using the binary version of certutil that came
precompiled as part of the sun one directory server resource kit 5.2
(dsrk52) on solaris 9 sparc. for what it's worth: the certs were
created on my mac with openssl, then jarred and ftp'd over to the sun
box.

as far as wanting to view keys, i'm guessing it's actually the
pk12util tool i want (http://www.mozilla.org/projects/security/pki/nss/
tools/pk12util.html) instead of certutil. is that right? if so, then
please can you also clear up a couple things about pk12util?

the pk12util docs say, "Import a certificate and private key from
the p12file into the database." the way i read that description, it
implies that both the private key and cert get imported into the same
database ("into __the__ database"). am i understanding that correctly?

   3. what exactly _does_ get added to key3.db?

   4. how can i view what's in key3.db?

if you're interested, the reasons for my questions stem from the
following ldapsearch error:

bebop$ /development/projects/dsrk52/lib/ldapcsdk/tools/ldapsearch -h
bebop -p 636 -Z -P /home/bebop/.netscape/cert7.db -N "myClientCert" -W
"**********" -K /home/bebop/.netscape/key3.db -b "" "(objectClass=*)"
ldapssl_enable_clientauth: Bad parameter to an ldap routine
ldapssl_enable_clientauth: additional info: unable to find certificate
        SSL error -8174 (security library: bad database.)

hello forum,

i've answered a couple of my own questions; thanks to "http://
kb.mozillazine.org/Key3.db"

   "key3.db contains a key used to encrypt and decrypt saved
passwords."

reading the pk12util docs further, i worked out that the cert's
private key must be inside cert7.db along with the cert, as this
command description suggests:

  "-o p12file - Export certificate and private key, specified by the -
n option, from the database to the p12 file."

No, not exactly - private keys are stored in key3.db - certs are stored in cert7.db. What version of NSS are you using anyway? cert7.db is really old - NSS switched to cert8.db a long time ago.

certutil -L will show you your certs.
certutil -L -n "myClientCert" will show you that particular cert

I suppose you could run ldapsearch with strace or truss to see what file it cannot find or open.

If this is an ldapsearch issue, you might want to follow up to mozilla.dev.tech.ldap


now, if anybody could help shed light on this error i'm getting using
my certs and keys for 2-way ssl, please chime in:

 > ldapssl_enable_clientauth: Bad parameter to an ldap routine
 > ldapssl_enable_clientauth: additional info: unable to find
certificate
 >         SSL error -8174 (security library: bad database.)

thanks in advance for your help.
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
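The thread never shows the full sequence that actually puts a private key behind a certificate in an NSS database, so here is an added example (not code from either poster, and not from the NSS or DSRK documentation) that does it end to end: build a throwaway CA and client cert with openssl, create an empty NSS database, import the CA cert with `certutil -A`, bundle the client cert and key into PKCS#12, import that with `pk12util -i`, and then check with `certutil -K` (which lists the key database) and `certutil -L` (whose trust column shows `u,u,u` only once a matching private key exists). Paths, nicknames and the `exportpw` PKCS#12 password are illustrative; the PKCS#12 file is deliberately written with the older SHA1/3DES PBE algorithms because an NSS of the cert7.db/key3.db era cannot read the AES/PBKDF2 defaults of current OpenSSL.

```shell
#!/bin/sh
# Added example (not from the thread): get a PEM cert AND its private key into
# an NSS database. certutil -A only stores the certificate; the key has to go
# in via pk12util, which writes the cert to the cert DB and the key to the key DB.
# Assumptions: openssl, certutil and pk12util are on PATH; all names are illustrative.
set -eu

WORK="${WORK:-$(mktemp -d)}"
NSSDIR="$WORK/nssdb"          # gets cert8.db/key3.db (old NSS) or cert9.db/key4.db (new NSS)
NICK="myClientCert"           # nickname used by -n in certutil/pk12util/ldapsearch
PWFILE="$WORK/pw.txt"         # NSS DB password file (empty password here, for the demo only)

# 1. Constructed test PKI: a self-signed CA and a client cert it signs (throwaway, 1 day).
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=client" \
        -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 1 -out "$WORK/client.pem" 2>/dev/null
}

# 2. Create an empty cert/key database pair.
init_nssdb() {
    mkdir -p "$NSSDIR"
    printf '\n' > "$PWFILE"
    certutil -N -d "$NSSDIR" -f "$PWFILE"
}

# 3. The CA is a cert-only import; the trust flags make it a trusted issuer for SSL client/server use.
import_ca() {
    certutil -A -d "$NSSDIR" -n "myCACert" -t "CT,C,C" -a -i "$WORK/ca.pem"
}

# 4. cert + key -> PKCS#12 -> pk12util. Old PBE algorithms keep the file readable by old NSS.
import_client_with_key() {
    openssl pkcs12 -export -in "$WORK/client.pem" -inkey "$WORK/client.key" \
        -name "$NICK" -passout pass:exportpw \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
        -out "$WORK/client.p12"
    pk12util -i "$WORK/client.p12" -d "$NSSDIR" -k "$PWFILE" -W exportpw
}

# certutil -K lists the private keys in the key DB; prints how many carry our nickname.
client_key_present() {
    certutil -K -d "$NSSDIR" -f "$PWFILE" 2>/dev/null | grep -c "$NICK" || true
}

# certutil -L prints "<nickname> <trust flags>"; "u,u,u" means NSS found a private key for the cert.
client_trust_flags() {
    certutil -L -d "$NSSDIR" | awk -v n="$NICK" '$1 == n { print $NF }'
}

run_demo() {
    make_test_pki
    init_nssdb
    import_ca
    import_client_with_key
    echo "keys in key DB with nickname $NICK: $(client_key_present)"
    echo "trust flags for $NICK: $(client_trust_flags)"
    echo "try: ldapsearch -h host -p 636 -Z -P $NSSDIR/cert8.db -K $NSSDIR/key3.db -N $NICK ..."
}

if [ "${1:-}" = "run" ]; then
    run_demo
fi
```

Run it as `sh nss_client_key.sh run`. If step 4 is skipped and only `certutil -A` is used, `certutil -K` shows no key for the nickname and `certutil -L` reports the cert without the `u` flags, which is exactly the state in which an SSL client library has a certificate to present but nothing to sign with. The `-k` and `-W` options of pk12util keep the two different passwords (NSS database versus PKCS#12 file) out of the interactive prompt; on a shared machine prefer the prompt or a mode-0600 password file over a password on the command line, since command lines are visible in `ps`.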