Yevgeniy Gubenko wrote, On 2008-06-01 02:48:
> I’m trying to migrate JKS keystore entries to NSS 3.11.4 database and
> get an exception.
> I’m working on Solaris 10.
> I wonder what I am doing wrong.
> These are the prerequisites I perform:
>
> certutil -N -f pwdfile.txt -d . (Create NSS DB)
>
> modutil -fips true -dbdir /opt/nss/fipsdb (Enable fips mode)
>
> keytool -importkeystore -srckeystore client.private -srcstoretype JKS
> -deststoretype PKCS12 -destkeystore client.privatepkcs12 (Convert JKS
> keystore file client.private to pkcs12 format)

Does that command put a private key AND a certificate into the PKCS12 file?
Or does it put only a private key into the PKCS12 file?
NSS wants to import the private key and the cert from the same PKCS12 file.
I don't think it will import just a private key without the corresponding
cert.

> pk12util -i client.privatepkcs12 -d . (import pkcs12 file to NSS database)
>
> Here I get the following exception:
>
> pk12util: PKCS12 decode import bags failed: Unable to import. Error
> attempting to import private key.

This error has several causes, and is a little ambiguous, but I'd start by
checking to see if the PKCS12 file has a cert for that key in it.

In NSS version 3.10 and later versions, pk12util has a third command option,
in addition to -i (import) and -o (export) there is -l (that's ell, as in
list). You can use it to list the contents of your PKCS#12 file. It won't
show you the actual values of encrypted keys or encrypted certs, but it will
at least list the keys, and the certs, and it will show the values
(contents) of unencrypted certs, if any.