You were right about the absence of a certificate in the generated client.private file (JKS format).
But unfortunately, an attempt to generate a self-signed certificate for the keystore, then convert it to PKCS12 format (client.privatepkcs12) and finally import it into the NSS database results in the same error. Here is the output I get when I use the pk12util -l command, as you suggested:

pk12util -l client.privatepkcs12
Enter password for PKCS12 file:
Key(shrouded):
    Friendly Name: acemsclientprivate
Certificate(has private key):
    Data:
        Version: 3 (0x2)
        Serial Number: 1212490559 (0x4845233f)
        Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
        Issuer: "CN=cnname,OU=ouname,O=oname,L=lname,ST =stname,C=c..."
        Validity:
            Not Before: Tue Jun 03 10:55:59 2008
            Not After : Mon Sep 01 10:55:59 2008
        Subject: " cnname,OU=ouname,O=oname,L=lname,ST =stname,C=c..."
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                    93:d7:c6:1d:d9:86:5e:27:e4:a2:b0:04:0c:cc:34:19:
                    65:e7:a0:fe:71:32:27:e7:4d:91:c3:df:41:c0:8e:a9:
                    bb:b1:ce:b3:88:ad:b5:b5:61:1a:58:71:bb:d5:5b:26:
                    41:87:4f:25:2c:96:6c:ef:e5:b4:43:aa:a9:f7:d2:c1:
                    41:76:7c:72:c6:78:98:66:ea:1f:d4:2b:15:67:7f:cc:
                    07:6b:b3:87:14:0b:09:b3:a8:d4:1c:bb:fc:5f:88:47:
                    6f:bd:4d:03:c6:a1:ea:e8:d9:da:a2:ff:b6:93:82:63:
                    e3:af:b6:09:4e:9c:92:1e:92:ce:d7:11:f4:41:95:1b
                Exponent: 65537 (0x10001)
    Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
    Signature:
        50:d7:ec:20:29:c0:fd:93:6e:07:3f:c4:f9:ab:e2:b4:
        aa:b8:30:97:08:11:bc:b6:10:20:0c:5f:49:03:91:6f:
        01:d9:f5:a0:79:8a:81:06:de:f7:a6:7e:cb:6f:af:ff:
        06:78:c6:18:a0:4a:7e:4e:97:59:d1:43:ae:7b:27:7a:
        77:ad:9b:8c:08:53:36:19:4d:26:7b:16:8b:09:b7:f9:
        bb:6c:95:16:ff:ae:09:dc:9e:89:ed:64:d8:9d:d5:3e:
        09:46:4f:2d:99:58:d0:5f:c7:08:fa:3f:9c:16:78:7e:
        58:81:8c:86:18:5a:5f:a4:34:c3:1d:a1:90:4d:bf:49
    Fingerprint (MD5):
        57:55:35:DC:F8:EA:4E:41:80:55:CD:DE:40:F1:13:16
    Fingerprint (SHA1):
        6F:EA:8D:EF:FF:06:BC:20:78:13:AE:54:40:B9:1E:62:8F:97:6A:64
    Friendly Name: CN= cnname,OU= ouname,O= oname,L= lname,ST= stname,C= cname

Can you see something wrong?
-----Original Message-----
From: Nelson B Bolyard [mailto:[EMAIL PROTECTED]
Sent: Sunday, June 01, 2008 23:01
To: mozilla's crypto code discussion list
Subject: Re: Problems importing pkcs12 keystore to NSS

Yevgeniy Gubenko wrote, On 2008-06-01 02:48:
> I'm trying to migrate JKS keystore entries to NSS 3.11.4 database and
> get an exception.
> I'm working on Solaris 10.
> I wonder what I am doing wrong.
> These are the prerequisites I perform:
>
> certutil -N -f pwdfile.txt -d . (Create NSS DB)
>
> modutil -fips true -dbdir /opt/nss/fipsdb (Enable fips mode)
>
> keytool -importkeystore -srckeystore client.private -srcstoretype JKS
> -deststoretype PKCS12 -destkeystore client.privatepkcs12 (Convert JKS
> keystore file client.private to pkcs12 format)

Does that command put a private key AND a certificate into the PKCS12 file?
Or does it put only a private key into the PKCS12 file?

NSS wants to import the private key and the cert from the same PKCS12 file.
I don't think it will import just a private key without the corresponding cert.

> pk12util -i client.privatepkcs12 -d . (import pkcs12 file to NSS database)
>
> Here I get the following exception:
>
> pk12util: PKCS12 decode import bags failed: Unable to import. Error
> attempting to import private key.

This error has several causes, and is a little ambiguous, but I'd start by
checking to see if the PKCS12 file has a cert for that key in it.

In NSS version 3.10 and later versions, pk12util has a third command option,
in addition to -i (import) and -o (export) there is -l (that's ell, as in
list). You can use it to list the contents of your PKCS#12 file. It won't
show you the actual values of encrypted keys or encrypted certs, but it will
at least list the keys, and the certs, and it will show the values (contents)
of unencrypted certs, if any.
_______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
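The condition Nelson describes (NSS imports a private key only when its certificate is in the same PKCS#12 file) can be checked before pk12util is run at all. The script below is an added example written for this page; it is not code from either poster, nor from the NSS, OpenSSL or JDK projects. It assumes openssl is on PATH; the keytool conversion and the certutil/pk12util import from the thread run only where those tools are installed. The file names, the nickname acemsclientprivate, the subject CN=acems-client-demo and the passwords are assumptions made up for the demo.

```shell
#!/bin/sh
# Added example for this thread (not code from the posters, NSS or OpenSSL).
# It reproduces the failure mode discussed above: a PKCS#12 file that carries a
# private key but no certificate for it is not importable with pk12util.
# Assumptions: openssl is on PATH; keytool and certutil/pk12util are optional.
# File names, the nickname "acemsclientprivate", the subject and the passwords
# are made up for the demo, not taken from the thread.
set -eu

# Decrypt a PKCS#12 file and count what it holds.  Prints "certs=N keys=M".
# Returns 2 when the file cannot be opened (bad path or wrong password).
p12_inventory() {   # usage: p12_inventory FILE PASSWORD
    dump=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nodes 2>/dev/null) || return 2
    certs=$(printf '%s\n' "$dump" | grep -c 'BEGIN CERTIFICATE' || true)
    keys=$(printf '%s\n' "$dump" | grep -c 'BEGIN.*PRIVATE KEY' || true)
    printf 'certs=%s keys=%s\n' "$certs" "$keys"
}

# The condition pk12util enforces: each private key needs its certificate in
# the same file.  Returns 0 when the bundle is importable, 1 when it is not.
p12_ready_for_nss() {   # usage: p12_ready_for_nss FILE PASSWORD
    inv=$(p12_inventory "$1" "$2") || return 2
    certs=${inv#certs=}; certs=${certs%% *}
    keys=${inv##*keys=}
    [ "$keys" -ge 1 ] && [ "$certs" -ge "$keys" ]
}

# Build two PKCS#12 files from one self-signed key pair: good.p12 (key + cert)
# and keyonly.p12, which mimics a JKS conversion that carried no certificate.
make_bundles() {   # usage: make_bundles DIR PASSWORD
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 \
        -subj '/CN=acems-client-demo' \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
    # SHA-1/3DES PBEs and a SHA-1 MAC: OpenSSL 3 defaults to AES/PBKDF2-SHA256,
    # which older NSS releases do not decode.
    openssl pkcs12 -export -name acemsclientprivate \
        -inkey "$1/key.pem" -in "$1/cert.pem" \
        -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -macalg sha1 \
        -passout "pass:$2" -out "$1/good.p12"
    openssl pkcs12 -export -name acemsclientprivate -nocerts \
        -inkey "$1/key.pem" -keypbe PBE-SHA1-3DES -macalg sha1 \
        -passout "pass:$2" -out "$1/keyonly.p12"
}

# The thread's keytool conversion.  keytool -genkeypair stores a self-signed
# certificate next to the key, so the converted file passes the check above.
# Returns 3 when keytool is not installed.
jks_to_p12() {   # usage: jks_to_p12 DIR PASSWORD
    command -v keytool >/dev/null 2>&1 || return 3
    keytool -genkeypair -keystore "$1/client.private" -storetype JKS \
        -alias acemsclientprivate -keyalg RSA -keysize 2048 -validity 90 \
        -dname 'CN=acems-client-demo' -storepass "$2" -keypass "$2"
    keytool -importkeystore -srckeystore "$1/client.private" -srcstoretype JKS \
        -deststoretype PKCS12 -destkeystore "$1/client.privatepkcs12" \
        -srcstorepass "$2" -deststorepass "$2"
}

# The thread's NSS steps (certutil -N, then pk12util -i).  -k is the NSS
# database password file, -W the PKCS#12 password.  Returns 3 without NSS tools.
nss_import() {   # usage: nss_import DIR P12FILE DBPASSWORD P12PASSWORD
    command -v certutil >/dev/null 2>&1 && command -v pk12util >/dev/null 2>&1 || return 3
    db="$1/nssdb"; mkdir -p "$db"
    printf '%s\n' "$3" > "$1/pwdfile.txt"
    certutil -N -d "$db" -f "$1/pwdfile.txt"
    pk12util -i "$2" -d "$db" -k "$1/pwdfile.txt" -W "$4"
    certutil -K -d "$db" -f "$1/pwdfile.txt"    # the imported key should be listed
}

demo() {
    dir=$(mktemp -d)
    make_bundles "$dir" changeit
    for f in good keyonly; do
        if p12_ready_for_nss "$dir/$f.p12" changeit; then
            echo "$f.p12: $(p12_inventory "$dir/$f.p12" changeit) -> importable"
        else
            echo "$f.p12: $(p12_inventory "$dir/$f.p12" changeit) -> pk12util would fail here"
        fi
    done
    if jks_to_p12 "$dir" changeit; then
        echo "client.privatepkcs12: $(p12_inventory "$dir/client.privatepkcs12" changeit)"
    fi
    nss_import "$dir" "$dir/good.p12" dbsecret changeit || echo "NSS tools not installed, import skipped"
}
demo
```

The inventory function is the openssl counterpart of Nelson's pk12util -l: a file that lists a key but no "Certificate(has private key)" entry will trip the "Error attempting to import private key" failure from the thread. The explicit SHA-1/3DES PBE and MAC options only matter when the PKCS#12 is produced by OpenSSL 3 for an old NSS; a PKCS#12 written by keytool -importkeystore is checked the same way.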