first off: i am but a humble java programmer by trade; not a sysadmin; nor a network guy. so a lot of nss tool-related stuff is a foreign language to me. please, help a certutil rookie make sense of the world?
i'm experimenting with using client authn between a command-line ldapsearch client (for this experiment, the one that comes with sun's directory server resource kit v 5.2) and sun one directory server 5.1 (on solaris 9 sparc). using openssl, i created a self-signed ca cert (and keys) plus an ldap server cert (and keys) and a client cert (and keys); the client and server certs are both signed by my self-signed ca cert. certs and keys for all three (ca, server, client) are in pem format.

i successfully installed the server and ca certs into the directory server; i then added the ca and client certs into $HOME/.netscape/cert7.db using the following certutil command line:

    certutil -A -a -i ./myClientCert.pem -n "myClientCert" -c "myCACert" -t "u,u,u" -d $HOME/.netscape

(and a similar command for the ca cert). after running that command, i was able to successfully view the just-added cert with:

    certutil -L -n myClientCert -d $HOME/.netscape

that leads me to my first question:

1. does that command implicitly add the cert's private key into $HOME/.netscape/key3.db?

2. if not, how do i add the cert's private key to key3.db?

the certutil docs (http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html) say, "The Certificate Database Tool is a command-line utility that can...display the contents of the key database..." i've read and reread that page over and over; but i still can't figure out which command to use to make certutil "display the contents of the key database". if it's any help, i'm using the binary version of certutil that came precompiled as part of the sun one directory server resource kit 5.2 (dsrk52) on solaris 9 sparc. for what it's worth: the certs were created on my mac with openssl, then jarred and ftp'd over to the sun box.

as far as wanting to view keys, i'm guessing it's actually the pk12util tool i want (http://www.mozilla.org/projects/security/pki/nss/tools/pk12util.html) instead of certutil. is that right?

if so, then please can you also clear up a couple things about pk12util? the pk12util docs say, "Import a certificate and private key from the p12file into the database." the way i read that description, it implies that both the private key and cert get imported into the same database ("into __the__ database"). am i understanding that correctly?

3. what exactly _does_ get added to key3.db?

4. how can i view what's in key3.db?

if you're interested, the reason for my questions stems from the following ldapsearch error:

    bebop$ /development/projects/dsrk52/lib/ldapcsdk/tools/ldapsearch -h bebop -p 636 -Z -P /home/bebop/.netscape/cert7.db -N "myClientCert" -W "**********" -K /home/bebop/.netscape/key3.db -b "" "(objectClass=*)"
    ldapssl_enable_clientauth: Bad parameter to an ldap routine
    ldapssl_enable_clientauth: additional info: unable to find certificate
    SSL error -8174 (security library: bad database.)

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
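An added example, not from the post or the NSS project, of the path the questions above are circling: certutil -A stores only the certificate, so the private key has to arrive bundled with its cert as a PKCS#12 file through pk12util, after which certutil -K lists the key database. It assumes openssl, certutil and pk12util on PATH and a current NSS (which creates cert9.db/key4.db by default rather than cert7.db/key3.db); the nicknames myCACert/myClientCert are taken from the post, and the passwords are constructed.

```shell
#!/bin/sh
# Added example: PEM client cert + key -> PKCS#12 -> NSS database via pk12util.
# Assumes openssl, certutil and pk12util are installed; run against a fresh directory.
set -eu

# Create a scratch CA and client identity (PEM, as in the post), an empty NSS
# database, import the CA cert with certutil and the client cert+key with
# pk12util, then confirm the key is in the key database. Prints "key-present".
nss_import_client_identity() {
    dir="$1"
    mkdir -p "$dir"
    printf 'dbpass\n' > "$dir/pw.txt"      # NSS key-db password (constructed)
    # Self-signed CA and a CA-signed client cert, both PEM.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj '/CN=myCACert' \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj '/CN=myClientCert' \
        -keyout "$dir/client.key" -out "$dir/client.csr" >/dev/null 2>&1
    openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 30 -out "$dir/client.pem" >/dev/null 2>&1
    # New cert/key database pair, protected by the password in pw.txt.
    certutil -N -d "$dir" -f "$dir/pw.txt"
    # certutil -A imports a certificate only (no key); the CA gets trust flags
    # so it can vouch for the client cert and for the server's cert.
    certutil -A -d "$dir" -n myCACert -t 'CT,,' -a -i "$dir/ca.pem"
    # Cert and private key travel together only as PKCS#12. SHA1/3DES PBE and
    # a SHA-1 MAC keep the file readable by older NSS builds.
    openssl pkcs12 -export -in "$dir/client.pem" -inkey "$dir/client.key" \
        -name myClientCert -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES \
        -macalg sha1 -passout pass:p12pass -out "$dir/client.p12"
    # -W is the .p12 password, -K the NSS database (slot) password.
    pk12util -i "$dir/client.p12" -d "$dir" -W p12pass -K dbpass >/dev/null
    # -K lists the key database; the imported key appears under its nickname.
    certutil -K -d "$dir" -f "$dir/pw.txt" | grep -q myClientCert && echo key-present
}

# Stop cleanly when the tools are not installed, otherwise run the demo.
for tool in openssl certutil pk12util; do
    command -v "$tool" >/dev/null 2>&1 || { echo "$tool not found on PATH" >&2; exit 0; }
done
nss_import_client_identity "${1:-./nssdb-demo}"
```

After the import, certutil -L -d DIR shows both nicknames while certutil -K shows only myClientCert, since the CA's key was never put in the database.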