On Dec 2, 8:59 pm, "fat.fuck" <[EMAIL PROTECTED]> wrote:
> first off: i am but a humble java programmer by trade; not a sysadmin;
> nor a network guy. so a lot of nss tool-related stuff is a foreign
> language to me. please, help a certutil rookie make sense of the
> world?
>
> i'm experimenting with using client authn between a command-line
> ldapsearch client (for this experiment, the one that comes with sun's
> directory server resource kit v 5.2) and sun one directory server 5.1
> (on solaris 9 sparc).
>
> using openssl, i created a self-signed ca cert (and keys) plus an ldap
> server cert (and keys) and a client cert (and keys); the client and
> server certs are both signed by my self-signed ca cert. certs and keys
> for all three (ca, server, client) are in pem format.
>
> i successfully installed the server and ca certs into the directory
> server; i then added the ca and client certs into $HOME/.netscape/
> cert7.db using the following certutil command line:
>
> certutil -A -a -i ./myClientCert.pem -n "myClientCert" -c "myCACert"
> -t "u,u,u" -d $HOME/.netscape (and a similar command for the ca cert)
>
> after running that command, i was able to successfully view the just-
> added cert with: "certutil -L -n myClientCert -d $HOME/.netscape"
>
> that leads me to my first question:
>
> 1. does that command implicitly add the cert's private key into
> $HOME/.netscape/key3.db?
>
> 2. if not, how do i add the cert's private key to key3.db?
>
> the certutil docs (http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html)
> say,
>
> "The Certificate Database Tool is a command-line utility that
> can...display the contents of the key database..."
>
> i've read and reread that page over and over; but i still can't figure
> out which command to use to make certutil "display the contents of the
> key database".
>
> if it's any help, i'm using the binary version of certutil that came
> precompiled as part of the sun one directory server resource kit 5.2
> (dsrk52) on solaris 9 sparc. for what it's worth: the certs were
> created on my mac with openssl, then jarred and ftp'd over to the sun
> box.
>
> as far as wanting to view keys, i'm guessing it's actually the
> pk12util tool i want (http://www.mozilla.org/projects/security/pki/nss/tools/pk12util.html)
> instead of certutil. is that right? if so, then
> please can you also clear up a couple things about pk12util?
>
> the pk12util docs say, "Import a certificate and private key from
> the p12file into the database." the way i read that description, it
> implies that both the private key and cert get imported into the same
> database ("into __the__ database"). am i understanding that correctly?
>
> 3. what exactly _does_ get added to key3.db?
>
> 4. how can i view what's in key3.db?
>
> if you're interested, the reason for my questions stems from the
> following ldapsearch error:
>
> bebop$ /development/projects/dsrk52/lib/ldapcsdk/tools/ldapsearch -h
> bebop -p 636 -Z -P /home/bebop/.netscape/cert7.db -N "myClientCert" -W
> "**********" -K /home/bebop/.netscape/key3.db -b "" "(objectClass=*)"
> ldapssl_enable_clientauth: Bad parameter to an ldap routine
> ldapssl_enable_clientauth: additional info: unable to find certificate
> SSL error -8174 (security library: bad database.)
hello forum,

i've answered a couple of my own questions; thanks to "http://kb.mozillazine.org/Key3.db":

"key3.db contains a key used to encrypt and decrypt saved passwords."

reading the pk12util docs further, i worked out that the cert's private key must be inside cert7.db along with the cert; as this command description suggests:

"-o p12file - Export certificate and private key, specified by the -n option, from the database to the p12 file."

now, if anybody could help shed light on this error i'm getting using my certs and keys for 2-way ssl, please chime in:

> ldapssl_enable_clientauth: Bad parameter to an ldap routine
> ldapssl_enable_clientauth: additional info: unable to find certificate
> SSL error -8174 (security library: bad database.)

thanks in advance for your help.

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
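An added example, not part of the thread, showing the procedure the poster is circling around: in NSS, cert7.db holds certificates and key3.db holds private keys, and `certutil -A` imports only a certificate, so the usual way to get a PEM private key into key3.db is to bundle cert and key into a PKCS#12 file with openssl and import it with `pk12util -i`. The script then checks, with `certutil -L` (certificates) and `certutil -K` (private keys), that the nickname is present in both databases, which is the precondition the ldapsearch `-N`/`-P`/`-K` options rely on. Assumed, and not from the original message: the PEM file names `myClientKey.pem` and `myCACert.pem`, the export password `changeit`, the helper function names, and that `certutil -K` prints the key's nickname (it does in NSS releases I know; older builds may need `-f pwfile` if key3.db has a password). Needs openssl, pk12util and certutil on PATH to do the import; the directory check itself runs anywhere.

```shell
#!/bin/sh
# Added example, not from the thread. Import a PEM client identity into an
# NSS cert7.db/key3.db pair and confirm cert AND key are present for the
# nickname before pointing ldapsearch -P/-K at the databases.

NSS_DIR="${NSS_DIR:-$HOME/.netscape}"   # same directory as in the thread
NICK="myClientCert"                      # nickname from the thread

# Precondition check: ldapsearch -P and -K must point at cert7.db and key3.db
# that both exist (and live in the same directory, or NSS reports
# "bad database"). Returns 0 when both files are readable.
nss_db_complete() {
    [ -r "$1/cert7.db" ] && [ -r "$1/key3.db" ]
}

# certutil -A stores only the certificate; the private key never reaches
# key3.db that way. Bundle cert + key (+ CA chain) into PKCS#12 and let
# pk12util place the cert in cert7.db and the key in key3.db.
# Assumed file names: myClientKey.pem, myCACert.pem (not in the thread).
import_client_identity() {
    dir=$1; nick=$2; cert=$3; key=$4; ca=$5
    openssl pkcs12 -export -in "$cert" -inkey "$key" -certfile "$ca" \
        -name "$nick" -out "$nick.p12" -passout pass:changeit || return 1
    pk12util -i "$nick.p12" -d "$dir" -W changeit || return 1
    rm -f "$nick.p12"    # the .p12 holds the key in clear once unpacked; remove it
}

# -L lists certificates (cert7.db); -K lists private keys (key3.db).
# "unable to find certificate" from ldapssl_enable_clientauth is what you
# get when the nickname is present in one database but not the other.
show_identity() {
    dir=$1; nick=$2
    nss_db_complete "$dir" || { echo "missing cert7.db or key3.db in $dir"; return 1; }
    certutil -L -d "$dir" -n "$nick" >/dev/null 2>&1 \
        || { echo "no certificate '$nick' in $dir/cert7.db"; return 1; }
    certutil -K -d "$dir" 2>/dev/null | grep -q "$nick" \
        || { echo "no private key for '$nick' in $dir/key3.db"; return 1; }
    echo "certificate and private key present for '$nick' in $dir"
}

# Usage: sh nss_identity.sh run   (only then are the NSS tools invoked)
if [ "${1:-}" = "run" ]; then
    import_client_identity "$NSS_DIR" "$NICK" ./myClientCert.pem ./myClientKey.pem ./myCACert.pem
    show_identity "$NSS_DIR" "$NICK"
fi
```

Once `show_identity` reports both halves present, the ldapsearch line from the thread can be retried with `-P` and `-K` pointing at the same directory's cert7.db and key3.db; if the check fails on the key side, the import step above is the missing piece.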