On Dec 2, 11:02 pm, Rich Megginson <[EMAIL PROTECTED]> wrote:
> fat.fuck wrote:
> > On Dec 2, 8:59 pm, "fat.fuck" <[EMAIL PROTECTED]> wrote:
> >> first off: i am but a humble java programmer by trade; not a sysadmin;
> >> nor a network guy. so a lot of nss tool-related stuff is a foreign
> >> language to me. please, help a certutil rookie make sense of the
> >> world?
> >
> >> i'm experimenting with using client authn between a command-line
> >> ldapsearch client (for this experiment, the one that comes with sun's
> >> directory server resource kit v 5.2) and sun one directory server 5.1
> >> (on solaris 9 sparc).
> >
> >> using openssl, i created a self-signed ca cert (and keys) plus an ldap
> >> server cert (and keys) and a client cert (and keys); the client and
> >> server certs are both signed by my self-signed ca cert. certs and keys
> >> for all three (ca, server, client) are in pem format.
> >
> >> i successfully installed the server and ca certs into the directory
> >> server; i then added the ca and client certs into $HOME/.netscape/
> >> cert7.db using the following certutil command line:
> >
> >> certutil -A -a -i ./myClientCert.pem -n "myClientCert" -c "myCACert"
> >> -t "u,u,u" -d $HOME/.netscape (and a similar command for the ca cert)
> >
> >> after running that command, i was able to successfully view the
> >> just-added cert with: "certutil -L -n myClientCert -d $HOME/.netscape"
> >
> >> that leads me to my first question:
> >
> >> 1. does that command implicitly add the cert's private key into
> >> $HOME/.netscape/key3.db?
> >
> >> 2. if not, how do i add the cert's private key to key3.db?
> >
> >> the certutil docs (http://www.mozilla.org/projects/security/pki/nss/
> >> tools/certutil.html) say,
> >
> >> "The Certificate Database Tool is a command-line utility that
> >> can...display the contents of the key database..."
> >
> >> i've read and reread that page over and over; but i still can't figure
> >> out which command to use to make certutil "display the contents of the
> >> key database".
> >
> >> if it's any help, i'm using the binary version of certutil that came
> >> precompiled as part of the sun one directory server resource kit 5.2
> >> (dsrk52) on solaris 9 sparc. for what it's worth: the certs were
> >> created on my mac with openssl, then jarred and ftp'd over to the sun
> >> box.
> >
> >> as far as wanting to view keys, i'm guessing it's actually the
> >> pk12util tool i want (http://www.mozilla.org/projects/security/pki/nss/
> >> tools/pk12util.html) instead of certutil. is that right? if so, then
> >> please can you also clear up a couple things about pk12util?
> >
> >> the pk12util docs say, "Import a certificate and private key from
> >> the p12file into the database." the way i read that description, it
> >> implies that both the private key and cert get imported into the same
> >> database ("into __the__ database"). am i understanding that correctly?
> >
> >> 3. what exactly _does_ get added to key3.db?
> >
> >> 4. how can i view what's in key3.db?
> >
> >> if you're interested, the reason for my questions stems from the
> >> following ldapsearch error:
> >
> >> bebop$ /development/projects/dsrk52/lib/ldapcsdk/tools/ldapsearch -h
> >> bebop -p 636 -Z -P /home/bebop/.netscape/cert7.db -N "myClientCert" -W
> >> "**********" -K /home/bebop/.netscape/key3.db -b "" "(objectClass=*)"
> >> ldapssl_enable_clientauth: Bad parameter to an ldap routine
> >> ldapssl_enable_clientauth: additional info: unable to find certificate
> >> SSL error -8174 (security library: bad database.)
> >
> > hello forum,
> >
> > i've answered a couple of my own questions; thanks to "http://
> > kb.mozillazine.org/Key3.db"
> >
> > "key3.db contains a key used to encrypt and decrypt saved
> > passwords."
> >
> > reading the pk12util docs further, i worked out that the cert's
> > private key must be inside cert7.db along with the cert; as this
> > command description suggests:
> >
> > "-o p12file - Export certificate and private key, specified by the -
> > n option, from the database to the p12 file."
>
> No, not exactly - private keys are stored in key3.db - certs are stored
> in cert7.db. What version of NSS are you using anyway? cert7.db is
> really old - NSS switched to cert8.db a long time ago.
>
> certutil -L will show you your certs.
> certutil -L -n "myClientCert" will show you that particular cert
>
> I suppose you could run ldapsearch with strace or truss to see what file
> it cannot find or open.
>
> If this is an ldapsearch issue, you might want to follow up to
> mozilla.dev.tech.ldap
>
> > now, if anybody could help shed light on this error i'm getting using
> > my certs and keys for 2-way ssl, please chime in:
> >
> > ldapssl_enable_clientauth: Bad parameter to an ldap routine
> > ldapssl_enable_clientauth: additional info: unable to find
> > certificate
> > SSL error -8174 (security library: bad database.)
> >
> > thanks in advance for your help.
thanks mr megginson, i sincerely appreciate your reply. i'm coming from a java keystore/openssl mentality. i'm trying to grok certutil for the first time today. so please be patient with me if my questions are stupid.

it still isn't obvious to me exactly when or how (or even, IF) the private key (that was generated by openssl when i first created the ca and client certs) got added into key3.db. how can i confirm whether or not certutil added the key to key3.db?

i didn't explicitly supply the certs' private key file location to the certutil command line when i added the certs to cert7.db (although, the private key .pem files were in fact in the same directory as the .pem cert files when i ran the certutil command).

if you could point me to some nss/certutil docs that describe the process of adding an existing cert to cert7.db, i would be grateful.

in the meantime, i will go and rerun the ldapsearch command with truss and strace like you suggested; and let you know the outcome. i will also try to figure out what version of nss/certutil came bundled precompiled with the sun one ds resource kit 5.2 that i'm using.

i guess i slavishly followed instructions from some tutorial that said to use "cert7.db in $HOME/.netscape". the cert7.db file is from the only installation of netscape navigator on my circa 2002 sunblade 100 workstation.

thanks again for your help. be right back...

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
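An added example, not code from anyone in this thread, of the import path Rich's reply points at: `certutil -A` stores only the certificate, so an OpenSSL-generated private key has to travel in a PKCS#12 bundle through `pk12util`, after which `certutil -K` (which lists private keys only) answers the "is it in key3.db?" question. It assumes `openssl`, `certutil` and `pk12util` are on PATH, uses placeholder file names, a demo database password, and `CT,,` as the assumed trust flags for the CA cert.

```shell
#!/bin/sh
# Added example, not code from the thread: get an OpenSSL-generated client
# key into an NSS key database and prove it is there. certutil -A stores only
# the certificate; the private key travels in a PKCS#12 bundle via pk12util.
# Assumes openssl, certutil and pk12util on PATH; file names are placeholders.
set -eu

# nss_import_client_key DBDIR CLIENT_CERT.pem CLIENT_KEY.pem CA_CERT.pem NICKNAME
# Returns 0 when NICKNAME shows up in the private-key listing afterwards.
nss_import_client_key() {
    dbdir=$1; cert=$2; key=$3; ca=$4; nick=$5
    pw="$dbdir/pw.txt"
    printf 'nsspass' > "$pw"          # demo DB password; use a real one
    # Initialise only if no DB exists. NSS names the files by version:
    # cert7/cert8 + key3 (dbm format) or cert9 + key4 (sql format).
    if [ ! -e "$dbdir/cert9.db" ] && [ ! -e "$dbdir/cert8.db" ]; then
        certutil -N -d "$dbdir" -f "$pw"
    fi
    # Trust the CA for client-auth chains (CT,, is an assumed trust setting).
    certutil -A -d "$dbdir" -f "$pw" -n myCACert -t "CT,," -a -i "$ca"
    # OpenSSL bundles cert + key (+ CA) into one .p12 ...
    openssl pkcs12 -export -in "$cert" -inkey "$key" -certfile "$ca" \
        -name "$nick" -passout pass:p12pass -out "$dbdir/client.p12"
    # ... and pk12util is the NSS tool that imports both halves at once.
    pk12util -i "$dbdir/client.p12" -d "$dbdir" -k "$pw" -W p12pass
    # certutil -K lists private keys only, so a hit proves the key landed
    # in key*.db rather than in the cert database.
    certutil -K -d "$dbdir" -f "$pw" | grep -q "$nick"
}

# Usage with the thread's paths (the .pem names are placeholders):
#   nss_import_client_key "$HOME/.netscape" myClientCert.pem myClientKey.pem myCACert.pem myClientCert
if [ $# -eq 5 ]; then
    nss_import_client_key "$@"
fi
```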