fat.fuck wrote:
> first off: i am but a humble java programmer by trade; not a sysadmin;
> nor a network guy. so a lot of nss tool-related stuff is a foreign
> language to me. please, help a certutil rookie make sense of the
> world?

Welcome.

> using openssl, i created a self-signed ca cert (and keys) plus an ldap
> server cert (and keys) and a client cert (and keys); the client and
> server certs are both signed by my self-signed ca cert. certs and keys
> for all three (ca, server, client) are in pem format.
>
> i successfully installed the server and ca certs into the directory
> server; i then added the ca and client certs into $HOME/.netscape/
> cert7.db using the following certutil command line:
>
> certutil -A -a -i ./myClientCert.pem -n "myClientCert" -c "myCACert"
> -t "u,u,u" -d $HOME/.netscape (and a similar command for the ca cert)
>
> after running that command, i was able to successfully view the just-
> added cert with: "certutil -L -n myClientCert -d $HOME/.netscape"
>
> that leads me to my first question:
>
> 1. does that command implicitly add the cert's private key into
> $HOME/.netscape/key3.db?

No. That command only told certutil to import a cert, and only gave
certutil the name of the PEM file with the certificate.

> 2. if not, how do i add the cert's private key to key3.db?

NSS does not deal with private keys in PEM files. It only deals with
private keys in PKCS#12 files. You can get the OpenSSL utility program
to combine the PEM files for the cert and its private key into a single
PKCS#12 file, and then import that PKCS#12 file into NSS's databases
using NSS's utility program named pk12util. That's the only supported
way to import private keys from files into NSS.

> the certutil docs (http://www.mozilla.org/projects/security/pki/nss/
> tools/certutil.html) say,
>
> "The Certificate Database Tool is a command-line utility that
> can...display the contents of the key database..."
>
> i've read and reread that page over and over; but i still can't figure
> out which command to use to make certutil "display the contents of the
> key database".

certutil defines LOTS of single character command line options. Most of
the ones with capital letters (e.g. -A, -L, -K) specify a function that
certutil must perform. The lower case letters all supply other
information needed for that function. Some useful function options are:

  -A -n X      add a cert to the cert database and give it nickname X
  -L           list the nicknames of the certs in the database
  -L -n X      pretty print the details for the cert nicknamed X
  -L -n X -r   output the cert nicknamed X in binary
  -L -n X -a   output the cert nicknamed X in PEM format
  -K           list the private keys by nickname or public key value

> if it's any help, i'm using the binary version of certutil that came
> precompiled as part of the sun one directory server resource kit 5.2
> (dsrk52) on solaris 9 sparc.

For what it's worth, that's pretty ancient now. I suggest you try
NSS 3.11.x or 3.12.x.

> as far as wanting to view keys, i'm guessing it's actually the
> pk12util tool i want (http://www.mozilla.org/projects/security/pki/nss/
> tools/pk12util.html) instead of certutil. is that right?

pk12util is a tool to deal with PKCS#12 files. PKCS#12 files contain
private keys and certs, and are used to transport a private key and its
related certs from one system or set of software to another. PKCS#12 is
the one file format that is universally supported for this purpose by
all the major crypto software packages (including, but not limited to:
NSS, OpenSSL, and MS Windows).

> the pk12util docs say, "Import a certificate and private key from
> the p12file into the database." the way i read that description, it
> implies that both the private key and cert get imported into the same
> database ("into __the__ database"). am i understanding that correctly?

The doc is missing a letter. Should be databaseS.

> 3. what exactly _does_ get added to key3.db?

Keys. Private keys, and occasionally symmetric secret keys.

> 4. how can i view what's in key3.db?

Well, you can't see the actual private key values, but they wouldn't do
you much good even if you could. You can see information that helps you
figure out which certificate(s) they go with using the command

  certutil -K <other arguments>

> if you're interested, the reason for my questions stems from the
> following ldapsearch error:
>
> bebop$ /development/projects/dsrk52/lib/ldapcsdk/tools/ldapsearch -h
> bebop -p 636 -Z -P /home/bebop/.netscape/cert7.db -N "myClientCert" -W
> "**********" -K /home/bebop/.netscape/key3.db -b "" "(objectClass=*)"
> ldapssl_enable_clientauth: Bad parameter to an ldap routine
> ldapssl_enable_clientauth: additional info: unable to find certificate
> SSL error -8174 (security library: bad database.)

I can't help you with ldapsearch, but I can help you with that error
message. That error message is very misleading. The error code -8174
really means either
 - the thing for which you were searching could not be found in a DB, or
 - you tried to add a thing to a DB that is already there,
depending on what you were trying to do when that error occurs.

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
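The reply above describes the only supported path for getting a PEM private key into NSS: bundle the cert and key into PKCS#12 with OpenSSL, import the bundle with pk12util, then confirm with certutil -K. The script below is an added example, not code from the thread or from the NSS project, that walks that path end to end against a throw-away database. It assumes openssl, pk12util and certutil are on PATH; the CA and client subject names, the NSS database directory, the nickname and both passwords are constructed for the demo. It also generates its own PEM material, so it stands in for the OP's openssl-created CA and client cert.

```shell
#!/bin/sh
# Added example, not code from the thread: the PKCS#12 route the reply
# describes, run end to end against a throw-away NSS database.
# Assumed: openssl, pk12util and certutil on PATH.  The CA/client names,
# nickname, directory and passwords below are constructed for this demo.
set -eu

NICK="myClientCert"        # nickname used in the thread
P12_PASS="demo-p12-pass"   # constructed PKCS#12 transport password
DB_PASS="demo-db-pass"     # constructed NSS key-DB password

# Constructed starting point: a self-signed CA plus a client cert it signed,
# all in PEM, like the OP's openssl-generated material.
make_test_material() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Demo Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$NICK" \
        -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$dir/client.csr" -CA "$dir/ca.pem" \
        -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/client.pem" 2>/dev/null
}

# Step 1 (OpenSSL side): bundle cert + private key + CA cert into one PKCS#12
# file.  The -name becomes the NSS nickname after import.
make_p12() {
    cert=$1 key=$2 cacert=$3 out=$4
    openssl pkcs12 -export -in "$cert" -inkey "$key" -certfile "$cacert" \
        -name "$NICK" -out "$out" -passout "pass:$P12_PASS"
}

# Parse the bundle back (no NSS involved) to confirm it opens with the password.
verify_p12() {
    openssl pkcs12 -in "$1" -noout -passin "pass:$P12_PASS"
}

# Step 2 (NSS side): create a fresh cert/key DB pair, then import.  pk12util
# writes the cert into the cert DB and the key into the key DB in one
# operation; certutil -A alone never touches the key DB.
init_db() {
    dbdir=$1
    printf '%s\n' "$DB_PASS" > "$dbdir/pw.txt"
    certutil -N -d "$dbdir" -f "$dbdir/pw.txt"
}
import_p12() {
    pk12util -i "$1" -d "$2" -k "$2/pw.txt" -W "$P12_PASS"
}

# certutil -K is the "display the contents of the key database" command: it
# lists key identifiers and the nickname of the matching cert, not key material.
list_keys() {
    certutil -K -d "$1" -f "$1/pw.txt"
}

main() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found"; return 0; }
    work=$(mktemp -d)
    make_test_material "$work"
    make_p12 "$work/client.pem" "$work/client.key" "$work/ca.pem" "$work/client.p12"
    verify_p12 "$work/client.p12"
    echo "PKCS#12 bundle OK: $work/client.p12"
    if command -v pk12util >/dev/null 2>&1 && command -v certutil >/dev/null 2>&1; then
        mkdir "$work/nssdb"
        init_db "$work/nssdb"
        import_p12 "$work/client.p12" "$work/nssdb"
        list_keys "$work/nssdb"
    else
        echo "pk12util/certutil not found; skipping the NSS import step"
    fi
    rm -rf "$work"
}
main "$@"
```

After the import, `certutil -L -d <dir>` shows the cert under the nickname and `certutil -K -d <dir>` shows the key beside the same nickname, which is the pairing the OP's `certutil -A` alone could never produce. One caveat for very old NSS builds like the dsrk52 one in the thread: OpenSSL 3 writes PKCS#12 with modern AES/PBKDF2 encryption by default, and older NSS releases may refuse to read it; re-exporting with OpenSSL 3's `-legacy` option produces the older encoding those releases understand.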