On 07/23/2010 12:41 PM, msg wrote:
> msg <nos...@nospam.nowhere> wrote in 
> news:xns9dbd9d232636bnospamnospamnowh...@216.196.97.169:
>
>   
>> Greetings:
>>
>> The utility 'sec-key' bundled with Netscape Enterprise Server
>> 3.63 only generates 1024 bit keys; finding a CA with good browser
>> acceptance who will issue a 1024 bit cert is a problem.  I need
>> to find a way to generate a 2048 bit key-pair database file
>> acceptable to NES 3.63 to use in generating a certificate request.
>>
>> I tried using openssl to generate the csr using the same challenge
>> password that we used with a previous self-signed certificate; the
>> crt returned from the CA installed well enough but the server
>> complains of a password mismatch when we try to start it.
>>
>> I have now built NSS 3.12.3 and NSPR 4.8.4 on that system; is there
>> a utility and/or api from NSS which would help me in this effort?
>> 'certutil' and 'symkeyutil' don't seem to grok the NES cert and key
>> database files.
>>     
You may be stuck. I believe NES 3.63 ran using an older version of NSS
that is available in the open source world (or even available as shared
libraries, for that matter). I'm not sure if anyone has access to that
old source library.

certutil will be able to read those old NES databases (we've yet to
remove the code that knows how to update all the way from databases of
the earliest version of NSS), but it does not write those databases.
Those old versions of the netscape servers supposedly shipped their own
versions of certutil, and more importantly, pk11util (which is probably
the tool you want). If you have a copy that matches your NES, that might
work for you.

More likely you'll have to roll your own tool to import the key. Your
best bet for trying to figure out the format is to look at the NSS
update code and figure out how to write the data you need back.

For the cert, the upgrade is here:
http://mxr.mozilla.org/security/source/security/nss/lib/softoken/legacydb/pcertdb.c#4060

For the keydb, the upgrade is in two places. The basic upgrade is here:
http://mxr.mozilla.org/security/source/security/nss/lib/softoken/legacydb/keydb.c#612

The second is to force a change password call when the password is first
initialized. I don't know if NES is old enough to still be encrypting
passwords in salted rc4 rather than salted DES. The latter may explain
your password mismatch problem.

bob

>> All help is much appreciated.
>>
>> Michael
>>     
> Further research suggests that the database files are in Berkeley DB
> 1.85 format and that there are tools available (such as db_dump and
> db_load) which might help. After a half day of web searching I have
> not found a repository for the tools (db_1.85 library is easy to find)
> and only one website that has html-ified versions of the source code.
> Searching the Oracle site has proven fruitless unless I want to
> install 2GB of some recent release.
>
> Does anyone have the Sleepycat Software Berkeley DB tools source code?
>
> Thanks,
>
> Michael
>   


-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
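Michael's suggested route of going through db_dump/db_load means working with db_dump's text format rather than the raw Berkeley DB 1.85 pages. The following is an added example, not code from the thread or from NSS: a small parser and writer for db_dump's `format=bytevalue` output, so the key/data records of a dumped database can be inspected in a script and re-serialized for db_load. The sample dump is constructed, and its key names are placeholders, not a claim about what an NES key database actually contains.

```python
import binascii

# Constructed sample in the text format db_dump emits for a hash database
# (format=bytevalue: a key line followed by a data line, each a single
# space plus hex digits). Keys and values are placeholders, not real NES data.
SAMPLE_DUMP = """\
VERSION=3
format=bytevalue
type=hash
h_nelem=2
db_pagesize=4096
HEADER=END
 56657273696f6e
 0003
 676c6f62616c2d73616c74
 0102030405060708
DATA=END
"""

def parse_db_dump(text):
    """Return (header dict, list of (key, data) byte pairs) from db_dump output."""
    lines = text.splitlines()
    if "HEADER=END" not in lines or "DATA=END" not in lines:
        raise ValueError("not db_dump output: HEADER=END / DATA=END missing")
    hdr_end = lines.index("HEADER=END")
    header = {}
    for line in lines[:hdr_end]:
        key, _, value = line.partition("=")
        header[key] = value
    # The -p (printable) form uses backslash escapes instead of plain hex;
    # only the plain hex form is handled here.
    if header.get("format", "bytevalue") != "bytevalue":
        raise ValueError("only format=bytevalue is supported (run db_dump without -p)")
    body = lines[hdr_end + 1:lines.index("DATA=END")]
    if len(body) % 2:
        raise ValueError("odd number of key/data lines in dump body")
    pairs = []
    for i in range(0, len(body), 2):
        key, data = (binascii.unhexlify(l.strip()) for l in body[i:i + 2])
        pairs.append((key, data))
    return header, pairs

def write_db_dump(header, pairs):
    """Serialize header and records back into text that db_load accepts."""
    out = [f"{k}={v}" for k, v in header.items()] + ["HEADER=END"]
    for key, data in pairs:
        out.append(" " + key.hex())
        out.append(" " + data.hex())
    out.append("DATA=END")
    return "\n".join(out) + "\n"
```

A database modified this way should be loaded into a copy, never over the only key database, and then checked with certutil, which Bob notes can still read the old format.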