first off: i am but a humble java programmer by trade; not a sysadmin; nor a network guy. so a lot of nss tool-related stuff is a foreign language to me. please, help a certutil rookie make sense of the world?
i'm experimenting with using client authn between a command-line ldapsearch client (for this experiment, the one that comes with sun's directory server resource kit v 5.2) and sun one directory server 5.1 (on solaris 9 sparc).
using openssl, i created a self-signed ca cert (and keys) plus an ldap server cert (and keys) and a client cert (and keys); the client and server certs are both signed by my self-signed ca cert. certs and keys for all three (ca, server, client) are in pem format.
i successfully installed the server and ca certs into the directory server; i then added the ca and client certs into $HOME/.netscape/cert7.db using the following certutil command line:
certutil -A -a -i ./myClientCert.pem -n "myClientCert" -c "myCACert" -t "u,u,u" -d $HOME/.netscape (and a similar command for the ca cert)
after running that command, i was able to successfully view the just-added cert with: "certutil -L -n myClientCert -d $HOME/.netscape"
that leads me to my first question:
1. does that command implicitly add the cert's private key into $HOME/.netscape/key3.db?
2. if not, how do i add the cert's private key to key3.db?
"The Certificate Database Tool is a command-line utility that can...display the contents of the key database..."
i've read and reread that page over and over; but i still can't figure out which command to use to make certutil "display the contents of the key database".
if it's any help, i'm using the binary version of certutil that came precompiled as part of the sun one directory server resource kit 5.2 (dsrk52) on solaris 9 sparc. for what it's worth: the certs were created on my mac with openssl, then jarred and ftp'd over to the sun box.
as far as wanting to view keys, i'm guessing it's actually the pk12util tool i want (http://www.mozilla.org/projects/security/pki/nss/tools/pk12util.html) instead of certutil. is that right? if so, then please can you also clear up a couple things about pk12util?
the pk12util docs say, "Import a certificate and private key from the p12file into the database." the way i read that description, it implies that both the private key and cert get imported into the same database ("into __the__ database"). am i understanding that correctly?
3. what exactly _does_ get added to key3.db?
4. how can i view what's in key3.db?
if you're interested, the reason for my questions stems from the following ldapsearch error:
bebop$ /development/projects/dsrk52/lib/ldapcsdk/tools/ldapsearch -h bebop -p 636 -Z -P /home/bebop/.netscape/cert7.db -N "myClientCert" -W "**********" -K /home/bebop/.netscape/key3.db -b "" "(objectClass=*)"
ldapssl_enable_clientauth: Bad parameter to an ldap routine
ldapssl_enable_clientauth: additional info: unable to find certificate
SSL error -8174 (security library: bad database.)
> first off: i am but a humble java programmer by trade; not a sysadmin; nor a network guy. so a lot of nss tool-related stuff is a foreign language to me. please, help a certutil rookie make sense of the world?
> i'm experimenting with using client authn between a command-line ldapsearch client (for this experiment, the one that comes with sun's directory server resource kit v 5.2) and sun one directory server 5.1 (on solaris 9 sparc).
> using openssl, i created a self-signed ca cert (and keys) plus an ldap server cert (and keys) and a client cert (and keys); the client and server certs are both signed by my self-signed ca cert. certs and keys for all three (ca, server, client) are in pem format.
> i successfully installed the server and ca certs into the directory server; i then added the ca and client certs into $HOME/.netscape/cert7.db using the following certutil command line:
> certutil -A -a -i ./myClientCert.pem -n "myClientCert" -c "myCACert" -t "u,u,u" -d $HOME/.netscape (and a similar command for the ca cert)
> after running that command, i was able to successfully view the just-added cert with: "certutil -L -n myClientCert -d $HOME/.netscape"
> that leads me to my first question:
> 1. does that command implicitly add the cert's private key into $HOME/.netscape/key3.db?
> 2. if not, how do i add the cert's private key to key3.db?
> "The Certificate Database Tool is a command-line utility that can...display the contents of the key database..."
> i've read and reread that page over and over; but i still can't figure out which command to use to make certutil "display the contents of the key database".
> if it's any help, i'm using the binary version of certutil that came precompiled as part of the sun one directory server resource kit 5.2 (dsrk52) on solaris 9 sparc. for what it's worth: the certs were created on my mac with openssl, then jarred and ftp'd over to the sun box.
> as far as wanting to view keys, i'm guessing it's actually the pk12util tool i want (http://www.mozilla.org/projects/security/pki/nss/tools/pk12util.html) instead of certutil. is that right? if so, then please can you also clear up a couple things about pk12util?
> the pk12util docs say, "Import a certificate and private key from the p12file into the database." the way i read that description, it implies that both the private key and cert get imported into the same database ("into __the__ database"). am i understanding that correctly?
> 3. what exactly _does_ get added to key3.db?
> 4. how can i view what's in key3.db?
> if you're interested, the reason for my questions stems from the following ldapsearch error:
> bebop$ /development/projects/dsrk52/lib/ldapcsdk/tools/ldapsearch -h bebop -p 636 -Z -P /home/bebop/.netscape/cert7.db -N "myClientCert" -W "**********" -K /home/bebop/.netscape/key3.db -b "" "(objectClass=*)"
> ldapssl_enable_clientauth: Bad parameter to an ldap routine
> ldapssl_enable_clientauth: additional info: unable to find certificate
> SSL error -8174 (security library: bad database.)
hello forum,
i've answered a couple of my own questions; thanks to "http://kb.mozillazine.org/Key3.db"
"key3.db contains a key used to encrypt and decrypt saved passwords."
reading the pk12util docs further, i worked out that the cert's private key must be inside cert7.db along with the cert; as this command description suggests:
"-o p12file - Export certificate and private key, specified by the -n option, from the database to the p12 file."
now, if anybody could help shed light on this error i'm getting using my certs and keys for 2-way ssl, please chime in:
> ldapssl_enable_clientauth: Bad parameter to an ldap routine
> ldapssl_enable_clientauth: additional info: unable to find certificate
> SSL error -8174 (security library: bad database.)
fat.fuck wrote:
> On Dec 2, 8:59 pm, "fat.fuck" <javafreelan...@gmail.com> wrote:
>> first off: i am but a humble java programmer by trade; not a sysadmin; nor a network guy. so a lot of nss tool-related stuff is a foreign language to me. please, help a certutil rookie make sense of the world?
>> i'm experimenting with using client authn between a command-line ldapsearch client (for this experiment, the one that comes with sun's directory server resource kit v 5.2) and sun one directory server 5.1 (on solaris 9 sparc).
>> using openssl, i created a self-signed ca cert (and keys) plus an ldap server cert (and keys) and a client cert (and keys); the client and server certs are both signed by my self-signed ca cert. certs and keys for all three (ca, server, client) are in pem format.
>> i successfully installed the server and ca certs into the directory server; i then added the ca and client certs into $HOME/.netscape/cert7.db using the following certutil command line:
>> certutil -A -a -i ./myClientCert.pem -n "myClientCert" -c "myCACert" -t "u,u,u" -d $HOME/.netscape (and a similar command for the ca cert)
>> after running that command, i was able to successfully view the just-added cert with: "certutil -L -n myClientCert -d $HOME/.netscape"
>> that leads me to my first question:
>> 1. does that command implicitly add the cert's private key into $HOME/.netscape/key3.db?
>> 2. if not, how do i add the cert's private key to key3.db?
>> "The Certificate Database Tool is a command-line utility that can...display the contents of the key database..."
>> i've read and reread that page over and over; but i still can't figure out which command to use to make certutil "display the contents of the key database".
>> if it's any help, i'm using the binary version of certutil that came precompiled as part of the sun one directory server resource kit 5.2 (dsrk52) on solaris 9 sparc. for what it's worth: the certs were created on my mac with openssl, then jarred and ftp'd over to the sun box.
>> as far as wanting to view keys, i'm guessing it's actually the pk12util tool i want (http://www.mozilla.org/projects/security/pki/nss/tools/pk12util.html) instead of certutil. is that right? if so, then please can you also clear up a couple things about pk12util?
>> the pk12util docs say, "Import a certificate and private key from the p12file into the database." the way i read that description, it implies that both the private key and cert get imported into the same database ("into __the__ database"). am i understanding that correctly?
>> 3. what exactly _does_ get added to key3.db?
>> 4. how can i view what's in key3.db?
>> if you're interested, the reason for my questions stems from the following ldapsearch error:
>> bebop$ /development/projects/dsrk52/lib/ldapcsdk/tools/ldapsearch -h bebop -p 636 -Z -P /home/bebop/.netscape/cert7.db -N "myClientCert" -W "**********" -K /home/bebop/.netscape/key3.db -b "" "(objectClass=*)"
>> ldapssl_enable_clientauth: Bad parameter to an ldap routine
>> ldapssl_enable_clientauth: additional info: unable to find certificate
>> SSL error -8174 (security library: bad database.)
> hello forum,
> i've answered a couple of my own questions; thanks to "http://kb.mozillazine.org/Key3.db"
> "key3.db contains a key used to encrypt and decrypt saved passwords."
> reading the pk12util docs further, i worked out that the cert's private key must be inside cert7.db along with the cert; as this command description suggests:
> "-o p12file - Export certificate and private key, specified by the -n option, from the database to the p12 file."
No, not exactly - private keys are stored in key3.db - certs are stored in cert7.db. What version of NSS are you using anyway? cert7.db is really old - NSS switched to cert8.db a long time ago.
certutil -L will show you your certs.
certutil -L -n "myClientCert" will show you that particular cert
I suppose you could run ldapsearch with strace or truss to see what file it cannot find or open.
If this is an ldapsearch issue, you might want to follow up to mozilla.dev.tech.ldap
> fat.fuck wrote:
> > On Dec 2, 8:59 pm, "fat.fuck" <javafreelan...@gmail.com> wrote:
> >> first off: i am but a humble java programmer by trade; not a sysadmin; nor a network guy. so a lot of nss tool-related stuff is a foreign language to me. please, help a certutil rookie make sense of the world?
> >> i'm experimenting with using client authn between a command-line ldapsearch client (for this experiment, the one that comes with sun's directory server resource kit v 5.2) and sun one directory server 5.1 (on solaris 9 sparc).
> >> using openssl, i created a self-signed ca cert (and keys) plus an ldap server cert (and keys) and a client cert (and keys); the client and server certs are both signed by my self-signed ca cert. certs and keys for all three (ca, server, client) are in pem format.
> >> i successfully installed the server and ca certs into the directory server; i then added the ca and client certs into $HOME/.netscape/cert7.db using the following certutil command line:
> >> certutil -A -a -i ./myClientCert.pem -n "myClientCert" -c "myCACert" -t "u,u,u" -d $HOME/.netscape (and a similar command for the ca cert)
> >> after running that command, i was able to successfully view the just-added cert with: "certutil -L -n myClientCert -d $HOME/.netscape"
> >> that leads me to my first question:
> >> 1. does that command implicitly add the cert's private key into $HOME/.netscape/key3.db?
> >> 2. if not, how do i add the cert's private key to key3.db?
> >> "The Certificate Database Tool is a command-line utility that can...display the contents of the key database..."
> >> i've read and reread that page over and over; but i still can't figure out which command to use to make certutil "display the contents of the key database".
> >> if it's any help, i'm using the binary version of certutil that came precompiled as part of the sun one directory server resource kit 5.2 (dsrk52) on solaris 9 sparc. for what it's worth: the certs were created on my mac with openssl, then jarred and ftp'd over to the sun box.
> >> as far as wanting to view keys, i'm guessing it's actually the pk12util tool i want (http://www.mozilla.org/projects/security/pki/nss/tools/pk12util.html) instead of certutil. is that right? if so, then please can you also clear up a couple things about pk12util?
> >> the pk12util docs say, "Import a certificate and private key from the p12file into the database." the way i read that description, it implies that both the private key and cert get imported into the same database ("into __the__ database"). am i understanding that correctly?
> >> 3. what exactly _does_ get added to key3.db?
> >> 4. how can i view what's in key3.db?
> >> if you're interested, the reason for my questions stems from the following ldapsearch error:
> > i've answered a couple of my own questions; thanks to "http://kb.mozillazine.org/Key3.db"
> > "key3.db contains a key used to encrypt and decrypt saved passwords."
> > reading the pk12util docs further, i worked out that the cert's private key must be inside cert7.db along with the cert; as this command description suggests:
> > "-o p12file - Export certificate and private key, specified by the -n option, from the database to the p12 file."
> No, not exactly - private keys are stored in key3.db - certs are stored in cert7.db. What version of NSS are you using anyway? cert7.db is really old - NSS switched to cert8.db a long time ago.
> certutil -L will show you your certs.
> certutil -L -n "myClientCert" will show you that particular cert
> I suppose you could run ldapsearch with strace or truss to see what file it cannot find or open.
> If this is an ldapsearch issue, you might want to follow up to mozilla.dev.tech.ldap
> > now, if anybody could help shed light on this error i'm getting using my certs and keys for 2-way ssl, please chime in:
> > > ldapssl_enable_clientauth: Bad parameter to an ldap routine
> > > ldapssl_enable_clientauth: additional info: unable to find certificate
> > > SSL error -8174 (security library: bad database.)
> > thanks in advance for your help.
thanks mr megginson,
i sincerely appreciate your reply.
i'm coming from a java keystore/openssl mentality. i'm trying to grok certutil for the first time today. so please be patient with me if my questions are stupid.
it still isn't obvious to me exactly when or how (or even, IF) the private key (that was generated by openssl when i first created the ca and client certs) got added into key3.db. how can i confirm whether or not certutil added the key to key3.db?
i didn't explicitly supply the certs' private key file location to the certutil command line when i added the certs to cert7.db (although, the private key .pem files were in fact in the same directory as the .pem cert files when i ran the certutil command).
if you could point me to some nss/certutil docs that describe the process of adding an existing cert to cert7.db, i would be grateful.
in the meantime, i will go and rerun the ldapsearch command with truss and strace like you suggested; and let you know the outcome. i will also try to figure out what version of nss/certutil came bundled precompiled with the sun one ds resource kit 5.2 that i'm using.
i guess i slavishly followed instructions from some tutorial that said to use "cert7.db in $HOME/.netscape". the cert7.db file is from the only installation of netscape navigator on my circa 2002 sunblade 100 workstation.
> i didn't explicitly supply the certs' private key file location to the certutil command line when i added the certs to cert7.db (although, the private key .pem files were in fact in the same directory as the .pem cert files when i ran the certutil command).
This most likely means that there is no private key stored, just the public key/certificate. You'd need to provide a PKCS12 file instead which includes the private key.
> > i didn't explicitly supply the certs' private key file location to the certutil command line when i added the certs to cert7.db (although, the private key .pem files were in fact in the same directory as the .pem cert files when i ran the certutil command).
> This most likely means that there is no private key stored, just the public key/certificate. You'd need to provide a PKCS12 file instead which includes the private key.
> This most likely means that there is no private key stored, just the public key/certificate. You'd need to provide a PKCS12 file instead which includes the private key.
that makes sense. thanks, mr nigg. now, please, can you tell me how i can view|list the private keys in key3.db once i've run certutil with a pkcs12 file?
> "The Certificate Database Tool is a command-line utility that can...display the contents of the key database..."
what is the certutil command that the above statement from the certutil docs is referring to?
mr. megginson, i can't work out what version of nss/certutil came bundled with the dsrk v 5.2 (is there a command i can run that would tell me?). all i know is i downloaded the dsrk 5.2 binaries from sun and installed it on my sun box on nov 25, 2006. so it's safe to assume i'm using whichever release of nss was current on that date; i guess.
i do know that the $HOME/.netscape on my sun box is from netscape communicator 4.76. again, the only reason i used that location is because the tutorial i was using instructed me to. and there just happened to be a cert7.db file at that location. from now on, i will use the cert8.db file in my "mozilla 1.4 for sun java desktop system (solaris operating system edition)" profile.
also, running "truss ldapsearch..." spewed out a lot of gibberish that i don't have time to decipher at the moment. thanks for the suggestion anyway, mr. megginson.
thanks in advance to anybody else in the ng who can also fill me in on anything that might be helpful.
> On 3 Dec, 00:29, Eddy Nigg <eddy_n...@startcom.org> wrote:
> > On 12/03/2008 02:20 AM, fat.fuck:
> > > i didn't explicitly supply the certs' private key file location to the certutil command line when i added the certs to cert7.db (although, the private key .pem files were in fact in the same directory as the .pem cert files when i ran the certutil command).
> > This most likely means that there is no private key stored, just the public key/certificate. You'd need to provide a PKCS12 file instead which includes the private key.
> > This most likely means that there is no private key stored, just the public key/certificate. You'd need to provide a PKCS12 file instead which includes the private key.
> that makes sense. thanks, mr nigg. now, please, can you tell me how i can view|list the private keys in key3.db once i've run certutil with a pkcs12 file?
> > "The Certificate Database Tool is a command-line utility that can...display the contents of the key database..."
> what is the certutil command that the above statement from the certutil docs is referring to?
> mr. megginson, i can't work out what version of nss/certutil came bundled with the dsrk v 5.2 (is there a command i can run that would tell me?). all i know is i downloaded the dsrk 5.2 binaries from sun and installed it on my sun box on nov 25, 2006. so it's safe to assume i'm using whichever release of nss was current on that date; i guess.
> i do know that the $HOME/.netscape on my sun box is from netscape communicator 4.76. again, the only reason i used that location is because the tutorial i was using instructed me to. and there just happened to be a cert7.db file at that location. from now on, i will use the cert8.db file in my "mozilla 1.4 for sun java desktop system (solaris operating system edition)" profile.
> also, running "truss ldapsearch..." spewed out a lot of gibberish that i don't have time to decipher at the moment. thanks for the suggestion anyway, mr. megginson.
> thanks in advance to anybody else in the ng who can also fill me in on anything that might be helpful.
i remembered what documentation instructed me to use $HOME/.netscape/cert7.db. it was sun's "Sun ONE Server Console 5.2 Server Management Guide". the chapter on "Using SSL and TLS with Sun ONE Servers":
"Copy the Netscape Communicator certificate database files, cert7.db and key3.db, that contain your certificates to your .mcc directory. ... On UNIX systems, the cert7.db and key3.db files are located in your home directory, /$HOME/.netscape. $HOME is your root directory if you are running Administration Server as root. $HOME is your user home directory if you are running Administration Server as a user, for example, /home/username or /export/home/username. ..."
i know it's neither here nor there. but i was going crazy trying to remember myself why i used cert7.db.
I've never had to use ClientAuth with Sun's Directory Server, but here are some observations:
1) Keys are *never* stored in certN.db; they're always in keyN.db; only certificates are in certN.db. The association between the key and the cert is made via the cert's nickname (in your case: myClientCert);
2) You do not have the Private Key of your client cert in your keyN.db file, since you haven't imported it. You need to use openssl to create a P12 file with your Private Key and cert, and then use the pk12util to import the P12 to the Mozilla (Netscape) databases (the key will automatically go to keyN.db and the cert will go to certN.db); you need to get past this problem before you can do anything with ClientAuth.
However, I would recommend that you get the LDAP working with SSL but *without* ClientAuth to ensure that your server-side SSL is setup correctly, first. Once you can access your directory server over SSL without ClientAuth, the next step is to add ClientAuth.
Finally, if you're going to be using digital certificates, while openssl will do the job for you, since you say you know Java, you can also use keytool from the JDK to create your key, cert and P12 - all using the same command; you can then just import the P12 to the Mozilla databases. If you want to use an industrial-strength tool for your certificates, either use DogTag or EJBCA.
fat.fuck wrote:
> first off: i am but a humble java programmer by trade; not a sysadmin; nor a network guy. so a lot of nss tool-related stuff is a foreign language to me. please, help a certutil rookie make sense of the world?
> using openssl, i created a self-signed ca cert (and keys) plus an ldap server cert (and keys) and a client cert (and keys); the client and server certs are both signed by my self-signed ca cert. certs and keys for all three (ca, server, client) are in pem format.
> i successfully installed the server and ca certs into the directory server; i then added the ca and client certs into $HOME/.netscape/cert7.db using the following certutil command line:
> certutil -A -a -i ./myClientCert.pem -n "myClientCert" -c "myCACert" -t "u,u,u" -d $HOME/.netscape (and a similar command for the ca cert)
> after running that command, i was able to successfully view the just-added cert with: "certutil -L -n myClientCert -d $HOME/.netscape"
> that leads me to my first question:
> 1. does that command implicitly add the cert's private key into $HOME/.netscape/key3.db?
No. That command only told certutil to import a cert, and only gave certutil the name of the PEM file with the certificate.
> 2. if not, how do i add the cert's private key to key3.db?
NSS does not deal with private keys in PEM files. It only deals with private keys in PKCS#12 files. You can get the OpenSSL utility program to combine the PEM files for the cert and its private key into a single PKCS#12 file, and then import that PKCS#12 file into NSS's databases using NSS's utility program named pk12util. That's the only supported way to import private keys from files into NSS.
> "The Certificate Database Tool is a command-line utility that can...display the contents of the key database..."
> i've read and reread that page over and over; but i still can't figure out which command to use to make certutil "display the contents of the key database".
certutil defines LOTS of single character command line options. Most of the ones with capital letters (e.g. -A, -L, -K) specify a function that certutil must perform. The lower case letters all supply other information needed for that function. Some useful function options are:
-A -n X      add a cert to the cert database and give it nickname X
-L           list the nicknames of the certs in the database
-L -n X      pretty print the details for the cert nicknamed X
-L -n X -r   output the cert nicknamed X in binary
-L -n X -a   output the cert nicknamed X in PEM format
-K           list the private keys by nickname or public key value.
> if it's any help, i'm using the binary version of certutil that came precompiled as part of the sun one directory server resource kit 5.2 (dsrk52) on solaris 9 sparc. for what it's worth:
That's pretty ancient now. I suggest you try NSS 3.11.x or 3.12.x
> as far as wanting to view keys, i'm guessing it's actually the pk12util tool i want (http://www.mozilla.org/projects/security/pki/nss/tools/pk12util.html) instead of certutil. is that right?
pk12util is a tool to deal with PKCS#12 files. PKCS#12 files contain private keys and certs, and are used to transport a private key and its related certs from one system or set of software to another. PKCS#12 is the one file format that is universally supported for this purpose by all the major crypto software packages (including, but not limited to: NSS, OpenSSL, and MS Windows).
> the pk12util docs say, "Import a certificate and private key from the p12file into the database." the way i read that description, it implies that both the private key and cert get imported into the same database ("into __the__ database"). am i understanding that correctly?
The doc is missing a letter. Should be databaseS.
> 3. what exactly _does_ get added to key3.db?
keys. Private keys, and occasionally symmetric secret keys.
> 4. how can i view what's in key3.db?
Well, you can't see the actual private key values, but they wouldn't do you much good even if you could. You can see information that helps you figure out which certificate(s) they go with using the command certutil -K <other arguments>
> if you're interested, the reason for my questions stems from the following ldapsearch error:
> bebop$ /development/projects/dsrk52/lib/ldapcsdk/tools/ldapsearch -h bebop -p 636 -Z -P /home/bebop/.netscape/cert7.db -N "myClientCert" -W "**********" -K /home/bebop/.netscape/key3.db -b "" "(objectClass=*)"
> ldapssl_enable_clientauth: Bad parameter to an ldap routine
> ldapssl_enable_clientauth: additional info: unable to find certificate
> SSL error -8174 (security library: bad database.)
I can't help you with ldapsearch, but I can help you with that error message. That error message is very misleading. The error code -8174 really means either
- the thing for which you were searching could not be found in a DB, or
- you tried to add a thing to a DB that is already there,
depending on what you were trying to do when that error occurs.
ff wrote:
> i remembered what documentation instructed me to use $HOME/.netscape/cert7.db. it was sun's "Sun ONE Server Console 5.2 Server Management Guide". the chapter on "Using SSL and TLS with Sun ONE Servers":
> "Copy the Netscape Communicator certificate database files, cert7.db and key3.db, that contain your certificates to your .mcc directory. ... On UNIX systems, the cert7.db and key3.db files are located in your home directory, /$HOME/.netscape. $HOME is your root directory if you are running Administration Server as root. $HOME is your user home directory if you are running Administration Server as a user, for example, /home/username or /export/home/username. ..."
> i know it's neither here nor there. but i was going crazy trying to remember myself why i used cert7.db.
That document is 5 years old, and was written to describe a version of the software that was released at that time. It was accurate when it was written, and probably is still accurate for that software version.
> I've never had to use ClientAuth with Sun's Directory Server, but here are some observations:
> 1) Keys are *never* stored in certN.db; they're always in keyN.db; only certificates are in certN.db. The association between the key and the cert is made via the cert's nickname (in your case: myClientCert);
> 2) You do not have the Private Key of your client cert in your keyN.db file, since you haven't imported it. You need to use openssl to create a P12 file with your Private Key and cert, and then use the pk12util to import the P12 to the Mozilla (Netscape) databases (the key will automatically go to keyN.db and the cert will go to certN.db); you need to get past this problem before you can do anything with ClientAuth.
> However, I would recommend that you get the LDAP working with SSL but *without* ClientAuth to ensure that your server-side SSL is setup correctly, first. Once you can access your directory server over SSL without ClientAuth, the next step is to add ClientAuth.
> Finally, if you're going to be using digital certificates, while openssl will do the job for you, since you say you know Java, you can also use keytool from the JDK to create your key, cert and P12 - all using the same command; you can then just import the P12 to the Mozilla databases. If you want to use an industrial-strength tool for your certificates, either use DogTag or EJBCA.
> > now, if anybody could help shed light on this error i'm getting using my certs and keys for 2-way ssl, please chime in:
> > > ldapssl_enable_clientauth: Bad parameter to an ldap routine
> > > ldapssl_enable_clientauth: additional info: unable to find certificate
> > > SSL error -8174 (security library: bad database.)
> > thanks in advance for your help.
thanks mr. noor,
> However, I would recommend that you get the LDAP working with SSL but *without* ClientAuth to ensure that your server-side SSL is setup correctly, first. Once you can access your directory server over SSL without ClientAuth, the next step is to add ClientAuth.
i can confirm that ldap works successfully with ssl without clientauth. my remote (and local) clients can bind to the server and search over ssl.
> Finally, if you're going to be using digital certificates, while openssl will do the job for you, since you say you know Java, you can also use keytool from the JDK to create your key, cert and P12 - all using the same command; you can then just import the P12 to the Mozilla databases.
keytool sounds like a plan! please, mr. noor. won't you share the specific keytool command with me (and future readers) in this thread? you would be doing the community a huge favor. thanks in advance.
I must apologize; I was in error about keytool being able to export a P12 file out of the JCE keystore - this cannot be done by keytool yet - you can only import P12's in JDK6.
However, if you're still interested in keytool for generating keys and certs, "keytool -help" or "man keytool" provide all details.
fat.fuck wrote:
> On 2 Dec, 22:11, Arshad Noor <arshad.n...@strongauth.com> wrote:
>> Finally, if you're going to be using digital certificates, while openssl will do the job for you, since you say you know Java, you can also use keytool from the JDK to create your key, cert and P12 - all using the same command; you can then just import the P12 to the Mozilla databases.
> keytool sounds like a plan! please, mr. noor. won't you share the specific keytool command with me (and future readers) in this thread? you would be doing the community a huge favor. thanks in advance.
Since you say you originally created the key/cert with openssl, just use openssl to package those things up into a PKCS#12 file and use pk12util to import them.
First, copy the text of the keyfile into the certfile or vice versa (or cat them both into a 3rd file), it doesn't matter as long as both are in the same file. Then run either of the below commands where file.pem is the file you just put the cert/key into. The second command allows you to put some CA certs into the PKCS12 should you so desire. The -name field ends up being the "Friendly name" and after you import using pk12util it will be the nickname that you use to reference the cert/key via NSS and the server products so choose wisely there.
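The commands Rich refers to above are not part of this page. The following is an added example, not any poster's commands, that walks through the procedure Nelson and Rich both describe: check that the OpenSSL-generated PEM key actually belongs to the PEM cert, bundle cert, key and CA into one PKCS#12 with openssl, import it into an NSS database directory with pk12util, and then use certutil -K to confirm the private key is in keyN.db under the same nickname as the cert. The file names (client.pem, client-key.pem, ca.pem), the database directory, the password file and the export password are assumptions; the nickname myClientCert is the one used in the thread.

```shell
#!/bin/sh
# Added example (not from any poster in this thread): bundle an OpenSSL-made
# client cert + private key into PKCS#12, import it into NSS with pk12util,
# and verify with certutil -K that the private key is now in keyN.db.
# File names, nickname, passwords and the db directory are assumptions.
set -eu

# The key and cert must belong together: compare the public key embedded in
# the certificate with the public key derived from the private key.
key_matches_cert() {
    # $1 cert.pem   $2 key.pem
    cert_fp=$(openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256)
    key_fp=$(openssl pkey -in "$2" -pubout | openssl dgst -sha256)
    [ "$cert_fp" = "$key_fp" ]
}

# Bundle cert, key and CA chain into one PKCS#12. The -name value becomes
# the "friendly name", i.e. the NSS nickname after import, so it must be the
# name ldapsearch -N and the server configuration refer to.
make_pkcs12() {
    # $1 cert.pem  $2 key.pem  $3 ca.pem  $4 nickname  $5 out.p12  $6 export password
    openssl pkcs12 -export -in "$1" -inkey "$2" -certfile "$3" \
        -name "$4" -out "$5" -passout "pass:$6"
    # OpenSSL 3 defaults to PBES2/AES; an old pk12util may only accept
    # -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES added to the line above.
}

# Sanity check before import: how many certificates does the PKCS#12 carry?
pkcs12_cert_count() {
    # $1 file.p12   $2 export password
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys | grep -c 'BEGIN CERTIFICATE'
}

# Create the NSS database directory if it is empty, then import the PKCS#12.
# pk12util writes the private key to keyN.db and the certs to certN.db;
# the two are linked only by the nickname.
import_into_nss() {
    # $1 dbdir   $2 file.p12   $3 export password   $4 db password file
    mkdir -p "$1"
    [ -f "$1/cert8.db" ] || [ -f "$1/cert9.db" ] || certutil -N -d "$1" -f "$4"
    pk12util -i "$2" -d "$1" -W "$3" -k "$4"
}

# certutil -K lists private keys by nickname; this is the check that answers
# "did the private key make it into key3.db?"
nss_has_private_key() {
    # $1 dbdir   $2 nickname   $3 db password file
    certutil -K -d "$1" -f "$3" | grep -q "$2"
}

# Stand-alone use:  sh nss_import.sh client.pem client-key.pem ca.pem ./nssdb
if [ $# -eq 4 ]; then
    nick=myClientCert
    pwfile="$4.pw"
    printf 'nss-db-password\n' > "$pwfile"   # assumed database password
    key_matches_cert "$1" "$2" || { echo "key and cert do not match" >&2; exit 1; }
    make_pkcs12 "$1" "$2" "$3" "$nick" client.p12 export-password
    echo "certs in client.p12: $(pkcs12_cert_count client.p12 export-password)"
    import_into_nss "$4" client.p12 export-password "$pwfile"
    nss_has_private_key "$4" "$nick" "$pwfile" && echo "private key for $nick is in keyN.db"
fi
```

The key_matches_cert check is worth running first: certutil -A with a PEM file imports only the certificate, so if the wrong key is bundled the import succeeds but the cert still has no usable key, and the SSL layer reports the same misleading -8174. After import, `certutil -L -d dbdir` should show the nickname with a `u` trust flag and `certutil -K -d dbdir` should list a key with that nickname; if the second shows nothing, the PKCS#12 did not carry the key.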