Re: Re: how to create keystore by using NSS certutil (Hubert Kario


Kelly

Aug 17, 2015, 5:45:32 AM
to dev-se...@lists.mozilla.org, hka...@redhat.com
First, thank you.

I used the command you said, "certutil -N -d sql:./nssdb/", but not with "--empty-password",
and it worked OK.

Then I used the command "certutil -A -d sql:./nssdb/ -n cert-nickname -a -i cert-in-ascii.pem",
like "certutil -A -d sql:./nssdb/ -n cert-nickname -a -i /home/l/Desktop/ASUE1.cer",
and it said "certutil -A: trust is required for this command (-t)".
Then I input "certutil -A -t -d sql:./nssdb/ -n cert-nickname -a -i /home/l/Desktop/ASUE1.cer"
and it replied "certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in old, unsupported format."

Can you help me? Thanks again.

Hubert Kario

Aug 17, 2015, 7:16:16 AM
to Kelly, dev-se...@lists.mozilla.org
-t requires a parameter, try

-t ',,'
--
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic

Hubert Kario

Aug 18, 2015, 7:03:13 AM
to dev-se...@lists.mozilla.org, Kelly
On Tuesday 18 August 2015 14:28:35 Kelly wrote:
> Thanks again.
> I input the command you said, and it replied "Warning: ignoring
> private key. Consider to use pk12util". I want to know:
> 1, has the cert been written into it?

the one in the file

certutil can import just certificate, keys need to be imported from PKCS#12
files

see pkcs12 man page for openssl utility that allows you to convert a PEM
format cert and key pair to a pkcs12 file

then use pk12util to import it to NSS database

> 2, the cert I wrote has a private key, in a format like the following:
> ------BEGIN CERTIFICATE-----
>
> ------END CERTIFICATE-----
> ------BEGIN EC PRIVATE KEY-----
>
> ------END EC PRIVATE KEY-----
>
>
> how can I deal with it?
>

see above

> 3, can you help me to package the certutil tool into an API function, so that I
> can use it in my QT app?

sorry, I'm not familiar with the C/C++ API of NSS, I can only suggest reading the
sources of certutil, pk12util and the online documentation here:
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Reference

> but when I use the command "certutil -L -n nick-name", it replies "certutil: function
> failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in old,
> unsupported format."

you need to always specify the database using -d otherwise you're using the
default from ~/.netscape

Currently a user default database is stored in ~/.pki/nssdb

> how can I get the cert I wrote in?
>
>
>
> I use the command "certutil -L -a -n nick-name -d sql:./nssdb/"
> and it displays the cert content but not the private key

to export the key you must use pk12util, there's no other standard NSS tool to
do that

> kelly
>
> At 2015-08-17 19:15:33, "Hubert Kario" <hka...@redhat.com> wrote:
> >On Monday 17 August 2015 17:44:56 Kelly wrote:
> >> First,thank you.
> >>
> >> i use the command you said "certutil -N -d sql:./nssdb/ " but not with
> >> "--empty-password" it work ok.
> >>
> >> and then i use command "certutil -A -d sql:./nssdb/ -n cert-nickname -a
> >> -i cert-in-ascii.pem" like "certutil -A -d sql:./nssdb/ -n cert-nickname
> >> -a -i>>
> >> /home/l/Desktop/ASUE1.cer" it said "certutil -A: trust is required for
> >>
> >> this command (-t)"
> >> and then i input "certutil -A -t -d sql:./nssdb/ -n cert-nickname -a -i
> >> /home/l/Desktop/ASUE1.cer" it reply "certutil: function failed:
> >> SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in old,
> >> unsupported format."
> >
> >-t requires a parameter, try
> >
> >-t ',,'
>

Kelly

Aug 19, 2015, 11:07:19 PM
to dev-se...@lists.mozilla.org, hka...@redhat.com
On Tuesday 18 August 2015 14:28:35 Kelly wrote:
> Thanks again.
> I input the command you said, and it replied "Warning: ignoring
> private key. Consider to use pk12util". I want to know:
> 1, has the cert been written into it?

the one in the file

certutil can import just certificate, keys need to be imported from PKCS#12
files

see pkcs12 man page for openssl utility that allows you to convert a PEM
format cert and key pair to a pkcs12 file

then use pk12util to import it to NSS database


Can you explain the keys you said in "keys need to be imported from PKCS#12 files"?
Does it mean the private key, or the key that is needed when you install a p12 cert?


I have another question: when I use certutil to create a nssdb, it creates cert9.db, key4.db and pkcs11.txt in home/nssdb/
and installs the cert an app needs; then if I copy those files to another PC, can it work?
If it can, the cert will not need to exist as a file.

In fact I want to write the cert into the system store.
In Windows I can use the API CertOpenSystemStore,
but in Linux, I cannot.
QCA (Qt Cryptographic Architecture) supports the system store; I sent my question to its mailing list, but got no reply.


> 2, the cert I wrote has a private key, in a format like the following:
> ------BEGIN CERTIFICATE-----
>
> ------END CERTIFICATE-----
> ------BEGIN EC PRIVATE KEY-----
>
> ------END EC PRIVATE KEY-----
>
>
> how can I deal with it?
>

see above

> 3, can you help me to package the certutil tool into an API function, so that I
> can use it in my QT app?

sorry, I'm not familiar with the C/C++ API of NSS, I can only suggest reading the
sources of certutil, pk12util and the online documentation here:
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Reference

> but when I use the command "certutil -L -n nick-name", it replies "certutil: function
> failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in old,
> unsupported format."

you need to always specify the database using -d otherwise you're using the
default from ~/.netscape

Currently a user default database is stored in ~/.pki/nssdb

> how can I get the cert I wrote in?
>
>
>
> I use the command "certutil -L -a -n nick-name -d sql:./nssdb/"
> and it displays the cert content but not the private key

to export the key you must use pk12util, there's no other standard NSS tool to
do that

> kelly

Hubert Kario

Aug 20, 2015, 6:54:44 AM
to Kelly, dev-se...@lists.mozilla.org
On Thursday 20 August 2015 11:06:38 Kelly wrote:
> On Tuesday 18 August 2015 14:28:35 Kelly wrote:
> > Thanks again.
> >
> > I input the command you said, and it replied "Warning: ignoring
> >
> > private key. Consider to use pk12util". I want to know:
> > 1, has the cert been written into it?
>
> the one in the file
>
> certutil can import just certificate, keys need to be imported from PKCS#12
> files
>
> see pkcs12 man page for openssl utility that allows you to convert a PEM
> format cert and key pair to a pkcs12 file
>
> then use pk12util to import it to NSS database
>
>
> Can you explain the keys you said in "keys need to be imported from PKCS#12
> files"?

the PEM files you have and PKCS#12 you need to create are just file formats
storing the same data

think .doc and .odp for text documents

> Does it mean the private key, or the key that is needed when you install a p12
> cert?

PKCS#12 is just a bag holding the certificates and keys; the certificates
themselves are still X.509 certificates and the private keys are still PKCS#8
internally.

> I have another question: when I use certutil to create a nssdb, it creates
> cert9.db, key4.db and pkcs11.txt in home/nssdb/ and installs the cert an
> app needs; then if I copy those files to another PC, can it work?

yes, the nssdb is portable and can be copied between computers, including ones
that have different CPU architectures

> if
> can, the cert will no need to exist.

yes, if you have the certificate in nssdb you don't need it as a separate file

> in fact i want to write cert into system store,
> in windows i can use API CertOpenSystemStore,
> but in linux, i can not.

yes, it's not entirely standardised yet on Linux systems

But the current proposal (and something already used by RHEL, Fedora and
gnome-keyring) is to have the system-wide cert store in /etc/pki/nssdb. User
applications open this database and if they need to store certificates there,
it will be transparently handled by NSS by writing it to ~/.pki/nssdb.

In other words, by opening /etc/pki/nssdb you're opening two databases at the
same time - the one in /etc and the one in user home directory - getting both
the system certificates and user certificates



unrelated to crypto: when replying please prefix the lines you quote with
either ">" or "|", lack of them makes replying to you very hard
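The PEM to PKCS#12 to pk12util path Hubert describes earlier in the thread, the cert-only import with `-t ',,'`, and his answer that the three nssdb files can simply be copied to another machine, gathered into one runnable shell script. This is an added example, not code from the thread or from the NSS project; it assumes openssl, certutil and pk12util are on PATH, and the nickname demo-cert, the password changeit, the working directory and the throwaway self-signed EC certificate it generates in place of ASUE1.cer are all constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread or from NSS): cert+key PEM -> PKCS#12 ->
# pk12util, then copy the three db files to a second directory and list them.
# Assumes openssl, certutil and pk12util on PATH. All names below are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"
P12PASS="changeit"            # constructed PKCS#12 bag password for the demo

# Build a combined PEM file like the one in the thread: certificate, then EC key.
# A throwaway self-signed cert stands in for the real ASUE1.cer.
make_test_pem() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/key.pem"
  openssl req -new -x509 -key "$WORK/key.pem" -days 1 -subj "/CN=demo-cert" \
    -out "$WORK/cert.pem" 2>/dev/null
  cat "$WORK/cert.pem" "$WORK/key.pem" > "$WORK/combined.pem"
  printf '%s\n' "$WORK/combined.pem"
}

# PEM cert+key -> PKCS#12. Both -in and -inkey may point at the same combined file;
# -name becomes the nickname NSS will show after import.
pem_to_p12() {                # $1 = combined PEM, $2 = nickname, $3 = output .p12
  openssl pkcs12 -export -in "$1" -inkey "$1" -name "$2" \
    -passout "pass:$P12PASS" -out "$3"
}

# Sanity check before importing: how many certificates does the bag hold?
p12_cert_count() {            # $1 = .p12 file
  openssl pkcs12 -in "$1" -passin "pass:$P12PASS" -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# Create an empty sqlite-format NSS db (cert9.db, key4.db, pkcs11.txt).
nss_init() {                  # $1 = db directory
  mkdir -p "$1"
  certutil -N -d "sql:$1" --empty-password
}

# Cert-only import. -t takes a trust string; ',,' means no special trust.
# A combined PEM still imports, but certutil drops the key (the thread's warning).
nss_import_cert_only() {      # $1 = db dir, $2 = PEM file, $3 = nickname
  certutil -A -d "sql:$1" -n "$3" -t ',,' -a -i "$2"
}

# Cert + private key import through PKCS#12; -W supplies the bag password.
nss_import_p12() {            # $1 = db dir, $2 = .p12 file
  pk12util -i "$2" -d "sql:$1" -W "$P12PASS"
}

# Did the private key actually land in key4.db? certutil -K lists keys.
nss_has_key() {               # $1 = db dir, $2 = nickname
  certutil -K -d "sql:$1" 2>/dev/null | grep -q "$2"
}

# Portability: copy only the three files to a new directory and list it there.
nss_clone_db() {              # $1 = source db dir, $2 = destination dir
  mkdir -p "$2"
  cp "$1/cert9.db" "$1/key4.db" "$1/pkcs11.txt" "$2/"
  certutil -L -d "sql:$2"
}

if [ "${1:-}" = "run" ]; then
  PEM=$(make_test_pem)
  pem_to_p12 "$PEM" demo-cert "$WORK/demo.p12"
  echo "certificates in bag: $(p12_cert_count "$WORK/demo.p12")"
  nss_init "$WORK/nssdb"
  nss_import_p12 "$WORK/nssdb" "$WORK/demo.p12"
  nss_has_key "$WORK/nssdb" demo-cert && echo "private key present in key4.db"
  nss_clone_db "$WORK/nssdb" "$WORK/nssdb-copy"
fi
```

Run it as `sh example.sh run`. The cert-only path (`nss_import_cert_only`) is kept to show where `-t ',,'` goes; it is the route that produces the "ignoring private key" warning from the thread, which is why the key-bearing import goes through PKCS#12 and `certutil -K` is used as the check that the key is really in the database rather than only the certificate.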