i'm experimenting with using client authn between a command-line
ldapsearch client (for this experiment, the one that comes with sun's
directory server resource kit v 5.2) and sun one directory server 5.1
(on solaris 9 sparc).
using openssl, i created a self-signed ca cert (and keys) plus an ldap
server cert (and keys) and a client cert (and keys); the client and
server certs are both signed by my self-signed ca cert. certs and keys
for all three (ca, server, client) are in pem format.
i successfully installed the server and ca certs into the directory
server; i then added the ca and client certs into $HOME/.netscape/
cert7.db using the following certutil command line:
certutil -A -a -i ./myClientCert.pem -n "myClientCert" -c "myCACert" -t "u,u,u" -d $HOME/.netscape
(and a similar command for the ca cert)
after running that command, i was able to successfully view the just-added
cert with: "certutil -L -n myClientCert -d $HOME/.netscape"
that leads me to my first question:
1. does that command implicitly add the cert's private key into
$HOME/.netscape/key3.db?
2. if not, how do i add the cert's private key to key3.db?
the certutil docs (http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html) say,
"The Certificate Database Tool is a command-line utility that
can...display the contents of the key database..."
i've read and reread that page over and over; but i still can't figure
out which command to use to make certutil "display the contents of the
key database".
if it's any help, i'm using the binary version of certutil that came
precompiled as part of the sun one directory server resource kit 5.2
(dsrk52) on solaris 9 sparc. for what it's worth: the certs were
created on my mac with openssl, then jarred and ftp'd over to the sun
box.
as far as wanting to view keys, i'm guessing it's actually the
pk12util tool i want (http://www.mozilla.org/projects/security/pki/nss/tools/pk12util.html)
instead of certutil. is that right? if so, then
please can you also clear up a couple things about pk12util?
the pk12util docs say, "Import a certificate and private key from
the p12file into the database." the way i read that description, it
implies that both the private key and cert get imported into the same
database ("into __the__ database"). am i understanding that correctly?
3. what exactly _does_ get added to key3.db?
4. how can i view what's in key3.db?
if you're interested, the reasons for my questions stem from the
following ldapsearch error:
bebop$ /development/projects/dsrk52/lib/ldapcsdk/tools/ldapsearch -h bebop -p 636 -Z -P /home/bebop/.netscape/cert7.db -N "myClientCert" -W "**********" -K /home/bebop/.netscape/key3.db -b "" "(objectClass=*)"
ldapssl_enable_clientauth: Bad parameter to an ldap routine
ldapssl_enable_clientauth: additional info: unable to find certificate
SSL error -8174 (security library: bad database.)
hello forum,
i've answered a couple of my own questions; thanks to "http://kb.mozillazine.org/Key3.db"
"key3.db contains a key used to encrypt and decrypt saved
passwords."
reading the pk12util docs further, i worked out that the cert's
private key must be inside cert7.db along with the cert; as this
command description suggests:
"-o p12file - Export certificate and private key, specified by the -n option, from the database to the p12 file."
now, if anybody could help shed light on this error i'm getting using
my certs and keys for 2-way ssl, please chime in:
> ldapssl_enable_clientauth: Bad parameter to an ldap routine
> ldapssl_enable_clientauth: additional info: unable to find
certificate
> SSL error -8174 (security library: bad database.)
thanks in advance for your help.
No, not exactly - private keys are stored in key3.db - certs are stored
in cert7.db. What version of NSS are you using anyway? cert7.db is
really old - NSS switched to cert8.db a long time ago.
certutil -L will show you your certs.
certutil -L -n "myClientCert" will show you that particular cert
I suppose you could run ldapsearch with strace or truss to see what file
it cannot find or open.
If this is an ldapsearch issue, you might want to follow up to
mozilla.dev.tech.ldap
thanks mr megginson,
i sincerely appreciate your reply.
i'm coming from a java keystore/openssl mentality. i'm trying to grok
certutil for the first time today. so please be patient with me if my
questions are stupid.
it still isn't obvious to me exactly when or how (or even, IF) the
private key (that was generated by openssl when i first created the ca
and client certs) got added into key3.db. how can i confirm whether or
not certutil added the key to key3.db?
i didn't explicitly supply the certs' private key file location to
the certutil command line when i added the certs to cert7.db
(although, the private key .pem files were in fact in the same
directory as the .pem cert files when i ran the certutil command).
if you could point me to some nss/certutil docs that describe the
process of adding an existing cert to cert7.db, i would be grateful.
in the meantime, i will go and rerun the ldapsearch command with truss
and strace like you suggested; and let you know the outcome. i will
also try to figure out what version of nss/certutil came bundled
precompiled with the sun one ds resource kit 5.2 that i'm using.
i guess i slavishly followed instructions from some tutorial that said
to use to "cert7.db in $HOME/.netscape". the cert7.db file is from the
only installation of netscape navigator on my circa 2002 sunblade 100
workstation.
thanks again for your help. be right back...
This most likely means that there is no private key stored, just the
public key/certificate. You'd need to provide a PKCS12 file instead
which includes the private key.
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Jabber: star...@startcom.org
Blog: https://blog.startcom.org
thanks for your reply mr. nigg,
> This most likely means that there is no private key stored, just the
> public key/certificate. You'd need to provide a PKCS12 file instead
> which includes the private key.
>
that makes sense. thanks, mr nigg. now, please, can you tell me how i
can view|list the private keys in key3.db once i've run certutil with
a pkcs12 file?
> "The Certificate Database Tool is a command-line utility that
> can...display the contents of the key database..."
what is the certutil command that the above statement from the
certutil docs is referring to?
mr. megginson, i can't work out what version of nss/certutil came
bundled with the dsrk v 5.2 (is there a command i can run that would
tell me?). all i know is i downloaded the dsrk 5.2 binaries from sun
and installed it on my sun box on nov 25, 2006. so it's safe to assume
i'm using whichever release of nss that was current on that date; i
guess.
i do know that the $HOME/.netscape on my sun box is from netscape
communicator 4.76. again, the only reason i used that location is
because the tutorial i was using instructed me to. and there just
happened to be a cert7.db file at that location. from now on, i will
use the cert8.db file in my "mozilla 1.4 for sun java desktop system
(solaris operating system edition)" profile.
also, running "truss ldapsearch..." spewed out a lot of gibberish that
i don't have time to decipher at the moment. thanks for the suggestion
anyway, mr. megginson.
thanks in advance to anybody else in the ng who can also fill me in on
anything that might be helpful.
i remembered what documentation instructed me to use $HOME/.netscape/
cert7.db. it was sun's "Sun ONE Server Console 5.2 Server Management
Guide". the chapter on "Using SSL and TLS with Sun ONE Servers":
http://docs.sun.com/source/816-6704-10/ssl.html#22531
"Copy the Netscape Communicator certificate database files, cert7.db
and key3.db, that contain your certificates to your .mcc directory.
...
On UNIX systems, the cert7.db and key3.db files are located in your
home directory, /$HOME/.netscape. $HOME is your root directory if you
are running Administration Server as root. $HOME is your user home
directory if you are running Administration Server as a user, for
example, /home/username or /export/home/username.
..."
i know it's neither here nor there. but i was going crazy trying to
remember myself why i used cert7.db.
1) Keys are *never* stored in certN.db; they're always in keyN.db;
only certificates are in certN.db. The association between the
key and the cert is made via the cert's nickname (in your case:
myClientCert);
2) You do not have the Private Key of your client cert in your
keyN.db file, since you haven't imported it. You need to use
openssl to create a P12 file with your Private Key and cert,
and then use the pk12util to import the P12 to the Mozilla
(Netscape) databases (the key will automatically go to keyN.db
and the cert will go to certN.db); you need to get past this
problem before you can do anything with ClientAuth.
However, I would recommend that you get the LDAP working with SSL
but *without* ClientAuth to ensure that your server-side SSL is
setup correctly, first. Once you can access your directory server
over SSL without ClientAuth, the next step is to add ClientAuth.
Finally, if you're going to be using digital certificates, while
openssl will do the job for you, since you say you know Java, you
can also use keytool from the JDK to create your key, cert and P12 -
all using the same command; you can then just import the P12 to the
Mozilla databases. If you want to use an industrial-strength tool
for your certificates, either use DogTag or EJBCA.
Arshad Noor
StrongAuth, Inc.
fat.fuck wrote:
>> bebop$ /development/projects/dsrk52/lib/ldapcsdk/tools/ldapsearch -h bebop -p 636 -Z -P /home/bebop/.netscape/cert7.db -N "myClientCert" -W "**********" -K /home/bebop/.netscape/key3.db -b "" "(objectClass=*)"
>> ldapssl_enable_clientauth: Bad parameter to an ldap routine
>> ldapssl_enable_clientauth: additional info: unable to find certificate
>> SSL error -8174 (security library: bad database.)
>
> now, if anybody could help shed light on this error i'm getting using
Welcome.
> using openssl, i created a self-signed ca cert (and keys) plus an ldap
> server cert (and keys) and a client cert (and keys); the client and
> server certs are both signed by my self-signed ca cert. certs and keys
> for all three (ca, server, client) are in pem format.
>
> i successfully installed the server and ca certs into the directory
> server; i then added the ca and client certs into $HOME/.netscape/
> cert7.db using the following certutil command line:
>
> certutil -A -a -i ./myClientCert.pem -n "myClientCert" -c "myCACert"
> -t "u,u,u" -d $HOME/.netscape (and a similar command for the ca cert)
>
> after running that command, i was able to successfully view the just-
> added cert with: "certutil -L -n myClientCert -d $HOME/.netscape
>
> that leads me to my first question:
>
> 1. does that command implicitly add the cert's private key get into
> $HOME/.netscape/key3.db?
No. That command only told certutil to import a cert, and only gave
certutil the name of the PEM file with the certificate.
> 2. if not, how do i add the cert's private key to key3.db?
NSS does not deal with private keys in PEM files. It only deals with
private keys in PKCS#12 files. You can get the OpenSSL utility program
to combine the PEM files for the cert and its private key into a single
PKCS#12 file, and then import that PKCS#12 file into NSS's databases
using NSS's utility program named pk12util. That's the only supported
way to import private keys from files into NSS.
> the certutil docs (http://www.mozilla.org/projects/security/pki/nss/
> tools/certutil.html) say,
>
> "The Certificate Database Tool is a command-line utility that
> can...display the contents of the key database..."
>
> i've read and reread that page over and over; but i still can't figure
> out which command to use to make certutil "display the contents of the
> key database".
certutil defines LOTS of single character command line options. Most of
the ones with capital letters (e.g. -A, -L, -K) specify a function that
certutil must perform. The lower case letters all supply other information
needed for that function. Some useful function options are:
  -A -n X       add a cert to the cert database and give it nickname X
  -L            list the nicknames of the certs in the database
  -L -n X       pretty print the details for the cert nicknamed X
  -L -n X -r    output the cert nicknamed X in binary
  -L -n X -a    output the cert nicknamed X in PEM format
  -K            list the private keys by nickname or public key value.
> if it's any help, i'm using the binary version of certutil that came
> precompiled as part of the sun one directory server resource kit 5.2
> (dsrk52) on solaris 9 sparc.for what it's worth:
That's pretty ancient now. I suggest you try NSS 3.11.x or 3.12.x
> as far as wanting to view keys, i'm guessing it's actually the
> pk12util tool i want (http://www.mozilla.org/projects/security/pki/nss/
> tools/pk12util.html) instead of certutil. is that right?
pk12util is a tool to deal with PKCS#12 files. PKCS#12 files contain
private keys and certs, and are used to transport a private key and its
related certs from one system or set of software to another. PKCS#12
is the one file format that is universally supported for this purpose
by all the major crypto software packages (including, but not limited
to: NSS, OpenSSL, and MS Windows).
> the pk12util docs say, "Import a certificate and private key from
> the p12file into the database." the way i read that description, it
> implies that both the private key and cert get imported into the same
> database ("into __the__ database"). am i understanding that correctly?
The doc is missing a letter. Should be databaseS.
> 3. what exactly _does_ get added to key3.db?
keys. Private keys, and occasionally symmetric secret keys.
> 4. how can i view what's in key3.db?
Well, you can't see the actual private key values, but they wouldn't do
you much good even if you could. You can see information that helps
you figure out which certificate(s) they go with using the command
certutil -K <other arguments>
> if you're interested, the reasons for my questions stem from the
> following ldapsearch error:
>
> bebop$ /development/projects/dsrk52/lib/ldapcsdk/tools/ldapsearch -h bebop -p 636 -Z -P /home/bebop/.netscape/cert7.db -N "myClientCert" -W "**********" -K /home/bebop/.netscape/key3.db -b "" "(objectClass=*)"
> ldapssl_enable_clientauth: Bad parameter to an ldap routine
> ldapssl_enable_clientauth: additional info: unable to find certificate
> SSL error -8174 (security library: bad database.)
I can't help you with ldapsearch, but I can help you with that error
message. That error message is very misleading. The error code -8174
really means either
- the thing for which you were searching could not be found in a DB, or
- you tried to add a thing to a DB that is already there.
depending on what you were trying to do when that error occurs.
> i remembered what documentation instructed me to use $HOME/.netscape/
> cert7.db. it was sun's "Sun ONE Server Console 5.2 Server Management
> Guide". the chapter on "Using SSL and TLS with Sun ONE Servers":
>
> http://docs.sun.com/source/816-6704-10/ssl.html#22531
>
> "Copy the Netscape Communicator certificate database files, cert7.db
> and key3.db, that contain your certificates to your .mcc directory.
> ...
> On UNIX systems, the cert7.db and key3.db files are located in your
> home directory, /$HOME/.netscape. $HOME is your root directory if you
> are running Administration Server as root. $HOME is your user home
> directory if you are running Administration Server as a user, for
> example, /home/username or /export/home/username.
> ..."
>
> i know it's neither here nor there. but i was going crazy trying to
> remember myself why i used cert7.db.
That document is 5 years old, and was written to describe a version of
the software that was released at that time. It was accurate when it
was written, and probably is still accurate for that software version.
thanks mr. noor,
> However, I would recommend that you get the LDAP working with SSL
> but *without* ClientAuth to ensure that your server-side SSL is
> setup correctly, first. Once you can access your directory server
> over SSL without ClientAuth, the next step is to add ClientAuth.
>
i can confirm that ldap works successfully with ssl without
clientauth. my remote (and local) clients can bind to the server and
search over ssl.
> Finally, if you're going to be using digital certificates, while
> openssl will do the job for you, since you say you know Java, you
> can also use keytool from the JDK to create your key, cert and P12 -
> all using the same command; you can then just import the P12 to the
> Mozilla databases.
keytool sounds like a plan! please, mr. noor. won't you share the
specific keytool command with me (and future readers) in this thread?
you would be doing the community a huge favor. thanks in advance.
However, if you're still interested in keytool for generating
keys and certs, "keytool -help" or "man keytool" provide all
details.
First, copy the text of the keyfile into the certfile or vice versa
(or cat them both into a 3rd file), it doesn't matter as long as both
are in the same file. Then run either of the below commands where
file.pem is the file you just put the cert/key into. The second
command allows you to put some CA certs into the PKCS12 should you so
desire. The -name field ends up being the "Friendly name" and after
you import using pk12util it will be the nickname that you use to
reference the cert/key via NSS and the server products so choose
wisely there.
openssl pkcs12 -export -in file.pem -out file.p12 -name "Server-Cert"
openssl pkcs12 -export -in file.pem -out file.p12 -name "Server-Cert" -certfile othercerts.pem
then to import to NSS, this is usually enough:
pk12util -i file.p12 -d [cert/key db location]
then list the contents of your DB:
certutil -L -d [cert/key db location]
if you see 3 u's after the nickname then you did it right and the cert
AND key are there:
$ nsscertutil -L -d .
Server-Cert
u,u,u
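The check the last two replies describe (a cert row in `certutil -L` output without a `u` flag means the cert is there but the private key is not), put into a script. This is an added example, not code from the thread or from NSS/the DSRK; it assumes the standard two-column `certutil -L` listing (nickname, then the SSL,S/MIME,JAR/XPI trust flags on the same line) and only invokes `certutil`, `openssl` and `pk12util` when they are in PATH. The sample listing embedded at the bottom is constructed to mirror the original poster's situation: `myClientCert` was imported from a PEM with `certutil -A`, so it has no `u` flag, while a PKCS#12-imported `Server-Cert` shows `u,u,u`.

```shell
#!/bin/sh
# nss_clientcert_check.sh (added example, not from the thread)
#
# nss_cert_status NICKNAME   -- reads `certutil -L -d DIR` output on stdin
# Exit status: 0 = nickname present with a 'u' flag (private key in keyN.db)
#              1 = nickname present but no 'u' flag (cert only; ldapsearch -N will fail)
#              2 = nickname not in the listing
nss_cert_status() {
    awk -v nick="$1" '
        # Only lines whose last field is a trust-flag triple are cert rows; this
        # skips the header and blank lines without counting them.
        $NF ~ /^[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*$/ {
            flags = $NF
            name = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", name)   # drop the trailing flags column
            if (name == nick) {
                found = 1
                if (flags ~ /u/) status = 0; else status = 1
            }
        }
        END { if (!found) exit 2; exit status }
    '
}

# check_client_cert DBDIR NICKNAME -- the files ldapsearch -P/-K will open, then
# the listing. Returns the nss_cert_status code, or 3 if certutil is unavailable.
check_client_cert() {
    dbdir="$1"; nick="$2"
    if [ ! -f "$dbdir/cert8.db" ] && [ ! -f "$dbdir/cert7.db" ]; then
        echo "no cert7.db/cert8.db in $dbdir" >&2; return 2
    fi
    if [ ! -f "$dbdir/key3.db" ]; then
        echo "no key3.db in $dbdir: no private key can be stored here" >&2; return 1
    fi
    command -v certutil >/dev/null 2>&1 || { echo "certutil not in PATH" >&2; return 3; }
    rc=0
    certutil -L -d "$dbdir" | nss_cert_status "$nick" || rc=$?
    case $rc in
        0) echo "$nick: cert and private key present (u flag); usable with ldapsearch -N" ;;
        1) echo "$nick: cert present but no private key; import a PKCS#12 with pk12util" ;;
        2) echo "$nick: not found in $dbdir" ;;
    esac
    return $rc
}

# import_pem_pair CERT.pem KEY.pem NICKNAME DBDIR [CHAIN.pem]
# The recipe from the thread: concatenate cert and key, wrap them with
# `openssl pkcs12 -export`, import with `pk12util -i`. Both tools prompt for
# the PKCS#12 password. The unencrypted key is only ever written into a
# mktemp -d directory (mode 0700) that is removed afterwards.
import_pem_pair() {
    cert="$1"; key="$2"; nick="$3"; dbdir="$4"; chain="$5"
    tmpdir=$(mktemp -d) || return 1
    cat "$cert" "$key" > "$tmpdir/pair.pem"
    rc=0
    if [ -n "$chain" ]; then
        openssl pkcs12 -export -in "$tmpdir/pair.pem" -out "$tmpdir/pair.p12" \
            -name "$nick" -certfile "$chain" || rc=$?
    else
        openssl pkcs12 -export -in "$tmpdir/pair.pem" -out "$tmpdir/pair.p12" \
            -name "$nick" || rc=$?
    fi
    [ "$rc" -eq 0 ] && { pk12util -i "$tmpdir/pair.p12" -d "$dbdir" || rc=$?; }
    rm -rf "$tmpdir"
    return $rc
}

# Constructed sample of `certutil -L -d $HOME/.netscape` for the demo run.
SAMPLE_LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

myCACert                                                     CT,,
myClientCert                                                 ,,
Server-Cert                                                  u,u,u'

if [ $# -ge 2 ]; then
    check_client_cert "$1" "$2"          # live check: ./nss_clientcert_check.sh DBDIR NICKNAME
else
    for n in myCACert myClientCert Server-Cert; do
        rc=0; printf '%s\n' "$SAMPLE_LISTING" | nss_cert_status "$n" || rc=$?
        echo "$n -> status $rc"          # myCACert 1, myClientCert 1, Server-Cert 0
    done
fi
```

Run it with a database directory and nickname (`./nss_clientcert_check.sh ~/.netscape myClientCert`) before trying `ldapsearch -Z -N`: status 1 is exactly the original poster's state (cert imported with `certutil -A`, key never imported), and the fix is `import_pem_pair` followed by re-running the check until the nickname shows a `u`.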