Andriy Zakharchuk wrote, On 2009-04-23 12:07:
> Hello all,
>
> I have a keys database file (key3.db) and need to export a private key
> from it, but can not do this.

What version of the NSS utilities are you using? version 3.??.??

> certutil.exe -L -d .
>
> gives empty output (empty line) and
>
> certutil.exe -K -d .
>
> gives following output
>
> <0> AAA-update-key
> <1> BBB-update-key
> <2> CCC-update-key

Is that literally what you see? Or do you see output with some long strings of hexadecimal characters, e.g.

<0> 0549d7e3a1b3c5d7f89 [...]

??

> In other words I have a database with private keys but without
> certificates (the database was created by McCoy tool).

So, there is an application that uses NSS, named McCoy, that leaves users with DBs in a state where they cannot do what they want. Seems like this is an issue to raise with the McCoy developers. The NSS team really cannot support every application that uses NSS.

> To export key I tried to use pk12util.

Why do you want to export it? Is there some other tool into which you want to import it? Do you merely wish to make a backup? Your answers to these questions may lead to suggestions of alternative solutions.

> In the command line I have to specify certificate
> name (-n option), but I don't have any.

Yes, NSS is intended for use in PKI applications, where use of public and private keys is done in accordance with normal PKI procedures. Someone has chosen to implement a non-PKI application, using "bare" keys without certs, and has not made the application sufficiently complete. Now, the incomplete nature of that application is becoming an NSS problem. :( :( :(

> find user certs from nickname failed: security library: bad database.

Right. pk12util is intended to export a cert and its associated private key together in a secure manner. You don't have the primary one of those ingredients.

> So the question is: is there any way to export private keys from such
> database (probably smbd had similar problem with McCoy)?

Bare private keys by themselves? NSS utility programs are intended to NOT do that. The idea is to NOT make it easy for the user to ruin his own security.

NSS utilities are intended to support PKI. In non-PKI crypto applications, it is the application developer's duty to provide the necessary functionality to be used with his application.

NSS has an outstanding Request For Enhancement (RFE) asking that certutil have the ability to generate a Certificate Signing Request (CSR) from any private key, including "orphan" keys (those that are not associated with any certificates). This is bug https://bugzilla.mozilla.org/show_bug.cgi?id=430198

If that feature was implemented, you could use it to create a self signed cert, and with that, you could then use pk12util to export the cert and key.

Perhaps you would like to implement that RFE. The only changes required are (or, should be) in the utility program source code itself, and not in NSS's crypto libraries.

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
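An added example, not from the thread or from NSS itself: a Python script that cross-checks the nickname lists printed by `certutil -K` and `certutil -L` to flag orphan keys like the poster's, an inventory check worth running on a key3.db before deciding what to do with it. The sample outputs, the `rsa`/`dsa`/`ec` type tokens and the longer "<n> type keyid nickname" line layout are constructed assumptions, not documented NSS formats.

```python
import re
# Constructed sample output, not real database contents. It models both
# `certutil -K` line styles in the thread: "<n> nickname" and "<n> type keyid nickname".
SAMPLE_KEYS = """\
<0> AAA-update-key
<1> rsa 0549d7e3a1b3c5d7f89 BBB-update-key
<2> CCC-update-key
<3> ec 1a2b3c4d5e6f Server-Cert
"""
# Constructed `certutil -L` output: two header lines, blank line, one cert per line.
SAMPLE_CERTS = """\
Certificate Nickname                            Trust Attributes
                                                SSL,S/MIME,JAR/XPI

Server-Cert                                     u,u,u
"""
KEY_TYPES = {"rsa", "dsa", "ec"}  # assumed type tokens in the longer -K form
KEY_LINE = re.compile(r"^<(\d+)>\s+(.*\S)\s*$")
HEX_ID = re.compile(r"^[0-9a-fA-F]+$")

def parse_key_list(text):
    """Map each private-key nickname to its slot number from `certutil -K` output."""
    keys = {}
    for line in text.splitlines():
        m = KEY_LINE.match(line)
        if not m:
            continue
        slot, fields = int(m.group(1)), m.group(2).split()
        # Longer form: drop the key type and hex key id, keep the nickname.
        if len(fields) >= 3 and fields[0] in KEY_TYPES and HEX_ID.match(fields[1]):
            fields = fields[2:]
        keys[" ".join(fields)] = slot
    return keys

def parse_cert_list(text):
    """Collect certificate nicknames from `certutil -L` output, skipping the header."""
    nicks = set()
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(("Certificate Nickname", "SSL,S/MIME")):
            continue
        nicks.add(re.split(r"\s{2,}", stripped)[0])  # nickname precedes the trust flags
    return nicks

def orphan_keys(key_output, cert_output):
    """Return nicknames of keys with no matching certificate, in slot order."""
    certs = parse_cert_list(cert_output)
    keys = sorted(parse_key_list(key_output).items(), key=lambda kv: kv[1])
    return [nick for nick, _ in keys if nick not in certs]
```

With the poster's empty `-L` output, `orphan_keys(SAMPLE_KEYS, "")` reports every key as an orphan, which is exactly the state pk12util cannot export from.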