Donny wrote:
> 
> I need to export my private keys to pkcs12 format to put on another server.
> My problem is I am running Iplanet 4.1 and I don't have a way to do this.
> It seems pk12util will do this for me, but I have no idea where to find what
> I need.  I'm running Solaris 8 on a sparc platform.  What do I need to
> download so I can install and run pk12util, and where can I find the
> files needed?  This is all pretty new to me so I'm not sure exactly what I
> need to do here.  Thanks

pk12util is one of many NSS utility programs.  Another that will probably
help you is certutil.  I'm not sure which release of NSS corresponds 
exactly to the iPlanet server(s) you're using, but I'd guess that NSS 3.2.2
will work for you.

You can download the NSS utility programs and shared libraries from this URL:

ftp://ftp.mozilla.org/pub/security/nss/releases/NSS_3_2_2_RTM/SunOS5.6_OPT.OBJ/nss-3.2.2.tar.gz

You'll also need the NSPR shared libraries from 

ftp://ftp.mozilla.org/pub/nspr/releases/v4.1.2/SunOS5.6_OPT.OBJ/nspr-4.1.2.tar.gz

These versions, produced in the summer of 2001, _should_ work for you, but
you _might_ need older versions.

Put all the shared libraries into a directory, and put that directory name
into LD_LIBRARY_PATH.  Put all the utility programs into a directory in 
your PATH.  You'll need the pathname of the directory that contains your
server's *cert7.db and *key3.db files.  Those file names will probably
have a prefix, e.g. if the filename is https-yourservername-cert7.db
then the prefix is "https-yourservername-". 

Run the command

certutil -L -d <db> -P <prefix>

where <db> is the pathname of the directory that contains your cert7.db 
and key3.db files.  Most NSS utilities use the same -d and -P options.
If your prefix is empty, then drop the -P <prefix> option.

That command will give you a list of "nicknames".  The nickname for your 
server cert will be followed by the letters "u,u,u".  

Then run a command similar to this:

pk12util -o exportfile -n nickname [-d certdir] [-P dbprefix]
        [-k slotpwfile | -K slotpw] [-w p12filepwfile | -W p12filepw]

where 
    exportfile is the name of the .p12 file to be created,
    nickname is the nickname you found with certutil, enclosed in quotes
        if needed,
    The -d and -P options are as for certutil
    The -k or -K options specify the password that unlocks the key3.db file.
        The -K option names a file that contains the password.
        The -k option gives the password itself.
    Similarly, the -w or -W options specify the password that will protect 
        the newly created .p12 file.  

--
Nelson B
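
The two steps in the message above as a shell script, added here as an example and not part of the original message or of NSS: it picks the nickname flagged u,u,u out of a certutil -L listing and builds the pk12util call with the -k and -w password-file forms from the usage line. The sample listing, the paths and file names, and the PK12UTIL dry-run variable are assumptions of this example.

```shell
#!/bin/sh
# Constructed sample of `certutil -L -d <db> -P <prefix>` output.
SAMPLE_LISTING='My Server Cert                  u,u,u
Example Root CA                 CT,C,C
Example Intermediate CA         c,c,c'

# Read a certutil -L listing on stdin; print each nickname whose trust
# flags are "u,u,u". Nicknames may contain spaces, so only the last
# whitespace-separated field is stripped.
server_nicknames() {
    awk '$NF == "u,u,u" { sub(/[ \t]+[^ \t]+[ \t]*$/, ""); print }'
}

# Print the single server nickname; fail on zero or several matches so
# that no key is exported by guesswork.
pick_server_nickname() {
    names=$(server_nicknames)
    [ -n "$names" ] || { echo "no u,u,u nickname found" >&2; return 1; }
    [ "$(printf '%s\n' "$names" | wc -l)" -eq 1 ] ||
        { echo "several u,u,u nicknames; choose one by hand" >&2; return 1; }
    printf '%s\n' "$names"
}

# export_p12 DB PREFIX NICKNAME OUTFILE SLOTPWFILE P12PWFILE
# Password files (-k, -w in the usage line) keep both passwords out of
# the process list and shell history.
# PK12UTIL=echo gives a dry run (hypothetical variable, this example only).
export_p12() (
    umask 077   # the .p12 contains the private key: owner-only file mode
    db=$1 prefix=$2 nick=$3 out=$4 slotpw=$5 p12pw=$6
    set -- -o "$out" -n "$nick" -d "$db"
    if [ -n "$prefix" ]; then set -- "$@" -P "$prefix"; fi
    ${PK12UTIL:-pk12util} "$@" -k "$slotpw" -w "$p12pw"
)

# Dry run on the constructed listing: prints the arguments, runs nothing.
nick=$(printf '%s\n' "$SAMPLE_LISTING" | pick_server_nickname) &&
    PK12UTIL=echo export_p12 /path/to/db https-yourservername- "$nick" \
        server.p12 slot.pw p12.pw
```

Drop the PK12UTIL=echo prefix to perform the export, and delete the two password files and the copy of the .p12 left on the source host once the key is installed on the other server.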
