Re: openssl key/cert - NS key/cert db
Nelson B. Bolyard wrote:
> .p12 files contain the nickname for the certs. When mozilla imports a cert
> from a .p12 file, it uses the nickname found in the .p12 file. If I'm not
> mistaken, iPlanet web server requires that the server's cert have a
> particular nickname. It's possible that this was a requirement of the 5.x
> server but not the 6.x server. Julien, can you tell us what nickname the
> server cert should have?

The default name used by all versions of NES is Server-Cert. It is however
configurable. In NES / iWS 4.x versions, you set the nickname of the cert in
magnus.conf using the CERTDefaultNickname directive. This has to be set
manually - there is no admin UI support for it. In 6.x, the nickname of the
cert is configurable through the UI. It is stored in server.xml within the
SSLPARAMS structure.
Re: openssl key/cert - NS key/cert db
liug wrote:
> Nelson B. Bolyard [EMAIL PROTECTED] wrote:
>> liug wrote:
>>> How can I use the NSS tools to convert an openssl generated key pem file
>>> to netscape key3.db ?
>> I believe there is some OpenSSL program that will create a .p12 file
>> (a.k.a PFX file) from your key/cert. Mozilla can import the .p12 file.
>
> quick question: does iplanet webserver6 support 1024bit key?

Yes. By default it will use 1024 bits in fact.

> my openssl generated key is 1024bit, could it be a problem that I can't
> import into iplanet?

No, that can't be the problem.

> btw, I have an apache webserver with ssl key/cert, and I need to convert to
> iplanet6.

You could open a bug against NSS and send us the P12 file by e-mail if you are
comfortable with doing that, so that we could see what the problem is.
Otherwise you will have to create a new key cert.
Re: openssl key/cert - NS key/cert db
liug wrote:
> How can I use the NSS tools to convert an openssl generated key pem file to
> netscape key3.db ?
>
> Thanks!
> Frank

You probably can't convert it, because a pem file is a simple collection of
certs, but a key3.db is a complex database. You might want to create a
database and use appropriate tools to import your certificate/keys into the
key3.db. You could try using a Mozilla build and use the certificate manager
UI, or you could use the command line program certutil, some documentation
exists here:
http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html

Kai
Re: openssl key/cert - NS key/cert db
liug wrote:
> 4) now try to import it (I already have key3.db and cert7.db created).
>
> pk12util -i test2.p12 -d .
>
> it gives:
> pk12util: PKCS12 decode validate bags failed: The user pressed cancel.
>
> any ideas? thanks!
> frank

Did you specify a password on your p12 file when you created it? Does your
database have a password set? In either of these cases, you must pass
parameters to pk12util on the command-line. I don't believe it will prompt
you for the password. The parameters are -K slotpw (where slotpw is your
database password) and -W p12pw (password of your p12 file).

An easier way is to use PSM in Mozilla and click Import, and it will prompt
you for any passwords you need to enter.
Re: openssl key/cert - NS key/cert db
Julien Pierre [EMAIL PROTECTED] wrote:
> liug wrote:
>> 4) now try to import it (I already have key3.db and cert7.db created).
>>
>> pk12util -i test2.p12 -d .
>>
>> it gives:
>> pk12util: PKCS12 decode validate bags failed: The user pressed cancel.
>>
>> any ideas? thanks!
>> frank
>
> Did you specify a password on your p12 file when you created it? Does your
> database have a password set? In either of these cases, you must pass
> parameters to pk12util on the command-line. I don't believe it will prompt
> you for the password. The parameters are -K slotpw (where slotpw is your
> database password) and -W p12pw (password of your p12 file).
>
> An easier way is to use PSM in Mozilla and click Import, and it will prompt
> you for any passwords you need to enter.

tried using -K -W option, same error.

btw, pk12util does prompt for the passwd:

pk12util -i test2.p12 -d .
Enter Password or Pin for NSS Certificate DB:
Enter password for PKCS12 file:

forgot to mention that I am using the tools that come with SunONE Webserver
6.0sp5 (aka iplanet webserver). I had to

export LD_LIBRARY_PATH=/opt/iplanet6/bin/https/lib
export PATH=/opt/iplanet6/bin/https/admin/bin:$PATH

ls /opt/iplanet6/bin/https/admin/bin
ACL.class clmod import restore AclApplet.classclrem importCore rmhttp AclParser.classclxfer importInfo rsrcpckr IdenACE.class commit importSecurity sec-migrate PermACE.class confaccimportUserssecurity ResponseACE.class confadmimportWebPub setlang RightVector.class cronctrl importWebPubInfo snmpcomm aclinput distaclindex snmpmctl advdistadminstallsnmptrpc adv.keydnedit lgaccess status adv.recdoauth migratestopadm avaeditdomodify migrateLocalDB tutor calcount dosearch modutilutil certutil dsconfig nsesvars viewacc ciphersedit perl viewerr cladd60genscreen pk12util clctrl getlangrename

frank
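The route the thread recommends (OpenSSL PEM to PKCS#12 with the nickname baked in, then pk12util with -W/-K so no password prompt is involved), as an added end-to-end script that is not code from the thread or from NSS. It assumes openssl, certutil and pk12util are on PATH and uses the Server-Cert nickname from Julien's reply; the file and password names are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: PEM key+cert -> PKCS#12 -> NSS database.
# Assumes openssl, certutil and pk12util are on PATH (for iWS 6 that is
# bin/https/admin/bin, with LD_LIBRARY_PATH pointing at bin/https/lib, as in
# the thread). Newer NSS writes cert9.db/key4.db instead of the cert7.db/key3.db
# the thread names; the commands are the same.

# Nickname every NES/iWS version looks for by default. Override it if you set
# CERTDefaultNickname (4.x magnus.conf) or the SSLPARAMS nickname (6.x server.xml).
NICK=${NICK:-Server-Cert}

# make_p12 KEY.pem CERT.pem OUT.p12 P12PW
# -name becomes the PKCS#12 friendlyName, which NSS uses as the cert nickname
# on import, so the server finds the cert under the name it expects.
make_p12() {
    openssl pkcs12 -export -inkey "$1" -in "$2" -name "$NICK" \
        -out "$3" -passout "pass:$4"
}

# init_db DBDIR DBPW
# Create an empty NSS database protected by DBPW (the "slot password").
init_db() {
    mkdir -p "$1"
    pwfile=$(mktemp) || return 1
    printf '%s' "$2" > "$pwfile"
    certutil -N -d "$1" -f "$pwfile"
    rc=$?
    rm -f "$pwfile"
    return $rc
}

# import_p12 DBDIR FILE.p12 P12PW DBPW
# Both passwords go on the command line (-W for the .p12, -K for the database),
# which rules out the missing-password prompt the thread raises as a cause.
import_p12() {
    pk12util -i "$2" -d "$1" -W "$3" -K "$4"
}

# has_nickname DBDIR
# Succeeds when the database lists a certificate under $NICK.
has_nickname() {
    certutil -L -d "$1" | grep -qF "$NICK"
}
```

Run make_p12, init_db, import_p12 and then has_nickname in that order; if has_nickname fails after a clean import, the server will not find the cert and the nickname in server.xml (or CERTDefaultNickname) must be changed to match.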