Andriy Zakharchuk wrote, On 2009-04-23 12:07:
> Hello all,
> I have a keys database file (key3.db) and need to export a private key 
> from it, but can not do this.

What version of the NSS utilities are you using?  version 3.??.??

> certutil.exe -L -d .
> gives empty output (empty line) and
> certutil.exe -K -d .
> gives following output
> <0> AAA-update-key
> <1> BBB-update-key
> <2> CCC-update-key

It that literally what you see?  Or do you see output with some long
strings of hexadecimal characters, e.g.
  <0> 0549d7e3a1b3c5d7f89 [...]


> In other words I have a database with private keys but without 
> certificates (the database was created by McCoy tool). 

So, there is an application that uses NSS, named McCoy, that leaves
users with DBs in a state where they cannot do what they want.
Seems like this is an issue to raise with the McCoy developers.
The NSS team really cannot support every application that uses NSS.

> To export key I tried to use pk12util. 

Why do you want to export it?
Is there some other tool into which you want to import it?
Do you merely wish to make a backup?

Your answers to these questions may lead to suggestions of alternative

> In the command line I have to specify certificate 
> name (-n option), but I don't have any. 

Yes, NSS is intended for use in PKI applications, where use of public
and private keys is done in accordance with normal PKI procedures.
Someone has chosen to implement a non-PKI application, using "bare"
keys without certs, and has not made the application sufficiently
complete.  Now, the incomplete nature of that application is becoming
an NSS problem.  :( :( :(

> find user certs from nickname failed: security library: bad database.

pk12util is intended to export a cert and its associated private key
together in a secure manner.  You don't have the primary one of those

> So the question is: is there any way to export private keys from such 
> database (probably smbd had similar problem with McCoy)?

Bare private keys by themselves?
NSS utility programs are intended to NOT do that.
The idea is to NOT make it easy for the user to ruin his own security.

NSS utilities are intended to support PKI.  In non-PKI crypto applications,
it is the application developer's duty to provide the necessary
functionality to be used with his application.

NSS has an outstanding Request For Enhancement (RFE) asking that certutil
have the ability to generate a Certificate Signing Request (CSR) from any
private key, including "orphan" keys (those that are not associated with
any certificates).  This is bug

If that feature was implemented, you could use it to create a self signed
cert, and with that, you could then use pk12util to export the cert and key.

Perhaps you would like to implement that RFE.  The only changes required
are (or, should be) in the utility program source code itself, and not in
NSS's crypto libraries.
dev-tech-crypto mailing list

Reply via email to