Is there a pk1util that would allow for PKCS#1 management?  I think
that would be more useful than requiring a self-signed public key
wrapper for pk12util.

-Kyle H

On Thu, Apr 23, 2009 at 1:45 PM, Nelson B Bolyard wrote:
> Andriy Zakharchuk wrote, On 2009-04-23 12:07:
>> Hello all,
>> I have a keys database file (key3.db) and need to export a private key
>> from it, but cannot do this.
> What version of the NSS utilities are you using?  version 3.??.??
>> certutil.exe -L -d .
>> gives empty output (empty line) and
>> certutil.exe -K -d .
>> gives the following output
>> <0> AAA-update-key
>> <1> BBB-update-key
>> <2> CCC-update-key
> Is that literally what you see?  Or do you see output with some long
> strings of hexadecimal characters, e.g.
>  <0> 0549d7e3a1b3c5d7f89 [...]
> ??
>> In other words I have a database with private keys but without
>> certificates (the database was created by McCoy tool).
> So, there is an application that uses NSS, named McCoy, that leaves
> users with DBs in a state where they cannot do what they want.
> Seems like this is an issue to raise with the McCoy developers.
> The NSS team really cannot support every application that uses NSS.
>> To export the key I tried to use pk12util.
> Why do you want to export it?
> Is there some other tool into which you want to import it?
> Do you merely wish to make a backup?
> Your answers to these questions may lead to suggestions of alternative
> solutions.
>> In the command line I have to specify certificate
>> name (-n option), but I don't have any.
> Yes, NSS is intended for use in PKI applications, where use of public
> and private keys is done in accordance with normal PKI procedures.
> Someone has chosen to implement a non-PKI application, using "bare"
> keys without certs, and has not made the application sufficiently
> complete.  Now, the incomplete nature of that application is becoming
> an NSS problem.  :( :( :(
>> find user certs from nickname failed: security library: bad database.
> Right.
> pk12util is intended to export a cert and its associated private key
> together in a secure manner.  You don't have the primary one of those
> ingredients.
>> So the question is: is there any way to export private keys from such a
>> database (probably smbd had a similar problem with McCoy)?
> Bare private keys by themselves?
> NSS utility programs are intended to NOT do that.
> The idea is to NOT make it easy for the user to ruin his own security.
> NSS utilities are intended to support PKI.  In non-PKI crypto applications,
> it is the application developer's duty to provide the necessary
> functionality to be used with his application.
> NSS has an outstanding Request For Enhancement (RFE) asking that certutil
> have the ability to generate a Certificate Signing Request (CSR) from any
> private key, including "orphan" keys (those that are not associated with
> any certificates).  This is bug
> If that feature was implemented, you could use it to create a self signed
> cert, and with that, you could then use pk12util to export the cert and key.
> Perhaps you would like to implement that RFE.  The only changes required
> are (or, should be) in the utility program source code itself, and not in
> NSS's crypto libraries.
> --
> dev-tech-crypto mailing list