As I understand the problem, the user has a Solaris box running a version of Solaris in which the program /usr/bin/passwd uses iPlanet's "LDAP SDK" library to communicate with LDAP and LDAPS servers for user authentication. LDAP SDK, in turn, uses NSS when communicating with LDAPS (LDAP over SSL) servers. Apparently /usr/bin/passwd configures NSS to find databases in /etc/ssl/certs.
The user experiences failures. It is believed that the CA cert for the CA that issued the LDAPS server's cert is not a known and trusted CA cert for the Solaris LDAPS client. So, the user/administrator is trying to add the CA cert to the database of trusted CA certs used by the LDAP SDK for /usr/bin/passwd, using an unknown version of certutil. The attempt to add the CA cert results in an error stating that authentication for the private key DB has failed.

I believe this particular failure (key DB authentication while trying to add a CA cert to the cert DB) is a new behavior in the NSS 3.4 certutil. So, I'd suggest that the user do these steps:

a) Back up the entire contents of /etc/ssl/certs so that you can always revert to a known good (?) state if something goes wrong.

b) Try using certutil from an older version of NSS, e.g. NSS 3.3 or NSS 3.2, and repeat the certutil -A command that you tried before.

-- 
Nelson Bolyard
Netscape

Disclaimer: I speak for myself, not for Netscape
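A worked version of the two steps above (snapshot the NSS database directory, then retry the certutil -A add and confirm the entry), added here as an illustration and not part of the post. It assumes a POSIX shell with tar, and an NSS certutil on PATH for the add step; the database directory, the CA file name and the nickname are placeholders to be replaced. The trust string "C,," marks the certificate as a CA trusted to issue SSL server certs, and -a tells certutil the input is PEM rather than DER.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes POSIX sh + tar,
# and NSS certutil on PATH for add_ca_cert. Paths and names are placeholders.
set -eu

# Step (a): snapshot the whole NSS database directory before touching it.
# Prints the archive path so the caller can record where the backup went.
backup_certdb() {
    dbdir=$1
    stamp=$(date +%Y%m%d%H%M%S)
    parent=$(dirname "$dbdir")
    base=$(basename "$dbdir")
    archive="$parent/$base.backup.$stamp.tar"
    # -C keeps paths relative so the archive restores cleanly with one command
    tar -cf "$archive" -C "$parent" "$base"
    printf '%s\n' "$archive"
}

# Revert helper: put the directory back exactly as it was archived.
restore_certdb() {
    archive=$1
    dbdir=$2
    rm -rf "$dbdir"
    tar -xf "$archive" -C "$(dirname "$dbdir")"
}

# Step (b): add the CA certificate as a trusted issuer of SSL server certs,
# then list the database to confirm the nickname is present.
add_ca_cert() {
    dbdir=$1; certfile=$2; nickname=$3
    certutil -A -d "$dbdir" -n "$nickname" -t "C,," -a -i "$certfile"
    certutil -L -d "$dbdir" | grep -F "$nickname"
}

# Usage: sh add-ldaps-ca.sh run   (placeholder paths; edit before use)
if [ "${1:-}" = "run" ]; then
    ARCHIVE=$(backup_certdb /etc/ssl/certs)
    echo "backup written to $ARCHIVE"
    add_ca_cert /etc/ssl/certs /tmp/ldaps-ca.pem "LDAPS CA (placeholder)"
fi
```

If the add still fails, restore_certdb with the archive path printed by backup_certdb returns the directory to the state it had before the attempt.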
