Re: Netscape Enterprise Server 3.63 2048 bit ssl cert

2010-07-23 Thread msg
msg nos...@nospam.nowhere wrote in 
news:xns9dbd9d232636bnospamnospamnowh...@216.196.97.169:

 Greetings:
 
 The utility 'sec-key' bundled with Netscape Enterprise Server
 3.63 only generates 1024 bit keys; finding a CA with good browser
 acceptance who will issue a 1024 bit cert is a problem.  I need
 to find a way to generate a 2048 bit key-pair database file
 acceptable to NES 3.63 to use in generating a certificate request.
 
 I tried using openssl to generate the csr using the same challenge
 password that we used with a previous self-signed certificate; the
 crt returned from the CA installed well enough but the server
 complains of a password mismatch when we try to start it.
 
 I have now built NSS 3.12.3 and NSPR 4.8.4 on that system; is there
 a utility and/or api from NSS which would help me in this effort?
 'certutil' and 'symkeyutil' don't seem to grok the NES cert and key
 database files.
 
 All help is much appreciated.
 
 Michael

Further research suggests that the database files are in Berkeley DB
1.85 format and that there are tools available (such as db_dump and
db_load) which might help. After a half day of web searching I have
not found a repository for the tools (db_1.85 library is easy to find)
and only one website that has html-ified versions of the source code.
Searching the Oracle site has proven fruitless unless I want to
install 2GB of some recent release.

Does anyone have the Sleepycat Software Berkeley DB tools source code?

Thanks,

Michael
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
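
Added example, not part of the thread or of NSS: a quick check of whether a database file really is in the Berkeley DB 1.85 layout mentioned above, before hunting for matching dump/load tools. It relies on the Berkeley DB magic numbers (hash 0x061561, btree 0x053162), which sit at offset 0 in 1.85/1.86 files and at offset 12 in 2.x and later; `classify_bdb` and the sample headers are constructed for illustration.

```python
import struct
import sys

# Magic numbers defined in the Berkeley DB headers; unchanged across releases.
MAGICS = {0x00061561: "hash", 0x00053162: "btree"}


def classify_bdb(header: bytes):
    """Return (method, generation, byte_order, version), or None if no magic is found.

    1.85/1.86 files start with the magic; 2.x and later put an 8-byte LSN and
    a 4-byte page number in front of it, so the magic moves to offset 12.
    """
    for offset, generation in ((0, "1.85/1.86"), (12, "2.x or later")):
        if len(header) < offset + 8:
            continue
        for fmt, order in ((">I", "big-endian"), ("<I", "little-endian")):
            (magic,) = struct.unpack_from(fmt, header, offset)
            if magic not in MAGICS:
                continue
            (version,) = struct.unpack_from(fmt, header, offset + 4)
            method = MAGICS[magic]
            if offset == 0 and method == "hash":
                # Hash files bumped their version from 2 (1.85) to 3 (1.86).
                generation = "1.85" if version < 3 else "1.86"
            return method, generation, order, version
    return None


# Constructed sample headers (not taken from a real NES installation).
SAMPLE_185_HASH = struct.pack(">III", 0x061561, 2, 4321) + b"\x00" * 20
SAMPLE_NEWER_BTREE = b"\x00" * 12 + struct.pack("<II", 0x053162, 9)
SAMPLE_NOT_BDB = b"SQLite format 3\x00"

if __name__ == "__main__":
    # Usage: python classify_bdb.py <database file> [...]
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, classify_bdb(fh.read(32)))
```

A file reported as "2.x or later" needs the newer tools, while a 1.85 result means a 1.85-aware dumper (such as the `dump_db185` utility named later in the thread) is the one to try.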


Re: Netscape Enterprise Server 3.63 2048 bit ssl cert

2010-07-23 Thread msg
msg nos...@nospam.nowhere wrote in 
news:xns9dbe952da1bf1nospamnospamnowh...@216.196.97.169:

<snip>
 Does anyone have the Sleepycat Software Berkeley DB tools source code?
 

Specifically for db 1.85.

FWIW, ftp://ftp.sunfreeware.com/pub/SOURCES has a few packages, the
earliest of which contains the utilities is 'db-2.7.7.tar.gz'. Since
it contains 'dump_db185' I have yet to see if it has a compatible
db_load utility for 1.85 format databases.


Re: Netscape Enterprise Server 3.63 2048 bit ssl cert

2010-07-23 Thread Robert Relyea
On 07/23/2010 12:41 PM, msg wrote:
 msg nos...@nospam.nowhere wrote in 
 news:xns9dbd9d232636bnospamnospamnowh...@216.196.97.169:

   
 Greetings:

 The utility 'sec-key' bundled with Netscape Enterprise Server
 3.63 only generates 1024 bit keys; finding a CA with good browser
 acceptance who will issue a 1024 bit cert is a problem.  I need
 to find a way to generate a 2048 bit key-pair database file
 acceptable to NES 3.63 to use in generating a certificate request.

 I tried using openssl to generate the csr using the same challenge
 password that we used with a previous self-signed certificate; the
 crt returned from the CA installed well enough but the server
 complains of a password mismatch when we try to start it.

 I have now built NSS 3.12.3 and NSPR 4.8.4 on that system; is there
 a utility and/or api from NSS which would help me in this effort?
 'certutil' and 'symkeyutil' don't seem to grok the NES cert and key
 database files.
 
You may be stuck. I believe NES 3.63 ran using an older version of NSS
that is available in the open source world (or even available as shared
libraries, for that matter). I'm not sure if anyone has access to that
old source library.

certutil will be able to read those old NES databases (we've yet to
remove the code that knows how to update all the way from databases of
the earliest version of NSS), but it does not write those databases.
Those old versions of the netscape servers supposedly shipped their own
versions of certutil, and more importantly, pk11util (which is probably
the tool you want). If you have a copy that matches your NES, that might
work for you.

More likely you'll have to roll your own tool to import the key. Your
best bet for trying to figure out the format is to look at the NSS
update code and figure out how to write the data you need back.

For the cert, the upgrade is here:
http://mxr.mozilla.org/security/source/security/nss/lib/softoken/legacydb/pcertdb.c#4060

for the keydb, the upgrade is in two places. The basic upgrade is here:
http://mxr.mozilla.org/security/source/security/nss/lib/softoken/legacydb/keydb.c#612

The second is to force a change password call when the password is first
initialized. I don't know if NES is old enough to still be encrypting
passwords in salted rc4 rather than salted DES. The latter may explain
your password mismatch problem.

bob




 All help is much appreciated.

 Michael
 
 Further research suggests that the database files are in Berkeley DB
 1.85 format and that there are tools available (such as db_dump and
 db_load) which might help. After a half day of web searching I have
 not found a repository for the tools (db_1.85 library is easy to find)
 and only one website that has html-ified versions of the source code.
 Searching the Oracle site has proven fruitless unless I want to
 install 2GB of some recent release.

 Does anyone have the Sleepycat Software Berkeley DB tools source code?

 Thanks,

 Michael
   



Re: Netscape Enterprise Server 3.63 2048 bit ssl cert

2010-07-23 Thread Nelson B Bolyard
On 2010-07-23 13:48 PDT, Robert Relyea wrote:
 You may be stuck. I believe NES 3.63 ran using an older version of NSS
 that is available in the open source world (or even available as shared
 ^
NOT!

 libraries, for that matter). I'm not sure if anyone has access to that
 old source library.

Bob, I think you left an important word out of the above sentence.


Netscape Enterprise Server 3.63 2048 bit ssl cert

2010-07-22 Thread msg
Greetings:

The utility 'sec-key' bundled with Netscape Enterprise Server
3.63 only generates 1024 bit keys; finding a CA with good browser
acceptance who will issue a 1024 bit cert is a problem.  I need
to find a way to generate a 2048 bit key-pair database file
acceptable to NES 3.63 to use in generating a certificate request.

I tried using openssl to generate the csr using the same challenge
password that we used with a previous self-signed certificate; the
crt returned from the CA installed well enough but the server
complains of a password mismatch when we try to start it.

I have now built NSS 3.12.3 and NSPR 4.8.4 on that system; is there
a utility and/or api from NSS which would help me in this effort?
'certutil' and 'symkeyutil' don't seem to grok the NES cert and key
database files.

All help is much appreciated.

Michael