
List:       mozilla-crypto
Subject:    Re: pk12util export problems
From:       Nelson B <NOnelsonSPAM () NObolyard ! comSPAM ! netscape ! com>
Date:       2003-07-13 3:04:14

Anil Akurathi wrote:

>    I am trying to use pk12util tool to export certificates from the Netscape
> Certificate Store. I downloaded the sources and compiled those for Windows.
> I could use the program to Import certificates to the Netscape certificate
> store. However, I am not able to figure out how to use this utility for
> exporting certificates.
> 
>    The usage of the utility is as follows:
[usage snipped]
>     What do I have to pass as the parameter for option "-n". I couldn't
> figure out what the certname is? I can look at the Netscape preferences and
> look at the certificates that are currently there in the certificate store.
> I tried using the following command where "Anil" is the Subject Name of a
> certificate and get the following error.
> 
> pk12util.exe -o C:\Temp\Debug\ExportCert3.c -n "NSS Certificate DB:Anil"
> 
> c:\Anil\work\Nss\pk12util\Debug\pk12util.exe: find user certs from nickname
> failed: security library: bad database.

Hi Anil,

Here's some additional info that should be helpful.

First, since certificate subject names are often *very* long, NSS (mozilla's
package of crypto libraries and utility programs) gives certs "nicknames".
To see the nicknames of the certs in your certdb, you need to build the
program "certutil"  and run it with the -L  (list) option.

Second, all the NSS programs that use the cert database need to be told on
the command line the name of the directory in which to find the DB files.
They all use the -d option for this.

Third, you need to be sure that you're not running mozilla or any other
program that uses the DBs when you run any of the NSS command line utilities
on the DBs.  The DB library that NSS uses corrupts DBs when more than one
program accesses the DBs at the same time.

I suggest you exit your mozilla/Netscape browser, and then copy the
cert*.db, key3.db and secmod.db files to another directory, say
c:\temp\DBs and then use those copies for the command line tools.

certutil.exe -d C:\temp\DBs -L

will list the nicknames and trust flags for the certs in the DB.
Let's say you find a cert with a nickname of "Anil's cert".
Then, to export, you'd use a command something like this:

pk12util.exe -o C:\temp\Debug\ExportCert3.p12 -n "Anil's cert" -d C:\temp\DBs -k masterpw -w p12filepw

where masterpw is the password for your browser's key DB, and p12filepw
is the password that will protect the newly created .p12 file.

The "NSS Certificate DB:" prefix should not be necessary.  That's the
default.

--
Nelson Bolyard
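
The procedure in the reply above, scripted in PowerShell as an added example (not part of the original message and not NSS project code). The NSS tool directory, the profile directory and the process names are placeholders or assumptions; the password options are left out so that pk12util prompts for both passwords.

```powershell
# Added example. $NssBin, $ProfileDir and the process names are assumptions.
param(
    [string]$NssBin     = 'C:\path\to\nss\bin',          # placeholder: where your NSS build put the tools
    [string]$ProfileDir = 'C:\path\to\browser\profile',  # placeholder: directory with the live DB files
    [string]$WorkDir    = 'C:\temp\DBs',
    [string]$Nickname   = "Anil's cert",
    [string]$OutFile    = 'C:\temp\Debug\ExportCert3.p12',
    [string[]]$DbUsers  = @('mozilla', 'netscp')         # assumed process names of programs using the DBs
)
$ErrorActionPreference = 'Stop'

# Full paths: a bare "certutil.exe" on Windows can resolve to Microsoft's
# unrelated certutil in System32 instead of the NSS tool.
$certutil = Join-Path $NssBin 'certutil.exe'
$pk12util = Join-Path $NssBin 'pk12util.exe'

# 1. Stop if a program that uses the DBs is still running.
$running = Get-Process -Name $DbUsers -ErrorAction SilentlyContinue
if ($running) {
    $names = ($running | Select-Object -ExpandProperty Name -Unique) -join ', '
    throw "Exit these programs before touching the DBs: $names"
}

# 2. Copy the DB files and work only on the copies.
$dbFiles = @(Get-ChildItem -Path $ProfileDir -File |
    Where-Object { $_.Name -like 'cert*.db' -or $_.Name -in 'key3.db', 'secmod.db' })
foreach ($need in 'cert*.db', 'key3.db', 'secmod.db') {
    if (-not ($dbFiles | Where-Object { $_.Name -like $need })) {
        throw "No $need found in $ProfileDir"
    }
}
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$dbFiles | Copy-Item -Destination $WorkDir -Force

# 3. List nicknames and confirm the one to export is present.
$listing = & $certutil -d $WorkDir -L
if ($LASTEXITCODE -ne 0) { throw "certutil -L failed on $WorkDir" }
$listing
if (-not ($listing | Select-String -SimpleMatch -Pattern $Nickname)) {
    throw "Nickname '$Nickname' is not in the listing above"
}

# 4. Export. No password options are given, so pk12util prompts for them
#    and they never appear in the script or the process command line.
& $pk12util -o $OutFile -n $Nickname -d $WorkDir
if ($LASTEXITCODE -ne 0) { throw "pk12util export failed" }
Write-Host "Exported '$Nickname' to $OutFile"
```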

