I'm trying to get Windows Sync working on an evaluation copy of Red Hat Directory Server 7.1 SP3. I am stuck at the step where you export the directory server's certificate to a file. I use this command:

./pk12util -d . -P slapd-myserver- -o servercert.pfx -n Server-Cert

The response is:

Enter Password or Pin for "NSS Certificate DB"

After I enter the password, I get this error message:

pk12util-bin: find user certs from nickname failed: security library: bad database.

I have followed all the instructions for setting up SSL in the directory server and the admin server several times. The server and CA certificates have been requested and installed. Everything looks correct in the console screens. The slapd-myserver-cert8.db and slapd-myserver-key3.db files exist. I got tired of retyping the path to the pk12util file, so I copied it to the alias directory containing the certificates and databases.

What are some things I can try to get pk12util working? Or is there another way to export the certificate and key so that I can import them into the Windows certificate store? Could this be an NSS problem? Should I look for an NSS update?

I will try just about anything, but the boss is real keen on using Red Hat, as he believes the longer development cycle will make it easier to maintain in the long run. However, if Fedora Directory Server is the only option that works, I may be able to present it that way. I apologize for the off-topic question, but there doesn't seem to be any support for the evaluation of RHDS. Thanks.

-Glenn.
Glenn wrote:
> I'm trying to get Windows Sync working on an evaluation copy of Red Hat
> Directory Server 7.1 SP3. I am stuck at the step where you export the
> directory server's certificate to a file. I use this command:
>
> ./pk12util -d . -P slapd-myserver- -o servercert.pfx -n Server-Cert
>
> The response is:
>
> Enter Password or Pin for "NSS Certificate DB"
>
> After I enter the password, I get this error message:
>
> pk12util-bin: find user certs from nickname failed: security library: bad
> database.
>
> I have followed all the instructions for setting up SSL in the directory
> server and the admin server several times. The server and CA certificates
> have been requested and installed. Everything looks correct in the console
> screens. The slapd-myserver-cert8.db and slapd-myserver-key3.db files
> exist. I got tired of retyping the path to the pk12util file, so I copied
> it to the alias directory containing the certificates and databases.
>
> What are some things I can try to get pk12util working? Or is there another
> way to export the certificate and key so that I can import them into the
> Windows certificate store? Could this be an NSS problem? Should I look for
> an NSS update?
>
> I will try just about anything, but the boss is real keen on using Red Hat,
> as he believes the longer development cycle will make it easier to maintain
> in the long run. However, if Fedora Directory Server is the only option
> that works, I may be able to present it that way. I apologize for the
> off-topic question, but there doesn't seem to be any support for the
> evaluation of RHDS. Thanks. -Glenn.

You can try running:

certutil -L -d . -P slapd-myserver-

This will list the certificates and their nicknames. Or you can try 'server-cert' as the nickname instead of 'Server-Cert' with pk12util. I believe nicknames are case sensitive.

rob
Glenn wrote:
> I'm trying to get Windows Sync working on an evaluation copy of Red Hat
> Directory Server 7.1 SP3. I am stuck at the step where you export the
> directory server's certificate to a file. I use this command:
>
> ./pk12util -d . -P slapd-myserver- -o servercert.pfx -n Server-Cert
>
> The response is:
>
> Enter Password or Pin for "NSS Certificate DB"
>
> After I enter the password, I get this error message:
>
> pk12util-bin: find user certs from nickname failed: security library: bad
> database.
>
> I have followed all the instructions for setting up SSL in the directory
> server and the admin server several times. The server and CA certificates
> have been requested and installed. Everything looks correct in the console
> screens. The slapd-myserver-cert8.db and slapd-myserver-key3.db files
> exist. I got tired of retyping the path to the pk12util file, so I copied
> it to the alias directory containing the certificates and databases.
>
> What are some things I can try to get pk12util working? Or is there another
> way to export the certificate and key so that I can import them into the
> Windows certificate store? Could this be an NSS problem? Should I look for
> an NSS update?

I'm not sure what the problem is, but you can skip this step. This step is only to backup your private key material for archival purposes. It is not required to do this step in order to get TLS working.

> I will try just about anything, but the boss is real keen on using Red Hat,
> as he believes the longer development cycle will make it easier to maintain
> in the long run. However, if Fedora Directory Server is the only option
> that works, I may be able to present it that way. I apologize for the
> off-topic question, but there doesn't seem to be any support for the
> evaluation of RHDS. Thanks. -Glenn.
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
Are you sure you have the certificate (and key) named Server-Cert? You can check by doing a certutil -d . -P slapd-myserver- -L in the alias directory.

I just created an empty security database, and did a pk12util. It correctly reported your error.

---
[root@cseng tmp]# certutil -d . -N
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.

Enter new password:
Re-enter password:
[root@cseng tmp]# pk12util -d . -o a.p12 -n Server-Cert
Enter Password or Pin for "NSS Certificate DB":
pk12util: find user certs from nickname failed: security library: bad database.
---

thomas

Glenn wrote:
> I'm trying to get Windows Sync working on an evaluation copy of Red Hat
> Directory Server 7.1 SP3. I am stuck at the step where you export the
> directory server's certificate to a file. I use this command:
>
> ./pk12util -d . -P slapd-myserver- -o servercert.pfx -n Server-Cert
>
> The response is:
>
> Enter Password or Pin for "NSS Certificate DB"
>
> After I enter the password, I get this error message:
>
> pk12util-bin: find user certs from nickname failed: security library: bad
> database.
>
> I have followed all the instructions for setting up SSL in the directory
> server and the admin server several times. The server and CA certificates
> have been requested and installed. Everything looks correct in the console
> screens. The slapd-myserver-cert8.db and slapd-myserver-key3.db files
> exist. I got tired of retyping the path to the pk12util file, so I copied
> it to the alias directory containing the certificates and databases.
>
> What are some things I can try to get pk12util working? Or is there another
> way to export the certificate and key so that I can import them into the
> Windows certificate store? Could this be an NSS problem? Should I look for
> an NSS update?
>
> I will try just about anything, but the boss is real keen on using Red Hat,
> as he believes the longer development cycle will make it easier to maintain
> in the long run. However, if Fedora Directory Server is the only option
> that works, I may be able to present it that way. I apologize for the
> off-topic question, but there doesn't seem to be any support for the
> evaluation of RHDS. Thanks. -Glenn.
Thanks to all for the quick replies. The problem was indeed that the correct nickname is "server-cert", not "Server-Cert". I am sure I tried this yesterday, but I guess that was yesterday. This command does not work:

certutil -L -d . -P slapd-myserver-

It returns this error:

certutil-bin: NSS_Initialize failed: An I/O error occurred during security authorization.

Part of the difficulty with certificates seems to be that the documentation for the utilities is so sparse. If I knew that the nickname referred to the name of a certificate rather than the name of the database file, this might have been helpful.

I checked up2date, and it did download something called "nss-ldap", but this does not seem to have made a difference.

I would like to be able to use certutil, so if you can think of any reasons why it is not working, please share. Thanks again for your help.

-Glenn.

---------- Original Message -----------
From: Thomas Kwan <nkwan@redhat.com>
To: "General discussion list for the Fedora Directory server project." <fedora-directory-users@redhat.com>
Sent: Wed, 15 Nov 2006 08:23:59 -0800
Subject: Re: [Fedora-directory-users] pk12util error

> Are you sure you have the certificate (and key) named Server-Cert?
> You can check by doing a certutil -d . -P slapd-myserver- -L in
> the alias directory.
>
> I just created an empty security database, and did a pk12util.
> It correctly reported your error.
>
> ---
> [root@cseng tmp]# certutil -d . -N
> Enter a password which will be used to encrypt your keys.
> The password should be at least 8 characters long,
> and should contain at least one non-alphabetic character.
>
> Enter new password:
> Re-enter password:
> [root@cseng tmp]# pk12util -d . -o a.p12 -n Server-Cert
> Enter Password or Pin for "NSS Certificate DB":
> pk12util: find user certs from nickname failed: security library:
> bad database.
> ---
>
> thomas
Glenn wrote:
> Thanks to all for the quick replies. The problem was indeed that the
> correct nickname is "server-cert", not "Server-Cert". I am sure I tried
> this yesterday, but I guess that was yesterday. This command does not work:
>
> certutil -L -d . -P slapd-myserver-
>
> It returns this error:
>
> certutil-bin: NSS_Initialize failed: An I/O error occurred during security
> authorization.
>
> Part of the difficulty with certificates seems to be that the documentation
> for the utilities is so sparse. If I knew that the nickname referred to the
> name of a certificate rather than the name of the database file, this might
> have been helpful.
>
> I checked up2date, and it did download something called "nss-ldap", but this
> does not seem to have made a difference.
>
> I would like to be able to use certutil, so if you can think of any reasons
> why it is not working, please share. Thanks again for your help. -Glenn.

certutil is another NSS utility that ships with the directory server. It should be in the same place you found pk12util.

rob
Glenn wrote:
> Thanks to all for the quick replies. The problem was indeed that the
> correct nickname is "server-cert", not "Server-Cert". I am sure I tried
> this yesterday, but I guess that was yesterday. This command does not work:
>
> certutil -L -d . -P slapd-myserver-
>
> It returns this error:
>
> certutil-bin: NSS_Initialize failed: An I/O error occurred during security
> authorization.

In the alias directory, do

ls -al

What do you see? If you have the files cert8.db and key3.db, try

certutil -L -d .

> Part of the difficulty with certificates seems to be that the documentation
> for the utilities is so sparse. If I knew that the nickname referred to the
> name of a certificate rather than the name of the database file, this might
> have been helpful.
>
> I checked up2date, and it did download something called "nss-ldap", but this
> does not seem to have made a difference.
>
> I would like to be able to use certutil, so if you can think of any reasons
> why it is not working, please share. Thanks again for your help. -Glenn.
>
> ---------- Original Message -----------
> From: Thomas Kwan <nkwan@redhat.com>
> To: "General discussion list for the Fedora Directory server project."
> <fedora-directory-users@redhat.com>
> Sent: Wed, 15 Nov 2006 08:23:59 -0800
> Subject: Re: [Fedora-directory-users] pk12util error
>
>> Are you sure you have the certificate (and key) named Server-Cert?
>> You can check by doing a certutil -d . -P slapd-myserver- -L in
>> the alias directory.
>>
>> I just created an empty security database, and did a pk12util.
>> It correctly reported your error.
>>
>> ---
>> [root@cseng tmp]# certutil -d . -N
>> Enter a password which will be used to encrypt your keys.
>> The password should be at least 8 characters long,
>> and should contain at least one non-alphabetic character.
>>
>> Enter new password:
>> Re-enter password:
>> [root@cseng tmp]# pk12util -d . -o a.p12 -n Server-Cert
>> Enter Password or Pin for "NSS Certificate DB":
>> pk12util: find user certs from nickname failed: security library:
>> bad database.
>> ---
>>
>> thomas
certutil is one of the utilities from Mozilla's NSS project. Check this page out for certutil usage:

http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html

Regarding your error, can you make sure you run certutil in your alias directory, and check if you have files named slapd-myserver-cert8.db, slapd-myserver-key3.db.

-L specifies the directory where you have your security databases (cert8.db, key3.db, secmod.db)
-P specifies the prefix to the security database files

thomas

Glenn wrote:
> Thanks to all for the quick replies. The problem was indeed that the
> correct nickname is "server-cert", not "Server-Cert". I am sure I tried
> this yesterday, but I guess that was yesterday. This command does not work:
>
> certutil -L -d . -P slapd-myserver-
>
> It returns this error:
>
> certutil-bin: NSS_Initialize failed: An I/O error occurred during security
> authorization.
>
> Part of the difficulty with certificates seems to be that the documentation
> for the utilities is so sparse. If I knew that the nickname referred to the
> name of a certificate rather than the name of the database file, this might
> have been helpful.
>
> I checked up2date, and it did download something called "nss-ldap", but this
> does not seem to have made a difference.
>
> I would like to be able to use certutil, so if you can think of any reasons
> why it is not working, please share. Thanks again for your help. -Glenn.
>
> ---------- Original Message -----------
> From: Thomas Kwan <nkwan@redhat.com>
> To: "General discussion list for the Fedora Directory server project."
> <fedora-directory-users@redhat.com>
> Sent: Wed, 15 Nov 2006 08:23:59 -0800
> Subject: Re: [Fedora-directory-users] pk12util error
>
>> Are you sure you have the certificate (and key) named Server-Cert?
>> You can check by doing a certutil -d . -P slapd-myserver- -L in
>> the alias directory.
>>
>> I just created an empty security database, and did a pk12util.
>> It correctly reported your error.
>>
>> ---
>> [root@cseng tmp]# certutil -d . -N
>> Enter a password which will be used to encrypt your keys.
>> The password should be at least 8 characters long,
>> and should contain at least one non-alphabetic character.
>>
>> Enter new password:
>> Re-enter password:
>> [root@cseng tmp]# pk12util -d . -o a.p12 -n Server-Cert
>> Enter Password or Pin for "NSS Certificate DB":
>> pk12util: find user certs from nickname failed: security library:
>> bad database.
>> ---
>>
>> thomas
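The two failures in this thread have distinct causes that the NSS error strings do not make obvious: "find user certs from nickname failed: security library: bad database" means the nickname given to pk12util -n did not match any certificate in the database (nickname lookup is case sensitive, so "Server-Cert" does not find "server-cert"), while "NSS_Initialize failed: An I/O error occurred during security authorization" means NSS could not open the database files at all, which is what happens when -d (the database directory) and -P (the file-name prefix) do not combine to the files that actually exist. The following Python script is an added example, not code from the thread or from the NSS project: it performs both checks before the tools are run, using a constructed `certutil -L` listing and a scratch directory with empty stand-in cert8.db/key3.db files, so it runs offline. The prefix `slapd-myserve-` is a constructed typo standing in for the wrong server name Glenn reports typing.

```python
"""Pre-flight checks for pk12util/certutil against a legacy (cert8/key3) NSS database.

Added example, not from the mailing-list thread or from NSS. It reproduces
the two diagnoses the thread arrives at without needing the NSS tools installed.
"""
import os
import re
import tempfile

# Legacy NSS database file names. The -P prefix is prepended to each of them,
# e.g. "slapd-myserver-" + "cert8.db" -> "slapd-myserver-cert8.db".
LEGACY_DB_FILES = ("cert8.db", "key3.db")

# Trust-attribute column as printed by `certutil -L`: three comma-separated
# groups of trust flags such as "u,u,u" or "CT,,".
_TRUST_RE = re.compile(r"^[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*$")


def missing_db_files(db_dir, prefix=""):
    """Return the database files that -d/-P point at but that do not exist.
    A non-empty result is the usual cause of
    'NSS_Initialize failed: An I/O error occurred during security authorization'."""
    return [name for name in LEGACY_DB_FILES
            if not os.path.isfile(os.path.join(db_dir, prefix + name))]


def parse_certutil_listing(text):
    """Parse `certutil -L` output into {nickname: trust_attributes}.
    Nicknames may contain spaces, so each row is split from the right on the
    trust column; header lines have no trust column and are skipped."""
    certs = {}
    for line in text.splitlines():
        parts = line.rstrip().rsplit(None, 1)
        if len(parts) != 2 or not _TRUST_RE.match(parts[1]):
            continue
        nickname, trust = parts
        certs[nickname.rstrip()] = trust
    return certs


def resolve_nickname(requested, certs):
    """Return the exact nickname to pass to pk12util -n, or None.
    NSS lookup is case sensitive; a wrong-case nickname yields
    'find user certs from nickname failed: security library: bad database'.
    An exact match wins; otherwise a unique case-insensitive match is returned
    so the operator sees the spelling the database actually uses."""
    if requested in certs:
        return requested
    folded = [n for n in certs if n.lower() == requested.lower()]
    return folded[0] if len(folded) == 1 else None


def exportable(requested, certs):
    """pk12util can only export certificates that have a private key in key3.db;
    `certutil -L` marks those with the 'u' (user) flag in the SSL trust group."""
    nick = resolve_nickname(requested, certs)
    return nick is not None and "u" in certs[nick].split(",")[0]


def pk12util_command(db_dir, prefix, nickname, out_file):
    """Assemble the export command from the validated pieces."""
    return ["pk12util", "-d", db_dir, "-P", prefix, "-o", out_file, "-n", nickname]


# Constructed sample of what `certutil -L -d . -P slapd-myserver-` prints for a
# server holding its own key pair plus the issuing CA certificate.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

server-cert                                                  u,u,u
CA certificate                                               CT,,
"""


def demo():
    """Run both checks against the constructed sample and return the findings."""
    certs = parse_certutil_listing(SAMPLE_LISTING)
    with tempfile.TemporaryDirectory() as alias_dir:
        # Stand-in database files mirroring the thread's alias directory.
        for name in LEGACY_DB_FILES:
            open(os.path.join(alias_dir, "slapd-myserver-" + name), "w").close()
        right = missing_db_files(alias_dir, "slapd-myserver-")
        wrong = missing_db_files(alias_dir, "slapd-myserve-")  # constructed typo
    nick = resolve_nickname("Server-Cert", certs)
    return {
        "certs": certs,
        "right_prefix_missing": right,
        "wrong_prefix_missing": wrong,
        "resolved": nick,
        "exportable": exportable("Server-Cert", certs),
        "ca_exportable": exportable("CA certificate", certs),
        "command": pk12util_command(".", "slapd-myserver-", nick, "servercert.pfx"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With a real database, replace SAMPLE_LISTING by the captured output of `certutil -L -d <dir> -P <prefix>` and run missing_db_files first: if it reports anything, fix -d/-P before reading any nickname error into the result, since NSS never got as far as looking up a nickname.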
O.K., now I feel really dumb. I had certutil, certutil-bin, and all the database and certificate files in the alias directory. When I ran the command, I actually typed "myserver" instead of the name of the server! The command works fine when I type the correct server name. I've been at this too long, and I'm going for a cup of coffee now. Thanks again for your patient assistance. You guys are great!

-Glenn.

---------- Original Message -----------
From: Thomas Kwan <nkwan@redhat.com>
To: "General discussion list for the Fedora Directory server project." <fedora-directory-users@redhat.com>
Sent: Wed, 15 Nov 2006 08:58:59 -0800
Subject: Re: [Fedora-directory-users] pk12util error

> certutil is one of the utilities from Mozilla's NSS project.
> Check this page out for certutil usage:
>
> http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html
>
> Regarding your error, can you make sure you run certutil in
> your alias directory, and check if you have files named
> slapd-myserver-cert8.db, slapd-myserver-key3.db.
>
> -L specifies the directory where you have your security databases
> (cert8.db, key3.db, secmod.db)
> -P specifies the prefix to the security database files
>
> thomas
>
> Glenn wrote:
>
> > Thanks to all for the quick replies. The problem was indeed that the
> > correct nickname is "server-cert", not "Server-Cert". I am sure I tried
> > this yesterday, but I guess that was yesterday. This command does not work:
> >
> > certutil -L -d . -P slapd-myserver-
> >
> > It returns this error:
> >
> > certutil-bin: NSS_Initialize failed: An I/O error occurred during security
> > authorization.
> >
> > Part of the difficulty with certificates seems to be that the documentation
> > for the utilities is so sparse. If I knew that the nickname referred to the
> > name of a certificate rather than the name of the database file, this might
> > have been helpful.
> >
> > I checked up2date, and it did download something called "nss-ldap", but this
> > does not seem to have made a difference.
> >
> > I would like to be able to use certutil, so if you can think of any reasons
> > why it is not working, please share. Thanks again for your help. -Glenn.
> >
> > ---------- Original Message -----------
> > From: Thomas Kwan <nkwan@redhat.com>
> > To: "General discussion list for the Fedora Directory server project."
> > <fedora-directory-users@redhat.com>
> > Sent: Wed, 15 Nov 2006 08:23:59 -0800
> > Subject: Re: [Fedora-directory-users] pk12util error
> >
> >> Are you sure you have the certificate (and key) named Server-Cert?
> >> You can check by doing a certutil -d . -P slapd-myserver- -L in
> >> the alias directory.
> >>
> >> I just created an empty security database, and did a pk12util.
> >> It correctly reported your error.
> >>
> >> ---
> >> [root@cseng tmp]# certutil -d . -N
> >> Enter a password which will be used to encrypt your keys.
> >> The password should be at least 8 characters long,
> >> and should contain at least one non-alphabetic character.
> >>
> >> Enter new password:
> >> Re-enter password:
> >> [root@cseng tmp]# pk12util -d . -o a.p12 -n Server-Cert
> >> Enter Password or Pin for "NSS Certificate DB":
> >> pk12util: find user certs from nickname failed: security library:
> >> bad database.
> >> ---
> >>
> >> thomas
------- End of Original Message -------