Best Answer

Creating a cert7.db could be really tricky in some cases.

Basically there are two ways you can obtain one:

* By installing an old Netscape browser (v.4.79 would do the trick) and fetching it from your user profile (please complete this procedure if you choose to do so).
* By using the Netscape Network Security Services (NSS) tool set (currently maintained by Mozilla).

The NSS tools include a utility called certutil, which is able (among other things) to translate a traditional security certificate (in PEM or CER format) into a cert7.db file... sounds like exactly what you need. The problem is that versions newer than 3.2 of the NSS toolkit only create cert8.db files, which are not compatible with some LDAP clients. You can still try to use one of those but you may run into problems.

If you intend to use a package from your Linux distribution (like libnss3-tool for Debian) in order to generate a cert7.db file, you have to make sure that it's old enough (take note that the current description of the libnss3-tool package for Debian wrongly describes it as being able to generate cert7.db).

Alternatively you can grab an older version of the toolkit from this FTP site (successfully tested with version 3.2.2):

ftp.mozilla.org/pub/mozilla.org/security/nss/releases

Once extracted, simply copy the libraries in the ./lib subdir into a place where your system can find them (for example /usr/lib). Then you can run the certutil utility located in the /bin subdir. You'll also need a working installation of the Netscape Portable Runtime library (NSPR). Your distribution may provide it (as long as you have a version >= 4, there should be no problem).

If you're ready, you can proceed with the first step: creating the empty database for storing the certificates. First, you'll have to create the directory to store the database (the default is $home/.netscape):

mkdir /home/user/.netscape

(If you don't do so, you'll get a very clear error message saying: certutil: NSS_Initialize failed: security library: bad database.) Once it's done you can add your CA certificate by executing something like this:

certutil -A -n "certificateName" -t "C,C,C" -a -i certFile -d path

* -A says that we want to add a certificate to the database.
* -n gives the nickname related to this certificate (for example "CACert Org."); this is not a critical parameter.
* -t provides the "trust attributes" of the certificate (we'll see this later).
* -a says that the certificate is in ASCII format (PEM); do not use it if your certificate is in CER format.
* -i gives the path to the certificate file.
* -d should be the path to the directory containing the database ($home/.netscape, by default).

If your certificate has been signed by a root CA, your database will need to include your server certificate AND the certificate of the root CA.

The certificate of the root CA (or your server certificate if self-signed) should contain at least the following trust attribute: "C,,". It says that this CA provides trusted server certificates for SSL connections. You can expand this attribute to "C,C,C" if the CA you're using also authenticates certificates intended to be used for S/MIME content (i.e. email) or cryptographic operations on generic objects. The attribute "T" does the same but for client certificates. If you want to trust all content signed by your CA, you may specify: "CT,CT,CT".

If your server certificate is not self-signed, you have to add it separately using the p attribute, which specifies that it's a trusted peer (= server, as opposed to the 'u' attribute for client certificates), so at least: "p,,,".

This way your cert7.db file should be complete.

It's very difficult to understand why, for such a critical feature, LDAP clients still use a certificate database in this old and non-open format, without providing any utility to simply create such a database.

If you want to learn more about trust attributes:

http://docs.sun.com/source/816-6732-10/authctn.html

Or about the cert7.db format:

http://www.mozilla.org/projects/security/pki/nss/db_formats.html

Wiki User

15y ago
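
The import steps from the answer above as a script, added here as an example and not part of the original answer: it passes -a only for PEM input, picks the trust string by role, and by default only prints each certutil call. The nicknames, file names and the DRY_RUN switch are assumptions; trust strings are written in the three-field form of "C,,".

```shell
#!/bin/sh
# Added example, not from the original answer. DRY_RUN=1 (default) only
# prints the certutil calls; set DRY_RUN=0 to run them against real files.

# "-a" for a PEM (ASCII) certificate, nothing for a binary CER/DER file.
cert_input_flag() {
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$1"; then
        printf '%s' '-a'
    fi
}

# Trust string per role; -t takes three comma-separated fields.
trust_for_role() {
    case "$1" in
        ca)     printf '%s' 'C,,' ;;  # CA trusted to issue SSL server certs
        server) printf '%s' 'p,,' ;;  # peer (server) certificate
        *)      echo "unknown role: $1" >&2; return 1 ;;
    esac
}

# usage: add_cert ROLE NICKNAME CERTFILE DBDIR
add_cert() {
    [ -r "$3" ] || { echo "cannot read $3" >&2; return 1; }
    trust=$(trust_for_role "$1") || return 1
    flag=$(cert_input_flag "$3")
    # $flag is left unquoted on purpose so an empty value adds no argument.
    set -- certutil -A -n "$2" -t "$trust" $flag -i "$3" -d "$4"
    if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Constructed sample inputs (placeholders, not real certificates).
demo=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' > "$demo/ca.pem"
printf '\060\202\003\125' > "$demo/server.cer"
mkdir -p "$demo/db"            # the database directory must exist first

add_cert ca     "example-root-ca" "$demo/ca.pem"     "$demo/db"
add_cert server "ldap-server"     "$demo/server.cer" "$demo/db"
```

After a real run (DRY_RUN=0 with actual certificate files), `certutil -L -d` on the database directory lists the stored nicknames and their trust attributes.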
Q: How do you insert an SSL certificate in a cert7.db file You have an LDAP server running with SSL. You need a cert7.db file with the LDAP's certificate on the client box. How do you do that?