How do you insert an SSL certificate in a cert7.db file You have an LDAP server running with SSL. You need a cert7.db file with the LDAP's certificate on the client box. How do you do that?

Creating a cert7.db could be really tricky in some case.

Basically there is two way you can obtain one:

• By installing a old Netscape browser (v.4.79 would do the trick) and to fetch it in your user profile (please complete this procedure if you choose to do so).
• Use the Netscape Network Security Service (NSS) tool set (currently maintained by mozilla).
  

The NSS tools include a utility called certutil, which is able (among other things), to translate a traditional security certificate (in PEM or CER format) into a cert7.db file... sounds like exactly what you need. The problem is that version newer than 3.2 of the nss toolkits only create cert8.db file, which are not compatible with some ldap client. You can still try to use one of those but you may ran into problems.

If you intend to use a package from your Linux distribution (like libnss3-tool for debian) in order to generate a cert7.db file, you have to make sure that it's old enough (take note that the current description of the libnss3-tool package for debian wrongly describe it as being able to generate cert7.db).

Alternatively you can grab a older version of the toolkit on this FTP site (successfully tested with version 3.2.2):

ftp.mozilla.org/pub/mozilla.org/security/nss/releases

Once extracted, simply copy the libraries in the ./lib subdir into a place where you system can found them (for example /usr/lib). Then you can run the certutil utililty located in the /bin subdir.

You'll also need a working installation of the NetScape Portable Runtime Library (NPSR). Your distribution maybe provide it (as long as you have a version >= 4, there should be no problem).

If you're ready, you can proceed with the first step: creating the empty database for storing the certificates. First, you'll have to create the directory to store the database (the default is $home/.netscape):

(if you don't do so, you'll get a very clear error message saying: certutil: NSS_Initialize failed: security library: bad database.)

Once it's done you can add your CA certificate by executing something like that:

certutil -A -n "certificateName" -t "C,C,C" -a -i certFile -d path

-A says that we want to add a certificate to the database. -n tell the nickname related to this certificate (for example "CACert Org."), this is not a critical parameter, -t provide the "Trust attributes" of the certificate (we'll see this later), -a say that the certificate is in ASCII format (PEM), do not use it if you're certificate is in CER format, -i gives the path to the certificate file and finally -d should be the path to directory containing the database ($home/.netscape, by default).

If your certificate has been signed by a root CA, your database we'll need to include your server certificate AND the certificate of the Root CA.

The certificate of the root CA (or from your server certificate if self-signed), should contains at least the following trust attribute: "C,,". It's says that this CA provide trusted server certificates for SSL connection. You can expand this attribute to "C,C,C" if it the CA you're using also authenticate certificate intended to be used for S/MIME content (ie: email) or cryptographic operation on generic objects. The attribute "T" does the same but considering client certificates. If you want to trust all content signed by your CA may specify: "CT,CT,CT".

If your server certificate is not self signed, you have to separately add it by using the p attribute which will specify that he's a trusted peer (=server, by opposition to the 'u' attribute for client certificate), so at least: "p,,,".

In this way you cert7.db file should be complete.

It's very difficult to unterstand why, for such a critical feature, LDAP clients still use a certificate database in this old and non-open format, without providing any utility to create simply such database.

If you want to learn more about trust attributes:

http://docs.sun.com/source/816-6732-10/authctn.html

Or about the cert7.db format:

http://www.mozilla.org/projects/security/pki/nss/db_formats.html

First answer by ID3221806674. Last edit by Super panda. Contributor trust: 1 [recommend contributor]. Question popularity: 1 [recommend question]