RE: Netscape CA Cert Replacement...

Anonymous Tue, 15 Jun 1999 19:36:36 -0700
Hi All,
        I've come up with some answers:

        The Netscape .db file is not an informix database file as I
initially suspected, I still don't really understand what it is but I found
out how to create one :-) (see the link below for more NS info). 

        You can generate an openSSL certificate for your Netscape products.

        It probably won't do you any good, as the RC2 and RC4 ciphers appear
to be hard coded to 40 bits, and ignore the keys that you use :-( {If anyone
finds a way around this let me know!}

        For anyone who would like to try and replace their Netscape keys
this is what I did for Netscape Proxy Server v3.52:

1) Generate a key pair:
        openssl genrsa -des3 -out new.key 1024

2) Munge this key pair into Netscape format:
        openssl rsa new.key -outform NET -out new_key.der
        rkey11 new_key.der new_key.db
(The rkey11 binary is shipped with various Netscape Server Products look in
the bin directories)

3) For Netscape Proxy 3.52 create an alias in the key & certificate area
        Alias           : Whatever you like
        Key Pair File   : /full/path/to/new_key.db
        Certificate File: <Leave Blank>

4) Create a certificate request:
        a) From the Netscape admin server with the request certificate
option
        b) or From openSSL with
                openssl req -new new.key -out newreq.pem

5) Take the request from a) or b) above and copy it into newreq.pem in the
root directory of your openSSL CA area and sign it:
        CA.sh -sign

6) Copy the certificate that is generated into the Netscape admin tools
Install Certificate section:
        Certificate For: This Server
        Message Text   : The data you copied from the signing in 5)
        Alias          : Whatever you like <From 3) above>
And click on OK.

7) Now its just a matter of selecting that certificate for the server you
require.

I am yet to test this with CAserver your mileage may vary...

Thanks to [EMAIL PROTECTED] (from modssl-users list) and the owner of
http://www.drh-consultancy.demon.co.uk/nskey.html who's semi-unrelated but
very valuable info guided me to this final hack.

All the best,
Anthony Wyatt

> -----Original Message-----
> From: Marcus Röder [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, June 09, 1999 6:43 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Netscape CA Cert Replacement...
> 
> 
> 
> Hi,
> 
> so do you know how to extract or compose such .db-files? What's their
> format?
> 
>  Marcus.
> 
> 
> "Wyatt, Anthony" wrote:
> > 
> > Sorry all,
> >   I just read the instructions and I found out how to do it.
> > 
> > Sorry to waste everyones time.
> > 
> > Anthony
> > 
> > > -----Original Message-----
> > > From: Wyatt, Anthony
> > > Sent: Wednesday, June 09, 1999 3:34 PM
> > > To:   '[EMAIL PROTECTED]'
> > > Subject:      Netscape CA Cert Replacement...
> > >
> > > Hi,
> > >     I have an Export Version of Netscapes Certificate 
> server.  What I
> > > would like to do is generate new keys for it from my 
> openSLL CA.  The
> > > Netscape doco explains how to generate a new server key 
> with a packaged
> > > command called sec-key.  It asks where I want to put the 
> key, then asks
> > > for a bunch of random keystrokes from the keyboard, and finally a
> > > password.  The file is creates is:
> > >
> > > -rw-------    1 root  other           32768 Jun    9 
> 10:07 /tmp/test.db
> > >
> > > The next part of the session is to create a certificate 
> signing request
> > > from this .db file.  I can sign this with openSSL, but it 
> is only a rc2-40
> > > certificate.
> > >
> > > Does anyone know how I can create a similar .db file like 
> the one listed
> > > above?
> > >
> > > Any help would be greatly appreciated,
> > > Anthony Wyatt
> > 
> ______________________________________________________________________
> > OpenSSL Project                                 
> http://www.openssl.org
> > User Support Mailing List            
>         [EMAIL PROTECTED]
> > Automated List Manager                           
> [EMAIL PROTECTED]
> 
> -- 
> Marcus Roeder
> System Services & Administration
> --------------------------------------------------------------
> -------------
>       ///  ////////        IS Internet Services GmbH & Co
>      ///  //               Harburger Schlossstr. 6 - 12, 
> D-21079 Hamburg
>     ///  ////////          Tel: +49-40/7 66 29-16 23    Fax: -421
>    ///        //           http://www.is-europe.net
>   ///  ////////            mailto:[EMAIL PROTECTED]
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    [EMAIL PROTECTED]
> Automated List Manager                           [EMAIL PROTECTED]
> 
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
RE: Netscape CA Cert Replacement...

Reply via email to
