Private Keys and Netscape Server Products.
If you've read my PKCS#12 FAQ you'll know that you can export a key and
certificate from Netscape Communicator and use my PKCS#12 program to decrypt
the private key.
A similar question that is asked quite often is how to extract the private
key from Netscape Server products (SSL Servers and Certificate Server).
I've recently been sent some test databases to play with and they look
rather similar to Netscape Navigator 3.0 databases. With a bit of trickery
they can be accessed and the private key extracted.
It is also possible to also do things the other way round. Check out
the import section for details.
You will need a copy of Netscape Navigator 3.0 and Netscape Communicator
4.0. You'll also need some kind of certificate (either your own or one
generated by SSLeay/OpenSSL for example) and my PKCS#12 program.
Anyway here goes...
Despite its convoluted nature several people have reported that this technique
Delete the key.db and cert5.db files from the 3.0 directory.
Start and exit 3.0 to create a default key and certificate database.
Overwrite the key.db file with the server key database file.
Start 3.0 and set the password. It must be the same as the password
you used with the database before. If you get it wrong the database will
be unusable but you wont notice until the next step.
Change the password. If you get an error then you may have mistyped the
password in the previous step.
Delete the cert7.db and key3.db files from a 4.0 user directory.
Copy the key.db and cert5.db files from the 3.0 directory
into the 4.0 user directory.
Start 4.0 and change the password. There should be no errors. Exit 4.0
just to be sure.
You now need to install a certificate corresponding to the private key.
You may be able to use the server certificate or create a dummy certificate
with SSLeay if you have a certificate request for the server private key.
You install the certificate by sending it to the browser as MIME type application/x-x509-user-cert.
Under Windows for example you can add a new MIME type with a appropriate
extension and just point the browser at the file.
If all is well the certificate is accepted and it will appear under Security->Yours.
Export the certificate to a file.
Use my PKCS#12 utility to extract the private key: e.g. pkcs12 -nocerts
-in cert.p12 -out key.pem
Delete the cert7.db key3.db, cert5.db and key.db files
from the 3.0 and 4.0 directories.
Importation of Keys.
A natural question is: can I use an OpenSSL/SSLeay generated private key
with Netscape servers too?
SSLeay and OpenSSL can handle the older server format using the inform
NET and outform NET options, the older format was changed because
it was horribly insecure. Netscape servers do come with a tool to convert
the older format to the new called rkey11.
So this should work:
rsa -in key.pem -outform NET -out net.der
rkey11 net.der key.db