Private Keys and Netscape Server Products.


If you've read my PKCS#12 FAQ you'll know that you can export a key and certificate from Netscape Communicator and use my PKCS#12 program to decrypt the private key.

A similar question that is asked quite often is how to extract the private key from Netscape Server products (SSL Servers and Certificate Server).

I've recently been sent some test databases to play with and they look rather similar to Netscape Navigator 3.0 databases. With a bit of trickery they can be accessed and the private key extracted.

It is also possible to do things the other way round. Check out the import section for details.

Extraction Details.

You will need a copy of Netscape Navigator 3.0 and Netscape Communicator 4.0. You'll also need some kind of certificate (either your own or one generated by SSLeay/OpenSSL for example) and my PKCS#12 program.

Anyway here goes...

  1. Delete the key.db and cert5.db files from the 3.0 directory.
  2. Start and exit 3.0 to create a default key and certificate database.
  3. Overwrite the key.db file with the server key database file.
  4. Start 3.0 and set the password. It must be the same as the password you used with the database before. If you get it wrong the database will be unusable, but you won't notice until the next step.
  5. Change the password. If you get an error then you may have mistyped the password in the previous step.
  6. Exit 3.0.
  7. Delete the cert7.db and key3.db files from a 4.0 user directory.
  8. Copy the key.db and cert5.db files from the 3.0 directory into the 4.0 user directory.
  9. Start 4.0 and change the password. There should be no errors. Exit 4.0 just to be sure.
  10. You now need to install a certificate corresponding to the private key. You may be able to use the server certificate, or create a dummy certificate with SSLeay if you have a certificate request for the server private key. You install the certificate by sending it to the browser as MIME type application/x-x509-user-cert. Under Windows, for example, you can add a new MIME type with an appropriate extension and just point the browser at the file.
  11. If all is well the certificate is accepted and it will appear under Security->Yours.
  12. Export the certificate to a file.
  13. Use my PKCS#12 utility to extract the private key: e.g. pkcs12 -nocerts -in cert.p12 -out key.pem
  14. Delete the cert7.db, key3.db, cert5.db and key.db files from the 3.0 and 4.0 directories.

Despite its convoluted nature several people have reported that this technique works.
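The file-shuffling parts of the procedure above (steps 1, 3, 7, 8 and 14) are easy to get out of order, so here they are as checked shell functions. This is an added example, not a script from the original page: the directory arguments are assumptions for your own installation, the GUI steps (4-6 and 9-12) are still done by hand in Navigator 3.0 and Communicator 4.0, and step 13 is still the author's pkcs12 utility run by hand.

```shell
#!/bin/sh
# Added example: wraps the file handling steps of the Netscape server key
# extraction procedure in functions that refuse to run out of order.
# Directory paths are assumptions; pass your own 3.0 and 4.0 directories.
set -eu

# Step 1: remove the 3.0 databases so Navigator recreates defaults (step 2).
nav3_clear_dbs() {
    dir3=$1
    rm -f "$dir3/key.db" "$dir3/cert5.db"
}

# Step 3: overwrite the freshly created key.db with the server key database.
# Refuses to run before step 2 has produced both databases, so the password
# sequence in steps 4 and 5 starts from the state the procedure expects.
nav3_install_server_keydb() {
    dir3=$1; server_keydb=$2
    if [ ! -f "$dir3/key.db" ] || [ ! -f "$dir3/cert5.db" ]; then
        echo "start and exit Navigator 3.0 first (step 2)" >&2
        return 1
    fi
    cp "$server_keydb" "$dir3/key.db"
}

# Steps 7 and 8: clear the 4.0 user profile databases, then copy the 3.0
# key.db and cert5.db across; 4.0 converts them on its next start (step 9).
nav4_stage_dbs() {
    dir3=$1; dir4=$2
    rm -f "$dir4/cert7.db" "$dir4/key3.db"
    cp "$dir3/key.db" "$dir3/cert5.db" "$dir4/"
}

# Step 14: remove every database copy from both directories once key.pem has
# been extracted, so the server's private key does not linger in browser
# profiles. Returns 1 if any copy is still present afterwards.
cleanup_dbs() {
    dir3=$1; dir4=$2
    for d in "$dir3" "$dir4"; do
        rm -f "$d/cert7.db" "$d/key3.db" "$d/cert5.db" "$d/key.db"
    done
    for d in "$dir3" "$dir4"; do
        for f in cert7.db key3.db cert5.db key.db; do
            [ ! -e "$d/$f" ] || return 1
        done
    done
}

# Usage (run each between the corresponding manual steps):
#   nav3_clear_dbs ~/nav3
#   nav3_install_server_keydb ~/nav3 /path/to/server/key.db
#   nav4_stage_dbs ~/nav3 ~/nav4/Users/me
#   cleanup_dbs ~/nav3 ~/nav4/Users/me
```

The ordering check in nav3_install_server_keydb matters because of step 4: if key.db is dropped in before 3.0 has created its own databases, the password prompts do not behave as the procedure describes and you only find out at step 5. The cleanup function exists because, after step 13, four files in two browser directories still hold the server's private key.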

Importation of Keys.

A natural question is: can I use an OpenSSL/SSLeay generated private key with Netscape servers too?

SSLeay and OpenSSL can handle the older server key format via the -inform NET and -outform NET options; the older format was replaced because it was horribly insecure. Netscape servers come with a tool, rkey11, to convert the older format to the new one.

So this should work:

rsa -in key.pem -outform NET -out net.der
rkey11 net.der key.db