{{tag>Brouillon}}
= PKI Java pk12 pk12util certutil libnss3-tools NSS
See:
* https://fy.blackhats.net.au/blog/html/pages/nss_and_openssl_command_reference.html
* https://connect.ed-diamond.com/GNU-Linux-Magazine/GLMF-135/Integration-d-un-algorithme-cryptographique-symetrique-dans-OpenSSL-et-NSS
* https://chromium.googlesource.com/chromium/src/+/master/docs/linux_cert_management.md
* https://access.redhat.com/documentation/fr-fr/red_hat_certificate_system/9/html/administration_guide_common_criteria_edition/managing_certificate_key_crypto_token
See also:
* PKICertImport
NSS
Network Security Services (NSS) is a set of libraries designed to
support cross-platform development of security-enabled client and server
applications. Applications built with NSS can support SSL v2 and v3,
TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and
other security standards. For detailed information on standards supported, see
http://www.mozilla.org/projects/security/pki/nss/overview.html.
https://curl.haxx.se/docs/sslcerts.html
If libcurl was built with NSS support, then depending on the OS distribution, it is probably required to take some additional steps to use the system-wide CA cert db. RedHat ships with an additional module, libnsspem.so, which enables NSS to read the OpenSSL PEM CA bundle. On openSUSE you can install p11-kit-nss-trust which makes NSS use the system wide CA certificate store. NSS also has a new database format.
Starting with version 7.19.7, libcurl automatically adds the 'sql:' prefix to the certdb directory (either the hardcoded default /etc/pki/nssdb or the directory configured with SSL_DIR environment variable). To check which certdb format your distribution provides, examine the default certdb location: /etc/pki/nssdb; the new certdb format can be identified by the filenames cert9.db, key4.db, pkcs11.txt; filenames of older versions are cert8.db, key3.db, secmod.db.
Test CA
openssl s_client -connect foo.whatever.com:443 -CApath /etc/ssl/certs
Install NSS
sudo apt-get update
# Obsolete
#sudo apt-get install -y p11-kit libnss3
#sudo apt-get install p11-kit-modules
# Install certutil
sudo apt-get install libnss3-tools
Converting certs to p12 format
openssl pkcs12 -export -inkey your_private_key.key -in result.pem -name my_name -out final_result.p12
openssl pkcs12 -export -inkey your_private_key.key -in your_certificate.cer -certfile your_chain.pem -out final_result.p12
Creating the NSS DB
mkdir -p ~/.pki/nssdb
chmod 700 ~/.pki/nssdb
certutil -N -d $HOME/.pki/nssdb --empty-password
Importing the p12 certificate into the NSS DB
pk12util -i server.p12 -d $HOME/.pki/nssdb -n Test
Check: list the certificates
certutil -L -d sql:$HOME/.pki/nssdb
certutil -L -d sql:. -a -n "Amazon" | openssl x509 -text -noout
Import each proxy certificate as trusted
# list of hosts to get certificates from
hosts="ip-of-squid-proxy1:443 ip-of-squid-proxy2:443"
for host in ${hosts}; do
# stdin is closed so s_client exits right after the handshake; only the PEM block is kept
openssl s_client -connect "${host}" -prexit </dev/null 2>/dev/null | sed -n -e '/BEGIN CERTIFICATE/,/END CERTIFICATE/ p' > "${host}.crt"
certutil -d sql:$HOME/.pki/nssdb -A -t P,P,P -n "${host}" -i "${host}.crt"
rm "${host}.crt"
done
Source: https://gist.github.com/seanorama/b453524b8f24dcb625a901bc4d503a86
Other: importing a .crt
certutil -A -n "Test" -t ",," -i plop.fr.crt -d .
# CA
certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n GoAgent -i ~/programs/goagent/local/CA.crt
NSS DB PATH for curl
export SSL_DIR=$HOME/.pki/nssdb
Building curl
./configure --with-ssl --without-nss
Help
certutil -H
pk12util -H
keytool
echo "### remove old keystore"
rm -f solrtest.keystore
echo "### create keystore and keys"
keytool -keystore solrtest.keystore -storepass "secret" -alias solrtest -keypass "secret" -genkey -keyalg RSA -dname "cn=localhost, ou=SolrTest, o=lucene.apache.org, c=US" -ext "san=ip:127.0.0.1" -validity 999999
--------------
See:
* https://directory.fedoraproject.org/docs/389ds/howto/howto-ssl-archive.html
* https://www.ibm.com/support/knowledgecenter/en/SS5MD2_7.4.0.1/com.ibm.itcamt.doc/rt/User_Guide/Web1/wrtappliance_https_keys_iplanet.html
apt-get install libnss3-tools
By default, certutil / pk12util look for databases named cert8.db and key3.db, but some versions of Web Server use alternate names such as https-instance-hostname-cert8.db and https-instance-hostname-key3.db; in that case add the "-P https-instance-hostname-" parameter to set the prefix.
certutil -L -d certdir
#pk12util -o exportedcertfilename -d . -n Server-Cert
#pk12util -i exportedcertfilename -d . -h "Sun Metaslot"
pk12util -o exportcert -n Server-Cert_xx -d .
pk12util
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Reference/NSS_tools_:_pk12util
Import keys and certificates from a PKCS#12 file into a security
database.
https://wts.uwo.ca/pki/resources/pk12util.html
pk12util -d . -i /tmp/dropz.its.uwo.ca.p12
#pk12util -d . -P slapd- -i /tmp/auth.uwotest.ca.p12
== certutil example
Example
mkdir -p $HOME/.pki/nssdb
certutil -N -d sql:$HOME/.pki/nssdb
certutil -d sql:$HOME/.pki/nssdb -L
certutil -d sql:$HOME/.pki/nssdb -A -t "CT,C,C" -n "CA Root" -i /etc/pki/ca-trust/source/anchors/RootCA.crt
env SSL_DIR=$HOME/.pki/nssdb curl https://nok.acme.fr
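The example above and the certdb-format note from the curl docs (cert9.db/key4.db vs cert8.db/key3.db) put together, as an added POSIX sh script that is not part of the original page: a helper that picks the right `sql:` or `dbm:` prefix for a directory, then a DB creation and CA import built on it. The function names are assumptions; the demo part needs certutil and openssl installed.

```shell
#!/bin/sh
# Added example, not from the original page: pick the right certdb prefix for
# an NSS database directory (cert9.db/key4.db -> sql:, cert8.db/key3.db -> dbm:)
# and use it to build a fresh DB and import a CA anchor with trust flags.
# Assumes libnss3-tools (certutil) and openssl are installed for the demo part.

# nssdb_prefix DIR: print "sql:DIR" or "dbm:DIR" depending on the files present;
# fail (status 1) when DIR holds no NSS database at all.
nssdb_prefix() {
    if [ -f "$1/cert9.db" ] && [ -f "$1/key4.db" ]; then
        printf 'sql:%s\n' "$1"
    elif [ -f "$1/cert8.db" ] && [ -f "$1/key3.db" ]; then
        printf 'dbm:%s\n' "$1"
    else
        printf 'no NSS database found in %s\n' "$1" >&2
        return 1
    fi
}

# nssdb_init DIR: create an empty-password DB (sql: format, what modern
# certutil and libcurl expect) with owner-only permissions.
nssdb_init() {
    mkdir -p "$1" && chmod 700 "$1" && certutil -N -d "sql:$1" --empty-password
}

# nssdb_add_ca DIR NICK FILE: import FILE as a trusted SSL CA ("C,,") under
# nickname NICK, then print that entry from the listing so the trust flags
# can be checked by eye.
nssdb_add_ca() {
    db=$(nssdb_prefix "$1") || return 1
    certutil -d "$db" -A -t "C,," -n "$2" -i "$3" && certutil -d "$db" -L | grep -F "$2"
}

# Demo: run as "sh this.sh --demo" on a host with certutil and openssl.
if [ "${1:-}" = "--demo" ] && command -v certutil >/dev/null 2>&1; then
    work=$(mktemp -d)
    # Constructed throwaway self-signed CA standing in for a real anchor.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
        -keyout "$work/ca.key" -out "$work/ca.crt" 2>/dev/null
    nssdb_init "$work/nssdb"
    nssdb_prefix "$work/nssdb"
    nssdb_add_ca "$work/nssdb" "Demo Root CA" "$work/ca.crt"
    rm -rf "$work"
fi
```

With the DB in place, `SSL_DIR=$HOME/.pki/nssdb curl https://...` (as in the example above) makes an NSS-built libcurl pick it up.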
== Other
mkdir -p $HOME/.pki/nssdb && chmod -R 0700 $HOME/.pki && certutil -d sql:$HOME/.pki/nssdb -N --empty-password