[389-users] Decrypting SSL for 389-ds

Rich Megginson rmeggins at redhat.com
Fri Nov 12 16:28:02 UTC 2010


Gerrard Geldenhuis wrote:
>
> Hi David,
>
> I created a new certificate database with certutil, and I can view the 
> private key fingerprints with certutil -d . -K but I can’t actually 
> extract the private key from the certutil database. I can create a 
> certificate sign request using certutil again. I thus have the private 
> key but it is “hidden” from me.
>
Use pk12util to create a pkcs12 file - then use openssl pkcs12 to 
extract the private key. pk12util -H and man pkcs12 for more info.
>
> Regards
>
> *From:* 389-users-bounces at lists.fedoraproject.org 
> [mailto:389-users-bounces at lists.fedoraproject.org] *On Behalf Of* 
> David Boreham
> *Sent:* 12 November 2010 16:04
> *To:* General discussion list for the 389 Directory server project.
> *Subject:* Re: [389-users] Decrypting SSL for 389-ds
>
> On 11/12/2010 8:59 AM, Gerrard Geldenhuis wrote:
>
> I am trying to decrypt SSL traffic captured with tcpdump in Wireshark. 
> A quick google turned up a page that said the NSS utils do not allow 
> you to expose your private key. Is there a different way or howto that 
> anyone can share to help decrypt SSL encrypted traffic for 389?
>
>
> I think you're confused about the private key: you had to have had 
> the private key in order to configure it in the server.
> So find the file, and feed that to Wireshark. Note that WS can not 
> currently decrypt certain ciphers (and it won't simply tell you that 
> it can't -- instead you waste days of your time before the penny 
> drops). Hopefully your client is not negotiating one of those.
>

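The pk12util / openssl pkcs12 route suggested in the reply above, written out as an added example (not part of the original thread), with a check that the extracted key really belongs to the server certificate before it is handed to Wireshark. The directory /etc/dirsrv/slapd-INSTANCE, the nickname Server-Cert and the file names are assumed placeholders; list the real nicknames with certutil -d <dir> -L.

```shell
#!/bin/sh
# Added example: NSS database -> PKCS#12 -> PEM private key.
# All paths, the nickname and the password file are assumed placeholders.

# Export certificate and key for one nickname from an NSS database.
# $1 = NSS db directory  $2 = certificate nickname
# $3 = output .p12       $4 = file holding the PKCS#12 password
nss_to_p12() {
    ( umask 077 && pk12util -d "$1" -n "$2" -o "$3" -w "$4" )
}

# Write the unencrypted private key from the PKCS#12 file as PEM.
# $1 = .p12  $2 = output key PEM  $3 = PKCS#12 password file
# umask 077 keeps the key file readable by the current user only.
p12_to_key() {
    ( umask 077 && openssl pkcs12 -in "$1" -nocerts -nodes \
        -passin "file:$3" -out "$2" )
}

# Write the server (leaf) certificate from the PKCS#12 file as PEM.
# $1 = .p12  $2 = output cert PEM  $3 = PKCS#12 password file
p12_to_cert() {
    openssl pkcs12 -in "$1" -nokeys -clcerts -passin "file:$3" -out "$2"
}

# Succeed only if the public half of the key equals the public key in
# the certificate, i.e. this is the key the server presents.
# $1 = key PEM  $2 = cert PEM
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Typical use (placeholders throughout):
#   nss_to_p12  /etc/dirsrv/slapd-INSTANCE Server-Cert server.p12 p12pass.txt
#   p12_to_key  server.p12 server.key p12pass.txt
#   p12_to_cert server.p12 server.crt p12pass.txt
#   key_matches_cert server.key server.crt && echo "key matches certificate"
# Remove server.p12 and server.key again once the capture has been analysed.
```

pk12util also asks for the NSS database password if one is set.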