Gerrard Geldenhuis wrote:
Hi David,
I created a new certificate database with certutil, and I can view the
private key fingerprints with certutil -d . -K but I can’t actually
extract the private key from the certutil database. I can create a
certificate sign request using certutil again. I thus have the private
key but it is “hidden” from me.
Use pk12util to create a pkcs12 file - then use openssl pkcs12 to
extract the private key. pk12util -H and man pkcs12 for more info.
Regards
*From:* 389-users-bounces(a)lists.fedoraproject.org
[mailto:389-users-bounces@lists.fedoraproject.org] *On Behalf Of* David Boreham
*Sent:* 12 November 2010 16:04
*To:* General discussion list for the 389 Directory server project.
*Subject:* Re: [389-users] Decrypting SSL for 389-ds
On 11/12/2010 8:59 AM, Gerrard Geldenhuis wrote:
I am trying to decrypt SSL traffic captured with tcpdump in wireshark.
A quick google turned up a page that said the NSS utils does not allow
you to expose your private key. Is there a different way or howto that
anyone can share to help decrypt SSL encrypted traffic for 389?
I think you're confused about the private key: you had to have had
the private key in order to configure it in the server.
So find the file, and feed that to Wireshark. Note that WS can not
currently decrypt certain ciphers (and it won't simply tell you that
it can't -- instead you waste days of your time before the penny
drops). Hopefully your client is not negotiating one of those.
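As an added example (not code from the thread or from the 389 project), the sketch below reads the cipher suite out of a raw ServerHello record and reports whether a capture of that session can be decrypted from the server's RSA private key. It assumes one well-understood case the thread does not name: static RSA key exchange is decryptable from the key, while ephemeral DHE/ECDHE suites are not. All function names and the sample record are constructed for illustration.

```python
import struct

# Subset of the IANA TLS cipher suite registry (id -> name).
SUITES = {
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
}

def server_hello_suite(record: bytes) -> int:
    """Return the cipher suite id chosen in a raw TLS ServerHello record."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, _ver, rlen = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rlen]
    if ctype != 0x16 or len(body) < max(rlen, 4) or body[0] != 0x02:
        raise ValueError("not a complete ServerHello record")
    pos = 4 + 2 + 32              # handshake header, server_version, random
    if len(body) < pos + 1:
        raise ValueError("truncated ServerHello")
    pos += 1 + body[pos]          # skip session_id_len and session_id
    if len(body) < pos + 2:
        raise ValueError("truncated ServerHello")
    return struct.unpack("!H", body[pos:pos + 2])[0]

def key_decryptable(suite_id: int) -> str:
    """'yes' for static RSA key exchange, 'no' for DHE/ECDHE, else 'unknown'."""
    name = SUITES.get(suite_id)
    if name is None:
        return "unknown"
    return "yes" if name.startswith("TLS_RSA_WITH_") else "no"

def make_hello(suite_id: int, session_id: bytes = b"") -> bytes:
    """Build a constructed TLS 1.0 ServerHello record (sample input only)."""
    hs = b"\x03\x01" + bytes(32) + bytes([len(session_id)]) + session_id
    hs += struct.pack("!H", suite_id) + b"\x00"   # suite + null compression
    hs = b"\x02" + len(hs).to_bytes(3, "big") + hs
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    for sid in (0x002F, 0x0039):
        suite = server_hello_suite(make_hello(sid, bytes(32)))
        print(f"0x{suite:04X} {SUITES[suite]}: {key_decryptable(suite)}")
```

Checking the negotiated suite first shows whether the exported key can help at all before time is spent on the capture.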