Gerrard Geldenhuis wrote: > > Hi David, > > I created a new certificate datase with certutil, and I can view the > private key fingerprints with certutil -d . -K but I can?t actually > extract the private key from the certutil database. I can create a > certificate sign request using certutil again. I thus have the private > key but it is ?hidden? from me. > Use pk12util to create a pkcs12 file - then use openssl pkcs12 to extract the private key. pk12util -H and man pkcs12 for more info. > > Regards > > *From:* 389-users-bounces at lists.fedoraproject.org > [mailto:389-users-bounces at lists.fedoraproject.org] *On Behalf Of > *David Boreham > *Sent:* 12 November 2010 16:04 > *To:* General discussion list for the 389 Directory server project. > *Subject:* Re: Decrypting SSL for 389-ds > > On 11/12/2010 8:59 AM, Gerrard Geldenhuis wrote: > > I am trying to decrypt SSL traffic capture with tcpdump in wireshark. > A quick google turned up a page that said the NSS utils does not allow > you to expose your private key. Is there different way or howto that > anyone can share to help decrypt SSL encrypted traffic for 389? > > > I think you're confused about the private key : you had to have had > the private key in order to configure it in the server. > So find the file, and feed that to Wireshark. Note that WS can not > currently decrypt certain ciphers (and it won't simply tell you that > it can't -- instead you waste days of your time before the penny > drops). Hopefully your client is not negotiating one of those. > > > > ________________________________________________________________________ > In order to protect our email recipients, Betfair Group use SkyScan from > MessageLabs to scan all Incoming and Outgoing mail for viruses. > > ________________________________________________________________________ > ------------------------------------------------------------------------ > > -- > 389 users mailing list > 389-users at lists.fedoraproject.org > https://admin.fedoraproject.org/mailman/listinfo/389-users
