Exporting Private Key from iPlanet Web Server

On quite a few occasions, we have to sniff SSL traffic between the browser and an iPlanet Web Server. To sniff SSL using the ClearWatch tool, we require the private key file in PEM format.

iPlanet stores keys internally, so we need to go through a few steps to get the key out in that format.

Step 1 :
Firstly, the Key will have to be exported to a PKCS#12 file.

To export to a PKCS#12 file, use the pk12util command that ships with iPlanet. It is generally available under the Servers\bin\https\admin\bin folder.

Syntax :
pk12util -o exportfile -n certname [-d certdir] [-P dbprefix]

Example :
pk12util -o c:\temp\pkey.txt -n Server-Cert -d c:\iplanet\servers\alias -P dbprefix

In the above, dbprefix is the prefix of the key file available under the Servers\alias folder. If the key file is xyz-key3.db, then dbprefix is ‘xyz’.

Step 2 :
Once you have a PKCS#12 file containing a private key, you can convert it to a PEM file by using the freely available OpenSSL tool:

Syntax :
openssl pkcs12 -in server.p12 -out server.pem -nocerts -passin pass:yourpassword -passout pass:dummy

where “server.p12” is the original PKCS#12 file you are converting and “yourpassword” is the password that is associated with the PKCS#12 file.

Step 3 :
Now, we can remove the Password Protection on the Key by running the following command.

openssl rsa -in server.pem -out server.key -passin pass:dummy
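
Steps 2 and 3 as shell functions, as an added example that is not part of the original post: the pass phrases are handed to OpenSSL through the environment (`env:`) instead of `pass:` on the command line, the key file is created with owner-only permissions, and the exported key is checked against the server certificate. The function names, the `P12_PASS` variable and the sample files are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post). Function names and the
# P12_PASS variable are assumptions of this example.

# export_key P12 OUTKEY
# Steps 2 and 3. The PKCS#12 pass phrase is read from $P12_PASS via env:,
# so it does not appear in the process list as pass:... would.
export_key() {
    p12=$1; out=$2
    old_umask=$(umask)
    umask 077                        # new key files: owner read/write only
    tmp=$(mktemp) || { umask "$old_umask"; return 1; }
    TMP_PASS=$(openssl rand -hex 16) # throwaway pass phrase for the PEM
    export P12_PASS TMP_PASS
    rc=0
    openssl pkcs12 -in "$p12" -out "$tmp" -nocerts \
        -passin env:P12_PASS -passout env:TMP_PASS 2>/dev/null &&
    openssl rsa -in "$tmp" -out "$out" -passin env:TMP_PASS 2>/dev/null || rc=1
    rm -f "$tmp"                     # intermediate PEM is no longer needed
    unset TMP_PASS
    umask "$old_umask"
    return "$rc"
}

# key_matches_cert KEY CERT
# Succeeds only if the key's public half equals the certificate's public key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# make_sample DIR
# Constructed test data: a self-signed certificate and key bundled into
# DIR/server.p12 under the nickname Server-Cert, pass phrase from $P12_PASS.
make_sample() {
    export P12_PASS
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
        -keyout "$1/orig.key" -out "$1/server.crt" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$1/orig.key" -in "$1/server.crt" \
        -name Server-Cert -out "$1/server.p12" -passout env:P12_PASS
}

if [ "${1:-}" = demo ]; then         # run as: sh script.sh demo
    d=$(mktemp -d); P12_PASS=constructed-pass
    make_sample "$d" && export_key "$d/server.p12" "$d/server.key" &&
        key_matches_cert "$d/server.key" "$d/server.crt" && echo "key matches"
    rm -rf "$d"
fi
```

The resulting server.key is unencrypted, so the file permissions are its only protection; delete it once the capture session is finished.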

3 thoughts on “Exporting Private Key from iPlanet Web Server”

  1. Very helpful, one thing that I have noticed was that the -P includes the trailing dash. So if the key file is xyz-key3.db, then the dbprefix is ‘xyz-’ not ‘xyz’.

    Leaving out the trailing dash gave me the error: pk12util: find user certs from nickname failed: PR_LOAD_LIBRARY_ERROR: Failure to load dynamic library

    Also note that I had to sudo these commands to get them to work.

    Thanks though!

