How to Import Existing Private Key into certutil Key Database for SSL/TLS Configuration



When working with NSS (Network Security Services) and certutil, a common pain point emerges when you've generated a key pair externally (for example with OpenSSL) but need to use it with an application that reads the NSS certificate database, such as Apache with mod_nss. certutil has no command that imports an existing private key; the supported route is to wrap the key and its certificate in a PKCS#12 file and import that with pk12util.

An NSS database directory holds either the legacy DBM files or the newer SQLite files. The legacy format consists of:

  • cert8.db (certificate database)
  • key3.db (private key database)
  • secmod.db (security module database)

The SQLite format, selected by prefixing the directory with `sql:` (and the default since NSS 3.35), uses cert9.db, key4.db and pkcs11.txt instead. Use the same prefix for every tool that touches the database; otherwise certutil and pk12util may silently operate on two different databases in the same directory.

The most reliable method is to create a PKCS#12 file containing both certificate and private key, then import it. The value given to `-name` becomes the nickname in the NSS database, which is what mod_nss refers to with NSSNickname:

# Convert to PKCS12 format (prompts for an export password)
openssl pkcs12 -export -in server.crt -inkey server.key \
-out server.p12 -name "MyServerCert" -certfile ca-bundle.crt

# Import into NSS database; -w reads the PKCS#12 password from a file
pk12util -i server.p12 -d sql:/path/to/nssdb -w p12pass.txt

pk12util also accepts the password directly with `-W pkcs12_password`, but a password on the command line is visible in `ps` output and shell history, so prefer the file form (or let pk12util prompt) and delete the .p12 file once the import succeeds.

For cases where you only have the private key in PEM format there is still no shortcut: `certutil -K` lists the keys already in the database, and the `-i` and `-r` options belong to other certutil subcommands, so no certutil invocation will take a DER private key as input. Obtain (or, for testing, self-sign) a certificate for the key first, then go through PKCS#12 as above:

# Self-signed certificate for an existing key, for test use only
openssl req -new -x509 -key server.key -out server.crt -days 365 \
-subj "/CN=server.example.test"

A key that ends up in the database without a matching certificate is listed by `certutil -K` as `(orphan)` and cannot be selected by NSSNickname.

Check that both halves were imported. `certutil -K` lists private keys and `certutil -L` lists certificates:

certutil -K -d sql:/path/to/nssdb
certutil -L -d sql:/path/to/nssdb

Each line of the `-K` output shows the key type, key ID and the nickname of the certificate that matches the key; a key without a certificate shows `(orphan)` instead. The nickname should also appear in the `-L` output, with trust flags `u,u,u` for a server certificate whose key is present.

  • Ensure the certificate and key actually match: compare `openssl x509 -noout -modulus -in server.crt` with `openssl rsa -noout -modulus -in server.key` (for non-RSA keys compare `openssl x509 -noout -pubkey` with `openssl pkey -pubout`)
  • Check database permissions: importing needs write access to the directory and the db files, but the server only reads them at startup, so make the database read-only for the httpd user afterwards
  • For Apache/mod_nss: NSSNickname must be exactly the `-name` used when creating the PKCS#12 file

For production deployments, consider:

  • Keeping the private key in an HSM or smart card exposed as a PKCS#11 module (registered with `modutil -add`), so the key never exists as a file on the web server; this is a protection measure, not a performance one
  • Protecting the database with a password and supplying it to mod_nss through NSSPassPhraseDialog rather than leaving the database unprotected
  • For high-traffic servers, tuning the TLS session cache (NSSSessionCacheSize, NSSSessionCacheTimeout); the database itself is read once at startup and is not a throughput bottleneck

Developers who already hold a key and certificate often hit an error such as "Cannot find private key for certificate" when pointing mod_nss at the database. The cause is that the certificate was imported (for example with `certutil -A`) while the private key was not, and certutil provides no command to import a private key on its own. The step-by-step procedure below uses PKCS#12 to bring both in together.

Before proceeding, ensure you have:

  • Your private key file (typically .key or .pem format)
  • The corresponding certificate file
  • certutil installed (part of NSS tools)
  • pk12util installed (for PKCS#12 conversion)

1. Convert Key and Certificate to PKCS#12 Format

First, we need to bundle your existing key and certificate into a PKCS#12 file:

openssl pkcs12 -export -out bundle.p12 -inkey yourkey.key \
-in yourcert.crt -certfile CACert.crt -name "yourcert"

The `-name` value becomes the certificate's nickname in NSS; without it, pk12util derives a nickname from the certificate subject, which is harder to reference from mod_nss.

You'll be prompted to set an export password - remember this as you'll need it later.

2. Import the PKCS#12 File into NSS Database

Now use pk12util to import into your NSS database:

pk12util -i bundle.p12 -d sql:/path/to/your/nss/db

When prompted, enter the export password you set earlier.

3. Verify the Import

Check that both the private key (`-K`) and the certificate (`-L`) were imported under the same nickname:

certutil -K -d sql:/path/to/your/nss/db
certutil -L -d sql:/path/to/your/nss/db
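The three steps above as one script with the checks a practitioner wants before touching a production database: the key is verified against the certificate by comparing public keys (this works for RSA and EC keys, unlike the RSA-only modulus comparison), the export password is read from a file so it never appears on a command line, the .p12 bundle lives in a private temporary directory that is removed on exit, and the import is verified with `certutil -K` and `certutil -L`. This is an added example, not code from the page or from the NSS project; the function names, the `sql:` database layout, the empty-password database used when trying it out, and the password-file convention are assumptions.

```shell
#!/bin/sh
# Added example: bundle an existing key and certificate into PKCS#12 and import
# them into an NSS database, verifying each step. Function names and the
# password-file convention are assumptions made for this example.
set -eu

# key_matches_cert KEY CERT
# Derive the public key from the private key and compare it with the one in
# the certificate. Returns 0 on match, 1 on mismatch, 2 if a file is unreadable.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$key_pub" = "$cert_pub" ]
}

# make_p12 KEY CERT CHAIN NICKNAME PASSFILE OUT
# Write a PKCS#12 bundle. CHAIN may be empty. The export password is read from
# PASSFILE so it does not show up in ps output or shell history.
make_p12() {
    if [ -n "$3" ]; then
        openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" \
            -name "$4" -passout "file:$5" -out "$6"
    else
        openssl pkcs12 -export -inkey "$1" -in "$2" \
            -name "$4" -passout "file:$5" -out "$6"
    fi
}

# import_p12 P12 DBDIR PASSFILE NICKNAME
# Import the bundle and confirm that a key (-K) and a certificate (-L) with the
# expected nickname are now present. Assumes the database is the sql: format.
import_p12() {
    pk12util -i "$1" -d "sql:$2" -w "$3" >/dev/null
    certutil -K -d "sql:$2" | grep -q -- "$4" || return 1
    certutil -L -d "sql:$2" -n "$4" >/dev/null 2>&1
}

# import_key_cert KEY CERT CHAIN NICKNAME DBDIR PASSFILE
# Run the whole procedure. The .p12 file contains the private key, so it is
# created with mode 0700 in a temporary directory that is deleted on exit.
import_key_cert() {
    key=$1; cert=$2; chain=$3; nick=$4; dbdir=$5; passfile=$6
    if ! key_matches_cert "$key" "$cert"; then
        echo "private key does not match certificate: $key / $cert" >&2
        return 1
    fi
    umask 077
    tmp=$(mktemp -d)
    trap 'rm -rf "$tmp"' EXIT
    make_p12 "$key" "$cert" "$chain" "$nick" "$passfile" "$tmp/bundle.p12"
    import_p12 "$tmp/bundle.p12" "$dbdir" "$passfile" "$nick"
}

# Example invocation (paths are placeholders):
#   import_key_cert server.key server.crt ca-bundle.crt MyServerCert /etc/httpd/nss p12pass.txt
```

If the database has a password, pass it to pk12util and certutil with `-k /path/to/dbpass.txt` (or `-f` for certutil) inside `import_p12`. If an old NSS release rejects a bundle produced by OpenSSL 3 (which defaults to AES with PBKDF2), re-export with `-keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1` and delete the bundle as soon as the import succeeds.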

There is no OpenSSL-free alternative: the NSS tools cannot read a PEM or DER private key directly, and PKCS#12 import through pk12util is the only supported way to bring an externally generated key into the database. modutil is not a key-import tool either; its job is to register PKCS#11 modules, which is how you make an HSM or smart card available to NSS instead of storing the key as a file. The real syntax is (module name and library path are placeholders):

# Create a new NSS database if you don't have one
certutil -N -d sql:/path/to/your/nss/db

# Register a PKCS#11 module (for example an HSM driver) with the database
modutil -dbdir sql:/path/to/your/nss/db -add "My HSM" -libfile /path/to/pkcs11-module.so

# Keys living on that token are then listed with
certutil -K -d sql:/path/to/your/nss/db -h "token name"

Common problems after an import:

  • Password errors: Ensure you're using the correct PKCS#12 export password
  • Permission problems: The NSS database directory must be writable
  • Key mismatch: Verify your private key matches the certificate
  • Database location: Some applications expect the database in specific locations

When working with private keys:

  • Always set proper permissions on key files (600)
  • Remove temporary key files after import
  • Consider using hardware security modules (HSMs) for production environments
  • Never store unprotected private keys in version control

For a complete working example with NSS and Apache, first build the database as root (httpd only needs to read it at startup, so no write access is required afterwards):

# Create NSS database
mkdir -m 0750 /etc/httpd/nss
certutil -N -d sql:/etc/httpd/nss

# Convert and import
openssl pkcs12 -export -out bundle.p12 -inkey server.key \
-in server.crt -certfile ca-bundle.crt -name "Server-Cert"

pk12util -i bundle.p12 -d sql:/etc/httpd/nss
rm -f bundle.p12

# Confirm key and certificate share the nickname
certutil -K -d sql:/etc/httpd/nss
certutil -L -d sql:/etc/httpd/nss -n Server-Cert

Then point mod_nss at the database and at the nickname chosen with `-name`:

LoadModule nss_module modules/mod_nss.so

# Where mod_nss reads the database password from (format: internal:password)
NSSPassPhraseDialog file:/etc/httpd/conf/password.conf

<VirtualHost *:443>
    NSSEngine on
    NSSCertificateDatabase /etc/httpd/nss
    NSSNickname Server-Cert
    # Other SSL directives...
</VirtualHost>