Migrating Certificates and Server Keys
It is possible to migrate a certificate and server key from Apache to SJS Web Server 7.0, but not by copying files. Apache (mod_ssl) keeps the key and certificate as PEM files for OpenSSL, while SJS Web Server stores them in an NSS certificate and key database, so the PEM files cannot be imported directly. The interchange format both sides understand is PKCS#12, which bundles the certificate and private key into one password-protected file. The following steps will allow you to do the migration.
Export the OpenSSL certificate using the openssl utility to a PKCS#12 file:
openssl pkcs12 -export -out <output-pkcs-file> -in <openssl-crt-file> -inkey <key-file> -nodes -name <alias>
Example:
$ openssl pkcs12 -export -out server.pk12 -in server.crt -inkey server.key -nodes -name "ALIAS"
Enter Export Password:
Verifying - Enter Export Password:
$ ls server.pk12
server.pk12
You will be prompted for an export password. Choose a strong one: the PKCS#12 file contains the private key, and this password is the only thing protecting it while the file sits on disk or is copied between hosts. You will need the same password to import the file into the SJS Web Server certificate database.
Now that the certificate and key are in a file in PKCS#12 format, import it into the SJS Web Server certificate database using the pk12util utility, located in the ${server-install-dir}/bin directory.
We will import the certificate and key into the existing certificate database of a deployed instance of the target configuration (the cert8.db and key3.db files in the instance's config directory).
$ ${server-install-dir}/bin/pk12util -i <exported-pkcs12-file> -d ${server-instance-dir}/config
For example
$ /d2/nelson/webserver7/bin/pk12util -i /d2/nelson/apache-ssl/conf/ssl.crt/server.pk12 -d /d2/nelson/webserver7/https-blogsite-example.com/config
Enter password for PKCS12 file:
pk12util: PKCS12 IMPORT SUCCESSFUL
The certificate database was changed directly on the instance, so we need to pull those changes back into the Administration Server's configuration store; otherwise the next deploy would overwrite them. We can do this using either the Administration GUI or the Administration CLI. For example:
wadm> pull-config --config=blogsite-example.com myserver.com
CLI201 Command 'pull-config' ran successfully
Now we can see the imported certificate installed in SJS Web Server. The certificate nickname "ALIAS" is the alias we provided when exporting the certificate.
wadm> list-certs --config=blogsite-example.com --verbose
nickname
--------
ALIAS
The certificate can now be used to create an SSL-enabled listener. For example, using the Administration CLI:
wadm> set-ssl-prop --config=blogsite-example.com --http-listener=http-listener-1 server-cert-nickname=ALIAS enabled=true
CLI201 Command 'set-ssl-prop' ran successfully
wadm> deploy-config blogsite-example.com
CLI201 Command 'deploy-config' ran successfully
You might need to restart the server in order to restart the listener in secure mode. Once the listener is up, delete the server.pk12 file or store it with the same care as server.key: it is a complete copy of the private key, protected only by the export password.
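The export and import steps above, collected into one non-interactive script. This is an added example, not code from the original post or from the Web Server product. Assumed rather than taken from the page: the WORK, SERVER_INSTALL_DIR and INSTANCE_CONFIG paths, passing passwords through files instead of prompts (the bundled pk12util and certutil are assumed to accept the standard NSS -w and -n options), and a throwaway self-signed key pair generated as constructed input in place of a real Apache server.key/server.crt. The script also verifies the PKCS#12 bundle before it leaves the Apache host, which the original procedure does not do.

```shell
#!/bin/sh
# Added example: migrate an Apache (OpenSSL PEM) key pair into an NSS database.
# Not from the original post. Paths, password handling and the self-signed
# test key pair below are assumptions for illustration.

WORK="${WORK:-$(mktemp -d)}"
ALIAS="${ALIAS:-ALIAS}"
SERVER_INSTALL_DIR="${SERVER_INSTALL_DIR:-/opt/webserver7}"   # assumed location
INSTANCE_CONFIG="${INSTANCE_CONFIG:-$SERVER_INSTALL_DIR/https-blogsite-example.com/config}"

# Write a password to a file only the current user can read. Passing passwords
# as files keeps them out of `ps` output and shell history.
write_password_file() {
  (umask 077 && printf '%s\n' "$1" > "$2")
}

# Constructed input: a self-signed key/cert standing in for server.key/server.crt.
make_test_keypair() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=blogsite.example.com" \
    -keyout "$WORK/server.key" -out "$WORK/server.crt" 2>/dev/null
}

# Step 1 (Apache host): bundle key + cert into PKCS#12 under the export password.
# That password is the only protection on the private key inside the file.
export_pkcs12() {
  openssl pkcs12 -export -name "$ALIAS" \
    -in "$WORK/server.crt" -inkey "$WORK/server.key" \
    -passout "file:$1" -out "$WORK/server.pk12"
}

# Check the bundle before shipping it: the MAC must verify with the password,
# so a typo is caught here rather than at pk12util time. Non-zero on failure.
verify_pkcs12() {
  openssl pkcs12 -in "$WORK/server.pk12" -nokeys -passin "file:$1" \
    -out /dev/null 2>/dev/null
}

# Print the friendlyName stored in the bundle; NSS uses it as the nickname.
p12_friendly_name() {
  openssl pkcs12 -in "$WORK/server.pk12" -nokeys -passin "file:$1" 2>/dev/null |
    sed -n 's/^ *friendlyName: //p' | head -n 1
}

# Step 2 (Web Server host): import into the instance's NSS database, then
# confirm the nickname exists with certutil. Assumes NSS-style options:
# -w = PKCS#12 password file (add -k <file> if the key database has a password).
import_into_nss() {
  "$SERVER_INSTALL_DIR/bin/pk12util" -i "$WORK/server.pk12" \
    -d "$INSTANCE_CONFIG" -w "$1" || return 1
  "$SERVER_INSTALL_DIR/bin/certutil" -L -d "$INSTANCE_CONFIG" -n "$ALIAS" >/dev/null
}

migrate() {
  pw_file="$WORK/p12.pass"
  # Use a random export password unless the caller supplies one.
  write_password_file "${P12_PASSWORD:-$(openssl rand -base64 18)}" "$pw_file"
  make_test_keypair || return 1
  export_pkcs12 "$pw_file" || return 1
  verify_pkcs12 "$pw_file" || { echo "PKCS#12 bundle does not verify" >&2; return 1; }
  echo "exported $WORK/server.pk12 with nickname $(p12_friendly_name "$pw_file")"

  if [ -x "$SERVER_INSTALL_DIR/bin/pk12util" ]; then
    import_into_nss "$pw_file" || return 1
    # The key now lives in the NSS key database; remove the second copy.
    rm -f "$WORK/server.pk12" "$pw_file"
    cat <<EOF
Imported. Finish in wadm (commands from the original post):
  wadm> pull-config --config=blogsite-example.com myserver.com
  wadm> list-certs --config=blogsite-example.com --verbose
  wadm> set-ssl-prop --config=blogsite-example.com --http-listener=http-listener-1 server-cert-nickname=$ALIAS enabled=true
  wadm> deploy-config blogsite-example.com
EOF
  else
    echo "pk12util not found under $SERVER_INSTALL_DIR/bin; copy $WORK/server.pk12 and $pw_file to the Web Server host and run import_into_nss there" >&2
  fi
}

migrate
```

Run the export half on the Apache host and the import half on the Web Server host, then finish with the wadm pull-config, set-ssl-prop and deploy-config steps shown above. One compatibility caveat: OpenSSL 3 writes PKCS#12 files with AES and PBKDF2 by default, which the NSS in older servers may not parse; if pk12util rejects the file, re-export with openssl's -legacy option to get the older RC2/3DES encoding.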