How to copy over an SSL server cert from web 6.1 SPx to new web 7.0x
Friday Jun 27, 2008
When you migrate from web 6.1x to web 7.0x, the migration tool will help migrate your SSL server cert too.
If this SSL migration fails and you need a quick way to get SSL working again in the new web 7.0x,
you can try the steps below.
For example, in my environment I tested the following and it worked OK:
apple:/export/home/iws7.0u2/https-newconfig2/config> ls -lrt
total 332
-rw------- 1 root other 2887 May 28 15:34 server.policy
-rw------- 1 root other 32768 May 28 15:34 secmod.db
-rw------- 1 root other 1442 May 28 15:34 obj.conf
-rw------- 1 root other 9153 May 28 15:34 mime.types
-rw------- 1 root other 150 May 28 15:34 magnus.conf
-rw------- 1 root other 466 May 28 15:34 login.conf
-rw------- 1 root other 160 May 28 15:34 keyfile
-rw------- 1 root other 32768 May 28 15:34 key3.db
-rw------- 1 root other 400 May 28 15:34 default.acl
-rw------- 1 root other 14732 May 28 15:34 default-web.xml
-rw------- 1 root other 1527 May 28 15:34 certmap.conf
-rw------- 1 root other 65536 May 28 15:34 cert8.db
-rw------- 1 root other 2111 May 28 15:34 server.xml
Before copying the 6.1SPx cert/key DBs over, I like to save a copy of the original cert/key DBs first, then stop web 7,
and then copy over.
cp key3.db key3.db.org
cp cert8.db cert8.db.org
Then stop the web 7 server,
then copy over the 6.1SPx cert and key DBs:
apple:/export/home/iws6.1sp9/alias> cp https-apple.asia.sun.com-apple-cert8.db /export/home/iws7.0u2/https-newconfig2/config/cert8.db
apple:/export/home/iws6.1sp9/alias> cp https-apple.asia.sun.com-apple-key3.db /export/home/iws7.0u2/https-newconfig2/config/key3.db
Then check that the copy went through OK (the checksums of the new files differ from the saved originals):
apple:/export/home/iws7.0u2/https-newconfig2/config> cksum key3.db key3.db.org
2044823871 32768 key3.db
1868267322 32768 key3.db.org
apple:/export/home/iws7.0u2/https-newconfig2/config> cksum cert8.db cert8.db.org
1966527964 65536 cert8.db
1043770452 65536 cert8.db.org
Then restart the admin server of web 7.0x, and pretty much follow the Admin GUI's suggestions to make the change.
e.g. go to the Admin GUI; you will see a warning that the config has changed,
e.g. "Instance Configuration Modified". Then click the upper right-hand side to
deploy the config and pull the changes from the server (so it will update the config store and the instance too with the new changes, i.e.
the cert and key DB files here).
Then follow any other Admin GUI warnings and do whatever else is needed, e.g.
Instance(s) Require Restart
apple.asia.sun.com: ADMIN3594: Configuration changes require a server restart.
The change in the key and cert DBs will then be populated into the config store.
Then you will be asked to "Set Configuration Token Passwords" (if you have not yet done so)
before you can view the newly copied over SSL certs inside the
Then you will see that the new SSL cert has been imported OK.
Then you can go on to enable SSL in the listen socket,
e.g. in the Admin GUI:
General
Name: http-listener-1
SSL: Enabled (to turn on SSL with the newly copied over 6.1SPx SSL cert)
Certificate:
RSA Certificates: (then choose e.g. Server-Cert)
Then deploy the config change; the server can then restart OK with SSL,
e.g. https://apple.asia.sun.com:7028/ will now work over SSL.
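The backup, copy and checksum steps above as one script. This is an added example, not part of the original post; the function name copy_nss_dbs and its three arguments are assumptions. It checks each copied file against its 6.1 source rather than only against the saved .org copy, and forces mode 600 on the result.

```shell
#!/bin/sh
# Added example (not from the original post). copy_nss_dbs and its
# arguments are hypothetical names. Run with the web 7 instance stopped.
#
# usage: copy_nss_dbs ALIAS_DIR PREFIX CONFIG_DIR
#   ALIAS_DIR   6.1 alias dir holding PREFIX-cert8.db and PREFIX-key3.db
#   CONFIG_DIR  7.0 instance config dir holding cert8.db and key3.db
copy_nss_dbs() {
    alias_dir=$1; prefix=$2; config_dir=$3

    # cert8.db and key3.db are a matched pair: a cert without its private
    # key is useless, so refuse to touch anything unless both exist.
    for db in cert8.db key3.db; do
        if [ ! -f "$alias_dir/$prefix-$db" ]; then
            echo "missing source: $alias_dir/$prefix-$db" >&2
            return 1
        fi
    done

    for db in cert8.db key3.db; do
        src="$alias_dir/$prefix-$db"
        dst="$config_dir/$db"

        # Save the original once; a rerun must not overwrite the backup
        # with an already-replaced file.
        if [ -f "$dst" ] && [ ! -f "$dst.org" ]; then
            cp -p "$dst" "$dst.org" || return 1
        fi

        cp "$src" "$dst" || return 1
        # key3.db holds the private key: owner read/write only, matching
        # the -rw------- modes in the config directory listing.
        chmod 600 "$dst" || return 1

        # Compare against the source, which proves the copy is intact.
        # Comparing against the .org file only shows the file changed.
        if [ "$(cksum < "$src")" != "$(cksum < "$dst")" ]; then
            echo "checksum mismatch: $dst" >&2
            return 1
        fi
        echo "copied $db: $(cksum < "$dst")"
    done
}

# Stand-alone use: script.sh ALIAS_DIR PREFIX CONFIG_DIR
if [ "$#" -eq 3 ]; then
    copy_nss_dbs "$@"
fi
```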
The other way is to do it at the certificate level with pk12util import and export;
see Sun internal doc ID74681 at the sunsolve site,
"Sun[TM] ONE Web Server: How to Use Certutil and pk12util to list and export certs"
by Gregory Bedigian.
Hope this helps customers migrate their SSL cert.
You can also use the above as a way to back up and later restore the SSL cert in case of disk failure, file corruption, etc.










