[Fedora-directory-users] Importing private key into certificate store

Kevin M. Myer kevin_myer at iu13.org
Tue Sep 13 16:18:04 UTC 2005


Quoting Rich Megginson <rmeggins at redhat.com>:

> You need to get your CA to export your key/cert data in pkcs12 (.p12) 
> format, then use the FDS pk12util to import both the key and cert.

As luck usually has it, I pretty much came to that same conclusion shortly after I pressed send :)

http://developers.sun.com/prodtech/appserver/reference/techart/keymgmt.html

For the sake of archiving:

As Rich noted, the certificate and key must be in PKCS12 format.

My CA is openssl - in order to have a successful import, you must export the
certificate to PKCS12 format with a nickname (my initial CA wrapper did not do
that, which resulted in a failed import).  The following command would combine
a PEM certificate and key and create a PKCS12 certificate and key:

> openssl pkcs12 -export -in cert.pem -inkey key.pem -name <nickname> 
> -out directory.p12

And then import it:

> pk12util -d <nss_config_dir> -i directory.p12 [-h "NSS Certificate DB"]

From what I can gather, there are at least three certificate stores:

For the first two below, nss_config_dir is /opt/fedora-ds/alias.

Directory Server:
/opt/fedora-ds/alias/slapd-hostname-[cert|key][8|3].db

Admin Server:
/opt/fedora-ds/alias/admin-server-hostname-[cert|key][8|3].db

For the above two, to import, I created symbolic links for cert8.db and key3.db
to their respective counterparts for slapd and admin-server (i.e. link
cert8.db -> slapd-hostname-cert8.db and key3.db -> slapd-hostname-key3.db, import, then
remove links and relink to admin-server-hostname databases).

There's also a store in /opt/fedora-ds/admin-server/config - not sure if that is
for the Admin Console, but I've skipped it for the moment.

Kevin

-- 
Kevin M. Myer
Senior Systems Administrator
Lancaster-Lebanon Intermediate Unit 13  http://www.iu13.org
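The export-with-nickname, import and verify sequence from the post above, written up as an added POSIX shell example (not Kevin's script and not part of Fedora Directory Server). It assumes pk12util and certutil accept the -P database-prefix option, which replaces the cert8.db/key3.db symlink step; the nickname, paths and passwords are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): wrap a PEM cert and key into
# PKCS#12 with a nickname, then import it into an NSS store. The -P option of
# pk12util/certutil selects the database prefix (e.g. "slapd-hostname-"); it
# is assumed to be available and stands in for the symlink step in the post.
set -eu

# Build the PKCS#12 bundle. -name sets the friendlyName that becomes the NSS
# nickname; leaving it out is the failed-import case described above.
make_p12() {  # cert.pem key.pem nickname out.p12 p12-password
    openssl pkcs12 -export -in "$1" -inkey "$2" -name "$3" \
        -out "$4" -passout "pass:$5"
}

# Read the friendlyName back out of the bundle, so the nickname can be
# checked before the file goes anywhere near the server.
p12_nickname() {  # out.p12 p12-password -> prints the nickname
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -info 2>/dev/null \
        | sed -n 's/^ *friendlyName: *//p' | head -n 1
}

# Import into one store, chosen by directory and database prefix. stdin is
# closed so a password prompt fails instead of hanging an unattended run.
import_p12() {  # nss_dir dbprefix out.p12 p12-password
    pk12util -d "$1" -P "$2" -i "$3" -W "$4" </dev/null
}

# Exit status 0 when the certificate is listed under that nickname.
nss_has_cert() {  # nss_dir dbprefix nickname
    certutil -d "$1" -P "$2" -L -n "$3" >/dev/null 2>&1
}

# Constructed input: a throwaway self-signed cert and key for trying the
# functions above. Prints the nickname found in the resulting bundle.
demo() {  # workdir
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=ds.example.test" -keyout "$1/key.pem" -out "$1/cert.pem" \
        >/dev/null 2>&1
    make_p12 "$1/cert.pem" "$1/key.pem" "Server-Cert" "$1/directory.p12" changeit
    p12_nickname "$1/directory.p12" changeit
}
```

Run `demo` against each store's directory and prefix in turn (slapd-hostname-, then admin-server-hostname-) and confirm with `nss_has_cert` before restarting the servers.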