Description of problem:
There is no information available about how to import a certificate and key that you already have and that are not necessarily self-signed. Please include this text in the wiki as it took a non-trivial amount of time to discover this procedure and I'm sure that others will waste equal amounts of time on this problem if it is not documented.

Version-Release number of selected component (if applicable):
1.0.2

Additional info:
The following steps can be performed to import a preexisting RSA key and certificate that may or may not be self-signed.

    openssl pkcs12 -export -inkey PRIVATE-KEY -in CERTIFICATE -out /tmp/crt.p12 -nodes -name 'ldap-cert'
    cd /opt/fedora-ds/shared/bin
    ./pk12util -i /tmp/crt.p12 -d /opt/fedora-ds/alias/ -P slapd-INSTANCE-

You should now be able to see and manage the certificate you imported via the GUI's Manage Certificates option.
How about the CA cert chain? Does the -in CERTIFICATE have to contain the server cert + the CA cert chain? Does that get exported to the .p12 file?
This is already documented in a not-so-obvious place at http://directory.fedora.redhat.com/wiki/Mod_nss#Can_I_use_my_existing_mod_ssl_certificates_with_mod_nss.3F It would be good to add a link to this somewhere, or perhaps duplicate it to be DS-specific. The CA chain is typically stored in a separate .pem file, at least in Apache, so it would need to be imported using certutil.
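The procedure from the report above (openssl pkcs12 followed by pk12util), extended with the separate CA-chain import that comment 3 says has to go through certutil, as one added worked script. This is not code from the bug report, from Fedora DS or from mod_nss; it uses only documented openssl, pk12util and certutil options. The function names import_into_nss and nss_has_cert, the 'ldap-cert' nickname, the use of a password file for the NSS database password, and the choice of each CA certificate's subject DN as its nickname are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not the project's own script): import an existing PEM key and
# certificate, plus an optional CA-chain PEM bundle, into an NSS database and
# confirm the import. Assumed names: import_into_nss, nss_has_cert, 'ldap-cert'.
set -eu

# import_into_nss KEY.pem CERT.pem NSSDB_DIR DB_PREFIX PWFILE [CHAIN.pem]
#   KEY/CERT   PEM private key and end-entity certificate (any issuer)
#   NSSDB_DIR  e.g. /opt/fedora-ds/alias,  DB_PREFIX e.g. slapd-INSTANCE-
#   PWFILE     file containing the NSS database (token) password
#   CHAIN      optional PEM bundle with the issuing CA certificate(s)
import_into_nss() {
    key=$1; cert=$2; dbdir=$3; prefix=$4; pwfile=$5; chain=${6:-}
    nick='ldap-cert'                      # becomes the NSS nickname
    tmpdir=$(mktemp -d)

    # 1. Bundle key + cert into PKCS#12. The -name friendlyName is what NSS
    #    shows as the nickname. A random transport password protects the
    #    private key while it sits in the temporary file.
    p12pw=$(head -c 18 /dev/urandom | od -An -tx1 | tr -d ' \n')
    openssl pkcs12 -export -inkey "$key" -in "$cert" -name "$nick" \
        -out "$tmpdir/crt.p12" -passout "pass:$p12pw"

    # 2. Import non-interactively: -W is the PKCS#12 password, -k the DB
    #    password file (the bug's invocation prompts for both on the terminal).
    pk12util -i "$tmpdir/crt.p12" -d "$dbdir" -P "$prefix" \
        -k "$pwfile" -W "$p12pw"

    # 3. CA chain, if given. certutil -A adds only the first certificate it
    #    finds in a PEM file, so split the bundle and import each CA separately
    #    with trust flags "CT,," (trusted CA for SSL and S/MIME).
    if [ -n "$chain" ]; then
        awk -v dir="$tmpdir" '
            /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/ca" n ".pem" }
            out != ""                     { print > out }
            /-----END CERTIFICATE-----/   { close(out); out = "" }' "$chain"
        for f in "$tmpdir"/ca*.pem; do
            [ -e "$f" ] || break          # no certificates found in bundle
            subj=$(openssl x509 -in "$f" -noout -subject | sed 's/^subject= *//')
            certutil -A -d "$dbdir" -P "$prefix" -f "$pwfile" -a -i "$f" \
                -n "$subj" -t "CT,,"
        done
    fi

    rm -rf "$tmpdir"                      # the .p12 holds the private key
}

# nss_has_cert NICK NSSDB_DIR DB_PREFIX: succeed if NICK is listed in the DB.
nss_has_cert() {
    certutil -L -d "$2" -P "$3" | grep -q "^$1 "
}
```

If the target NSS is as old as the one shipped with the Fedora DS release in this bug, it will not understand the AES/PBKDF2 defaults that current OpenSSL uses for PKCS#12; add `-keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1` (or `-legacy` on OpenSSL 3) to the `openssl pkcs12 -export` line so pk12util can read the bundle. After the run, `certutil -L -d DIR -P PREFIX` should list `ldap-cert` with `u,u,u` and each CA with `CT,,`.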
The CERTIFICATE file did not need to contain the CA cert chain. I'm using a certificate issued by GeoTrust, and the certificate Just Worked once I figured out the magical incantation necessary to import it into the certificate database. I've since tried to import the GeoTrust root CA, but it never appears in the Manage Certificates GUI, so I'm guessing that it must mirror the Equifax cert already included in FDS. As for this being already documented, yes and no. While mod_nss is documented, it isn't entirely clear how to translate that information into something one can use with FDS if one isn't intimately familiar with mod_nss and FDS.
Yes, I agree. I think what we should do is make a "migrating certificates from OpenSSL to NSS" page and link both FDS and mod_nss there.
This is documented on the Howto:SSL page http://directory.fedoraproject.org/wiki/Howto:SSL#Importing_an_Existing_Key.2FCert
Yes, checked the link given in Comment#6, hence marking VERIFIED.