Bug 197239 - Instructions demonstrating how to import a preexisting key and certificate
Summary: Instructions demonstrating how to import a preexisting key and certificate
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: 389
Classification: Retired
Component: wiki
Version: 7.1
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Rich Megginson
QA Contact: Viktor Ashirov
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2006-06-29 15:40 UTC by David Bogen
Modified: 2015-12-07 16:34 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-12-07 16:34:20 UTC
Embargoed:



Description David Bogen 2006-06-29 15:40:41 UTC
Description of problem:

There is no information available about how to import a certificate and key that
you already have and that are not necessarily self-signed.

Please include this text in the wiki as it took a non-trivial amount of time to
discover this procedure and I'm sure that others will waste equal amounts of
time on this problem if it is not documented.

Version-Release number of selected component (if applicable):

1.0.2

Additional info:

The following steps can be performed to import a preexisting RSA key and
certificate that may or may not be self-signed.

openssl pkcs12 -export -inkey PRIVATE-KEY -in CERTIFICATE -out /tmp/crt.p12 -nodes -name 'ldap-cert'

cd /opt/fedora-ds/shared/bin

./pk12util -i /tmp/crt.p12 -d /opt/fedora-ds/alias/ -P slapd-INSTANCE-

You should now be able to see and manage the certificate you imported via the
GUI's Manage Certificates option.
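Added example, not code from this bug report or the 389 project: a shell script that performs the procedure above end to end and also imports the CA chain with certutil, the point raised in the comments that follow. Tool names (openssl, pk12util, certutil) are real; the instance prefix, nicknames, passwords and the throwaway test PKI are constructed.

```shell
#!/bin/sh
# Added example, not code from the bug report: import an existing PEM key/cert pair plus
# its CA chain into a 389/Fedora DS NSS certificate database. Tool names are real
# (openssl, pk12util, certutil); paths, nicknames and passwords are constructed.
set -eu
# Return 0 only if every tool the procedure needs is on PATH.
have_tools() {
    for t in openssl pk12util certutil; do
        command -v "$t" >/dev/null 2>&1 || { echo "missing tool: $t" >&2; return 1; }
    done
}
# import_keypair KEY.pem CERT.pem CHAIN.pem DBDIR DBPREFIX DBPWFILE NICKNAME
# DBPREFIX is the DS instance prefix, e.g. "slapd-INSTANCE-"; DBPWFILE holds the NSS db
# password. The database is created if DBDIR does not exist yet.
import_keypair() {
    key=$1 cert=$2 chain=$3 db=$4 prefix=$5 pwfile=$6 nick=$7
    work=$(mktemp -d)
    printf '%s' 'p12-export-pass' > "$work/p12pw"
    # Bundle key + leaf cert. Explicit SHA1/3DES PBE and SHA1 MAC keep the file readable
    # by older NSS, which predates OpenSSL 3's AES/PBKDF2 defaults.
    openssl pkcs12 -export -inkey "$key" -in "$cert" -name "$nick" -out "$work/crt.p12" \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 -passout "file:$work/p12pw"
    if [ ! -d "$db" ]; then
        mkdir -p "$db"
        certutil -N -d "$db" -P "$prefix" -f "$pwfile"
    fi
    # The key and leaf cert land in the db under the PKCS#12 friendly name (-name above).
    pk12util -i "$work/crt.p12" -d "$db" -P "$prefix" -k "$pwfile" -w "$work/p12pw"
    # certutil -A imports one certificate per call, so split the chain file first and
    # add each CA cert as a trusted TLS CA ("CT,,").
    awk -v d="$work" '/-----BEGIN CERTIFICATE-----/{n++; out=1}
        out{print > (d "/ca" n ".pem")} /-----END CERTIFICATE-----/{out=0}' "$chain"
    n=0
    for f in "$work"/ca*.pem; do
        n=$((n + 1))
        certutil -A -d "$db" -P "$prefix" -f "$pwfile" -n "$nick CA $n" -t "CT,," -a -i "$f"
    done
    rm -rf "$work"   # the .p12 contains the private key; do not leave it in /tmp
    certutil -L -d "$db" -P "$prefix"   # same view as the GUI's Manage Certificates
}
# make_test_pki DIR: constructed throwaway CA and server cert, only to exercise the import.
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/ca.key" -out "$1/ca.pem" \
        -subj /CN=Constructed-Test-CA -days 2 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1/srv.key" -out "$1/srv.csr" \
        -subj /CN=ldap.example.test 2>/dev/null
    openssl x509 -req -in "$1/srv.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" -set_serial 1 \
        -out "$1/srv.pem" -days 2 2>/dev/null
    printf '%s' 'nss-db-pass' > "$1/pw.txt"
}
```

On a real instance, pass the existing alias directory, its `slapd-INSTANCE-` prefix and the directory server's pin file instead of the constructed database, and drop the `-CT,,` trust on intermediates if your policy only trusts the root.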

Comment 1 Rich Megginson 2006-06-29 15:46:33 UTC
How about the CA cert chain?  Does the -in CERTIFICATE have to contain the
server cert + the CA cert chain?  Does that get exported to the .p12 file?

Comment 2 Rob Crittenden 2006-06-29 15:56:10 UTC
This is already documented in a not-so-obvious place at
http://directory.fedora.redhat.com/wiki/Mod_nss#Can_I_use_my_existing_mod_ssl_certificates_with_mod_nss.3F

It would be good to add a link to this somewhere, or perhaps duplicate it to be
DS-specific.

The CA chain is typically stored in a separate .pem file, at least in Apache, so
would need to be imported using certutil.

Comment 3 David Bogen 2006-06-29 16:26:25 UTC
The CERTIFICATE file did not need to contain the CA cert chain.  I'm using a
certificate issued by GeoTrust, and the certificate Just Worked once I figured
out the magical incantation necessary to import it into the certificate
database.  I've since tried to import the GeoTrust root CA, but it never appears
in the Manage Certificates GUI, so I'm guessing that it must mirror the Equifax
cert. already included in FDS.

As for this being already documented, yes and no.  While mod_nss is documented,
it isn't entirely clear how to translate that information into something one can
use with FDS if one isn't intimately familiar with mod_nss and FDS.


Comment 4 Rob Crittenden 2006-06-29 17:43:01 UTC
Yes, I agree. I think what we should do is make a "migrating certificates from
OpenSSL to NSS" page and link both FDS and mod_nss there.

Comment 6 Rich Megginson 2011-06-23 15:04:35 UTC
This is documented on the Howto:SSL page

http://directory.fedoraproject.org/wiki/Howto:SSL#Importing_an_Existing_Key.2FCert

Comment 7 Amita Sharma 2011-06-24 08:23:33 UTC
Yes, checked on the link given in Comment #6, hence marking VERIFIED.

