Bug 197239 - Instructions demonstrating how to import a preexisting key and certificate
Instructions demonstrating how to import a preexisting key and certificate
Status: CLOSED CURRENTRELEASE
Product: 389
Classification: Community
Component: wiki (Show other bugs)
7.1
All Linux
medium Severity medium
: ---
: ---
Assigned To: Rich Megginson
Viktor Ashirov
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2006-06-29 11:40 EDT by David Bogen
Modified: 2015-12-07 11:34 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-12-07 11:34:20 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description David Bogen 2006-06-29 11:40:41 EDT
Description of problem:

There is no information available about how to import a certificate and key that
you already have and that are not necessarily self-signed.

Please include this text in the wiki as it took a non-trivial amount of time to
discover this procedure and I'm sure that others will waste equal amounts of
time on this problem if it is not documented.

Version-Release number of selected component (if applicable):

1.0.2

Additional info:

The following steps can be performed to import a preexisting RSA key and
certificate that may or may not be self-signed.

openssl pkcs12 -export -inkey PRIVATE-KEY -in CERTIFICATE -out /tmp/crt.p12
-nodes -name 'ldap-cert'

cd /opt/fedora-ds/shared/bin

./pk12util -i /tmp/crt.p12 -d /opt/fedora-ds/alias/ -P slapd-INSTANCE-

You should now be able to see and manage the certificate you imported via the
GUI's Manage Certificates option.
Comment 1 Rich Megginson 2006-06-29 11:46:33 EDT
How about the CA cert chain?  Does the -in CERTIFICATE have to contain the
server cert + the CA cert chain?  Does that get exported to the .p12 file?
Comment 2 Rob Crittenden 2006-06-29 11:56:10 EDT
This is already documented in a not-so-obvious place at
http://directory.fedora.redhat.com/wiki/Mod_nss#Can_I_use_my_existing_mod_ssl_certificates_with_mod_nss.3F

It would be good to add a link to this somewhere, or perhaps duplicate it to be
DS-specific.

The CA chain is typically stored in a separate .pem file, at least in Apache, so
would need to be imported using certutil.
Comment 3 David Bogen 2006-06-29 12:26:25 EDT
The CERTIFICATE file did not need to contain the CA cert chain.  I'm using a
certificate issued by GeoTrust, and the certificate Just Worked once I figured
out the magical incantation necessary to import it into the certificate
database.  I've since tried to import the GeoTrust root CA, but it never appears
in the Manage Certificates GUI, so I'm guessing that it must mirror the Equifax
cert. already included in FDS.

As for this being already documented, yes and no.  While mod_nss is documented,
it isn't entirely clear how to translate that information into something one can
use with FDS if one isn't intimately familiar with mod_nss and FDS.
Comment 4 Rob Crittenden 2006-06-29 13:43:01 EDT
Yes, I agree. I think what we should do is make a "migrating certificates from
OpenSSL to NSS" page and link both FDS and mod_nss there.
Comment 6 Rich Megginson 2011-06-23 11:04:35 EDT
This is documented on the Howto:SSL page

http://directory.fedoraproject.org/wiki/Howto:SSL#Importing_an_Existing_Key.2FCert
Comment 7 Amita Sharma 2011-06-24 04:23:33 EDT
Yes Checked on link given in Comment#6, hence marking VERIFIED.

Note You need to log in before you can comment on or make changes to this bug.