Red Hat Bugzilla – Bug 197239
Instructions demonstrating how to import a preexisting key and certificate
Last modified: 2015-12-07 11:34:20 EST
Description of problem:
There is no information available about how to import a certificate and key that
you already have and that are not necessarily self-signed.
Please include this text in the wiki as it took a non-trivial amount of time to
discover this procedure and I'm sure that others will waste equal amounts of
time on this problem if it is not documented.
Version-Release number of selected component (if applicable):
The following steps can be performed to import a preexisting RSA key and
certificate that may or may not be self-signed.
openssl pkcs12 -export -inkey PRIVATE-KEY -in CERTIFICATE -out /tmp/crt.p12 -nodes -name 'ldap-cert'
./pk12util -i /tmp/crt.p12 -d /opt/fedora-ds/alias/ -P slapd-INSTANCE-
You should now be able to see and manage the certificate you imported via the
GUI's Manage Certificates option.
How about the CA cert chain? Does the -in CERTIFICATE have to contain the
server cert + the CA cert chain? Does that get exported to the .p12 file?
This is already documented in a not-so-obvious place at
It would be good to add a link to this somewhere, or perhaps duplicate it to be
The CA chain is typically stored in a separate .pem file, at least in Apache, so
would need to be imported using certutil.
The CERTIFICATE file did not need to contain the CA cert chain. I'm using a
certificate issued by GeoTrust, and the certificate Just Worked once I figured
out the magical incantation necessary to import it into the certificate
database. I've since tried to import the GeoTrust root CA, but it never appears
in the Manage Certificates GUI, so I'm guessing that it must mirror the Equifax
cert. already included in FDS.
As for this being already documented, yes and no. While mod_nss is documented,
it isn't entirely clear how to translate that information into something one can
use with FDS if one isn't intimately familiar with mod_nss and FDS.
Yes, I agree. I think what we should do is make a "migrating certificates from
OpenSSL to NSS" page and link both FDS and mod_nss there.
This is documented on the Howto:SSL page
Yes, checked the link given in Comment #6, hence marking VERIFIED.
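The import from the description, combined with the certutil step the comments mention for a separate CA chain file, as an added example that is not part of the original bug report. The function names, the "ldap-ca-N" nicknames, the temporary directory, the trust-flag choice and having openssl, pk12util and certutil on PATH are all assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the bug report). Assumed names: split_pem_chain,
# import_existing_cert, and the "ldap-ca-N" nicknames.

# Write each certificate in a PEM bundle to OUTDIR/ca-N.pem; print the count.
split_pem_chain() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/ca-" n ".pem"; inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/ { inside = 0; close(out) }
        END { print n + 0 }
    ' "$1"
}

# usage: import_existing_cert KEY CERT CHAIN ALIAS_DIR PREFIX
import_existing_cert() {
    key=$1 cert=$2 chain=$3 db=$4 prefix=$5
    umask 077
    work=$(mktemp -d) || return 1
    # The .p12 contains the private key: build it in a private directory
    # instead of a fixed /tmp path, and remove it when done.
    openssl pkcs12 -export -inkey "$key" -in "$cert" \
        -out "$work/crt.p12" -name 'ldap-cert' &&
        pk12util -i "$work/crt.p12" -d "$db" -P "$prefix"
    rc=$?
    count=0
    [ "$rc" -eq 0 ] && count=$(split_pem_chain "$chain" "$work")
    i=1
    while [ "$i" -le "$count" ]; do
        f="$work/ca-$i.pem"
        # Only a self-signed root (verifies against itself) becomes a trust
        # anchor; intermediates are added without trust flags.
        if openssl verify -CAfile "$f" "$f" >/dev/null 2>&1; then
            trust='CT,,'
        else
            trust=',,'
        fi
        certutil -A -n "ldap-ca-$i" -t "$trust" -a -i "$f" \
            -d "$db" -P "$prefix" || rc=1
        i=$((i + 1))
    done
    rm -rf "$work"
    return "$rc"
}

# Runs only with five arguments, e.g.
#   sh import.sh PRIVATE-KEY CERTIFICATE CHAIN.pem /opt/fedora-ds/alias/ slapd-INSTANCE-
if [ "$#" -eq 5 ]; then import_existing_cert "$@"; fi
```

openssl and pk12util prompt for the export and database passwords interactively, as they do in the original steps.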