Bug 846302 - export ssl certificate from nss db in pem format needs to be documented
Product: Red Hat Enterprise MRG
Classification: Red Hat
Component: Messaging_Installation_and_Configuration_Guide
Version: 2.3
Priority: high
Severity: medium
Assigned To: Joshua Wulf
QA Contact: Petr Matousek
Blocks: 825078 850517
Reported: 2012-08-07 07:47 EDT by Petr Matousek
Modified: 2014-10-19 19:01 EDT
Doc Type: Bug Fix
Last Closed: 2013-03-13 19:59:37 EDT
Type: Bug

Description Petr Matousek 2012-08-07 07:47:17 EDT
Description of problem:

According to Bug 825078, qpid-tools were updated to support SSL encryption.
There is a new option "--ssl-certificate" in the management tools used to provide the client SSL certificate in PEM format in order to establish the secure connection to the broker.

Documentation was not updated accordingly, so the customer may be confused about how to obtain such a certificate.

Chapters "11.3. Encryption using SSL: Enabling SSL in Clients" and "Chapter 13. Management Tools" may be good places to put this info.

Version-Release number of selected component (if applicable):
Messaging User Guide, Edition 2
Revision 2-17

How reproducible:

Steps to Reproduce:
Actual results:
No documentation update regarding the PEM certificate export from the NSS DB.

Expected results:
Export of the SSL certificate from the NSS DB in PEM format is documented.

Additional info:
pk12util -o cert.p12 -n <cert_name> -d <ca_db> -w <password_file>
openssl pkcs12 -in cert.p12 -out cert.pem -nodes -clcerts -passin pass:<password>
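The PKCS#12 to PEM conversion above, carried through end to end as an added example that is not part of the bug report or the MRG documentation. It assumes openssl is on PATH and, since no NSS database is available offline, stands in for the pk12util export with "openssl pkcs12 -export" on a constructed self-signed client certificate; it then checks that the resulting PEM holds one certificate plus a matching private key and that the unencrypted key file is owner-readable only.

```shell
#!/bin/sh
# Added example, not taken from the bug report or the MRG documentation.
# It round-trips a client certificate through the PKCS#12 -> PEM conversion
# the report describes and checks the result. Assumptions: 'openssl' is on
# PATH; because no NSS database is available offline, the .p12 file that
# pk12util would export is stood in for by 'openssl pkcs12 -export' run on
# a constructed self-signed certificate.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
P12PW='constructed-p12-password'   # stands in for <p12pw> in the report

# Build the constructed client certificate and key, then bundle them the way
# pk12util -o would (one cert bag plus one shrouded key bag).
make_p12() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=example-client' \
        -keyout "$WORK/client.key" -out "$WORK/client.crt" >/dev/null 2>&1
    openssl pkcs12 -export -in "$WORK/client.crt" -inkey "$WORK/client.key" \
        -name example-client -out "$WORK/client.p12" -passout "pass:$P12PW"
}

# The conversion from the report, without the stray '/dev/null' argument.
# -nodes writes the private key unencrypted, so the output file is created
# owner-readable only (umask in a subshell so the caller's umask is untouched).
p12_to_pem() {
    ( umask 077
      openssl pkcs12 -in "$1" -out "$2" -nodes -clcerts -passin "pass:$P12PW" )
}

# Checks that the PEM holds exactly one certificate, a private key that
# matches it, and mode 0600. Returns 0 when all hold, 1 otherwise.
verify_pem() {
    pem=$1
    [ "$(grep -c 'BEGIN CERTIFICATE' "$pem")" -eq 1 ] || return 1
    grep -q 'BEGIN .*PRIVATE KEY' "$pem" || return 1
    cert_pub=$(openssl x509 -in "$pem" -noout -pubkey)
    key_pub=$(openssl pkey -in "$pem" -pubout)
    [ "$cert_pub" = "$key_pub" ] || return 1
    [ -n "$(find "$pem" -perm 600)" ] || return 1
}

make_p12
p12_to_pem "$WORK/client.p12" "$WORK/client.pem"
verify_pem "$WORK/client.pem" && echo "client.pem: certificate and matching key exported"
```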
Comment 6 Joshua Wulf 2013-02-07 07:17:17 EST
I've added a reusable topic about exporting the certificate:


This will be used by multiple books, so it will be kept up-to-date.

I've also added (through reuse) the OpenSSL Certificate Reference from the MICG as an appendix.


If there is not time to review it sufficiently I can remove it, or it may be able to be reviewed/QA'd through Grid.
Comment 7 Petr Matousek 2013-02-07 11:36:10 EST
Hi Joshua, 

Certificates in PEM format are used in MRG/M only with the Python client, thus I believe that paragraph 8.2.3 should be moved below to the Python section of the following paragraph, "8.2.4. Enable SSL on the Clients".

Moreover, I noticed that the new Appendix B in the MICG describes the export of the client SSL certificate from the NSS DB sufficiently. So I believe that this paragraph (8.2.3) is redundant and should be removed altogether.

But I still strongly recommend referring to the information in the Python section of paragraph 8.2.4:

When SSL is enabled on the broker and client authentication is required,
the clients require a client certificate to establish a secure connection.
Please see the "Exporting a Certificate from NSS into PEM Format" section in Appendix B for details.
Comment 10 Petr Matousek 2013-02-11 04:54:31 EST
Hi Joshua, sorry, I probably didn't make myself clear. The following changes are requested:

8.2.4. Export an SSL Certificate for Clients

^^ This paragraph is redundant and should be removed altogether (sufficient info is provided in the "Exporting a Certificate from NSS into PEM Format" section of Appendix B)

8.2.3. Enable SSL on the Clients

a.] Remove the link to the just removed paragraph 8.2.4.
b.] If possible, it would be better to point directly to "Exporting a Certificate from NSS into PEM Format" section of Appendix B.

Python clients
  See Also:
-    * Section 8.2.4, “Export an SSL Certificate for Clients”
-    * Appendix B, OpenSSL Certificate Reference 
+    * Exporting a Certificate from NSS into PEM Format, Appendix B
Comment 12 Joshua Wulf 2013-02-11 11:58:17 EST
At the moment I can't point to a sub-section in the appendix. To make the information more accessible to readers I've included it as a separate entry in the chapter. Also, if we pull that appendix out due to lack of time to complete QE on it in 2.3, we need the "Export an SSL Certificate for Clients" information in the book.

I've made the Python client section link to the export a certificate topic and the appendix.


(I am having trouble with brew at the moment, so please check out this URL)
Comment 13 Petr Matousek 2013-02-13 07:38:20 EST
I am fine with pointing at the whole Appendix, but I still believe that it is not necessary to keep the redundant information in the document. In other words: if Appendix B becomes part of the MICG, paragraph 8.2.3 is redundant.

Leaving this bugzilla ON_QA until it is decided whether the Appendix B will be part of the MICG or not.
Comment 17 Petr Matousek 2013-02-18 10:56:16 EST
Hi Joshua, as bug 910009 (new Appendix B) has already been reviewed and hopefully will be verified soon, I suggest removing the content tracked by this bug (paragraph 8.2.3. Export an SSL Certificate for Clients), because the content will be redundant. Then close this bug as a duplicate of 910009.

If you decide to leave the paragraph in the documentation for any reason, please make the following changes to be more in compliance with the openssl doc:

- The following example commands can be used to export a certificate from the broker's NSS database: 
+ The following example commands can be used to export a client certificate and the private key from the broker's NSS database:  

- pk12util -o cert.p12 -n <cert_name> -d <ca_db> -w <password_file>
+ pk12util -o <p12exportfile> -n <certname> -d <certdir> -w <p12filepwfile>
- openssl pkcs12 -in cert.p12 -out cert.pem -nodes -clcerts -passin pass:<password> /dev/null
+ openssl pkcs12 -in <p12exportfile> -out <clcertname> -nodes -clcerts -passin pass:<p12pw>
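Review bot: "-passin pass:<p12pw>" in the "+" openssl line puts the PKCS#12 password on the command line, where it shows up in process listings and shell history; the pk12util line already reads its password from a file ("-w <p12filepwfile>"), so the openssl line could match it with "-passin file:<p12pwfile>". The surrounding text should also say that "-nodes" writes the private key into <clcertname> unencrypted, so that file needs owner-only permissions.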
Comment 19 Petr Matousek 2013-02-19 03:54:53 EST
Hi Joshua, the changes are OK, but you didn't notice that the "/dev/null" string should be removed. I should have mentioned that explicitly:

- openssl pkcs12 -in <p12exportfile> -out <clcertname> -nodes -clcerts -passin pass:<p12pw> /dev/null
+ openssl pkcs12 -in <p12exportfile> -out <clcertname> -nodes -clcerts -passin pass:<p12pw>
Comment 21 Petr Matousek 2013-02-19 05:31:59 EST
Content approved.

Version used for verification:
Messaging Installation and Configuration Guide (Revision 1.0.0-51)

Comment 22 Cheryn Tan 2013-03-13 19:59:37 EDT
Docs published on https://access.redhat.com/knowledge/docs/Red_Hat_Enterprise_MRG/
