Bug 846302 - export ssl certificate from nss db in pem format needs to be documented
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise MRG
Classification: Red Hat
Component: Messaging_Installation_and_Configuration_Guide
Version: Development
Hardware: Unspecified
OS: Unspecified
high
medium
Target Milestone: 2.3
: ---
Assignee: Joshua Wulf
QA Contact: Petr Matousek
URL:
Whiteboard:
Depends On:
Blocks: 825078 850517
Reported: 2012-08-07 11:47 UTC by Petr Matousek
Modified: 2014-10-19 23:01 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-03-13 23:59:37 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 910009 0 unspecified CLOSED SSL Certificate Reference Appendix 2021-02-22 00:41:40 UTC

Internal Links: 910009

Description Petr Matousek 2012-08-07 11:47:17 UTC
Description of problem:

According to Bug 825078, qpid-tools were updated to support ssl encryption. 
There is a new option "--ssl-certificate" in the management tools used to provide the client SSL certificate in PEM format in order to establish the secure connection to the broker.

Documentation was not updated accordingly, so the customer may be confused about how to obtain such a certificate.

Chapters "11.3. Encryption using SSL: Enabling SSL in Clients" and "Chapter 13. Management Tools" may be good places to put this info.

Version-Release number of selected component (if applicable):
Messaging User Guide, Edition 2
Revision 2-17

How reproducible:
n/a

Steps to Reproduce:
n/a
  
Actual results:
No documentation update regarding the pem certificate export from nss db.

Expected results:
Export of ssl certificate from nss db in pem format is documented.

Additional info:
pk12util -o cert.p12 -n <cert_name> -d <ca_db> -w <password_file>
openssl pkcs12 -in cert.p12 -out cert.pem -nodes -clcerts -passin pass:<password> /dev/null
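
Added example, not part of the original bug report or the Red Hat documentation: the openssl conversion step from the commands above, followed by a check that the resulting PEM holds exactly one client certificate and its matching private key before it is given to --ssl-certificate. It runs on a constructed PKCS#12 file standing in for real pk12util output; the function names, file names and the use of -passin file: are choices made for this example.

```bash
#!/bin/sh
set -eu

# Constructed stand-in for the file `pk12util -o` would write (no NSS db needed).
make_sample_p12() (  # $1 = work directory
  cd "$1"
  umask 077
  printf '%s\n' 'constructed-pw' > p12pw.txt
  openssl req -x509 -newkey rsa:2048 -nodes -keyout k.pem -out c.pem \
      -subj '/CN=constructed-client' -days 1 >/dev/null 2>&1
  openssl pkcs12 -export -in c.pem -inkey k.pem -name client \
      -out cert.p12 -passout file:p12pw.txt
  rm -f k.pem c.pem
)

# The conversion step: password read from a file, output created owner-only
# because -nodes leaves the private key unencrypted in the PEM.
p12_to_pem() (  # $1 = p12 file, $2 = password file, $3 = output PEM
  umask 077
  openssl pkcs12 -in "$1" -out "$3" -nodes -clcerts -passin "file:$2"
)

# Succeeds only if the PEM has one certificate, one private key,
# and the key's public half equals the certificate's public key.
check_client_pem() (  # $1 = PEM file
  certs=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true)
  keys=$(grep -c -- '-----BEGIN .*PRIVATE KEY-----' "$1" || true)
  [ "$certs" -eq 1 ] && [ "$keys" -eq 1 ] || exit 1
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey |
             openssl pkey -pubin -outform DER | openssl dgst -sha256)
  key_pub=$(openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256)
  [ "$cert_pub" = "$key_pub" ]
)

# Demo run on the constructed sample.
work=$(mktemp -d)
make_sample_p12 "$work"
p12_to_pem "$work/cert.p12" "$work/p12pw.txt" "$work/client.pem"
check_client_pem "$work/client.pem" && echo "client.pem: certificate and key match"
rm -rf "$work"
```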

Comment 6 Joshua Wulf 2013-02-07 12:17:17 UTC
I've added a reusable topic about exporting the certificate:

http://documentation-devel.engineering.redhat.com/docs/en-US/Red_Hat_Enterprise_MRG/2/html-single/Messaging_Installation_and_Configuration_Guide/index.html#Export_an_SSL_Certificate_for_Clients

This will be used by multiple books, so it will be kept up-to-date.

I've also added (through reuse) the OpenSSL Certificate Reference from the MCIG as an appendix. 

http://documentation-devel.engineering.redhat.com/docs/en-US/Red_Hat_Enterprise_MRG/2/html-single/Messaging_Installation_and_Configuration_Guide/index.html#appe-OpenSSL_Certificate_Reference

If there is not time to review it sufficiently I can remove it, or it may be able to be reviewed/QA'd through Grid.

Comment 7 Petr Matousek 2013-02-07 16:36:10 UTC
Hi Joshua, 

Certificates in PEM format are used in MRG/M only with the python client, thus I believe that the paragraph 8.2.3 shall be moved below to the python section of the following paragraph - "8.2.4. Enable SSL on the Clients"

Moreover, I noticed that the new Appendix B in the MICG describes the export of the client ssl certificate from nss db sufficiently. So I believe that this paragraph (8.2.3) is redundant and shall be removed altogether.

But I still strongly recommend to refer to the information in python section of paragraph 8.2.4:
ie.: 

When SSL is enabled on the broker and the client's authentication is required, 
the clients require a client certificate to establish a secure connection. 
Please see "Exporting a Certificate from NSS into PEM Format" section in Appendix B for details.

Comment 10 Petr Matousek 2013-02-11 09:54:31 UTC
Hi Joshua, sorry, I probably didn't make myself clear. Following changes are requested:

8.2.4. Export an SSL Certificate for Clients

^^ This paragraph is redundant and shall be removed altogether (sufficient info is provided in the "Exporting a Certificate from NSS into PEM Format" section of Appendix B)

8.2.3. Enable SSL on the Clients

a.] Remove the link to the just removed paragraph 8.2.4.
b.] If possible, it would be better to point directly to "Exporting a Certificate from NSS into PEM Format" section of Appendix B.

Python clients
  See Also:
-    * Section 8.2.4, “Export an SSL Certificate for Clients”
-    * Appendix B, OpenSSL Certificate Reference 
+    * Exporting a Certificate from NSS into PEM Format, Appendix B

Comment 12 Joshua Wulf 2013-02-11 16:58:17 UTC
At the moment I can't point to a sub-section in the appendix. To make the information more accessible to readers I've included it as a separate entry in the chapter. Also, if we pull that appendix out due to lack of time to complete QE on it in 2.3, we need the "Export an SSL Certificate for Clients" information in the book.

I've made the Python client section link to the export a certificate topic and the appendix.

http://deathstar1.usersys.redhat.com/MCIG/index.html#Enable_SSL_in_Python_Clients

(I am having trouble with brew at the moment, so please check it out at this URL)

Comment 13 Petr Matousek 2013-02-13 12:38:20 UTC
I am fine with pointing at the whole Appendix, but I still believe that it is not necessary to hold the redundant information in the document. In other words: if Appendix B becomes part of the MCIG, the paragraph 8.2.3 is redundant.

Leaving this bugzilla ON_QA until it is decided whether the Appendix B will be part of the MICG or not.

Comment 17 Petr Matousek 2013-02-18 15:56:16 UTC
Hi Joshua, as the bug 910009 (new Appendix B) was already reviewed and hopefully will be verified soon, I suggest removing the content tracked by this bug (paragraph: 8.2.3. Export an SSL Certificate for Clients), because the content will be redundant. Then close this bug as a duplicate of 910009.

If you decide to leave the paragraph in the documentation for any reason, please make the following changes to be more in compliance with the openssl doc:

- The following example commands can be used to export a certificate from the broker's NSS database: 
+ The following example commands can be used to export a client certificate and the private key from the broker's NSS database:  

- pk12util -o cert.p12 -n <cert_name> -d <ca_db> -w <password_file>
+ pk12util -o <p12exportfile> -n <certname> -d <certdir> -w <p12filepwfile>
- openssl pkcs12 -in cert.p12 -out cert.pem -nodes -clcerts -passin pass:<password> /dev/null
+ openssl pkcs12 -in <p12exportfile> -out <clcertname> -nodes -clcerts -passin pass:<p12pw>
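
Review bot: On the `+ openssl pkcs12 ...` line, `-passin pass:<p12pw>` puts the PKCS#12 password on the command line, where it lands in shell history and is visible to other local users in the process list, while the `pk12util` line above already reads it from `-w <p12filepwfile>`. Suggest `-passin file:<p12filepwfile>` so both steps can read the same password file. The same line keeps `-nodes`, which writes the private key unencrypted into `<clcertname>`; the introductory sentence should say so and tell readers to restrict that file's permissions.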

Comment 19 Petr Matousek 2013-02-19 08:54:53 UTC
Hi Joshua, changes are OK, but you didn't notice that the "/dev/null" string shall be removed. I should have mentioned that explicitly:

- openssl pkcs12 -in <p12exportfile> -out <clcertname> -nodes -clcerts -passin pass:<p12pw> /dev/null
+ openssl pkcs12 -in <p12exportfile> -out <clcertname> -nodes -clcerts -passin pass:<p12pw>

Comment 21 Petr Matousek 2013-02-19 10:31:59 UTC
Content approved.

Version used for verification:
Messaging Installation and Configuration Guide (Revision 1.0.0-51)

-> VERIFIED

Comment 22 Cheryn Tan 2013-03-13 23:59:37 UTC
Docs published on https://access.redhat.com/knowledge/docs/Red_Hat_Enterprise_MRG/

