Sharing iPlanet Certificates
Original author: Beth Mercer - 20080702
Overview
Certificates are handled differently on the legacy systems (the E boxes) than on the IDMP-x cluster. This document covers only certificate management on the legacy E Box systems.
Apache and iPlanet share the certificate that was requested by, and installed under, iPlanet. The .crt and key file names and locations are set by two directives in httpd.conf:
- SSLCertificateFile: /usr/local/Apache/ssl-certs/<E Box>.crt
- SSLCertificateKeyFile: /usr/local/Apache/ssl-certs/<E Box>_private.key
Extracting CRT and Key Components from the E Box iPlanet Certificate
What follows is an example of the process for extracting the crt and key components from the iPlanet certificate. The appropriate response to all password prompts is the token value stored in the following file on the legacy E boxes:
<E Box>:~iplanet/.ssl.pass
In the example below, the output file name (./junk) in the commands is arbitrary. Also be aware that the pk12util command below is wrapped with <backslash-newline> after its first line; if you type it as a single line, omit the backslash. The following options are used:
- '-d /e01/iplanet/servers/alias/' references the location of cert/key database files.
- '-P slapd-<E box>-' references the prefix of the cert/key database files belonging to a particular directory server instance.
- '-n server-cert' references the nickname of a particular certificate in the cert/key database.
{{{
iplanet@eklutna> /e01/iplanet/servers/shared/bin/pk12util -o ./junk \
    -d /e01/iplanet/servers/alias/ -n server-cert -P slapd-<E box>-
Enter Password or Pin for "NSS Certificate DB": *XXYYZZ*
Enter password for PKCS12 file: *XXYYZZ*
Re-enter password: *XXYYZZ*
pk12util: PKCS12 EXPORT SUCCESSFUL
}}}
An additional option may be used:
- '[-w p12filepwfile | -W p12filepw]' supplies the PKCS12 file password from a file (-w) or on the command line (-W) rather than entering it via prompts. Prefer -w when scripting: a password given with -W is visible in the process list and in shell history.
In the above example, pk12util wrote the PKCS#12 file ./junk; the remaining steps use OpenSSL to split it (see also: pkcs12 - PKCS#12 file utility - OpenSSL).
Certificate Nicknames
Each nickname referenced by the -n option corresponds to a particular cert. server-cert is the default nickname proposed by iPlanet, and it is the one we associated with the server-name-based certs: the eklutna, elias, egegik and edgar certs are all stored under the server-cert nickname, each in its own server's cert/key database. More recently, certs requested under iPlanet have been given more explicit nicknames, such as dirtiest.
To obtain a list of nicknames from a specific key database:
{{{
iplanet@eklutna> /e01/iplanet/servers/shared/bin/certutil -K -d /e01/iplanet/servers/alias -P slapd-eklutna-
Enter Password or Pin for "NSS Certificate DB":
<0> <1> server-cert
}}}
Note that certutil -K lists the private keys in the key database; certutil -L with the same -d and -P options lists the certificates with their nicknames and trust flags.

Confirm that the PKCS#12 export from pk12util exists, then extract the certificate (-clcerts -nokeys) and the private key (-nocerts) from it. The "Import Password" is the PKCS12 file password chosen during the pk12util export; the "PEM pass phrase" is a new pass phrase protecting the extracted key until it is removed in the next step:
{{{
iplanet@eklutna> ls -al ./junk
-rw------- 1 iplanet iplanet 2772 Oct 27 16:01 ./junk
iplanet@eklutna> /usr/local/bin/openssl pkcs12 -clcerts -nokeys -in ./junk -out ./eklutna.crt
Enter Import Password: *XXYYZZ*
MAC verified OK
iplanet@eklutna> ls -lrt ./eklutna.crt
-rw-r--r-- 1 iplanet iplanet 1245 Oct 27 16:02 ./eklutna.crt
iplanet@eklutna> /usr/local/bin/openssl pkcs12 -nocerts -in ./junk -out ./eklutna_private.pem
Enter Import Password: *XXYYZZ*
MAC verified OK
Enter PEM pass phrase: *XXYYZZ*
Verifying - Enter PEM pass phrase: *XXYYZZ*
iplanet@eklutna> ls -lrt ./eklutna_private.pem
-rw-r--r-- 1 iplanet iplanet 1105 Oct 27 16:05 ./eklutna_private.pem
}}}
To create the key without a pass phrase (Apache needs this so that httpd can start without prompting). The pass phrase requested here is the PEM pass phrase entered in the previous step; an empty response only works if the key was exported unencrypted (openssl pkcs12 -nodes):
{{{
iplanet@eklutna> /usr/local/bin/openssl rsa -in ./eklutna_private.pem -out ./eklutna_private.key
Enter pass phrase for ./eklutna_private.pem: *XXYYZZ*
writing RSA key
iplanet@eklutna> ls -lrt ./eklutna_private.key
-rw-r--r-- 1 iplanet iplanet 887 Oct 27 16:06 ./eklutna_private.key
}}}
Both eklutna_private.pem and eklutna_private.key were created mode 644 (see the ls output above), and ./junk still contains the private key: chmod 600 the key files before handing them over, and remove ./junk and eklutna_private.pem once the .key file is in place.
Now ask the 'root' user to move the files from "~iplanet" to "/usr/local/Apache/ssl-certs/", keeping <E Box>_private.key readable by root only (httpd reads the key as root at startup, before dropping privileges).
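The complete OpenSSL half of the procedure above, with the checks a practitioner wants before handing the files to root, as an added example that is not part of the original page. It assumes the PKCS#12 bundle already exists (the pk12util output, ./junk above) and, so that it can be run anywhere openssl is installed, builds a throw-away self-signed bundle of its own instead. The function and file names (extract_apache_pair, pair_matches, make_test_bundle, junk.p12, pw) are assumptions. It departs from the interactive transcript in two ways: passwords are read from a file (-passin file:, the OpenSSL counterpart of pk12util -w) rather than typed, and the key is exported with -nodes, so the openssl rsa step only re-writes it in the form Apache expects and confirms it parses rather than stripping a pass phrase. Before anything is handed over, the certificate's modulus is compared with the key's so that a cert/key mismatch is caught here rather than at the next httpd restart.

```shell
#!/bin/sh
# Added example (not the page's or iPlanet's own code): split a PKCS#12
# bundle such as the one pk12util writes into an Apache .crt and a
# pass-phrase-less .key, check that they belong together, and fix the
# file modes. Requires only openssl. Names are assumptions.

set -e
umask 077   # every file we create starts out owner-readable only

# pair_matches <cert.pem> <key.pem>: true iff the RSA modulus in the
# certificate equals the one in the private key.
pair_matches() {
    c=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) || return 1
    k=$(openssl rsa  -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# extract_apache_pair <bundle.p12> <password file> <hostname>
#   Writes <hostname>.crt (0644) and <hostname>_private.key (0600) into the
#   current directory; fails if any step fails or the key does not match.
extract_apache_pair() {
    p12=$1; pwfile=$2; host=$3
    # Certificate only (-clcerts -nokeys). The password comes from a file so
    # it never appears in argv or shell history.
    openssl pkcs12 -in "$p12" -clcerts -nokeys \
        -passin "file:$pwfile" -out "$host.crt" || return 1
    # Private key only, written unencrypted (-nodes) so httpd can start
    # without a prompt; this replaces the page's PEM pass phrase round trip.
    openssl pkcs12 -in "$p12" -nocerts -nodes \
        -passin "file:$pwfile" -out "$host.pem.tmp" || return 1
    # Same as the page's final step: re-write the key and prove it parses.
    openssl rsa -in "$host.pem.tmp" -out "${host}_private.key" || return 1
    rm -f "$host.pem.tmp"
    chmod 0644 "$host.crt" && chmod 0600 "${host}_private.key" || return 1
    pair_matches "$host.crt" "${host}_private.key"
}

# Constructed test material: a throw-away self-signed cert and key bundled
# into a PKCS#12 file, standing in for the pk12util export (./junk).
make_test_bundle() {
    dir=$1
    printf 'XXYYZZ\n' > "$dir/pw" &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=eklutna" \
        -keyout "$dir/k.pem" -out "$dir/c.pem" 2>/dev/null &&
    openssl pkcs12 -export -in "$dir/c.pem" -inkey "$dir/k.pem" \
        -name server-cert -passout "file:$dir/pw" -out "$dir/junk.p12"
}

# demo: build a bundle, extract the pair, show the resulting modes.
demo() {
    work=$(mktemp -d)
    make_test_bundle "$work"
    ( cd "$work" && extract_apache_pair junk.p12 pw eklutna )
    ls -l "$work/eklutna.crt" "$work/eklutna_private.key"
    # The bundle still holds the key: delete it once the pair is verified.
    rm -f "$work/junk.p12"
    echo "files are in $work; move them to /usr/local/Apache/ssl-certs/ as root"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `sh extract.sh demo`; the ls line should show the key as -rw------- and the certificate as -rw-r--r--. For a real E box, point extract_apache_pair at the pk12util output and at a password file containing the token from ~iplanet/.ssl.pass.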
HTTPD Configuration
Originally the httpd.conf located at /usr/local/Apache/httpd.conf, included references shown below that corresponded to the certificate file locations listed above:
/usr/local/Apache/httpd.conf:
{{{
SSLCertificateFile /usr/local/Apache/ssl-certs/eklutna.crt
SSLCertificateKeyFile /usr/local/Apache/ssl-certs/eklutna_private.key
}}}
The file no longer contains these references. The excerpt contains the current httpd.conf directives; only the options actually used (i.e., not every directive in the original template) are copied here.
########################################################
LEGACY CHANGE HISTORY - NOTE: All subsequent changes are recorded in TracWiki
########################################################
20080702 sxelm : Added verbiage describing elements of the first pk12util example
20080702 sxclm : Fully qualified commands: pk12util and openssl. Wrapped pk12util command line example with <backslash+newline>. If typing as one line, remove extraneous <backslash+whitespace>.
20061027 sxelm : Extracting Apache .crt and .key Files from iPlanet Certificate