wiki:APACHE_sharing_iplanet_cert
Last modified on 12/03/14 15:13:50

Sharing iPlanet Certificates

Original author: Beth Mercer - 20080702

Overview

Certificates are handled differently on the legacy systems (the E boxes) than on the IDMP-x cluster. This document covers certificate management for the legacy E Box systems only.

Apache and iPlanet share the certificate that was requested by, and installed under, iPlanet. The crt and key file names and locations are given by two directives in httpd.conf:

  • SSLCertificateFile: /usr/local/Apache/ssl-certs/<E Box>.crt
  • SSLCertificateKeyFile: /usr/local/Apache/ssl-certs/<E Box>_private.key

Extracting CRT and Key Components from the E Box iPlanet Certificate

What follows is an example of extracting the crt and key components from the iPlanet certificate. Answer every password prompt with the token value stored in the following file on the legacy E boxes (this file holds the NSS certificate database password, so it must stay readable by the iplanet user only):

<E Box>:~iplanet/.ssl.pass

In the example below, the output file name (./junk) is arbitrary; it is the PKCS#12 bundle that the later openssl steps unpack. Also be aware that the pk12util command line below is wrapped with <backslash-newline> after the first line. The following options are used:

  • '-d /e01/iplanet/servers/alias/' is the directory holding the cert/key database files.
  • '-P slapd-<E box>-' is the file-name prefix of the cert/key database belonging to a particular server instance (here the Directory Server instance slapd-<E box>).
  • '-n server-cert' is the nickname of the certificate to export from the cert/key database.

iplanet@eklutna> /e01/iplanet/servers/shared/bin/pk12util -o ./junk \
                 -d /e01/iplanet/servers/alias/ -n server-cert -P slapd-<E box>-

Enter Password or Pin for "NSS Certificate DB":  *XXYYZZ*
Enter password for PKCS12 file:  *XXYYZZ*
Re-enter password:  *XXYYZZ*
pk12util: PKCS12 EXPORT SUCCESSFUL

An additional option may be used:

  • '[-w p12filepwfile | -W p12filepw]' supplies the PKCS12 file password from a file (or on the command line) instead of via the prompts. Prefer the file form: a password given with -W is visible to every user on the box via ps.

In the above example, ./junk now contains both the certificate and the private key; the openssl pkcs12 steps that split it into the .crt and .key files continue below the note on nicknames (see also: pkcs12 - PKCS#12 file utility - OpenSSL).

Certificate Nicknames

Each nickname given to the -n option identifies one certificate in the database. The nickname server-cert is the default proposed by iPlanet, and it is the one we used for the certificates named after the server. In other words, the eklutna, elias, egegik and edgar certs all sit under the server-cert nickname. More recently, certs requested under iPlanet have been given more explicit nicknames such as dirtiest.

To list the nicknames in a specific key database (certutil -K lists the private keys; certutil -L with the same -d and -P options lists the certificates):

iplanet@eklutna> /e01/iplanet/servers/shared/bin/certutil -K -d /e01/iplanet/servers/alias -P slapd-eklutna-    
Enter Password or Pin for "NSS Certificate DB":
<0> 
<1> server-cert

Continuing with the bundle written by pk12util above, first confirm it exists and is private to the iplanet user, then pull out the certificate only (-clcerts -nokeys):

iplanet@eklutna> ls -al ./junk
-rw-------   1 iplanet  iplanet     2772 Oct 27 16:01 ./junk
iplanet@eklutna> /usr/local/bin/openssl pkcs12 -clcerts -nokeys -in ./junk -out ./eklutna.crt
Enter Import Password:  *XXYYZZ*
MAC verified OK

iplanet@eklutna> ls -lrt ./eklutna.crt
-rw-r--r--   1 iplanet  iplanet     1245 Oct 27 16:02 ./eklutna.crt
Next extract the private key (-nocerts). openssl writes it PEM-encrypted under the pass phrase you supply at the "Enter PEM pass phrase" prompt:

iplanet@eklutna> /usr/local/bin/openssl pkcs12 -nocerts -in ./junk -out ./eklutna_private.pem
Enter Import Password:  *XXYYZZ*
MAC verified OK
Enter PEM pass phrase:  *XXYYZZ*
Verifying - Enter PEM pass phrase:  *XXYYZZ*

iplanet@eklutna> ls -lrt ./eklutna_private.pem
-rw-r--r--   1 iplanet  iplanet     1105 Oct 27 16:05 ./eklutna_private.pem

To create the key without a pass phrase (Apache cannot prompt for one at startup), answer the prompt with the PEM pass phrase set in the previous step; the output file is written unencrypted:

iplanet@eklutna> /usr/local/bin/openssl rsa -in ./eklutna_private.pem -out ./eklutna_private.key
Enter pass phrase for ./eklutna_private.pem:  *XXYYZZ*
writing RSA key

iplanet@eklutna> ls -lrt ./eklutna_private.key
-rw-r--r--   1 iplanet  iplanet      887 Oct 27 16:06 ./eklutna_private.key

Note that this file now holds the unencrypted private key and, as the listing shows, was created world-readable (0644). Run chmod 600 ./eklutna_private.key before handing it over, and delete ./junk and ./eklutna_private.pem once the .crt and .key files are in place.

Now ask the root user to move the files from ~iplanet to /usr/local/Apache/ssl-certs/. The .key file should end up owned by root with mode 0600 (Apache reads it as root at startup); the .crt file may remain world-readable.
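The openssl half of the procedure above, as a script. This is an added example and not part of the original page or of the E Box tooling: it takes the PKCS#12 bundle written by pk12util (./junk above), produces <E Box>.crt and <E Box>_private.key, checks that the certificate and key actually belong together, and creates the key 0600 from the start rather than the 0644 shown in the listings. It assumes openssl is on PATH (set OPENSSL=/usr/local/bin/openssl to use the E Box binary); the host name, bundle name and password are placeholders, and make_sample_bundle builds a throwaway self-signed certificate purely as constructed test input.

```shell
#!/bin/sh
# Added example (not from the original page): scripted extraction of the
# Apache .crt/.key pair from a pk12util PKCS#12 bundle, with a cert/key
# match check and owner-only permissions on the key.
set -eu

# Override with OPENSSL=/usr/local/bin/openssl on the E boxes (assumption:
# openssl is on PATH otherwise).
OPENSSL=${OPENSSL:-openssl}

# extract_pair BUNDLE HOST PASSWORD
#   BUNDLE   PKCS#12 file exported by pk12util (./junk in the text)
#   HOST     E Box name; writes HOST.crt and HOST_private.key
#   PASSWORD the PKCS#12 file password (the token from ~iplanet/.ssl.pass)
extract_pair() {
  bundle=$1 host=$2 pw=$3

  # Certificate only (-clcerts -nokeys), exactly as in the manual steps.
  "$OPENSSL" pkcs12 -clcerts -nokeys -in "$bundle" -passin "pass:$pw" \
    -out "$host.crt"

  # Key without a pass phrase in one step (-nodes) instead of the
  # pkcs12 -nocerts + openssl rsa pair; umask 077 makes the file 0600
  # at creation so the unencrypted key is never world-readable.
  ( umask 077
    "$OPENSSL" pkcs12 -nocerts -nodes -in "$bundle" -passin "pass:$pw" \
      -out "${host}_private.key" )
  chmod 600 "${host}_private.key"
}

# pair_matches CRT KEY -> exit 0 when the key's public half equals the
# public key inside the certificate (works for RSA and EC keys alike).
pair_matches() {
  crt_pub=$("$OPENSSL" x509 -in "$1" -noout -pubkey)
  key_pub=$("$OPENSSL" pkey -in "$2" -pubout)
  [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# key_mode FILE -> octal permission bits, e.g. 600 (GNU stat, then BSD stat)
key_mode() {
  stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# make_sample_bundle DIR HOST PASSWORD
# Constructed test input: a one-day self-signed cert and key packed the
# way pk12util packs them (nickname as the friendly name). Not a real
# E Box certificate.
make_sample_bundle() {
  dir=$1 host=$2 pw=$3
  "$OPENSSL" req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$host" \
    -keyout "$dir/sample.key" -out "$dir/sample.crt" 2>/dev/null
  "$OPENSSL" pkcs12 -export -name server-cert -inkey "$dir/sample.key" \
    -in "$dir/sample.crt" -passout "pass:$pw" -out "$dir/junk"
}

# Usage: sh share_cert.sh --demo   (runs the whole flow on a sample bundle)
if [ "${1:-}" = "--demo" ]; then
  work=$(mktemp -d)
  make_sample_bundle "$work" eklutna XXYYZZ
  ( cd "$work" && extract_pair ./junk eklutna XXYYZZ \
      && pair_matches eklutna.crt eklutna_private.key \
      && echo "cert and key match" && ls -l eklutna.crt eklutna_private.key )
fi
```

Two points worth knowing when running this against a real E Box bundle rather than the sample one. First, pair_matches is the check to run before handing the files to root: an exported bundle can carry a certificate whose key is not the one under the nickname you expected, and Apache will only tell you at startup. Second, bundles written by old NSS versions typically protect the certificate bag with 40-bit RC2, which OpenSSL 3.x no longer loads by default; if the pkcs12 step fails with an unsupported-algorithm error on a modern openssl, retry with the -legacy option (which needs the legacy provider available).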

HTTPD Configuration

Originally the httpd.conf at /usr/local/Apache/httpd.conf contained the references shown below, matching the certificate file locations listed above:

/usr/local/Apache/httpd.conf:

SSLCertificateFile /usr/local/Apache/ssl-certs/eklutna.crt
SSLCertificateKeyFile /usr/local/Apache/ssl-certs/eklutna_private.key

The file no longer contains these references. The excerpts contain the current httpd.conf directives; only the options actually in use (not every option included in the original template) are copied here.

########################################################
LEGACY CHANGE HISTORY - NOTE: All subsequent changes are recorded in TracWiki
########################################################
20080702 sxelm : Added verbiage describing elements of the first pk12util example
20080702 sxclm : Fully qualified commands: pk12util and openssl. Wrapped pk12util command line example with <backslash+newline>. If typing as one line, remove extraneous <backslash+whitespace>.
20061027 sxelm : Extracting Apache .crt and .key Files from iPlanet Certificate