= Sharing iPlanet Certificates =
Original author: Beth Mercer - 20080702

== Overview ==
Certificates are handled differently on the legacy systems (the E boxes) than on the IDMP-''x'' cluster. The discussion is divided into two groups,

On the E boxes, Apache and iPlanet share the certificate that was requested by, and installed under, iPlanet: the files Apache uses are extracted from iPlanet's certificate database rather than requested separately. The crt and key file names/locations are set in the httpd.conf file:

* SSLCertificateFile: /usr/local/Apache/ssl-certs/<''E Box''>.crt
* SSLCertificateKeyFile: /usr/local/Apache/ssl-certs/<''E Box''>_private.key

== Extracting CRT and Key Components from the iPlanet Certificate ==
What follows is an example of the process for extracting the crt and key components from the
iPlanet certificate. The appropriate response to every password prompt below is the token value
stored in the following file on the legacy E boxes (that value unlocks the private key, so keep the file readable by the iplanet user only):

<''E Box''>:~iplanet/.ssl.pass

The entire listing of passwords used by the user iplanet on the E Box servers is:

IDMP-''xx'' servers
The IDMP-x cluster servers have set up access based on functionality in a different way. On those machines

''Note:'' the output file name (./junk) in the commands below is arbitrary.
''Note:'' the pk12util command below is wrapped with <backslash-newline> on the first line; if typing it as one line, drop the backslash.

iplanet@eklutna> /e01/iplanet/servers/shared/bin/pk12util -o ./junk \
    -d /e01/iplanet/servers/alias/ -n server-cert -P slapd-eklutna-

Enter Password or Pin for "NSS Certificate DB": *XXYYZZ*
Enter password for PKCS12 file: *XXYYZZ*
Re-enter password: *XXYYZZ*
pk12util: PKCS12 EXPORT SUCCESSFUL

++++++++++++++++++++++++++++++=
In the above example (see also the usage message pk12util prints when run with no arguments):

'-d /e01/iplanet/servers/alias/' is the directory holding the cert/key database files.
'-P slapd-eklutna-' is the prefix on the database file names for one particular directory-server instance (the same alias directory can hold the databases of several instances, each under its own prefix).
'-n server-cert' is the nickname of a particular certificate in the cert/key database.

Each nickname corresponds to one cert. The nickname server-cert is the default nickname
proposed by iPlanet, and it is what we associated with the server-name-based certs (e.g.
the eklutna, elias, egegik and edgar certs are all stored under the server-cert nickname, each on its own server).
More recently, certs requested under iPlanet have been given more explicit nicknames like 'edirtest'.

To obtain a list of nicknames from a specific key database (certutil -K lists the private keys and the nickname each is stored under; certutil -L with the same -d and -P lists every certificate, including CA certs that have no key):

iplanet@eklutna> /e01/iplanet/servers/shared/bin/certutil -K -d /e01/iplanet/servers/alias -P slapd-eklutna-
Enter Password or Pin for "NSS Certificate DB":
<0>
<1> server-cert
++++++++++++++++++++++++++++++=

iplanet@eklutna> ls -al ./junk
-rw------- 1 iplanet iplanet 2772 Oct 27 16:01 ./junk

Note that pk12util created ./junk with mode 0600. The PKCS12 bundle contains the private key, so leave it that way and delete the file once the .crt and .key have been extracted.

iplanet@eklutna> /usr/local/bin/openssl pkcs12 -clcerts -nokeys -in ./junk -out ./eklutna.crt
Enter Import Password: *XXYYZZ*
MAC verified OK

iplanet@eklutna> ls -lrt ./eklutna.crt
-rw-r--r-- 1 iplanet iplanet 1245 Oct 27 16:02 ./eklutna.crt

iplanet@eklutna> /usr/local/bin/openssl pkcs12 -nocerts -in ./junk -out ./eklutna_private.pem
Enter Import Password: *XXYYZZ*
MAC verified OK
Enter PEM pass phrase: *XXYYZZ*
Verifying - Enter PEM pass phrase: *XXYYZZ*

iplanet@eklutna> ls -lrt ./eklutna_private.pem
-rw-r--r-- 1 iplanet iplanet 1105 Oct 27 16:05 ./eklutna_private.pem


Create a key without a pass phrase, so that Apache can start without prompting for one. The pass phrase asked for here is the PEM pass phrase given in the previous step (an empty response makes openssl fail to load the key):

iplanet@eklutna> /usr/local/bin/openssl rsa -in ./eklutna_private.pem -out ./eklutna_private.key
Enter pass phrase for ./eklutna_private.pem: *XXYYZZ*
writing RSA key

iplanet@eklutna> ls -lrt ./eklutna_private.key
-rw-r--r-- 1 iplanet iplanet 887 Oct 27 16:06 ./eklutna_private.key

Note the mode in that listing: the unencrypted key is created world-readable (-rw-r--r--). Restrict it to its owner (mode 0600) before it leaves this directory, and remove ./junk and ./eklutna_private.pem, both of which also contain the key.


Now tell the 'root' user to move the files from "~iplanet" to "/usr/local/Apache/ssl-certs/". The .key file should be readable by root only (mod_ssl loads it while httpd still runs as root at startup, so the Apache run-time user never needs it); the .crt is public and can stay world-readable.

Sample httpd.conf file usage:

SSLCertificateFile /usr/local/Apache/ssl-certs/eklutna.crt
SSLCertificateKeyFile /usr/local/Apache/ssl-certs/eklutna_private.key
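
As an added example (not part of the original page, and not iPlanet's or Apache's own tooling), the whole procedure above, including the certutil -K nickname listing, can be run by the iplanet user from one script without typing the token at each prompt. It assumes the tool paths and alias directory shown on this page, that ~iplanet/.ssl.pass holds the token value as a single line, and that the certificate is RSA (as the "writing RSA key" output indicates). It uses two things the page does not show: pk12util's -k/-w options, which read the slot and bundle passwords from a file, and openssl pkcs12 -nodes, which writes the unencrypted key in one step instead of the page's two. It also sets umask 077 so the bundle and key never exist world-readable, deletes the bundle afterwards, and checks that the extracted .crt and .key belong together before reporting success.

```shell
#!/bin/sh
# Added example: non-interactive version of the E Box extraction procedure.
# Paths below are the ones shown on the page; everything else is assumed.
set -eu
umask 077   # every file created here (PKCS#12 bundle, key) starts as 0600

PK12UTIL=/e01/iplanet/servers/shared/bin/pk12util
CERTUTIL=/e01/iplanet/servers/shared/bin/certutil
OPENSSL=/usr/local/bin/openssl
ALIAS_DIR=/e01/iplanet/servers/alias

# Turn 'certutil -K' output into one nickname per line. Lines look like
# "<1> server-cert" (old NSS) or "<1> rsa <keyid> server-cert" (newer NSS);
# entries with no nickname, such as a bare "<0>", are skipped. Nicknames
# containing spaces are not handled (none on this page do).
nicknames_from_certutil() {
    awk '/^<[0-9]+>/ && NF > 1 { print $NF }'
}

# List the nicknames in the database with prefix $1 (password from $2).
list_nicknames() {
    "$CERTUTIL" -K -d "$ALIAS_DIR" -P "$1" -f "$2" | nicknames_from_certutil
}

# Return 0 if the certificate's RSA modulus equals the key's, i.e. the
# .crt and .key really belong together; 1 otherwise.
cert_matches_key() {
    crt=$1; key=$2
    cmod=$("$OPENSSL" x509 -noout -modulus -in "$crt")
    kmod=$("$OPENSSL" rsa -noout -modulus -in "$key" 2>/dev/null)
    [ -n "$cmod" ] && [ "$cmod" = "$kmod" ]
}

# Export nickname $2 from the database with prefix $1 and split it into
# Apache's ./<ebox>.crt and ./<ebox>_private.key, with <ebox> = $3.
extract_ebox_cert() {
    prefix=$1; nick=$2; ebox=$3
    pwfile=$HOME/.ssl.pass          # ~iplanet/.ssl.pass, as on the page
    p12=./$ebox.p12                 # stands in for the page's ./junk

    # -k / -w read the token and bundle passwords from a file, so the
    # token value never appears on the command line or in 'ps' output.
    "$PK12UTIL" -o "$p12" -d "$ALIAS_DIR" -P "$prefix" -n "$nick" \
        -k "$pwfile" -w "$pwfile"

    # Certificate only (the page's -clcerts -nokeys step). Certs are public.
    "$OPENSSL" pkcs12 -clcerts -nokeys -in "$p12" -passin "file:$pwfile" \
        -out "./$ebox.crt"
    chmod 644 "./$ebox.crt"

    # Key only, unencrypted (-nodes), replacing the page's encrypted .pem
    # plus 'openssl rsa' round trip. Stays 0600 because of the umask.
    "$OPENSSL" pkcs12 -nocerts -nodes -in "$p12" -passin "file:$pwfile" \
        -out "./${ebox}_private.key"

    rm -f "$p12"                    # the bundle contains the key too
    cert_matches_key "./$ebox.crt" "./${ebox}_private.key" || {
        echo "cert/key mismatch for $ebox" >&2; return 1; }
    echo "./$ebox.crt ./${ebox}_private.key"
}

# Usage: sh extract_iplanet_cert.sh slapd-eklutna- server-cert eklutna
# Root then moves the two files into /usr/local/Apache/ssl-certs/.
if [ $# -eq 3 ]; then extract_ebox_cert "$@"; fi
```

The modulus check at the end is the step worth keeping even when doing this by hand: if the wrong nickname was exported, or an old .key was left behind in the Apache directory, Apache fails at the next restart rather than at extraction time.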

########################################################[[br]]
LEGACY CHANGE HISTORY - NOTE: All subsequent changes are recorded in TracWiki[[br]]
########################################################[[br]]
20080702 sxelm : Added verbiage describing elements of the first pk12util example[[br]]
20080702 sxclm : Fully qualified commands: pk12util and openssl. Wrapped pk12util command line example with <backslash+newline>. If typing as one line, remove extraneous <backslash+whitespace>.[[br]]
20061027 sxelm : Extracting Apache .crt and .key Files from iPlanet Certificate[[br]]