wiki:APACHE_sharing_iplanet_cert

Version 1 (modified by lttoth@…, 10 years ago)

Sharing iPlanet Certificates

Original author: Beth Mercer - 20080702

Overview

Certificates are handled differently on the legacy systems (the E boxes) than on the IDMP-x cluster, so the discussion is divided into two groups. On the E boxes, Apache and iPlanet share the certificate file that was requested by, and installed under, iPlanet. The crt and key file names and locations are given in the httpd.conf file:

  • SSLCertificateFile: /usr/local/Apache/ssl-certs/<E Box>.crt
  • SSLCertificateKeyFile: /usr/local/Apache/ssl-certs/<E Box>_private.key

Extracting CRT and Key Components from the iPlanet Certificate

What follows is an example of the process for extracting the crt and key components from the iPlanet certificate. The appropriate response to all password prompts is the token value stored in the following file on the legacy E boxes:

<E Box>:~iplanet/.ssl.pass

The entire listing of passwords used by the user iplanet on the E Box servers is:

IDMP-'xx' servers

The IDMP-x cluster servers have set up access based on functionality in a different way. On those machines

Note: the output file name (./junk) in the commands below is arbitrary.

Note: the 'pk12util' command below is wrapped with <backslash-newline> on the first line.

iplanet@eklutna> /e01/iplanet/servers/shared/bin/pk12util -o ./junk \
    -d /e01/iplanet/servers/alias/ -n server-cert -P slapd-eklutna-
Enter Password or Pin for "NSS Certificate DB": *XXYYZZ*
Enter password for PKCS12 file: *XXYYZZ*
Re-enter password: *XXYYZZ*
pk12util: PKCS12 EXPORT SUCCESSFUL
++++++++++++++++++++++++++++++=

In the above example (see also: pkcs12 --help):

  • '-d /e01/iplanet/servers/alias/' references the location of the cert/key database files.
  • '-P slapd-eklutna-' references the prefix associated with a particular directory.
  • '-n server-cert' references the nickname of a particular certificate in the cert/key database.

Each nickname corresponds to a particular cert. The nickname server-cert is the default nickname proposed by iPlanet. That nickname is what we associated with the server name based certs (e.g. the eklutna, elias, egegik and edgar certs are all associated with the server-cert nickname). More recently, certs requested under iPlanet are given more explicit nicknames like 'edirtest'.

To obtain a list of nicknames from a specific key database:

iplanet@eklutna> /e01/iplanet/servers/shared/bin/certutil -K -d /e01/iplanet/servers/alias -P slapd-eklutna-
Enter Password or Pin for "NSS Certificate DB":
<0> <1> server-cert
++++++++++++++++++++++++++++++=

iplanet@eklutna> ls -al ./junk
-rw------- 1 iplanet iplanet 2772 Oct 27 16:01 ./junk

iplanet@eklutna> /usr/local/bin/openssl pkcs12 -clcerts -nokeys -in ./junk -out ./eklutna.crt
Enter Import Password: *XXYYZZ*
MAC verified OK

iplanet@eklutna> ls -lrt ./eklutna.crt
-rw-r--r-- 1 iplanet iplanet 1245 Oct 27 16:02 ./eklutna.crt

iplanet@eklutna> /usr/local/bin/openssl pkcs12 -nocerts -in ./junk -out ./eklutna_private.pem
Enter Import Password: *XXYYZZ*
MAC verified OK
Enter PEM pass phrase: *XXYYZZ*
Verifying - Enter PEM pass phrase: *XXYYZZ*

iplanet@eklutna> ls -lrt ./eklutna_private.pem
-rw-r--r-- 1 iplanet iplanet 1105 Oct 27 16:05 ./eklutna_private.pem

Create key without a pass phrase.

iplanet@eklutna> /usr/local/bin/openssl rsa -in ./eklutna_private.pem -out ./eklutna_private.key
Enter pass phrase for eklutna_private.key: <CR> (null response)
writing RSA key

iplanet@eklutna> ls -lrt ./eklutna_private.key
-rw-r--r-- 1 iplanet iplanet 887 Oct 27 16:06 ./eklutna_private.key

Now tell 'root' user to move files from "~iplanet" to "/usr/local/Apache/ssl-certs/".

Sample httpd.conf file usage:

SSLCertificateFile /usr/local/Apache/ssl-certs/eklutna.crt
SSLCertificateKeyFile /usr/local/Apache/ssl-certs/eklutna_private.key
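The split-and-check steps above, as an added script that is not part of the original page or the iPlanet tooling: it takes the PKCS#12 file that pk12util wrote (./junk), produces the Apache .crt and .key, then confirms the key really belongs to the certificate and is not readable by other users before root moves the files. It assumes openssl is on PATH and reads the PKCS#12 password from a file (the PASSFILE argument is an assumption) so the password stays out of the command line and shell history; it writes the key unencrypted in one step with -nodes instead of the page's pkcs12 -nocerts followed by openssl rsa.

```shell
#!/bin/sh
# Added example (not from the original page): split a PKCS#12 export such as the
# ./junk file produced by pk12util into the Apache .crt and .key files, then
# check the pair before it is handed to root. Assumes openssl on PATH; PASSFILE
# (a file holding the PKCS12 password) is an assumption of this script.

# split_p12 P12 OUTBASE PASSFILE -> writes OUTBASE.crt and OUTBASE_private.key
split_p12() {
    p12=$1; base=$2; passfile=$3
    # Server certificate only, no key (same as the page's -clcerts -nokeys step).
    openssl pkcs12 -clcerts -nokeys -in "$p12" -passin "file:$passfile" -out "$base.crt"
    # Key written unencrypted in one step (-nodes) instead of pkcs12 -nocerts followed
    # by openssl rsa; the subshell umask makes the file 0600 from creation.
    ( umask 077 && openssl pkcs12 -nocerts -nodes -in "$p12" -passin "file:$passfile" \
        -out "${base}_private.key" )
}

# verify_pair CRT KEY -> succeeds only if the key's public half matches the cert.
# Both commands skip the "Bag Attributes" text that pkcs12 leaves before the PEM block.
verify_pair() {
    c=$(openssl x509 -noout -pubkey -in "$1" | openssl dgst -sha256)
    k=$(openssl pkey -pubout -in "$2" | openssl dgst -sha256)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# key_is_private FILE -> succeeds only if group and other have no permission bits,
# i.e. the key looks like the page's "-rw-------" rather than the cert's "-rw-r--r--".
key_is_private() {
    [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

# Stand-alone use: ./split_iplanet_cert.sh ./junk ./eklutna ~iplanet/.ssl.pass
if [ $# -eq 3 ]; then
    split_p12 "$1" "$2" "$3"
    verify_pair "$2.crt" "${2}_private.key" || { echo "cert and key do not match" >&2; exit 1; }
    key_is_private "${2}_private.key" || { echo "key is readable by others" >&2; exit 1; }
    echo "ok: $2.crt and ${2}_private.key ready for /usr/local/Apache/ssl-certs/"
fi
```

Run it as the iplanet user in ~iplanet; the resulting .crt and .key are the files root moves into /usr/local/Apache/ssl-certs/ and names in the SSLCertificateFile and SSLCertificateKeyFile directives.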

########################################################
LEGACY CHANGE HISTORY - NOTE: All subsequent changes are recorded in TracWiki
########################################################
20080702 sxelm : Added verbiage describing elements of the first pk12util example
20080702 sxclm : Fully qualified commands: pk12util and openssl. Wrapped pk12util command line example with <backslash+newline>. If typing as one line, remove extraneous <backslash+whitespace>.
20061027 sxelm : Extracting Apache .crt and .key Files from iPlanet Certificate