Migrating JKS Keystore Entries to NSS database in Sun Java System Web Server 7.0 or 6.x

Migrating JKS Keystore Entries to NSS database in Sun Java System Web Server 7.0 using Administration CLI

I installed Sun Java System Web Server 7.0 in the <server-installation> directory and started the Administration server.
$ ./admin-server/bin/startserv
Now I used wadm to run Administration CLIs
$ ./bin/wadm --user=admin
Please enter admin-user-password> typed-admin-password-here
wadm>
I have a config named "test"
wadm> list-configs
test
If the keystore is in the file /tmp/my-jks-key-store.jks, the keystore password is storepass, the key password is keypass, and the NSS DB password is nsspass, I run the migrate-jks-keycert CLI:
wadm> migrate-jks-keycert --config=test --keystore=/tmp/my-jks-key-store.jks
Please enter keystore-password> storepass
Please enter key-password> keypass
Please enter certdb-password> nsspass
CLI201 Command "migrate-jks-keycert" ran successful.

I confirmed that migration worked by listing the certificates using list-certs CLI
wadm> list-certs --config=test
CN=test,OU=WS,O=SUN,L=BLR,ST=KA,C=IN
wadm>


After all the changes are done, run deploy-config CLI.

From server instance's config directory run certutil to confirm that the certificates are present in NSS DB.
$ ${server-install-dir}/bin/certutil -L -d ${server-instance-dir}/config
CN=test,OU=WS,O=SUN,L=BLR,ST=KA,C=IN u,u,u

Migrating JKS Keystore Entries to NSS Database in Sun One Web Server 6.x

Here we have to migrate the JKS keystore to the NSS database manually. These are the steps.
From the server instance config directory, initialize the NSS DB if required
$ ${server-install-dir}/bin/certutil -N -d ${server-instance-dir}/config
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long, and should contain at least one non-alphabetic character.

Enter new password: nsspass
Re-enter password: nsspass

Use keytool from JDK greater than version 6; it has the importkeystore option, which converts a JKS keystore to PKCS12 format.
$ /share/builds/components/jdk/1.6.0_01/SunOS/bin/keytool -importkeystore -srckeystore server-keystore.jks -srcstoretype JKS -deststoretype PKCS12 -destkeystore server-keystore.pkcs12
Enter destination keystore password: storepass
Re-enter new password: storepass
Enter source keystore password: storepass
Entry for alias s1as successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled

Now import them into the NSS database
$ ${server-install-dir}/bin/pk12util -i server-keystore.pkcs12 -d ${server-instance-dir}/config
Enter Password or Pin for "NSS Certificate DB": nsspass
Enter password for PKCS12 file: storepass
pk12util: PKCS12 IMPORT SUCCESSFUL

Verify that the certificate was imported
$ ${server-install-dir}/bin/certutil -L -d .
CN=Server,OU=JWS,O=SUN,ST=Some-State,C=AU                    u,u,u

Then we may have to set trust flags using the following command
$ ${server-install-dir}/bin/certutil -M -t "CTu,CTu,CTu" ....
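
The 6.x steps above write the private key to an intermediate PKCS12 file and confirm the import by reading the certutil -L listing by eye. The following is an added example, not from the original post: it runs the keytool and pk12util steps with the PKCS12 file in a private temporary directory that is removed afterwards, and parses a certutil -L listing to confirm that the imported nickname carries the u flag. The function names and the sample listing are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: function names and the sample listing are constructed here.

# Print the trust flags certutil -L shows for nickname $1 (listing on stdin).
# Nicknames may contain spaces, so the flags are taken from the last column.
nss_trust_flags() {
  awk -v nick="$1" '
    NF >= 2 {
      flags = $NF; name = $0
      sub(/[ \t]+[^ \t]+[ \t]*$/, "", name)   # drop the flags column
      sub(/^[ \t]+/, "", name)
      if (name == nick) { print flags; found = 1; exit }
    }
    END { exit !found }'
}

# Succeed only if nickname $1 has "u" in its SSL trust field, which certutil
# shows when the database also holds the matching private key.
has_private_key() {
  flags=$(nss_trust_flags "$1") || return 1
  case "${flags%%,*}" in *u*) return 0 ;; *) return 1 ;; esac
}

# JKS -> PKCS12 -> NSS DB, as in the steps above. $1 = JKS file, $2 = NSS DB
# directory. keytool and pk12util prompt for passwords as they do on the page.
migrate_jks_to_nss() {
  workdir=$(mktemp -d) || return 1
  ( umask 077   # the PKCS12 file holds the private key: owner-only access
    keytool -importkeystore -srckeystore "$1" -srcstoretype JKS \
            -deststoretype PKCS12 -destkeystore "$workdir/migrate.p12" &&
    pk12util -i "$workdir/migrate.p12" -d "$2" )
  rc=$?
  rm -rf "$workdir"   # remove the intermediate key material in every case
  return "$rc"
}

# Constructed sample of `certutil -L -d <config-dir>` output for the demo.
sample_listing() {
  cat <<'EOF'
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CN=Server,OU=JWS,O=SUN,ST=Some-State,C=AU                    u,u,u
Example Root CA                                              CT,C,C
EOF
}

nick='CN=Server,OU=JWS,O=SUN,ST=Some-State,C=AU'
if sample_listing | has_private_key "$nick"; then
  echo "private key present for: $nick"
fi
```

Against a real database, pipe the output of certutil -L -d ${server-instance-dir}/config into has_private_key in place of sample_listing.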

To migrate an Apache server (OpenSSL) certificate, we can use the openssl utility to export it to a PKCS#12 file
$ openssl pkcs12 -export -out <output-pkcs-file> -in <openssl-server-crt-file> -inkey <openssl-server-key-file> -nodes -name <alias>
And import it into SJS Web Server NSS database using pk12util utility
$ ${server-install-dir}/bin/pk12util -i <exported-pkcs12-file> -d ${server-instance-dir}/config

Sun Java System Web Server 7.0 Technology Preview 3 has been released and is a FREE download; get it from here.


Comments:

How about migrating Apache certs?

Posted by guest on November 28, 2006 at 04:01 PM IST #

Yes, it is possible to do so. Export the OpenSSL certificate using the openssl utility to a PKCS#12 file:
$ openssl pkcs12 -export -out <output-pkcs-file> -in <openssl-crt-file> -inkey <key-file> -nodes -name <alias>
And then import it into the NSS DB using pk12util
$ ${server-install-dir}/bin/pk12util -i <output-pkcs-file> -d ${server-instance-dir}/config

Posted by Meena on December 01, 2006 at 03:58 AM IST #

Check out these two blogs by Nelson:
Migrating Apache Certificates to SJS Web Server 7.0
Migrating htpasswd-style user authentication from Apache to SJS Web Server 7.0

Posted by guest on December 02, 2006 at 05:55 AM IST #

About

Meena Vyas