
Blogs about Deep Learning, Machine Learning, AI, NLP, Security, Oracle Traffic Director,Oracle iPlanet WebServer

  • September 28, 2006

Migrating JKS Keystore Entries to NSS database in Sun Java System Web Server 7.0 or 6.x


Migrating JKS Keystore Entries to NSS database in Sun Java System Web Server 7.0 using Administration CLI

I installed Sun Java System Web Server 7.0 in the <server-installation> directory and started the Administration server.
$ ./admin-server/bin/startserv

Now I used wadm to run the Administration CLIs.
$ ./bin/wadm --user=admin
Please enter admin-user-password> typed-admin-password-here
wadm>

I have a config named "test"
wadm> list-configs
test

If the keystore is in the file /tmp/my-jks-key-store.jks, the keystore password is storepass, the key password is keypass, and the NSS DB password is nsspass, I run the migrate-jks-keycert CLI:
wadm> migrate-jks-keycert --config=test --keystore=/tmp/my-jks-key-store.jks
Please enter keystore-password> storepass
Please enter key-password> keypass
Please enter certdb-password> nsspass
CLI201 Command "migrate-jks-keycert" ran successful.


I confirmed that the migration worked by listing the certificates with the list-certs CLI:
wadm> list-certs --config=test
CN=test,OU=WS,O=SUN,L=BLR,ST=KA,C=IN

wadm>


After all the changes are done, run the deploy-config CLI.

From the server instance's config directory, run certutil to confirm that the certificates are present in the NSS DB.
$ ${server-install-dir}/bin/certutil -L -d ${server-instance-dir}/config
CN=test,OU=WS,O=SUN,L=BLR,ST=KA,C=IN    u,u,u

Migrating JKS Keystore Entries to NSS Database in Sun One Web Server 6.x

Here we have to migrate the JKS keystore to the NSS database manually. This is what we have to do:

From the server instance config directory, initialize the NSS DB if required:
$ ${server-install-dir}/bin/certutil -N -d ${server-instance-dir}/config
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long, and should contain at least one non-alphabetic character.

Enter new password: nsspass
Re-enter password: nsspass


Use keytool from a JDK greater than version 6; it has the importkeystore option, which converts a JKS keystore to PKCS12 format.
$ /share/builds/components/jdk/1.6.0_01/SunOS/bin/keytool -importkeystore -srckeystore server-keystore.jks -srcstoretype JKS -deststoretype PKCS12 -destkeystore server-keystore.pkcs12
Enter destination keystore password: storepass
Re-enter new password: storepass
Enter source keystore password: storepass
Entry for alias s1as successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled



Now import them into the NSS database:
$ ${server-install-dir}/bin/pk12util -i server-keystore.pkcs12 -d ${server-instance-dir}/config
Enter Password or Pin for "NSS Certificate DB": nsspass
Enter password for PKCS12 file: storepass
pk12util: PKCS12 IMPORT SUCCESSFUL


Verify that the certificate was imported:
$ ${server-install-dir}/bin/certutil -L -d .
CN=Server,OU=JWS,O=SUN,ST=Some-State,C=AU    u,u,u
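
The u in the trust column of the certutil -L listings (here and in the 7.0 section above) is the flag certutil shows for a certificate whose private key is in the database, so it is what tells a migrated key entry apart from a certificate that arrived without its key. The shell function below is an added example, not part of the original post; the function names and the sample listing are constructed, and it assumes the nickname/trust-column layout that certutil -L prints.

```shell
#!/bin/sh
# Added example, not from the original post. Function names and the sample
# listing are constructed for illustration.

# Usage: certutil -L -d <config-dir> | missing_key_entries NICKNAME...
# Prints every expected nickname that is absent from the listing or whose
# SSL trust field lacks "u" (no private key for it in the database).
# Returns 0 only when every nickname passes.
missing_key_entries() {
    awk '
    BEGIN {   # take the nicknames from ARGV, then blank them so awk reads stdin
        for (i = 1; i < ARGC; i++) { want[i] = ARGV[i]; ARGV[i] = "" }
    }
    # A certificate line ends in three comma-separated trust fields.
    $NF ~ /^[pPcCTuwgG]*,[pPcCTuwgG]*,[pPcCTuwgG]*$/ {
        nick = $0
        sub(/[ \t]+[^ \t]+[ \t]*$/, "", nick)   # drop the trust column
        sub(/^[ \t]+/, "", nick)
        split($NF, field, ",")
        ssl[nick] = field[1]
    }
    END {
        bad = 0
        for (i = 1; i < ARGC; i++) {
            if (!(want[i] in ssl)) {
                print want[i] ": not in database"; bad = 1
            } else if (index(ssl[want[i]], "u") == 0) {
                print want[i] ": no private key, SSL trust is \"" ssl[want[i]] "\""; bad = 1
            }
        }
        exit bad
    }' "$@"
}

# Constructed listing in the layout certutil -L prints.
sample_listing() {
    cat <<'EOF'

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CN=test,OU=WS,O=SUN,L=BLR,ST=KA,C=IN                         u,u,u
Example Root CA                                              CT,C,C
EOF
}

# Demo: the key entry passes; the CA-only entry is reported.
sample_listing | missing_key_entries "CN=test,OU=WS,O=SUN,L=BLR,ST=KA,C=IN" "Example Root CA" || true
```

Against a real database, pipe the output of the certutil -L command shown above into missing_key_entries and pass the aliases that were in the JKS keystore.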



Then we may have to set trust flags using the following command:

$ ${server-install-dir}/bin/certutil -M -t "CTu,CTu,CTu"
....



To migrate an Apache server (OpenSSL) certificate, we can use the openssl utility to export it to a PKCS#12 file:

$ openssl pkcs12 -export -out <output-pkcs-file> -in <openssl-server-crt-file> -inkey <openssl-server-key-file> -nodes -name <alias>

Then import it into the SJS Web Server NSS database using the pk12util utility:

$ ${server-install-dir}/bin/pk12util -i <exported-pkcs12-file> -d ${server-instance-dir}/config


For more readability, the commands I used are shown in brown and the output is shown in green.

Sun Java System Web Server 7.0 Technology Preview 3 is released and is FREE; download it from here.



Comments ( 3 )
  • guest Tuesday, November 28, 2006
    How about migrating Apache certs?
  • Meena Thursday, November 30, 2006
    Yes, it is possible to do so. Export the OpenSSL certificate using the openssl utility to a PKCS#12 file:
    $ openssl pkcs12 -export -out <output-pkcs-file> -in <openssl-crt-file> -inkey <key-file> -nodes -name <alias>
    And then import it into NSS DB using pk12util
    $ ${server-install-dir}/bin/pk12util -i <output-pkcs-file> -d ${server-instance-dir}/config
  • guest Saturday, December 2, 2006