Migrating Apache Certificates to SJS Web Server 7.0

Migrating Certificates and Server Keys

It is possible to migrate a certificate and server key from Apache to SJS Web Server 7.0. Since Apache uses OpenSSL for security, and SJS Web Server uses NSS, the certificates cannot be imported directly into SJS Web Server. The following steps will allow you to do the migration.

Export the OpenSSL certificate using the openssl utility to a PKCS#12 file:

openssl pkcs12 -export -out <output-pkcs-file> -in <openssl-crt-file> -inkey <key-file> -nodes -name <alias>

Example:

$ openssl pkcs12 -export -out server.pk12 -in server.crt -inkey server.key -nodes -name "ALIAS"
  Enter Export Password:
  Verifying - Enter Export Password:
$ ls server.pk12 
  server.pk12

You will be prompted for a password to protect the exported file. The same password is needed later to import the file into the SJS Web Server certificate database. The file contains the server's private key, so keep it readable only by you and delete it once the import has succeeded.

Now that the certificate and key are in a file in PKCS#12 format, import it into the SJS Web Server certificate database using the pk12util utility, located in the ${server-install-dir}/bin directory. We will import the certificate and key into the existing certificate database of a deployed instance of the target configuration.

$ ${server-install-dir}/bin/pk12util -i <exported-pkcs12-file> -d ${server-instance-dir}/config

For example:

$ /d2/nelson/webserver7/bin/pk12util -i /d2/nelson/apache-ssl/conf/ssl.crt/server.pk12 -d /d2/nelson/webserver7/https-blogsite-example.com/config
  Enter password for PKCS12 file: 
  pk12util: PKCS12 IMPORT SUCCESSFUL

Because the import changed the instance's certificate database directly, we need to pull that change into the Administration Server's configuration store. We can do this using either the Administration GUI or the Administration CLI. For example:

wadm> pull-config --config=blogsite-example.com myserver.com
CLI201 Command 'pull-config' ran successfully

Now we can see the imported certificate installed in SJS Web Server. The certificate nickname "ALIAS" is the alias we provided when exporting the certificate.

wadm> list-certs --config=blogsite-example.com --verbose
nickname
--------
ALIAS


The certificate can now be used to create an SSL-enabled listener. For example, using the Administration CLI:

wadm> set-ssl-prop --config=blogsite-example.com --http-listener=http-listener-1 server-cert-nickname=ALIAS enabled=true
CLI201 Command 'set-ssl-prop' ran successfully
wadm> deploy-config blogsite-example.com
CLI201 Command 'deploy-config' ran successfully

You might need to restart the server in order to restart the listener in secure mode.
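
The shell functions below are an added example, not part of the original post. They wrap the export step: confirm that the key belongs to the certificate, create the PKCS#12 file with owner-only permissions, and check that it opens with the password and carries the alias. The function names and the password file are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): checks around the PKCS#12
# export step. Function names and the password-file argument are assumptions.

# key_matches_cert CERT KEY
# Succeeds only if the certificate's public key is the one derived from the
# private key. Assumes an unencrypted PEM key, as in the page's example.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# export_pkcs12 CERT KEY OUT ALIAS PASSFILE
# Refuses to export a mismatched pair, creates OUT readable by the owner
# only, and reads the export password from PASSFILE so the step can run
# unattended without putting the password on the command line.
# -nodes from the page's command is a parsing option, so it is left out.
export_pkcs12() {
    key_matches_cert "$1" "$2" || {
        echo "export_pkcs12: $2 is not the key for $1" >&2
        return 1
    }
    # The subshell keeps the restrictive umask from leaking into the caller.
    ( umask 077
      openssl pkcs12 -export -out "$3" -in "$1" -inkey "$2" \
          -name "$4" -passout "file:$5" )
}

# verify_pkcs12 P12 ALIAS PASSFILE
# Succeeds only if the file opens with the password and carries ALIAS as
# the friendly name, which becomes the nickname after the import.
verify_pkcs12() {
    openssl pkcs12 -in "$1" -passin "file:$3" -nokeys 2>/dev/null |
        grep -q "friendlyName: $2\$"
}

# Usage with the page's file names (pass.txt is a hypothetical 0600 file):
#   export_pkcs12 server.crt server.key server.pk12 ALIAS pass.txt &&
#   verify_pkcs12 server.pk12 ALIAS pass.txt
```

Run the pk12util import from the page only after both functions succeed, then remove server.pk12 and the password file.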

About

nsegura
