SSL Certificates stored on Mozilla's NSS
Our main FreeIPA Web UI running at account.gnome.org uses a Moz-NSS database located at /etc/httpd/alias to handle SSL certificates. Below are some maintenance commands using certutil and modutil.
On the account.gnome.org machine
List the certificates in the database
sudo certutil -d /etc/httpd/alias -L
Set up a CA certificate
sudo certutil -d /etc/openldap/certs -A -n "StartSSL CA" -t ',,' -a -i /path/to/sub.class2.server.sha2.ca.pem
where sub.class2.server.sha2.ca.pem can be found at https://www.startssl.com/certs/class2/sha2/pem/sub.class2.server.sha2.ca.pem.
Create the .p12 file and import it into the DB
sudo openssl pkcs12 -inkey gnome_certificate.key -in gnome_certificate.crt -export -out gnome_certificate.p12 -nodes -name 'HTTPD-Server-Certificate'
sudo pk12util -i gnome_certificate.p12 -d /etc/httpd/alias
where gnome_certificate.key and gnome_certificate.crt are the private key and certificate files you previously created at StartSSL.com.
You will be prompted to enter two passwords: the NSS database one (which is available in the /etc/httpd/alias/pwdfile.txt file) and the gnome_certificate.p12 one you configured when originally creating the p12 file.
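A pre-import check for the steps above, added here as an example and not part of the original page: it confirms that the key and certificate belong together, that the certificate is not about to expire, and that the .p12 bundle opens and carries the expected nickname. The function names are hypothetical, and the private key is assumed to be unencrypted.

```shell
#!/bin/sh
# Added example, not from the original page. Function names are hypothetical.
# Assumes an unencrypted private key.

# Succeed only if the certificate carries the public key of this private key.
pair_matches() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null </dev/null) || return 1
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# Succeed only if the certificate stays valid for at least $2 more seconds.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Succeed only if the bundle opens with the given pass-phrase source
# (openssl syntax, e.g. file:/path or env:VAR) and holds nickname $3.
p12_has_nickname() {
    openssl pkcs12 -in "$1" -nokeys -passin "$2" 2>/dev/null |
        grep -q "friendlyName: $3\$"
}

# Run all checks in order; report the first failure and return non-zero.
preflight() {
    pair_matches "$1" "$2" ||
        { echo "key and certificate do not match" >&2; return 1; }
    cert_valid_for "$2" 86400 ||
        { echo "certificate expires within a day" >&2; return 1; }
    p12_has_nickname "$3" "$4" "$5" ||
        { echo "bundle unreadable or nickname missing" >&2; return 1; }
    echo "ok: $3 is ready for pk12util -i"
}

# Usage (the password file path is a placeholder):
#   preflight gnome_certificate.key gnome_certificate.crt \
#       gnome_certificate.p12 file:/path/to/p12-password \
#       HTTPD-Server-Certificate
```

Passing the .p12 password as file: or env: keeps it out of the process list and shell history.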