SSL Certificates stored on Mozilla's NSS

Our main FreeIPA Web UI running at account.gnome.org makes use of a Mozilla NSS database located at /etc/httpd/alias for handling SSL certificates. Here are some maintenance commands using certutil and modutil.

On the account.gnome.org machine

List certificates on the database

sudo certutil -d /etc/httpd/alias -L

Set up a CA certificate

sudo certutil -d /etc/openldap/certs -A -n "StartSSL CA" -t ',,' -a -i /path/to/sub.class2.server.sha2.ca.pem

where sub.class2.server.sha2.ca.pem can be found at https://www.startssl.com/certs/class2/sha2/pem/sub.class2.server.sha2.ca.pem.

Create the .p12 file and import it into the DB

sudo openssl pkcs12 -inkey gnome_certificate.key -in gnome_certificate.crt -export -out gnome_certificate.p12 -nodes -name 'HTTPD-Server-Certificate'

sudo pk12util -i gnome_certificate.p12 -d /etc/httpd/alias

where gnome_certificate.key and gnome_certificate.crt are the private key and the certificate you previously created at StartSSL.com.

You will be prompted for two passwords: the NSS database password (stored in /etc/httpd/alias/pwdfile.txt) and the gnome_certificate.p12 export password you chose when originally creating the .p12 file.
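As an added check that is not part of this SOP: after the imports, certutil -L should list the server certificate with trust flags u,u,u (the "u" means a private key for it is present in the database) and the CA with the flags you gave it. The shell functions below, written for this page and not taken from the GNOME sysadmin tooling, parse that listing; the sample listing and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example: verify trust flags of a nickname in an NSS database by
# parsing `certutil -L` output. Not part of the GNOME SOP.

# Constructed sample of what `certutil -d /etc/httpd/alias -L` prints after
# the imports above (not captured from account.gnome.org).
SAMPLE_LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

HTTPD-Server-Certificate                                     u,u,u
StartSSL CA                                                  ,,'

# Read a certutil -L listing on stdin and print the trust flags of NICKNAME.
# The trust column is the last field; the nickname is everything before it,
# so nicknames containing spaces (e.g. "StartSSL CA") are matched exactly.
# Exit status 1 when the nickname is absent.
nss_trust_from_listing() {
  awk -v want="$1" '
    NR <= 2 || NF < 2 { next }            # skip the two header lines and blanks
    {
      trust = $NF
      sub(/[[:space:]]+[^[:space:]]+[[:space:]]*$/, "", $0)  # drop trust column
      if ($0 == want) { print trust; found = 1; exit }
    }
    END { if (!found) exit 1 }'
}

# Print the trust flags of NICKNAME in the NSS database at DBDIR.
nss_trust_flags() {  # DBDIR NICKNAME
  certutil -d "$1" -L | nss_trust_from_listing "$2"
}

# Return 0 only if NICKNAME in DBDIR carries exactly the EXPECTED flags.
nss_check_trust() {  # DBDIR NICKNAME EXPECTED
  got=$(nss_trust_flags "$1" "$2") || { echo "$2: not found in $1" >&2; return 1; }
  [ "$got" = "$3" ] || { echo "$2: trust is '$got', expected '$3'" >&2; return 1; }
}
```

On the server, nss_check_trust /etc/httpd/alias HTTPD-Server-Certificate u,u,u confirms the pk12util import brought the private key along, and nss_check_trust /etc/openldap/certs 'StartSSL CA' ,, confirms the CA was stored with the flags given in the certutil -A command above.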

Infrastructure/SOP/SSLCertificatesOnNSS (last edited 2020-11-04 13:57:48 by AndreaVeri)