SSL Certificates stored on Mozilla's NSS

Our main FreeIPA Web UI running at makes use of a Moz-NSS database located at /etc/httpd/alias for handling SSL certificates. Here they come some maintenance commands using certutil and modutil.

On the machine

List certificates on the database

sudo certutil -d /etc/httpd/alias -L

Setup a CA Certificate

sudo certutil -d /etc/openldap/certs -A -n "StartSSL CA" -t ',,' -a -i /path/to/

where can be found at

Creates the .p12 file and imports it on the DB

sudo openssl pkcs12 -inkey gnome_certificate.key -in gnome_certificate.crt -export -out gnome_certificate.p12 -nodes -name 'HTTPD-Server-Certificate'

sudo pk12util -i gnome_certificate.p12 -d /etc/httpd/alias

where gnome_certificate.key and gnome_certificate.crt are the names of the certificates you previously created at

You will be prompted to enter two passwords, the NSS Database one (which is available under the /etc/httpd/alias/pwdfile.txt file) and the gnome_certificate.p12 one you previously configured when originally creating the p12 file.

Infrastructure/SOP/SSLCertificatesOnNSS (last edited 2020-11-04 13:57:48 by AndreaVeri)