
mod_nss with Apache public Certificate issue

I have replaced mod_ssl with mod_nss for FIPS cryptography and it works great with Apache, but now we have a wildcard certificate which I want to import into the NSS database, and I don't know how to import the certificate's private key.

I am using the following command:

certutil -A -d /etc/httpd/alias/ -n "GlobalSign" -t "CT,," -a -i wildcard_domain.crt

How do I import the private key? Or is there something I am missing?

[root@web01 ~]# certutil -L -d /etc/httpd/alias

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

cacert                                                       CTu,Cu,Cu
Server-Cert                                                  u,u,u
GlobalSign-Intermediate                                      CT,,
GlobalSign                                                   CTu,u,u
alpha                                                        u,pu,u

Solution:

Convert the crt file to PEM format

Create a PEM file from the original certificate.

openssl x509 -inform PEM -in ./ssl.crt/example.com.GlobalSign-2010.crt > /root/example.com.GlobalSign-2010.pem
openssl x509 -inform PEM -in ./ssl.crt/intermediate.GlobalSign.crt > /root/intermediate.GlobalSign.crt.pem

Concatenate the PEM certificates into a single file (root crt and chain crt).

cat /root/example.com.GlobalSign-2010.pem /root/intermediate.GlobalSign.crt.pem > /root/example.com-GlogalSign-2010.pem

Export the PEM cert and private key in PKCS12 format

openssl pkcs12 -export -in example.com-GlogalSign-2010.pem -inkey ./ssl.key/example.com.GlobalSign.key -out /root/example.com-Globalsign.p12 -name Example-GlobalSign

Import the PKCS12 (.p12) certificate into the NSS DB

pk12util -i /root/example.com-Globalsign.p12 -d /etc/httpd/alias

You can verify your certificate using the following command:

certutil -L -d /etc/httpd/alias -n Example-GlobalSign

Note: put the Example-GlobalSign nickname in the nss.conf config file and voilà!
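
A pre-import check for the PKCS12 export step above, as an added example that is not part of the original post: it confirms the private key belongs to the certificate, writes the .p12 readable by its owner only, and checks that both certificates are in the bundle. The function names and the password-file argument are assumptions, and `-certfile` is used in place of the concatenated PEM file.

```shell
#!/bin/sh
# Added example, not code from the original post. File names and the
# password-file argument are assumptions supplied by the caller.

# key_matches_cert CERT KEY
# Succeeds only when KEY (unencrypted PEM) is the private key for CERT.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# p12_cert_count P12 PASSFILE
# Prints how many certificates the bundle holds (leaf + chain).
p12_cert_count() {
    openssl pkcs12 -in "$1" -nokeys -passin "file:$2" 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE'
}

# build_p12 LEAF INTERMEDIATE KEY OUT NICKNAME PASSFILE
# Refuses a mismatched key, writes OUT readable by its owner only, and
# confirms both certificates made it into the bundle.
build_p12() (
    umask 077                       # subshell: umask change stays local
    key_matches_cert "$1" "$3" || { echo "key does not match $1" >&2; exit 1; }
    openssl pkcs12 -export -in "$1" -certfile "$2" -inkey "$3" \
        -out "$4" -name "$5" -passout "file:$6" || { rm -f "$4"; exit 1; }
    [ "$(p12_cert_count "$4" "$6")" -eq 2 ] || { rm -f "$4"; exit 1; }
)

# After build_p12 succeeds, import and then delete the bundle, since it
# carries the private key:
#   pk12util -i OUT -d /etc/httpd/alias -w PASSFILE && rm -f OUT
```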
