Mod nss: Difference between revisions
From VVCWiki
Latest revision as of 20:44, 11 October 2012
Configuring mod_nss on RHEL
- generate a 2048-bit private key (the default key length is not long enough)
openssl genrsa -out server.key 2048
- generate certificate request
openssl req -new -key server.key -out server.csr
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:Virginia
Locality Name (eg, city) [Newbury]:Chantilly
Organization Name (eg, company) [My Company Ltd]:videoNEXT Network Solutions, Inc.
Organizational Unit Name (eg, section) []:Demo Server
Common Name (eg, your name or your server's hostname) []:demo-10.videonext.com
Email Address []:root@videonext.net
- send server.csr to the Certificate Authority
- after the certificate is received, convert the private key, the certificate and the CA certificate into a PKCS#12 file
-caname and -name set the database labels for the CA and server certificates, in our case videoNEXT and demo-10
openssl pkcs12 -export -chain -inkey server.key -caname videoNEXT -name demo-10 -in demo-10.crt -CAfile videoNEXT.crt -out demo-10.p12
- import the PKCS#12 file into the Apache NSS database:
pk12util -i demo-10.p12 -d /etc/httpd/alias
- mark the CA certificate as a trusted CA
certutil -M -n videoNEXT -t CT,CT,CT -d /etc/httpd/alias
- modify /etc/httpd/conf.d/nss.conf to use the new certificate's label
NSSNickname demo-10
- restart Apache
service httpd restart
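
A check worth running between the import and the restart, as an added example that is not part of the original wiki page: it reads a saved `certutil -L -d /etc/httpd/alias` listing and confirms that the NSSNickname in nss.conf names a certificate whose private key is in the database and that the CA label is trusted for SSL. The function names and the sample listing are constructed for illustration; the labels are the ones used above.

```sh
#!/bin/sh
# Added example (not from the wiki page): offline check of the import result.
# Function names are hypothetical; labels are the ones used on this page.

# trust_of NICKNAME: reads `certutil -L -d <db>` output on stdin and prints the
# trust attributes (SSL,S/MIME,JAR/XPI) for NICKNAME; fails if it is not listed.
trust_of() {
    awk -v nick="$1" '
        NF >= 2 && $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
            t = $NF
            sub(/[ \t]+$/, "")            # drop trailing blanks
            sub(/[ \t]+[^ \t]+$/, "")     # drop trust column, keep nickname
            if ($0 == nick) { print t; found = 1 }
        }
        END { exit !found }'
}

# conf_nickname FILE: prints the last uncommented NSSNickname value in FILE.
conf_nickname() {
    awk '/^[ \t]*NSSNickname[ \t]/ {
             sub(/^[ \t]*NSSNickname[ \t]+/, ""); sub(/[ \t]+$/, "")
             gsub(/"/, ""); n = $0
         }
         END { if (n == "") exit 1; print n }' "$1"
}

# check_mod_nss LISTING CONF CA_LABEL: LISTING is a saved `certutil -L` output.
# Runs in a subshell, so `exit` only ends the check, not the caller.
check_mod_nss() (
    nick=$(conf_nickname "$2") || { echo "no NSSNickname in $2"; exit 1; }
    srv=$(trust_of "$nick" < "$1") || { echo "'$nick' not in NSS database"; exit 1; }
    ca=$(trust_of "$3" < "$1") || { echo "CA '$3' not in NSS database"; exit 1; }
    # 'u' in the SSL field: the database holds the private key for this cert.
    case ${srv%%,*} in *u*) ;; *) echo "no private key for '$nick'"; exit 1 ;; esac
    # 'C' in the SSL field: the CA is trusted to issue server certificates.
    case ${ca%%,*} in *C*) ;; *) echo "CA '$3' not trusted for SSL"; exit 1 ;; esac
    echo "ok: NSSNickname=$nick ($srv), CA=$3 ($ca)"
)

# Constructed sample of what `certutil -L -d /etc/httpd/alias` prints after
# the steps above (not captured from a real host).
sample_listing() {
    cat <<'EOF'
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

videoNEXT                                                    CT,CT,CT
demo-10                                                      u,u,u
EOF
}
```

On the server, save the real listing with `certutil -L -d /etc/httpd/alias > nss.list` and run `check_mod_nss nss.list /etc/httpd/conf.d/nss.conf videoNEXT`; a non-zero exit means httpd would fail to load the certificate on restart.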