Mod nss: Difference between revisions

From VVCWiki
(Created page with "=== Configuring mod_nss on RHEL === <ol> <li>Create empty password</li> echo -e "\n" > /tmp/empty.txt <li>Import CA certificate from videoNEXT.crt file: </li> certutil -A -n...")
 
No edit summary
 
Line 1: Line 1:
=== Configuring mod_nss on RHEL ===
=== Configuring mod_nss on RHEL ===
<ol>
*generate private key (default is not long enough)
<li>Create empty password</li>
 
  echo -e "\n" > /tmp/empty.txt
openssl genrsa -out server.key 2048
<li>Import CA certificate from videoNEXT.crt file: </li>
 
  certutil -A -n videoNEXT -t CT,CT,CT -f /tmp/empty.txt -a -i videoNEXT.crt -d /etc/httpd/alias
*generate certificate request
</ol>
<pre>
openssl req -new -key server.key -out server.csr
 
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:Virginia
Locality Name (eg, city) [Newbury]:Chantilly
Organization Name (eg, company) [My Company Ltd]:videoNEXT Network Solutions, Inc.
Organizational Unit Name (eg, section) []:Demo Server
Common Name (eg, your name or your server's hostname) []:demo-10.videonext.com
Email Address []:root@videonext.net
</pre>
 
*send server.csr to Certificate Authority
 
*after certificate is received, convert private key, certificate and CA into pkcs12 file
caname and name are database labels for CA and server certificates, in our case videoNEXT and demo-10
 
  openssl pkcs12 -export -chain -inkey server.key -caname videoNEXT -name demo-10 -in demo-10.crt -CAfile videoNEXT.crt -out demo-10.p12
 
*import pkcs12 into apache NSS database:
 
pk12util -i demo-10.p12 -d /etc/httpd/alias
 
*mark CA certificate as a trusted CA
 
  certutil -M -n videoNEXT -t CT,CT,CT -d /etc/httpd/alias
 
*modify /etc/httpd/conf.d/nss.conf to use new certificate's label
 
NSSNickname demo-10
 
*restart apache
 
service httpd restart
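
Review bot: the `certutil -M -n videoNEXT -t CT,CT,CT` step marks the CA as trusted for all three usages (SSL, S/MIME and object signing), while this server only needs it for SSL; `-t CT,,` would limit the trust to that. The revised steps also leave an unencrypted `server.key` (`openssl genrsa` is run without a cipher option) and `demo-10.p12` on disk after `pk12util -i`; a line telling the reader to restrict permissions on both files and to remove the .p12 once the import succeeds would close that gap.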

Latest revision as of 20:44, 11 October 2012

Configuring mod_nss on RHEL

  • Generate a private key (the default key length is not long enough)
      openssl genrsa -out server.key 2048
  • Generate a certificate request
      openssl req -new -key server.key -out server.csr

      Country Name (2 letter code) [GB]:US
      State or Province Name (full name) [Berkshire]:Virginia
      Locality Name (eg, city) [Newbury]:Chantilly
      Organization Name (eg, company) [My Company Ltd]:videoNEXT Network Solutions, Inc.
      Organizational Unit Name (eg, section) []:Demo Server
      Common Name (eg, your name or your server's hostname) []:demo-10.videonext.com
      Email Address []:root@videonext.net
  • Send server.csr to the Certificate Authority
  • After the certificate is received, convert the private key, certificate and CA into a PKCS#12 file

    -caname and -name are the database labels for the CA and server certificates, in our case videoNEXT and demo-10

      openssl pkcs12 -export -chain -inkey server.key -caname videoNEXT -name demo-10 -in demo-10.crt -CAfile videoNEXT.crt -out demo-10.p12
  • Import the PKCS#12 file into the Apache NSS database:
      pk12util -i demo-10.p12 -d /etc/httpd/alias
  • Mark the CA certificate as a trusted CA
      certutil -M -n videoNEXT -t CT,CT,CT -d /etc/httpd/alias
  • Modify /etc/httpd/conf.d/nss.conf to use the new certificate's label
      NSSNickname demo-10
  • Restart Apache
      service httpd restart
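
A pre-restart check for the import, trust and NSSNickname steps above, as an added example that is not part of the original wiki page: it confirms that the label in nss.conf exists in the NSS database with a private key (the `u` flag) and that the CA label is trusted for SSL (`C` in the first trust field). The function names and the sample `certutil -L` listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the wiki page): check the NSS database against nss.conf
# before restarting httpd. Function names are hypothetical; SAMPLE_* is constructed.

# trust_of LISTING NICKNAME -> prints the trust string (e.g. "CT,CT,CT"), or fails.
# "certutil -L" prints the nickname, padding, then the trust flags as the last field.
trust_of() {
    printf '%s\n' "$1" | awk -v nick="$2" '
        NF >= 2 {
            trust = $NF; line = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", line)   # strip the trust column
            if (line == nick) { print trust; found = 1; exit }
        }
        END { exit (found ? 0 : 1) }'
}

# configured_nickname CONF_TEXT -> value of the last uncommented NSSNickname directive.
configured_nickname() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*NSSNickname[[:space:]][[:space:]]*//p' |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# check_nss LISTING CONF_TEXT CA_LABEL -> 0 if consistent, 1 otherwise (reason on stderr).
check_nss() {
    nick=$(configured_nickname "$2")
    [ -n "$nick" ] || { echo "no NSSNickname in config" >&2; return 1; }
    srv=$(trust_of "$1" "$nick") || { echo "label '$nick' not in database" >&2; return 1; }
    # "u" in the trust string means the database holds the matching private key
    case $srv in *u*) ;; *) echo "'$nick' has no private key" >&2; return 1 ;; esac
    ca=$(trust_of "$1" "$3") || { echo "CA '$3' not in database" >&2; return 1; }
    # The first comma-separated field is SSL trust; "C" marks a trusted CA for server certs
    case ${ca%%,*} in *C*) ;; *) echo "CA '$3' not trusted for SSL" >&2; return 1 ;; esac
    return 0
}

# Constructed sample input in the layout printed by "certutil -L -d /etc/httpd/alias"
SAMPLE_LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

videoNEXT                                                    CT,CT,CT
demo-10                                                      u,u,u'
SAMPLE_CONF='# NSSNickname Server-Cert
NSSNickname demo-10'

check_nss "$SAMPLE_LISTING" "$SAMPLE_CONF" videoNEXT && echo "OK to restart httpd"
```

On a real host, pass `"$(certutil -L -d /etc/httpd/alias)"` and `"$(cat /etc/httpd/conf.d/nss.conf)"` in place of the sample variables.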