Mod nss


Configuring mod_nss on RHEL

  • generate a private key (the default key length is not long enough, so request 2048 bits explicitly)
openssl genrsa -out server.key 2048
  • generate certificate request
openssl req -new -key server.key -out server.csr 

Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:Virginia
Locality Name (eg, city) [Newbury]:Chantilly
Organization Name (eg, company) [My Company Ltd]:videoNEXT Network Solutions, Inc.
Organizational Unit Name (eg, section) []:Demo Server
Common Name (eg, your name or your server's hostname) []:demo-10.videonext.com
Email Address []:root@videonext.net
  • send server.csr to Certificate Authority
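  • after the certificate is received, bundle the private key, server certificate and CA certificate into a PKCS#12 file

The -caname and -name options set the labels (nicknames) under which the CA and server certificates are stored in the NSS database; in our case these are videoNEXT and demo-10.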

openssl pkcs12 -export -chain -inkey server.key -caname videoNEXT -name demo-10 -in demo-10.crt -CAfile videoNEXT.crt -out demo-10.p12 
  • import pkcs12 into apache NSS database:
pk12util -i demo-10.p12 -d /etc/httpd/alias
  • mark CA certificate as a trusted CA
certutil -M -n videoNEXT -t CT,CT,CT -d /etc/httpd/alias
  • modify /etc/httpd/conf.d/nss.conf to use new certificate's label
NSSNickname demo-10
  • restart apache
service httpd restart
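
A consistency check for the procedure above, added here as an example and not part of the original page: it confirms that the NSSNickname in nss.conf names a certificate that is in the NSS database with its private key (the `u` flag), and that the CA nickname carries the `C` trust flag for SSL. The function names and the sample listing are constructed for illustration; the listing follows the layout printed by `certutil -L`.

```shell
#!/bin/sh
# Added example: consistency check for the procedure above. Function names are
# illustrative; the listing is saved output of `certutil -L -d /etc/httpd/alias`.

# Print the trust flags that a `certutil -L` listing (stdin) records for nickname $1.
trust_of() {
    awk -v want="$1" '
        NF >= 2 && $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
            flags = $NF
            sub(/[ \t]+[^ \t]+[ \t]*$/, "")      # strip the flags column
            if ($0 == want) { print flags; found = 1; exit }
        }
        END { exit !found }'
}

# Print the nickname set by the first uncommented NSSNickname line in file $1.
nss_nickname() {
    awk '$1 == "NSSNickname" {
        sub(/^[ \t]*NSSNickname[ \t]+/, ""); sub(/[ \t]+$/, "")
        gsub(/^"|"$/, ""); print; exit }' "$1"
}

# check_nss LISTING NSS_CONF CA_NICKNAME: succeed only if the pieces line up.
check_nss() {
    nick=$(nss_nickname "$2")
    [ -n "$nick" ] || { echo "FAIL: no NSSNickname in $2"; return 1; }
    srv=$(trust_of "$nick" < "$1") ||
        { echo "FAIL: NSSNickname '$nick' is not in the database"; return 1; }
    case ${srv%%,*} in *u*) ;; *)
        echo "FAIL: '$nick' has no private key (flags $srv)"; return 1 ;; esac
    ca=$(trust_of "$3" < "$1") ||
        { echo "FAIL: CA '$3' is not in the database"; return 1; }
    case ${ca%%,*} in *C*) ;; *)
        echo "FAIL: CA '$3' is not trusted for SSL (flags $ca)"; return 1 ;; esac
    echo "OK: '$nick' ($srv) has its key; CA '$3' is trusted ($ca)"
}

# Constructed sample data (not captured from a real server).
demo=$(mktemp -d)
printf '%s\n' 'Certificate Nickname          Trust Attributes' \
    '                              SSL,S/MIME,JAR/XPI' '' \
    'videoNEXT                     CT,C,C' \
    'demo-10                       u,u,u' > "$demo/listing.txt"
printf '%s\n' '#NSSNickname Server-Cert' 'NSSNickname demo-10' > "$demo/nss.conf"
check_nss "$demo/listing.txt" "$demo/nss.conf" videoNEXT
rm -rf "$demo"
```

On the server, save the output of `certutil -L -d /etc/httpd/alias` to a file and pass it to check_nss together with /etc/httpd/conf.d/nss.conf and the CA label before restarting apache.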