Kevin M. Myer
2005-Sep-13 15:11 UTC
[Fedora-directory-users] Importing private key into certificate store
Hello,

I would like to use an external application to handle my certificate request (I'm using self-signed certificates - essentially my CA application would generate the request and then sign it, instead of using any of the FDS components to generate the request). This process works fine, except that there doesn't appear to be an easy way to get the private key for the certificate into the certificate store. Obviously, if you use the certificate wizard or certutil to generate the request, the key ends up in the store. But if you don't, is there a way to import a key, so that importing a certificate will work? Currently it balks about importing a signed certificate because the private key is missing. I tried combining key and certificate into one file (PEM format) but that didn't help.

Kevin

--
Kevin M. Myer
Senior Systems Administrator
Lancaster-Lebanon Intermediate Unit 13
http://www.iu13.org
Rich Megginson
2005-Sep-13 15:13 UTC
Re: [Fedora-directory-users] Importing private key into certificate store
You need to get your CA to export your key/cert data in pkcs12 (.p12) format, then use the FDS pk12util to import both the key and cert.

Kevin M. Myer wrote:
> Hello,
>
> I would like to use an external application to handle my certificate request
> (I'm using self-signed certificates - essentially my CA application would
> generate the request and then sign it, instead of using any of the FDS
> components to generate the request). This process works fine, except that
> there doesn't appear to be an easy way to get the private key for the
> certificate into the certificate store. Obviously, if you use the certificate
> wizard or certutil to generate the request, the key ends up in the store. But
> if you don't, is there a way to import a key, so that importing a certificate
> will work? Currently it balks about importing a signed certificate because the
> private key is missing. I tried combining key and certificate into one file
> (PEM format) but that didn't help.
>
> Kevin
Rob Crittenden
2005-Sep-13 15:33 UTC
Re: [Fedora-directory-users] Importing private key into certificate store
Or since you have 2 PEM files, you can use openssl to convert it into a PKCS#12 file:

% openssl pkcs12 -export -in cert.pem -inkey key.pem -out cert.p12 -name "Server-Cert" -passout pass:foo

You can then import that into your database with something like:

% pk12util -i cert.p12 -d <server-root>/alias -P slapd-YOURHOST- -W foo

Replace <server-root> with the path to your DS install, probably /opt/fedora-ds. Check the alias directory to see what the value of YOURHOST should be. Note that the trailing dash is important.

rob

Rich Megginson wrote:
> You need to get your CA to export your key/cert data in pkcs12 (.p12)
> format, then use the FDS pk12util to import both the key and cert.
>
> Kevin M. Myer wrote:
>
>> Hello,
>>
>> I would like to use an external application to handle my certificate
>> request
>> (I'm using self-signed certificates - essentially my CA application would
>> generate the request and then sign it, instead of using any of the FDS
>> components to generate the request). This process works fine, except
>> that
>> there doesn't appear to be an easy way to get the private key for the
>> certificate into the certificate store. Obviously, if you use the
>> certificate
>> wizard or certutil to generate the request, the key ends up in the
>> store. But
>> if you don't, is there a way to import a key, so that importing a
>> certificate
>> will work? Currently it balks about importing a signed certificate
>> because the
>> private key is missing. I tried combining key and certificate into
>> one file
>> (PEM format) but that didn't help.
>>
>> Kevin
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
Kevin M. Myer
2005-Sep-13 16:18 UTC
Re: [Fedora-directory-users] Importing private key into certificate store
Quoting Rich Megginson <rmeggins@redhat.com>:
> You need to get your CA to export your key/cert data in pkcs12 (.p12)
> format, then use the FDS pk12util to import both the key and cert.

As luck usually has it, I pretty much came to that same conclusion shortly after I pressed send :)

http://developers.sun.com/prodtech/appserver/reference/techart/keymgmt.html

For the sake of archiving:

As Rich noted, the certificate and key must be in PKCS12 format. My CA is openssl - in order to have a successful import, you must export the certificate to PKCS12 format with a nickname (my initial CA wrapper did not do that, which resulted in a failed import). The following command would combine a PEM certificate and key and create a PKCS12 certificate and key:

> openssl pkcs12 -export -in cert.pem -inkey key.pem -name <nickname>
> -out directory.p12

And then import it:

> pk12util -d <nss_config_dir> -i directory.p12 [-h "NSS Certificate DB"]

From what I can gather, there are at least three certificate stores. For the first two below, nss_config_dir is /opt/fedora-ds/alias.

Directory Server: /opt/fedora-ds/alias/slapd-hostname-[cert|key][8|3].db
Admin Server: /opt/fedora-ds/alias/admin-server-hostname-[cert|key][8|3].db

For the above two, to import, I created symbolic links for cert8.db and key3.db to their respective counterparts for slapd and admin-server (i.e. link cert8.db -> slapd-hostname-cert8.db and key3.db -> slapd-hostname-key3.db, import, then remove links and relink to admin-server-hostname databases).

There's also a store in /opt/fedora-ds/admin-server/config - not sure if that is for the Admin Console, but I've skipped it for the moment.

Kevin

--
Kevin M. Myer
Senior Systems Administrator
Lancaster-Lebanon Intermediate Unit 13
http://www.iu13.org
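The procedure from Rob's and Kevin's replies end to end, as an added example that is not from the thread: a PEM key/cert pair (standing in for the external CA's output) is bundled into PKCS#12 with a nickname, imported into an NSS database using the slapd-style file prefix via -P rather than Kevin's symlinks, and the store is then checked for both the certificate and the key. It assumes openssl, certutil and pk12util (nss-tools) are on PATH; the scratch directory, prefix "slapd-example-", nickname "Server-Cert" and passwords are constructed for the example.

```shell
#!/bin/sh
# Added example (not code from the thread): PEM key+cert -> PKCS#12 with a
# nickname -> prefixed NSS database, then verify the import.
# Assumptions: openssl, certutil and pk12util are installed; all files are
# written under the scratch directory passed as the first argument.

import_pem_into_nss() {
    work="$1"                  # scratch directory, constructed for this example
    prefix="slapd-example-"    # stands in for slapd-YOURHOST- (trailing dash matters)
    nick="Server-Cert"         # nickname: without -name the NSS import fails

    for tool in openssl certutil pk12util; do
        command -v "$tool" >/dev/null 2>&1 || { echo "skipping: $tool not installed"; return 2; }
    done
    mkdir -p "$work/alias" || return 1

    # 1. Stand-in for the external CA: a self-signed key and certificate in PEM.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=ldap.example.test" \
        -keyout "$work/key.pem" -out "$work/cert.pem" >/dev/null 2>&1 || return 1

    # 2. Bundle key and cert into PKCS#12; -name is the nickname NSS will show.
    #    The SHA1/3DES PBE options keep the bundle readable by older pk12util
    #    builds; drop them when the target NSS understands AES-wrapped PKCS#12.
    printf 'p12-export-pass\n' > "$work/p12.pw"
    openssl pkcs12 -export -in "$work/cert.pem" -inkey "$work/key.pem" -name "$nick" \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
        -out "$work/cert.p12" -passout "file:$work/p12.pw" || return 1

    # 3. Create the prefixed NSS database and import key + cert in one step.
    printf 'nss-db-pass\n' > "$work/db.pw"
    certutil -N -d "$work/alias" -P "$prefix" -f "$work/db.pw" || return 1
    pk12util -i "$work/cert.p12" -d "$work/alias" -P "$prefix" \
        -k "$work/db.pw" -w "$work/p12.pw" || return 1

    # 4. Verify: the cert is listed under its nickname and a key with that nickname exists.
    certutil -L -d "$work/alias" -P "$prefix" | grep -q "^$nick" || return 1
    certutil -K -d "$work/alias" -P "$prefix" -f "$work/db.pw" | grep -q "$nick" || return 1
    rm -f "$work/key.pem" "$work/p12.pw" "$work/db.pw"   # don't leave the PEM key around
    echo "imported $nick into $work/alias (files ${prefix}cert*.db / ${prefix}key*.db)"
}

import_pem_into_nss "${1:-$(mktemp -d)}"
```

On a real install the scratch directory becomes <server-root>/alias and the prefix the server's actual slapd-YOURHOST- value, as Rob describes.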