Pivotal Knowledge Base

Converting SSL certificates from iPlanet Web Server to PEM format for Apache HTTP Server (2010521)

Purpose

This article explains how to reuse certificates from iPlanet database files when you migrate a secure website from iPlanet Web Server to:
  • Apache HTTP Server
  • VMware vFabric Enterprise Ready Server (ERS)
  • vFabric Web Server

Resolution

You need tools from your existing iPlanet installation. To convert the key and certificate database files to PKCS12 format:
  1. Set the LD_LIBRARY_PATH to <iplanet directory>/bin/https/lib.
  2. Ensure certutil and pk12util are in your PATH.
  3. Back up the database files to a temporary directory.
  4. Create symlinks named key3.db and cert7.db that point to the original database files, using the commands below. In the examples, your site is example.com.
    • $ ln -s https-secure.example.com-secure-key3.database key3.db
    • $ ln -s https-secure.example.com-secure-cert7.database cert7.db

      Note: By default, these links are created in the same directory as the original files.

  5. In the same directory, use the certutil command to determine the certificate name:

    $ certutil -K -d .

  6. When prompted for the certificate password, enter the password.
  7. Look for the following in the output:

    <0> Cert-Name

    In this example, the certificate name is Cert-Name.

  8. Use pk12util to convert the database files:

    $ pk12util -d . -o keycert.pkcs12 -n Cert-Name
You will be prompted for:
  • the password for the key3.db key database.
  • a new password for the PKCS12-format keycert.pkcs12 file, which will contain both the key and the certificate.
 
To convert PKCS12 format to PEM format, you need OpenSSL. Your operating system likely supplies the openssl command. If it does not, vFabric ERS and vFabric Web Server both supply the tool. For more information, see Running the binaries packed with vFabric ERS or vFabric Web Server fails with the error: No such file or directory (KB 2010199).
  1. Convert the format with the openssl command:

    $ openssl pkcs12 -in keycert.pkcs12 -out keycert.pem


    Note: The first password for which you are prompted is the password you specified when creating the keycert.pkcs12 file. The second is the PEM password you may want to create for the private key in the keycert.pem file.

  2. The keycert.pem file contains both the private key and the certificate. You must split these into individual files, server-cert.pem and server-key.pem.
  3. Open the keycert.pem file with a plain text editor and:

    • Copy the certificate (everything from BEGIN CERTIFICATE to END CERTIFICATE) and paste it into the server-cert.pem file.
    • Copy the private key (everything from BEGIN RSA PRIVATE KEY to END RSA PRIVATE KEY) and paste it into the server-key.pem file.

  4. In your SSL configuration, specify the server-cert.pem and server-key.pem files with the SSLCertificateFile and SSLCertificateKeyFile directives, respectively.
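
The manual split in steps 2 and 3 can also be scripted. The following is an added example, not part of the original article: the function name split_keycert and the sample bundle are constructed for illustration, and it assumes the first certificate in keycert.pem is the server certificate. It also accepts the PRIVATE KEY and ENCRYPTED PRIVATE KEY markers that some OpenSSL versions write instead of RSA PRIVATE KEY, and it restricts the key file to its owner.

```shell
#!/bin/sh
# Added example: split the combined keycert.pem into server-cert.pem and
# server-key.pem without hand-editing. The function name is hypothetical.

split_keycert() (
    in=$1; outdir=${2:-.}
    [ -r "$in" ] || { echo "cannot read $in" >&2; exit 1; }
    umask 077                      # new files are created owner-only
    key=$outdir/server-key.pem; cert=$outdir/server-cert.pem

    # Private key: any "... PRIVATE KEY" block (RSA, PKCS#8, or encrypted).
    # Text outside the markers, such as "Bag Attributes", is dropped.
    awk '/^-----BEGIN [A-Z ]*PRIVATE KEY-----/ {p=1}
         p {print}
         /^-----END [A-Z ]*PRIVATE KEY-----/   {p=0}' "$in" > "$key"
    chmod 600 "$key"               # also tighten a pre-existing file

    # Certificate: first CERTIFICATE block only (assumed to be the server
    # certificate; any further blocks are chain certificates).
    awk '/^-----BEGIN CERTIFICATE-----/ {n++; p=1}
         p && n==1 {print}
         /^-----END CERTIFICATE-----/   {p=0}' "$in" > "$cert"

    [ -s "$key" ]  || { echo "no private key in $in" >&2; exit 1; }
    [ -s "$cert" ] || { echo "no certificate in $in" >&2; exit 1; }
)

# Constructed sample bundle (placeholder base64, not real key material).
demo_dir=$(mktemp -d)
cat > "$demo_dir/keycert.pem" <<'EOF'
Bag Attributes
    friendlyName: Cert-Name
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtU0VSVkVSLUNFUlQ=
-----END CERTIFICATE-----
Bag Attributes
    friendlyName: Example CA
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtQ0EtQ0VSVA==
-----END CERTIFICATE-----
Bag Attributes
    friendlyName: Cert-Name
-----BEGIN ENCRYPTED PRIVATE KEY-----
Q09OU1RSVUNURUQtS0VZ
-----END ENCRYPTED PRIVATE KEY-----
EOF
split_keycert "$demo_dir/keycert.pem" "$demo_dir" && ls -l "$demo_dir"
```

Once the split files are verified, delete keycert.pkcs12 and keycert.pem, since both still contain the private key.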
     

Confidential or Internal Solution information

Rewrite of this blog: http://nagarun.wordpress.com/2008/12/17/transfer-ssl-certs-from-iplanet-to-apacheiisfirewallloadbalancers-ciscojuniper/ (which refers to http://www.hp.com/products1/unix/webservers/apache/techtips/Migration-iPlanet-to-HPApache.pdf, which I can't read)
... with some clarification. I don't actually have iPlanet to test this, but the customer from case 11123416112 seemed to use it successfully.

©VMware 2013
