convert a ssl cert in .pem format to pkcs12



help!

cutting a VERY long and painful story short, I have a bit of a
poisoned chalice now!


I have been provided with a SSL cert as a .pem file (and the password)
- and need to somehow convert it to a pkcs12 cert for use on a Java
Web Server v7 (cert8.db and key3.db)

help!  can anyone suggest how this can be achieved?  Or suggest a more
suitable usenet group?

cheers

ian
0
Reply iandiddamsorg (57) 3/7/2012 3:37:07 PM

sorry...  I've now worked out it's not pkcs12 format I need, but DB
format.

whatever...  I need to convert a .pem file into cert8.db and key3.db
files!

thanks

ian

0
Reply iandiddamsorg (57) 3/7/2012 4:12:27 PM


On 2012-03-07 16:12:27 +0000, ian diddams said:

> sorry...  I've now worked out it's not pkcs12 format I need, but DB
> format.
> 
> whatever...  I need to convert a .pem file into cert8.db and key3.db
> files!

Have you got a program called certutil around?

-- 
Chris

0
Reply Chris 3/7/2012 5:12:07 PM

ian diddams <iandiddamsorg@googlemail.com> wrote:
> sorry...  I've now worked out it's not pkcs12 format I need, but DB
> format.

Which java webserver is this?  .pem is pretty much a universal format...
does the documentation not describe importing such?

cert8.db/key3.db sounds like something from Mozilla... would
http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html apply
to you?

-- 
Brandon Hume    - hume -> BOFH.Ca, http://WWW.BOFH.Ca/
0
Reply hume.spamfilter (184) 3/7/2012 5:24:34 PM

if you're referring to what I think you are, you might be able to do
something like....

# /usr/sfw/bin/certutil -N -d .
# /usr/sfw/bin/certutil -A -n defaultCert -i source.pem -t CT -d .
# chmod 0644 *.db
0
Reply nelson.bensley (3) 3/7/2012 10:22:50 PM

Hello Ian,

> convert ssl cert from .pem to pkcs12

openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12

See also: http://wiki.cacert.org/wiki/Authenticode

Cheers,
        Thomas
0
Reply thomas130 (3) 3/8/2012 7:10:19 AM

ian diddams <iandiddamsorg@googlemail.com> wrote:
> help!
> 
> cutting a VERY long and painful story short, I have a bit of a
> poisoned chalice now!
> 
> 
> I have been provided with a SSL cert as a .pem file (and the password)
> - and need to somehow convert it to a pkcs12 cert for use on a Java
> Web Server v7 (cert8.db and key3.db)
> 
> help!  can anyone suggest how this can be achieved?  Or suggest a more
> suitable usenet group?
> 
> cheers
> 
> ian

if this is for iplanet certs, drop munge from my email address and contact 
me.
0
Reply presence (537) 3/8/2012 8:28:26 PM

I've probably confused everybody on usenet by my own lack of full
understanding so i'll attempt to explain again.


I have a .pem file for a wildcard ssl cert.

I need to turn that into cert8.db and key3.db (and I now suspect a
secmod.db?)  for use on a Sun Java System Web Server
v. 7.0U4 B12/02/2008


AIUI the JWS is iPlanet :-)

I have found a resource that explained

openssl pkcs12 -export -in certs.pem -out file.p12 -name "MY Certificate"
pk12util -i file.p12 -d <ws-installation-root>/<instance-name>/config

that creates a cert8.db, key3.db and secmod.db file.

However, when i swap these into the current JWS config directory
(archiving the previous ones!) whilst the JWS instance/configuration
does accept the password on restart it then errors with

ADMIN3603: Error while starting the server:
config: CORE1259:unable to find certificate Server-Cert
failure: server initialization failed

I can only think that what I actually put for

 -name "MY Certificate"

which was -name "*.<domain name>"    (ie the actual wildcard domain to
be covered by the cert)  must be confusing things?

any help more than gratefully accepted!


cheers

ian
0
Reply iandiddamsorg (57) 3/9/2012 9:47:33 AM

On Mar 7, 5:12 pm, Chris Ridd <chrisr...@mac.com> wrote:

> Have you got a program called certutil around?
I've checked chris and yes, I do.

cheers

Ian
0
Reply iandiddamsorg (57) 3/9/2012 10:50:27 AM

On Mar 7, 5:24 pm, hume.spamfil...@bofh.ca wrote:
>
> cert8.db/key3.db sounds like something from Mozilla... would
> http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html apply
> to you?


Unfortunately that link is broken it appears, but thanks anyway :-)

cheers

ian
0
Reply iandiddamsorg (57) 3/9/2012 10:52:35 AM

On Mar 7, 10:22 pm, nelson <nelson.bens...@gmail.com> wrote:
> if you're referring to what I think you are, you might be able to do
> something like....
>
> # /usr/sfw/bin/certutil -N -d .
> # /usr/sfw/bin/certutil -A -n defaultCert -i source.pem -t CT -d .
> # chmod 0644 *.db

Thanks - tried that but I get the same error as described below in my
post of March 9.

cheers

ian
0
Reply iandiddamsorg (57) 3/9/2012 11:07:27 AM

ian diddams <iandiddamsorg@googlemail.com> writes:
>I've probably confused everybody on usenet by my own lack of full
>understanding so i'll attempt to explain again.

>I have a .pem file for a wildcard ssl cert.

>I need to turn that into cert8.db and key3.db (and I now suspect a
>secmod.db?)  for use on a Sun Java System Web Server
>v. 7.0U4 B12/02/2008

You don't directly convert anything into a .db file. That is short for
database, and you use utilities provided by the software you want to
use to import the data you want into the database. Instead of it
looking for flat files (ie. Apache), it looks instead for the data
inside the database. (ie. iPlanet, Java anything, Mozilla/Firefox). 

In your case, you have a .pem file (and presumably a .key file that
goes along with it, because a cert is always associated with a key pair
and without having the two of them together, it is useless).

People have posted remnants of what you need to use. Although I
seem to remember Java coming with certutil already. But it is also
available from the Mozilla NSS project. The doc link below includes
a direct link to it. 

But the webserver/appserver itself should have an interface to import
this data into the database? Seems a lot simpler to do it that way.

You might be able to find certutil within the webserver directories
somewhere, or else inside the java installation areas, or download
it from the NSS project. 

Here's a link to the docs on how to do a couple things with the CLI
certutil tool for your webserver stuff..

http://docs.oracle.com/cd/E19159-01/819-3671/ablrg/index.html

0
Reply Doug 3/9/2012 2:56:16 PM

On Mar 9, 2:56 pm, Doug McIntyre <mer...@geeks.org> wrote:


> In your case, you have a .pem file (and presumably a .key file that
> goes along with it, because a cert is always associated with a key pair
> and without having the two of them together, it is useless).

well, that's a really good question!

This is what the person that sent me the pem file says

I have created a  .pem to include the private key and entire trust
chain as below; keyfile *.<domain> certificate intermediate
certificate (DigiCert CA-3) root certificate (DigiCertCA

so it seems that the keyfile is embedded within the .pem.

Whatever - I only have the one file - the .pem.

> But the webserver/appserver itself should have an interface to import
> this data into the database? Seems a lot simpler to do it that way.

I'd agree.  In principle.

The webserver does have a facility it would appear to import the
cert...  but I can't find anything that explains where to "put"
this .pem file so that the interface provided "sees" it - there's not
an option to browse etc for example.

> You might be able to find certutil within the webserver directories
> somewhere, or else inside the java installation areas, or download
> it from the NSS project.

I've used the certutil commands (see above) - but the cert8, key3 and
secmod files it produces don't "work" when i start the webserver with
them in place.


> Here's a link to the docs on how to do a couple things with the CLI
> certutil tool for your webserver stuff..

> http://docs.oracle.com/cd/E19159-01/819-3671/ablrg/index.html

cheers for your help Doug :-)


Ian


0
Reply iandiddamsorg (57) 3/9/2012 4:20:52 PM

Den 09.03.2012 10:47, skrev ian diddams:
[...]
> openssl pkcs12 -export -in certs.pem -out file.p12 -name "MY Certificate"
> pk12util -i file.p12 -d <ws-installation-root>/<instance-name>/config
> 
> that creates a cert8.db, key3.db and secmod.db file.
> 
> However, when i swap these into the current JWS config directory
> (archiving the previous ones!) whilst the JWS instance/configuration
> does accept the password on restart it then errors with
> 
> ADMIN3603: Error while starting the server:
> config: CORE1259:unable to find certificate Server-Cert
> failure: server initialization failed
> 
> I can only think that what I actually put for
> 
>  -name "MY Certificate"
> 
> which was -name "*.<domain name>"    (ie the actual wildcard domain to
> be covered by the cert)  must be confusing things?

It appears as if your JWS is looking for a certificate with the alias or
friendlyname "Server-Cert".
Why don't you try
openssl pkcs12 -export -in certs.pem -out file.p12 -name "Server-Cert"
and see how that works out?


0
Reply torsten.kirschner2 (9) 4/9/2012 11:27:08 PM
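
The nickname fix suggested in the last reply, as an added example that is not part of the original thread: it builds a constructed PEM bundle (self-signed `*.example.test`, placeholder password `changeit`), exports it with `-name "Server-Cert"`, and reads the friendlyName back out of the PKCS#12 file before anything is imported into the server's database. The function names are hypothetical.

```shell
#!/bin/sh
# Added example: constructed test data only; names and password are placeholders.
umask 077   # key material: every file created below is owner-only

# make_sample_pem OUT: constructed stand-in for the supplied bundle, a
# self-signed wildcard cert plus its (unencrypted) key in one PEM file.
make_sample_pem() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=*.example.test" \
        -keyout "$1.key" -out "$1.crt" 2>/dev/null &&
    cat "$1.key" "$1.crt" > "$1" && rm -f "$1.key" "$1.crt"
}

# pem_to_p12 PEM OUT NICKNAME PASS: no -inkey is given, so the key is read
# from the same PEM as the cert; NICKNAME becomes the PKCS#12 friendlyName.
# "pass:" on the command line is for this demo only (it shows up in ps).
pem_to_p12() {
    openssl pkcs12 -export -in "$1" -out "$2" -name "$3" -passout "pass:$4"
}

# p12_friendly_name P12 PASS: print the friendlyName of the first cert bag.
p12_friendly_name() {
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null |
        sed -n 's/^ *friendlyName: //p' | head -n 1
}

# check_nickname P12 PASS EXPECTED: succeed only if the nickname matches
# the one the server configuration refers to.
check_nickname() {
    [ "$(p12_friendly_name "$1" "$2")" = "$3" ]
}

demo() {
    dir=$(mktemp -d) || return 1
    make_sample_pem "$dir/certs.pem" &&
    pem_to_p12 "$dir/certs.pem" "$dir/file.p12" "Server-Cert" "changeit" &&
    p12_friendly_name "$dir/file.p12" "changeit"
    rc=$?
    rm -rf "$dir"   # do not leave key material behind
    return $rc
}
demo
```

After the `pk12util -i` import from the thread, `certutil -L -d <config dir>` lists the nicknames stored in the database, which is where the server looks up `Server-Cert`.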

13 Replies
705 Views
