FreeIPA is touted as a platform for centralized authentication/identity management, and it fills this role very well. One thing that it does not do well is allow you to add a commercially signed certificate after the FreeIPA installation is complete. You have to either start with a commercially signed cert, or live with the self-signed cert forever. No switching sides!
Convert the crt files to PEM format
Create a pem file from each original certificate
openssl x509 -inform PEM -in ./example.com.crt > /root/example.com.pem
openssl x509 -inform PEM -in ./intermediate.GlobalSign.crt > /root/intermediate.GlobalSign.crt.pem
Concatenate the PEM certificates (Root crt and Chain crt) into a single file
cat /root/example.com.pem /root/intermediate.GlobalSign.crt.pem > /root/example.com-GlogalSign.pem
Export PEM cert and private key in PKCS12 format
openssl pkcs12 -export -in /root/example.com-GlogalSign.pem -inkey ./example.com.key -out /root/example.com-Globalsign.p12 -name Example-GlobalSign
Import PKCS12 (.p12) certificate in NSS DB
pk12util -i /root/example.com-Globalsign.p12 -d /etc/httpd/alias
You can find the password for the NSS DB here: /etc/httpd/alias/pwdfile.txt
You can verify your certificate using the following command:
certutil -L -d /etc/httpd/alias -n Example-GlobalSign
Put the Example-GlobalSign nickname in the nss.conf config file
NSSNickname Example-GlobalSign
Restart HTTPD
service httpd restart
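A pre-flight check for the files used in the steps above, to run before the PKCS12 export. This is an added example, not part of the original post; the function names are hypothetical, and the issuer check compares names only, not signatures.

```shell
#!/usr/bin/env bash
# Pre-flight checks for the certificate, intermediate and private key
# before `openssl pkcs12 -export`. Added example; names are hypothetical.

# Succeeds only if the private key's public half equals the certificate's.
# usage: key_matches_cert CERT KEY
key_matches_cert() {
    local c k
    # Capture each public key separately so an unreadable file cannot
    # produce two empty strings that compare as equal.
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Succeeds only if LEAF's issuer name equals ISSUER's subject name.
# This is a name comparison, not a signature verification.
# usage: issued_by LEAF ISSUER
issued_by() {
    local i s
    i=$(openssl x509 -in "$1" -noout -issuer_hash 2>/dev/null) || return 2
    s=$(openssl x509 -in "$2" -noout -subject_hash 2>/dev/null) || return 2
    [ -n "$i" ] && [ "$i" = "$s" ]
}

# Runs all checks and reports the first failure on stderr.
# usage: preflight LEAF INTERMEDIATE KEY
preflight() {
    key_matches_cert "$1" "$3" || { echo "key does not match $1" >&2; return 1; }
    issued_by "$1" "$2" || { echo "$2 did not issue $1" >&2; return 1; }
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null \
        || { echo "$1 has expired" >&2; return 1; }
}

# With the file names from the steps above:
#   ./preflight.sh /root/example.com.pem \
#       /root/intermediate.GlobalSign.crt.pem ./example.com.key
if [ "$#" -eq 3 ]; then preflight "$@"; fi
```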