Replacing an expired apache2 certificate when using mod_nss
This document (7022944) is provided subject to the disclaimer at the end of this document.
Environment
SUSE Linux Enterprise Server 11 Service Pack 4 (SLES 11 SP4)
Situation
Resolution
1. Change to the /etc/apache2 directory and rename the existing mod_nss.d directory
hostname:~ # cd /etc/apache2
hostname:/etc/apache2 # mv mod_nss.d mod_nss.d-$(date +%y%m%d)
2. Create new mod_nss.d directory
hostname:/etc/apache2 # mkdir mod_nss.d
3. Generate a new NSS certificate store in the mod_nss.d directory. Do not create a password.
hostname:/etc/apache2 # certutil -N -d mod_nss.d
4. Change ownership recursively for that directory to wwwrun user and www group.
hostname:/etc/apache2 # chown -R wwwrun:www mod_nss.d
5. Convert the certificate and key into PKCS12 format
hostname:/etc/apache2 # openssl pkcs12 -export -in /path/to/certificate -inkey /path/to/key -out server.p12 -name "server-cert" -passout pass:<password to encrypt key>
6. a) Import the PKCS12 certificate
hostname:/etc/apache2 # pk12util -i server.p12 -d mod_nss.d
b) Import the CA chain
hostname:/etc/apache2 # certutil -A -n "ca-chain" -t "CT,," -d mod_nss.d -a -i /path/to/ca-chain
7. Verify the certificate and CA are imported
hostname:/etc/apache2 # certutil -L -d mod_nss.d
8. Verify the NSSNickName in the existing /etc/apache2/vhosts.d/vhost-nss.conf reflects the Server certificate name in the database. This parameter is case-sensitive. Update as required.
9. Restart apache2 service
hostname:/etc/apache2 # rcapache2 restart
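The case-sensitive nickname comparison in step 8 can be scripted and run before the restart in step 9. The following is an added example, not part of the SUSE document; the function names and the sample listing are constructed, and it assumes the `certutil -L` layout of a nickname column followed by a trust-flags column.

```shell
#!/bin/sh
# Added example: check that the NSSNickname in a vhost file exists, with the
# same case, in the NSS database listing printed by `certutil -L`.

# Print the value of the first uncommented NSSNickname directive in file $1.
conf_nickname() {
    awk 'tolower($1) == "nssnickname" {
             sub(/^[ \t]*[^ \t]+[ \t]+/, "")   # drop the directive name
             sub(/[ \t]+$/, "")                # drop trailing whitespace
             gsub(/^"|"$/, "")                 # drop surrounding quotes
             print; exit
         }' "$1"
}

# Read `certutil -L` output on stdin; succeed only if nickname $1 is listed
# with exactly this spelling and case.
listing_has_nickname() {
    awk -v want="$1" '
        $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
            sub(/[ \t]+[^ \t]+[ \t]*$/, "")    # drop the trust-flags column
            if ($0 == want) found = 1
        }
        END { exit !found }'
}

# Constructed sample of a `certutil -L -d mod_nss.d` listing after step 6.
sample_listing() {
    printf '%s\n' \
        'Certificate Nickname                      Trust Attributes' \
        '                                          SSL,S/MIME,JAR/XPI' \
        '' \
        'server-cert                               u,u,u' \
        'ca-chain                                  CT,,'
}

# check_nickname <vhost-conf> <nss-db-dir>: compare config and live database.
check_nickname() {
    nick=$(conf_nickname "$1")
    [ -n "$nick" ] || { echo "no NSSNickname found in $1" >&2; return 2; }
    if certutil -L -d "$2" | listing_has_nickname "$nick"; then
        echo "OK: '$nick' is present in $2"
    else
        echo "MISMATCH: '$nick' is not in $2" >&2
        return 1
    fi
}

# Run only when called with both arguments, e.g. on the server before step 9.
if [ "$#" -eq 2 ]; then check_nickname "$1" "$2"; fi
```

Saved under any file name, the script takes the vhost file and the database directory as its two arguments.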
Additional Information
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID: 7022944
- Creation Date: 10-May-2018
- Modified Date: 03-Mar-2020
- SUSE Linux Enterprise Server
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com