
convert a ssl cert in .pem format to pkcs12


ian diddams

Mar 7, 2012, 10:37:07 AM

help!

cutting a VERY long and painful story short, I have a bit of a
poisoned chalice now!


I have been provided with a SSL cert as a .pem file (and the password)
- and need to somehow convert it to a pkcs12 cert for use on a Java
Web Server v7 (cert8.db and key3.db)

help! can anyone suggest how this can be achieved? Or suggest a more
suitable usenet group?

cheers

ian

ian diddams

Mar 7, 2012, 11:12:27 AM

sorry... I've now worked out it's not pkcs12 format I need, but DB
format.

whatever... I need to convert a .pem file into cert8.db and key3.db
files!

thanks

ian

Chris Ridd

Mar 7, 2012, 12:12:07 PM

Have you got a program called certutil around?

--
Chris

hume.sp...@bofh.ca

Mar 7, 2012, 12:24:34 PM

ian diddams <iandid...@googlemail.com> wrote:
> sorry... I've now worked out its not pkcs12 format I need, but DB
> format.

Which java webserver is this? .pem is pretty much a universal format...
does the documentation not describe importing such?

cert8.db/key3.db sounds like something from Mozilla... would
http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html apply
to you?

--
Brandon Hume - hume -> BOFH.Ca, http://WWW.BOFH.Ca/

nelson

Mar 7, 2012, 5:22:50 PM

if you're referring to what I think you are, you might be able to do
something like....

# /usr/sfw/bin/certutil -N -d .
# /usr/sfw/bin/certutil -A -n defaultCert -i source.pem -t CT -d .
# chmod 0644 *.db

Thomas Glanzmann

Mar 8, 2012, 2:10:19 AM

Hello Ian,

> convert ssl cert from .pem to pkcs12

openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12

See also: http://wiki.cacert.org/wiki/Authenticode

Cheers,
Thomas

Cydrome Leader

Mar 8, 2012, 3:28:26 PM

if this is for iplanet certs, drop munge from my email address and contact
me.

ian diddams

Mar 9, 2012, 4:47:33 AM

I've probably confused everybody on usenet by my own lack of full
understanding so I'll attempt to explain again.


I have a .pem file for a wildcard ssl cert.

I need to turn that into cert8.db and key3.db (and I now suspect a
secmod.db?) for use on a Sun Java System Web Server
v. 7.0U4 B12/02/2008


AIUI the JWS is iPlanet :-)

I have found a resource that explained

openssl pkcs12 -export -in certs.pem -out file.p12 -name "MY Certificate"
pk12util -i file.p12 -d <ws-installation-root>/<instance-name>/config

that creates a cert8.db, key3.db and secmod.db file.

However, when I swap these into the current JWS config directory
(archiving the previous ones!) whilst the JWS instance/configuration
does accept the password on restart it then errors with

ADMIN3603: Error while starting the server:
config: CORE1259:unable to find certificate Server-Cert
failure: server initialization failed

I can only think that what I actually put for

-name "MY Certificate"

which was -name "*.<domain name>" (ie the actual wildcard domain to
be covered by the cert) must be confusing things?

any help more than gratefully accepted!


cheers

ian

ian diddams

Mar 9, 2012, 5:52:35 AM

On Mar 7, 5:24 pm, hume.spamfil...@bofh.ca wrote:
>
> cert8.db/key3.db sounds like something from Mozilla... would
> http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html apply
> to you?


Unfortunately that link is broken it appears, but thanks anyway :-)

cheers

ian

ian diddams

Mar 9, 2012, 6:07:27 AM

Thanks - tried that but I get the same error as described below in my
post of March 9.

cheers

ian

ian diddams

Mar 9, 2012, 5:50:27 AM

On Mar 7, 5:12 pm, Chris Ridd <chrisr...@mac.com> wrote:

> Have you got a program called certutil around?

I've checked, Chris, and yes, I do.

cheers

Ian

Doug McIntyre

Mar 9, 2012, 9:56:16 AM

ian diddams <iandid...@googlemail.com> writes:
>I've probably confused everybody on usenet by my own lack of full
>understanding so i'll attempt to explain again.

>I have a .pem file for a wildcard ssl cert.

>I need to turn that into cert8.db and key3.db (and I now suspect a
>secmod.db?) for use on a Sun Java System Web Server
>v. 7.0U4 B12/02/2008

You don't directly convert anything into a .db file. That is short for
database, and you use utilities provided by the software you want to
use to import the data you want into the database. Instead of it
looking for flat files (ie. Apache), it looks instead for the data
inside the database. (ie. iPlanet, Java anything, Mozilla/Firefox).

In your case, you have a .pem file (and presumably a .key file that
goes along with it, because a cert is always associated with a key pair
and without having the two of them together, it is useless).

People have posted remnants of what you need to use. Although I
seem to remember Java coming with certutil already. But it is also
available from the Mozilla NSS project. The doc link below includes
a direct link to it.

But the webserver/appserver itself should have an interface to import
this data into the database? Seems a lot simpler to do it that way.

You might be able to find certutil within the webserver directories
somewhere, or else inside the java installation areas, or download
it from the NSS project.

Here's a link to the docs on how to do a couple things with the CLI
certutil tool for your webserver stuff..

http://docs.oracle.com/cd/E19159-01/819-3671/ablrg/index.html

ian diddams

Mar 9, 2012, 11:20:52 AM

On Mar 9, 2:56 pm, Doug McIntyre <mer...@geeks.org> wrote:


> In your case, you have a .pem file (and presumably a .key file that
> goes along with it, because a cert is always associated with a key pair
> and without having the two of them together, it is useless).

well, that's a really good question!

This is what the person that sent me the pem file says

I have created a .pem to include the private key and entire trust
chain as below; keyfile *.<domain> certificate intermediate
certificate (DigiCert CA-3) root certificate (DigiCertCA

so it seems that the keyfile is embedded within the .pem.

Whatever - I only have the one file - the .pem.

> But the webserver/appserver itself should have an interface to import
> this data into the database? Seems a lot simpler to do it that way.

I'd agree. In principle.

The webserver does have a facility it would appear to import the
cert... but I can't find anything that explains where to "put"
this .pem file so that the interface provided "sees" it - there's not
an option to browse etc for example.

> You might be able to find certutil within the webserver directories
> somewhere, or else inside the java installation areas, or download
> it from the NSS project.

I've used the certutil commands (see above) - but the cert8, key3 and
secmod files it produces don't "work" when I start the webserver with
them in place.


> Here's a link to the docs on how to do a couple things with the CLI
> certutil tool for your webserver stuff..

> http://docs.oracle.com/cd/E19159-01/819-3671/ablrg/index.html

cheers for your help Doug :-)


Ian


Torsten Kirschner

Apr 9, 2012, 7:27:08 PM

On 09.03.2012 10:47, ian diddams wrote:
[...]
> openssl pkcs12 -export -in certs.pem -out file.p12 -name "MY Certificate"
> pk12util -i file.p12 -d <ws-installation-root>/<instance-name>/config
>
> that creates a cert8.db, key3.db and secmod.db file.
>
> However, when i swap these into the current JWS config directory
> (archiving the previous ones!) whilst the JWS instance/configuration
> does accept the password on restart it then errors with
>
> ADMIN3603: Error while starting the server:
> config: CORE1259:unable to find certificate Server-Cert
> failure: server initialization failed
>
> I can only think that what I actually put for
>
> -name "MY Certificate"
>
> which was -name "*.<domain name>" (ie the actual wildcard domain to
> be covered by the cert) must be confusing things?

It appears as if your JWS is looking for a certificate with the alias or
friendlyname "Server-Cert".
Why don't you try
openssl pkcs12 -export -in certs.pem -out file.p12 -name "Server-Cert"
and see how that works out?
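
Added example, not part of any post in this thread: a shell sketch of the export step discussed above that first checks the single .pem really contains a private key matching its certificate, exports it under the nickname the server looks up, and reads the friendlyName back from the .p12. The function names, file names and the P12_PASS variable are assumptions made for this example.

```sh
#!/bin/sh
# Added example; assumes the openssl CLI. The password is read from the
# exported variable P12_PASS so it never appears in the process list.
# Function names, file names and the nickname argument are illustrative.

# Succeed only if the PEM bundle holds a private key whose public half
# equals the public key of the first certificate in the bundle.
pem_key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$1" -passin env:P12_PASS -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Export key + certificate(s) to PKCS#12 under the nickname the server
# configuration refers to (the thread's error names "Server-Cert").
export_with_nickname() {
    pem=$1 out=$2 nick=$3
    if ! pem_key_matches_cert "$pem"; then
        echo "error: $pem has no private key matching its certificate" >&2
        return 1
    fi
    openssl pkcs12 -export -in "$pem" -out "$out" -name "$nick" \
        -passin env:P12_PASS -passout env:P12_PASS
}

# Print the friendlyName stored in a PKCS#12 file, i.e. the name set
# with -name at export time.
p12_nickname() {
    openssl pkcs12 -in "$1" -nokeys -passin env:P12_PASS 2>/dev/null |
        sed -n 's/^ *friendlyName: //p' | head -n 1
}

# Usage: P12_PASS=... sh thisfile certs.pem file.p12 Server-Cert
if [ "$#" -eq 3 ]; then
    export_with_nickname "$1" "$2" "$3" && p12_nickname "$2"
fi
```

After the pk12util import quoted in the thread, `certutil -L -d <config dir>` lists the nicknames present in the database, which can be compared with the name in the CORE1259 message.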

