Before you can change the SSL configuration at the application level, you have to prepare the certificate and its database.
First, the certificate has to be converted from PEM to PKCS#12 format:
# openssl pkcs12 -export -in cert.pem -inkey key.rsa -out cert.pkcs12 -name Server-Cert
cert.pem - the certificate issued by the Certificate Authority (CA), either an internal one or a public one (Thawte, Verisign, others)
key.rsa - the private key that signed the Certificate Signing Request (CSR); it must be the key pair the certificate was issued for
cert.pkcs12 - the PKCS#12 output file
Server-Cert - the friendlyName stored in the PKCS#12, which NSS turns into the certificate alias (nickname). Any other name could be used, but in most cases this is the default alias referenced by the SSL configuration, e.g.:
# configutil -o encryption.rsa.nssslpersonalityssl
Server-Cert
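The conversion above, wrapped in the checks worth running before handing the file to msgcert import-cert or pk12util -i. This is an added example, not code from the original post: it assumes openssl is in PATH, follows the post's file names (cert.pem, key.rsa, cert.pkcs12) and alias (Server-Cert), and uses its own conventions for the password file and the optional chain.pem. The PBE and MAC algorithms are pinned on purpose: OpenSSL 3.x exports PKCS#12 with AES-256-CBC and PBKDF2 by default, which the older NSS in these cert8.db-era servers cannot decode, while the SHA1/3DES PBE is accepted by both old and new NSS.

```shell
#!/bin/sh
# Added example, not code from the original post: prepare and sanity-check the
# PKCS#12 bundle before handing it to msgcert import-cert or pk12util -i.
# Assumptions: openssl in PATH; the file names cert.pem / key.rsa / cert.pkcs12
# and the alias Server-Cert follow the post; chain.pem (optional CA chain) and
# the export-password file are this example's own conventions.

# 1. Prove the private key belongs to the certificate by comparing the public
#    key embedded in each (hashed only to keep the comparison short).
key_matches_cert() {   # usage: key_matches_cert cert.pem key.rsa
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout | openssl sha256) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# 2. Refuse a certificate that is expired or about to expire: the import would
#    succeed, but SSL clients would reject the server. Default window: 30 days.
cert_valid_for_days() {   # usage: cert_valid_for_days cert.pem [days]
    openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null
}

# 3. Build the PKCS#12. -name becomes the NSS nickname (Server-Cert).
#    PBE-SHA1-3DES / HMAC-SHA1 are pinned because OpenSSL 3.x's default
#    (AES-256-CBC + PBKDF2) is not decodable by the old NSS in these servers.
#    The export password is read from a file so it never shows up in ps output.
make_pkcs12() {   # usage: make_pkcs12 cert.pem key.rsa out.pkcs12 passfile [chain.pem]
    cert=$1; key=$2; out=$3; passfile=$4; chain=${5:-}
    if [ -n "$chain" ]; then set -- -certfile "$chain"; else set --; fi
    openssl pkcs12 -export -in "$cert" -inkey "$key" -out "$out" -name Server-Cert \
        -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -macalg sha1 \
        -passout "file:$passfile" "$@"
}

# 4. Read the bundle back the way the server will. A PEM file offered here
#    fails to parse (the "improperly formatted DER-encoded message" case);
#    a good bundle reports the friendlyName that NSS will use as the alias.
pkcs12_alias() {   # usage: pkcs12_alias cert.pkcs12 passfile   (prints the alias)
    openssl pkcs12 -in "$1" -passin "file:$2" -nokeys 2>/dev/null \
        | sed -n 's/^ *friendlyName: *//p' | head -n 1
}

# Run the whole sequence, stopping at the first failed check.
prepare_server_cert() {   # usage: prepare_server_cert cert.pem key.rsa out.pkcs12 passfile [chain.pem]
    key_matches_cert "$1" "$2"  || { echo "key does not match certificate" >&2; return 1; }
    cert_valid_for_days "$1" 30 || { echo "certificate expires within 30 days" >&2; return 1; }
    make_pkcs12 "$1" "$2" "$3" "$4" "${5:-}" || return 1
    alias=$(pkcs12_alias "$3" "$4")
    [ "$alias" = "Server-Cert" ] || { echo "unexpected alias '$alias'" >&2; return 1; }
    echo "$3 ready: alias $alias"
}

# Command-line use: ./prepare.sh cert.pem key.rsa cert.pkcs12 pwfile [chain.pem]
if [ $# -ge 4 ]; then
    prepare_server_cert "$@"
fi
```

Create the password file with a restrictive umask (umask 077 before writing it), and pass chain.pem only when the CA gave you intermediate certificates; the same PKCS#12 then feeds msgcert, pk12util for the web server, and pk12util for the application server.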
Messaging Server
Initialize the certificate database:
# msgcert generate-certDB
Choose the Certificate Database password:
Confirm the Certificate Database password:
This creates the database files cert8.db, key3.db and secmod.db, plus sslpassword.conf, a plain-text file holding the password of the internal (software) token, i.e. the one entered during generation. Since the password is stored in the clear, make sure that file's permissions restrict it to the server's owner.
Initialization also creates a self-signed certificate with the alias Server-Cert.
Before importing, remove it, unless the imported certificate will use a different alias.
# msgcert remove-cert Server-Cert
Enter the certificate database password:
book [/opt/sun/comms/messaging64/config]# msgcert list-certs
Enter the certificate database password:
Alias Valid from Expires on Self-signed? Issued by Issued to
----- ---------- ---------- ------------ --------- ---------
0 certificates found
Now let's feed the database the real certificate.
# msgcert import-cert /root/SSL/cert.pkcs12
Enter the PKCS#12 file password:
Enter the certificate database password:
Voilà!
If there is a need to roll back to a self-signed certificate or to renew an expired one, use similar commands:
# msgcert add-selfsign-cert -S "CN=mail.wisnios.com" Server-Cert
# msgcert renew-selfsign-cert Server-Cert
Errors:
· Internal error: NSS error (SEC_PKCS12DecoderUpdate) in importCert:
security library: improperly formatted DER-encoded message. (-8183)
Failed to import the certificate
Cause: the certificate file has not been converted from PEM to PKCS#12
(use openssl pkcs12 -export).
· A certificate with the same alias already exists in the database.
Failed to import the certificate
Cause: the previously created (self-signed) certificate has not been removed
(use msgcert remove-cert).
Web Server
The same converted file can be used to feed the web server's certificate database.
[/var/opt/SUNWwbsvr7/https-mail.wisnios.com/config]
# /opt/SUNWwbsvr7/bin/pk12util -i /root/SSL/cert.pkcs12 -d .
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.
Enter new password:
Re-enter password:
Enter password for PKCS12 file:
pk12util: PKCS12 IMPORT SUCCESSFUL
[/var/opt/SUNWwbsvr7/https-mail.wisnios.com/config]
# certutil -L -d .
Server-Cert u,u,u
The three columns are the trust flags for SSL, S/MIME and object signing. A 'u' in each means the database holds the private key for this certificate, so it can act as the server's own (user) certificate in all three contexts. It says nothing about whether the issuing CA is trusted; CA certificates show up as separate entries with 'C' or 'T' flags.
A self-signed certificate could be generated with the wadm administration command:
wadm> create-selfsigned-cert --config=mail.wisnios.com --server-name=mail.wisnios.com \
--nickname=Server-Cert --token=internal
CLI201 Command 'create-selfsigned-cert' ran successfully
Application Server (Glassfish)
The same trick works with the application server.
[/opt/SUNWappserver/domains/domain1/config]
# pk12util -i /root/SSL/cert.pkcs12 -d .
[/opt/SUNWappserver/domains/domain1/config]
# certutil -L -n Server-Cert -d .
To change the default instance's SSL configuration, follow these steps in the admin console:
[https://appserver:4848]
Configurations:
default-config:
HTTP Service:
http-listener-2: (switch to right panel)
[right panel]
SSL:
Certificate NickName: Server-Cert (replace the default s1as entry)
Good luck.