Before you can start with the SSL changes at the application configuration level, you have to prepare the certificate and its database.
First the certificate has to be converted from PEM to PKCS#12 format.

# openssl pkcs12 -export -in cert.pem -inkey key.rsa -out cert.pkcs12 -name Server-Cert

cert.pem - certificate issued by a Certificate Authority (CA), either local or public (Thawte, Verisign, other)
key.rsa - private key used to sign the Certificate Signing Request (CSR)
cert.pkcs12 - PKCS#12 output file
Server-Cert - you could use any other name, but in most cases this is the default certificate name (alias) used within the SSL configuration, e.g.
# configutil -o encryption.rsa.nssslpersonalityssl

Messaging Server

Initialize certificate database:

# msgcert generate-certDB
Choose the Certificate Database password:
Confirm the Certificate Database password:

It leads to the creation of the database files cert8.db, key3.db and secmod.db, plus sslpassword.conf - a plain text file used to store the software token password (the one provided during the generation process).
Initialization has also created a self-signed certificate with the Server-Cert alias.
Before we start the import, we have to remove it, unless a different certificate name will be used.

# msgcert remove-cert Server-Cert
Enter the certificate database password:
book [/opt/sun/comms/messaging64/config]# msgcert list-certs
Enter the certificate database password:
Alias Valid from Expires on Self-signed? Issued by Issued to
----- ---------- ---------- ------------ --------- ---------
0 certificates found

Now, let's eat some certificates.

# msgcert import-cert /root/SSL/cert.pkcs12
Enter the PKCS#12 file password:
Enter the certificate database password:


If there's a need to roll back to the self-signed certificate or to renew an expired one, use the similar commands:

# msgcert add-selfsign-cert -S "CN=mail.wisnios.com" Server-Cert

# msgcert renew-selfsign-cert Server-Cert


· Internal error: NSS error (SEC_PKCS12DecoderUpdate) in importCert:
security library: improperly formatted DER-encoded message. (-8183)
Failed to import the certificate

The certificate file has not been converted from PEM to PKCS#12
(use openssl pkcs12 -export)

· A certificate with the same alias already exists in the database.
Failed to import the certificate

The previously created (self-signed) certificate has not been removed
(use msgcert remove-cert)
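As an added example (not from the original post) tying the PEM to PKCS#12 conversion above to the first error listed: a POSIX shell check that refuses a file which is still PEM before it ever reaches msgcert or pk12util, plus a demo that builds a throwaway key and self-signed certificate and exports them with the same openssl flags as the page. The function names cert_format, check_importable and demo, the CN mail.example.test and the export password changeit are all constructed for this example.

```shell
#!/bin/sh
# Pre-import check for the PEM -> PKCS#12 step: msgcert and pk12util expect a
# DER-encoded PKCS#12 blob, and feeding them the original PEM file is what
# produces "improperly formatted DER-encoded message (-8183)".

# Classify a file as "pem", "der" (a PKCS#12 file is DER) or "unknown".
# PEM carries a "-----BEGIN" banner; a DER SEQUENCE starts with byte 0x30.
cert_format() {
    if grep -q -- '-----BEGIN' "$1" 2>/dev/null; then
        echo pem
    elif [ "$(od -A n -t x1 -N 1 "$1" 2>/dev/null | tr -d ' \n')" = "30" ]; then
        echo der
    else
        echo unknown
    fi
}

# Return 0 only for a file the NSS importers can read; explain the fix otherwise.
check_importable() {
    case $(cert_format "$1") in
        der) return 0 ;;
        pem) echo "$1: still PEM, convert with: openssl pkcs12 -export ..." >&2; return 1 ;;
        *)   echo "$1: not a PKCS#12 file" >&2; return 1 ;;
    esac
}

# Demo with a constructed throwaway key and self-signed certificate (not real
# server material), exported with the same flags as the page. The export
# password is a constructed value passed non-interactively; the page's command
# prompts for it instead. Skipped when openssl is not installed.
demo() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found, demo skipped"; return 0; }
    tmp=$(mktemp -d)
    if openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=mail.example.test" \
            -keyout "$tmp/key.rsa" -out "$tmp/cert.pem" 2>/dev/null &&
       openssl pkcs12 -export -in "$tmp/cert.pem" -inkey "$tmp/key.rsa" \
            -out "$tmp/cert.pkcs12" -name Server-Cert -passout pass:changeit; then
        if check_importable "$tmp/cert.pem" 2>/dev/null; then
            echo "cert.pem accepted: unexpected"
        else
            echo "cert.pem rejected as expected ($(cert_format "$tmp/cert.pem"))"
        fi
        if check_importable "$tmp/cert.pkcs12"; then
            echo "cert.pkcs12 ready for msgcert import-cert / pk12util -i"
        fi
    fi
    rm -rf "$tmp"
}

demo
```

With OpenSSL 3 the default PKCS#12 encryption (PBES2 with AES) is newer than what the cert8.db-era NSS tools may understand, so if import-cert still rejects a correctly detected PKCS#12 file, repeat the export with -legacy.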

Web Server

We could use the same converted file to feed the web server database.

# /opt/SUNWwbsvr7/bin/pk12util -i /root/SSL/cert.pkcs12 -d .
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.

Enter new password:
Re-enter password:
Enter password for PKCS12 file:

# certutil -L -d .
Server-Cert u,u,u

The triple 'u' (one flag per trust category: SSL, email, object signing) means the certificate can be used for authentication and signing in each of them.

The self-signed cert could be generated with wadm administration command:

wadm> create-selfsigned-cert --config=mail.wisnios.com --server-name=mail.wisnios.com \
--nickname=Server-Cert --token=internal
CLI201 Command 'create-selfsigned-cert' ran successfully

Application Server (Glassfish)

The same trick works with the application server.

# pk12util -i /root/SSL/cert.pkcs12 -d .

# certutil -L -n Server-Cert -d .

To change the default instance SSL configuration, follow these steps:

HTTP Service:
http-listener-2: (switch to right panel)

[right panel]
Certificate NickName: Server-Cert (replace the default s1as entry)