Mod nss

From VVCWiki
Jump to navigationJump to search

Configuring mod_nss on RHEL

  • generate private key (default is not long enough)
openssl genrsa -out server.key 2048
  • generate certificate request
openssl req -new -key server.key -out server.csr 

Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:Virginia
Locality Name (eg, city) [Newbury]:Chantilly
Organization Name (eg, company) [My Company Ltd]:videoNEXT Network Solutions, Inc.
Organizational Unit Name (eg, section) []:Demo Server
Common Name (eg, your name or your server's hostname) []
Email Address []
  • send server.csr to Certificate Authority
  • after certificate is received, convert private key, certificate and CA into pkcs12 file

caname and name are database labels for CA and server certificates, in our case videoNEXT and demo-10

openssl pkcs12 -export -chain -inkey server.key -caname videoNEXT -name demo-10 -in demo-10.crt -CAfile videoNEXT.crt -out demo-10.p12 
  • import pkcs12 into apache NSS database:
pk12util -i demo-10.p12 -d /etc/httpd/alias
  • mark CA certificate as a trusted CA
certutil -M -n videoNEXT -t CT,CT,CT -d /etc/httpd/alias
  • modify /etc/httpd/conf.d/nss.conf to use new certificate's label
NSSNickname demo-10
  • restart apache
service httpd restart