How to use eDirectory SSL certificates for Apache2 on SLES OES

  • 7014029
  • 31-Oct-2013
  • 31-Oct-2013

Environment

Novell Open Enterprise Server 2 SP3 (OES 2 SP3 )
Novell Open Enterprise Server 11 (OES 11) 
Novell Open Enterprise Server 11 SP1 (OES 11.1) 

Situation

Apache2 on SLES OES using SSL CertificateIP
Apache2 on SLES OES using SSL CertificateDNS
How to use eDirectory SSL certificates for Apache2 on SLES OES

Resolution

Before beginning, please back up the following files to a separate directory for safekeeping, then remove them from the /etc/ssl/servercerts directory:

/etc/ssl/servercerts/servercert.pem
/etc/ssl/servercerts/serverkey.pem


1.  Export the SSL CertificateIP or SSL CertificateDNS Trusted Root certificate (including the private key) to a .pfx file and copy it to the SLES OES box.

To do this, log in to iManager | eDirectory Administration | Modify Object | Browse to the SSL CertificateIP - SERVERNAME (or SSL CertificateDNS - SERVERNAME) object, which is located in the same container as the SLES OES box, and select OK | Select the drop-down menu and choose "Trusted Root Certificate" (with Internet Explorer, select the Certificates tab | Trusted Root Certificate link) | Export | Answer "Yes" to "Do you want to export the private key with the certificate?" | Enter a password to protect the private key (you will use this password later) and click Next | Click the link "Save the exported certificate to a file" | After downloading the PFX file, select Close.  (Note: For this example, I renamed the PFX file from "SSL CertificateIP - FS1.pfx" to FS1.pfx for ease of use.)  The file was then copied to the /etc/ssl/servercerts directory on the SLES OES box.

2.  Command to extract the certificate and remove the password:
openssl pkcs12 -in '/directory/name of PFX file' -clcerts -nodes -nokeys -out /etc/ssl/servercerts/servercert.pem
<enter password used in Step 1 when prompted>

Example:
# openssl pkcs12 -in /etc/ssl/servercerts/FS1.pfx -clcerts -nodes -nokeys -out /etc/ssl/servercerts/servercert.pem
Enter Import Password:
<enter password used in Step 1 and press enter>
MAC verified OK

This will create a servercert.pem file in the /etc/ssl/servercerts directory.

3.  Command to extract the private key and remove the password:
openssl pkcs12 -in '/directory/name of PFX file' -clcerts -out '/directory/file.pem' -nodes
<enter password used in Step 1 when prompted>
This will create a file.pem file.

Example:
# openssl pkcs12 -in /etc/ssl/servercerts/FS1.pfx -clcerts -out /etc/ssl/servercerts/file.pem -nodes
Enter Import Password: <enter password used in Step 1 and press enter>
MAC verified OK

4.  Execute the following command:
openssl rsa -in /etc/ssl/servercerts/file.pem -out /etc/ssl/servercerts/serverkey.pem
This will create a serverkey.pem file.

Example:
# openssl rsa -in /etc/ssl/servercerts/file.pem -out /etc/ssl/servercerts/serverkey.pem
writing RSA key


5.  Verify that /etc/apache2/vhosts.d/vhost-ssl.conf has the following settings:

Locate the SSLCertificateFile setting and verify that it points to the /etc/ssl/servercerts/servercert.pem file.
Locate the SSLCertificateKeyFile setting and verify that it points to the /etc/ssl/servercerts/serverkey.pem file.
Note: these are the default settings and should already be set.  If the vhost-ssl.conf file does not point to these files, make the changes and save the file.

6.  Restart Apache2 by entering:
rcapache2 restart

Example:

# rcapache2 restart
Syntax OK
Shutting down httpd2 (waiting for all children to terminate)    done
Starting httpd2 (worker)                                         done


7.  Using the .pfx file exported in Step 1 above, import the .pfx file into your browser so that the browser trusts the issued certificate.
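Steps 2 through 4 as one shell function, followed by the check a practitioner wants before restarting Apache: that servercert.pem and serverkey.pem actually belong together. This is an added example, not part of the TID; it assumes the PFX password is supplied in the PFX_PASS environment variable (so it never appears on a command line) and that the output directory is passed as an argument (/etc/ssl/servercerts on the OES box).

```shell
#!/bin/sh
# Added example, not part of the TID. Assumptions: PFX_PASS holds the password
# chosen in Step 1; OUTDIR is the directory that Apache reads the files from.
set -eu

# extract_pair PFX OUTDIR
# Writes OUTDIR/servercert.pem and OUTDIR/serverkey.pem from the exported PFX.
# The body runs in a subshell so the restrictive umask stays local to it.
extract_pair() (
  pfx="$1"; out="$2"; tmp="$out/file.pem"
  # -nodes strips the passphrase, so every file written here holds key
  # material in the clear: create them readable by the owner (root) only.
  umask 077
  # Step 2: certificate only (-nokeys), passphrase removed (-nodes)
  openssl pkcs12 -in "$pfx" -clcerts -nodes -nokeys -passin env:PFX_PASS \
    -out "$out/servercert.pem"
  # Step 3: certificate plus unencrypted private key into the intermediate file.pem
  openssl pkcs12 -in "$pfx" -clcerts -nodes -passin env:PFX_PASS -out "$tmp"
  # Step 4: bare RSA key for SSLCertificateKeyFile
  openssl rsa -in "$tmp" -out "$out/serverkey.pem"
  # file.pem still contains the clear-text key and nothing reads it after
  # this point, so remove it instead of leaving it in /etc/ssl/servercerts.
  rm -f "$tmp"
)

# pair_matches CERT KEY
# Exit 0 when the RSA modulus in the certificate equals the one in the key;
# a mismatched pair makes Apache refuse to start with these files.
pair_matches() {
  c=$(openssl x509 -in "$1" -noout -modulus)
  k=$(openssl rsa -in "$2" -noout -modulus)
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# Constructed invocation on the OES box (values from the TID's example):
#   PFX_PASS='password from Step 1'; export PFX_PASS
#   extract_pair /etc/ssl/servercerts/FS1.pfx /etc/ssl/servercerts
#   pair_matches /etc/ssl/servercerts/servercert.pem \
#                /etc/ssl/servercerts/serverkey.pem && rcapache2 restart
```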

Additional Information

Formerly known as TID# 10097841
Note: If you want to convert a .der file to a .pem file, execute the following command:
openssl x509 -in RootCert.der -inform DER -outform PEM -out rootcert.pem

Example: 
# openssl x509 -in /etc/ssl/RootCert.der -inform DER -outform PEM -out /etc/ssl/rootcert.pem 

To configure third-party certificates with Apache2 for OES, see TID 7009962.