Replacing an expired apache2 certificate when using mod_nss

  • 7022944
  • 10-May-2018
  • 19-Nov-2018

Environment

SUSE Linux Enterprise Server 11 Service Pack 3 (SLES 11 SP3)
SUSE Linux Enterprise Server 11 Service Pack 4 (SLES 11 SP4)

Situation

The original certificate in the mod_nss database has expired. A new certificate has been issued but has not yet been set up in mod_nss for apache2.

Resolution

1. Back up the original mod_nss.d directory

hostname:~ # cd /etc/apache2
hostname:/etc/apache2 # mv mod_nss.d mod_nss.d-$(date +%y%m%d)

2. Create new mod_nss.d directory

hostname:/etc/apache2 # mkdir mod_nss.d

3. Generate a new NSS certificate database in the mod_nss.d directory. Do not set a password (leave both password prompts empty), so that apache2 can open the database without a passphrase

hostname:/etc/apache2 # certutil -N -d mod_nss.d

4. Change ownership of that directory recursively to the wwwrun user and www group

hostname:/etc/apache2 # chown -R wwwrun:www mod_nss.d

5. Convert the certificate and key into PKCS12 format. The value given with -name becomes the certificate nickname in the NSS database after import; pk12util asks for the -passout password in step 6a

hostname:/etc/apache2 # openssl pkcs12 -export -in /path/to/certificate -inkey /path/to/key -out server.p12 -name "server-cert" -passout pass:<password to encrypt key>

6. Import the certificate and the CA chain

a) Import the PKCS12 certificate. Once the import has succeeded, delete server.p12: it contains the private key, protected only by the password from step 5

hostname:/etc/apache2 # pk12util -i server.p12 -d mod_nss.d

b) Import the CA chain with trust flags "CT,," (trusted CA for SSL). If the chain consists of several CA certificates, confirm in step 7 that every intermediate and root CA appears in the listing, and import any that are missing individually with their own nickname

hostname:/etc/apache2 # certutil -A -n "ca-chain" -t "CT,," -d mod_nss.d -a -i /path/to/ca-chain

7. Verify the certificate and CA are imported. The server certificate should be listed with trust attributes u,u,u (private key present) and the CA with CT,,

hostname:/etc/apache2 # certutil -L -d mod_nss.d

8. Verify that the NSSNickName in the existing /etc/apache2/vhosts.d/vhost-nss.conf matches the server certificate nickname in the database, i.e. the -name value from step 5 exactly as shown by certutil -L in step 7. This parameter is case-sensitive. Update as required.

9. Restart apache2 service

hostname:/etc/apache2 # rcapache2 restart
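
The step 8 check, as an added script that is not part of this TID: it reads the saved output of `certutil -L -d mod_nss.d` and the vhost configuration, and confirms that NSSNickName matches a database entry exactly (case-sensitive) and that this entry carries the private key (trust flags u,u,u). The sample listing and vhost fragments at the bottom are constructed for illustration.

```shell
# Added example (not from the SUSE TID): verify that the NSSNickname in
# vhost-nss.conf names, case-sensitively, a certificate in the new mod_nss
# database that has a private key. Assumed inputs: a file holding the output
# of `certutil -L -d mod_nss.d` and the vhost configuration file.

# Print the NSSNickname value from an Apache vhost config read on stdin.
vhost_nickname() {
    awk 'tolower($1) == "nssnickname" { v = $2; gsub(/"/, "", v); print v; exit }'
}

# Succeed if the certutil -L listing on stdin has an entry named exactly $1
# whose trust attributes are u,u,u (certificate with private key).
db_has_server_cert() {
    awk -v nick="$1" '
        NR > 2 && NF >= 2 {
            flags = $NF; name = $0
            sub(/[[:space:]]+[^[:space:]]+[[:space:]]*$/, "", name)
            if (name == nick && flags == "u,u,u") found = 1
        }
        END { exit found ? 0 : 1 }'
}

# $1 = file with certutil -L output, $2 = vhost config. Returns 0 on a match.
check_vhost_nickname() {
    nick=$(vhost_nickname < "$2")
    [ -n "$nick" ] || { echo "no NSSNickname directive in $2"; return 2; }
    if db_has_server_cert "$nick" < "$1"; then
        echo "NSSNickname \"$nick\" matches a server certificate with a private key"
        return 0
    fi
    echo "NSSNickname \"$nick\" has no exact (case-sensitive) u,u,u match in $1"
    return 1
}

# Constructed sample data: a listing as certutil -L prints it after steps 6a
# and 6b, plus a vhost fragment with the right nickname and one in wrong case.
sample_db_listing() {
cat <<'EOF'
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

server-cert                                                  u,u,u
ca-chain                                                     CT,,
EOF
}
sample_vhost_ok()  { printf '<VirtualHost _default_:8443>\n    NSSEngine on\n    NSSNickname "server-cert"\n</VirtualHost>\n'; }
sample_vhost_bad() { printf '<VirtualHost _default_:8443>\n    NSSEngine on\n    NSSNickname Server-Cert\n</VirtualHost>\n'; }

# With two arguments, check the live files; without, only define the functions.
if [ $# -eq 2 ]; then check_vhost_nickname "$1" "$2"; fi
```

On the server, save the listing first (`certutil -L -d /etc/apache2/mod_nss.d > /tmp/nssdb.txt`) and run the script with `/tmp/nssdb.txt /etc/apache2/vhosts.d/vhost-nss.conf` as arguments; a non-zero exit means the nickname in step 8 still needs fixing.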

Additional Information

See complete mod_nss documentation in /usr/share/doc/packages/apache2-mod_nss/mod_nss.html for details and more information.
