Quoting Rich Megginson <rmeggins at redhat.com>:

> You need to get your CA to export your key/cert data in pkcs12 (.p12)
> format, then use the FDS pk12util to import both the key and cert.

As luck usually has it, I pretty much came to that same conclusion shortly after I pressed send :)

http://developers.sun.com/prodtech/appserver/reference/techart/keymgmt.html

For the sake of archiving:

As Rich noted, the certificate and key must be in PKCS12 format. My CA is openssl - in order to have a successful import, you must export the certificate to PKCS12 format with a nickname (my initial CA wrapper did not do that, which resulted in a failed import).

The following command would combine a PEM certificate and key and create a PKCS12 certificate and key:

> openssl pkcs12 -export -in cert.pem -inkey key.pem -name <nickname>
> -out directory.p12

And then import it:

> pk12util -d <nss_config_dir> -i directory.p12 [-h "NSS Certificate DB"]

From what I can gather, there are at least three certificate stores:

For the first two below, nss_config_dir is /opt/fedora-ds/alias.

Directory Server:
/opt/fedora-ds/alias/slapd-hostname-[cert|key][8|3].db

Admin Server:
/opt/fedora-ds/alias/admin-server-hostname-[cert|key][8|3].db

For the above two, to import, I created symbolic links for cert8.db and key3.db to their respective counterparts for slapd and admin-server (i.e. link cert8.db -> slapd-hostname-cert8.db and key3.db -> slapd-hostname-key3.db, import, then remove links and relink to admin-server-hostname databases).

There's also a store in /opt/fedora-ds/admin-server/config - not sure if that is for the Admin Console, but I've skipped it for the moment.

Kevin

--
Kevin M. Myer
Senior Systems Administrator
Lancaster-Lebanon Intermediate Unit 13
http://www.iu13.org
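
The import procedure from the message above, as an added example (not part of the original post and not Fedora DS code). It refuses a PKCS12 file exported without a nickname and always removes the temporary cert8.db/key3.db links. The function names and the P12_PASS environment variable are assumptions of this sketch; slapd-hostname and admin-server-hostname are the placeholders used in the message.

```bash
#!/usr/bin/env bash
# Added example: guarded PKCS12 import into the per-instance NSS databases.

# Succeed only if the PKCS12 file carries a friendlyName (the NSS nickname).
# The file password is read from the exported variable P12_PASS (assumed
# name) so it does not appear on the command line; unset means failure.
p12_has_nickname() {  # usage: p12_has_nickname FILE
    openssl pkcs12 -in "$1" -nokeys -passin env:P12_PASS 2>/dev/null |
        grep -q 'friendlyName:'
}

# Expose PREFIX-cert8.db and PREFIX-key3.db as cert8.db and key3.db in DIR,
# run the given command, then remove the links whether or not it succeeded.
with_db_links() {  # usage: with_db_links DIR PREFIX command [args...]
    local dir="$1" prefix="$2" f rc=0
    shift 2
    for f in cert8.db key3.db; do
        if [ ! -f "$dir/$prefix-$f" ]; then
            echo "missing database: $dir/$prefix-$f" >&2; return 1
        fi
        # Never overwrite (or later delete) a file that was already there.
        if [ -e "$dir/$f" ] || [ -L "$dir/$f" ]; then
            echo "refusing to replace existing $dir/$f" >&2; return 1
        fi
    done
    for f in cert8.db key3.db; do
        ln -s "$prefix-$f" "$dir/$f" || rc=1
    done
    if [ "$rc" -eq 0 ]; then
        "$@" || rc=$?
    fi
    rm -f "$dir/cert8.db" "$dir/key3.db"
    return "$rc"
}

# Check the nickname first, then import; pk12util prompts for the passwords.
import_p12() {  # usage: import_p12 DIR PREFIX P12FILE
    if ! p12_has_nickname "$3"; then
        echo "$3 has no nickname; re-export with openssl pkcs12 -name" >&2
        return 1
    fi
    with_db_links "$1" "$2" pk12util -d "$1" -i "$3"
}

# Example calls, one per store:
#   import_p12 /opt/fedora-ds/alias slapd-hostname directory.p12
#   import_p12 /opt/fedora-ds/alias admin-server-hostname directory.p12
```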