This article describes the steps:
- To convert an NSS cert database to a PKCS12 format using the NSS Security Tool which can be downloaded from here.
- To convert the PKCS12 certificate into a readable .txt format using the OpenSSL tool which can be downloaded from here.
- To import the PKCS12 certificate into the Java Keystore/Truststore using keytool.
A customer would like to configure the CA APM for Web Servers to discover and monitor the iPlanet/Netscape Enterprise Server over HTTPS protocol. As the iPlanet server uses the Network Security Services (NSS) certificate database, one of the first steps is to covert these certificates into a format supported by the Java keytool, before it can be imported to the Java Keystore/TrustStore.
CA APM for Web Server
iPlanet/Netscape Enterprise Server with HTTPs enabled
Steps to convert an NSS cert database to a PKCS12 format
1. This is an example of the NSS cert database which will be used to explain the conversation:
2. Run the following command to list the certificates contained in the cert database. In this case, “apache-01.ca.com – CA” is the certificate I would like to extract and convert into a PKCS12 format.
3. Run the following command to export “apache-01.ca.com – CA” cert into PKCS12 format from the NSS cert database:
-d : the input cert directory
-o : the output/export file
-n : the certificate name
If your NSS certificate database name has a prefix, for example, abc-cert8.db and abc-key3.db, then you need to specify it in the command with the -P option.
pk12util -P abc -d C:\ 00517582\certdb -o C:\00517582\output.p12 -n "apache-01.ca.com - CA"
Steps to convert the PKCS12 certificate into a readable .txt format
4. Run this command to convert the PKCS12 certificate into a readable .txt format if you want to have a look at its content:
Please note that this is an optional step. The content of the pkcs12out.txt should look similar to this:
Steps to import the PKCS12 certificate into the KeyStore/Truststore:
5. Run this command to import the PKCS12 certificate into the Keystore/Truststore:
6. If you wish to see the content of the keystore/truststore .jks file, you can run this command:
It should look similar to this:
For detailed steps on how to configure the TrustStore properties for the CA APM for Web Servers, please refer to these sections in the APM User Guide:
For windows, see Step 4: Configuring the AgentConfig.properties file on Windows.
For UNIX, see Step 3: Configuring the AgentConfig.properties file on UNIX.