How to convert a Network Security Services (NSS) Cert Database and Import into Keystore or Truststore

Document ID : KB000047348
Last Modified Date : 14/02/2018

Introduction/Summary: 

This article describes the steps:

- To convert an NSS cert database to a PKCS12 format using the NSS Security Tool which can be downloaded from here.
- To convert the PKCS12 certificate into a readable .txt format using the OpenSSL tool which can be downloaded from here.
- To import the PKCS12 certificate into the Java Keystore/Truststore using keytool.

 

Background:  

A customer would like to configure the CA APM for Web Servers to discover and monitor the iPlanet/Netscape Enterprise Server over HTTPS. Because the iPlanet server uses the Network Security Services (NSS) certificate database, one of the first steps is to convert these certificates into a format supported by the Java keytool, so that they can be imported into the Java Keystore/Truststore.

 

Environment:  

CA APM for Web Server

iPlanet/Netscape Enterprise Server with HTTPS enabled

 

Instructions:  

Steps to convert an NSS cert database to a PKCS12 format

1. This is an example of the NSS cert database which will be used to explain the conversion:

NSS.png

 

2. Run the following command to list the certificates contained in the cert database. In this case, "apache-01.ca.com - CA" is the certificate I would like to extract and convert into a PKCS12 format.

 NSS1.png

 

3. Run the following command to export the "apache-01.ca.com - CA" cert into PKCS12 format from the NSS cert database:

 NSS2.png

-d : the input cert directory

-o : the output/export file

-n : the certificate name

 

Note:

If your NSS certificate database name has a prefix, for example, abc-cert8.db and abc-key3.db, then you need to specify it in the command with the -P option.

For example:

pk12util -P abc- -d C:\00517582\certdb -o C:\00517582\output.p12 -n "apache-01.ca.com - CA"

 

 Steps to convert the PKCS12 certificate into a readable .txt format

 

4. Run this command to convert the PKCS12 certificate into a readable .txt format if you want to have a look at its content:

 NSS3.png

 Please note that this is an optional step. The content of the pkcs12out.txt should look similar to this:

 NSS4.png

  

Steps to import the PKCS12 certificate into the KeyStore/Truststore:

5.      Run this command to import the PKCS12 certificate into the Keystore/Truststore:

  NSS4.png

 

6.      If you wish to see the content of the keystore/truststore .jks file, you can run this command:

  NSS5.png

  It should look similar to this:

  NSS6.png
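
Steps 2 to 6 as one script, added here as an example; it is not the content of the article's screenshots and not CA's own code. It uses certutil, pk12util, openssl pkcs12 and keytool with their standard options; the script name, the -nokeys choice for the text dump and the owner-only umask are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the article): NSS cert DB -> PKCS12 -> JKS.
# Hypothetical usage: sh nss2jks.sh <certdb-dir> "<nickname>" <out.p12> <out.jks>

# Print the value for the -P option: everything in front of cert8.db/cert9.db.
# NSS prepends the prefix verbatim to the file name, so abc-cert8.db -> "abc-".
# Prints nothing (and succeeds) for an unprefixed database.
nss_db_prefix() {
    dir=${1#dbm:}; dir=${dir#sql:}      # accept NSS "dbm:"/"sql:" directory forms
    for f in "$dir"/*cert8.db "$dir"/*cert9.db; do
        [ -f "$f" ] || continue         # unmatched glob stays literal: skip it
        name=${f##*/}
        printf '%s' "${name%cert[89].db}"
        return 0
    done
    return 1                            # no cert database in this directory
}

nss_to_jks() {
    dbdir=$1 nick=$2 p12=$3 jks=$4
    prefix=$(nss_db_prefix "$dbdir") || {
        echo "no cert8.db/cert9.db found in $dbdir" >&2; return 1; }
    umask 077   # the .p12 and .jks carry a private key: owner-only files

    # Step 2: list the nicknames stored in the database.
    certutil -L -d "$dbdir" ${prefix:+-P "$prefix"} || return 1
    # Step 3: export the chosen nickname (certificate and key) to PKCS12.
    pk12util -d "$dbdir" ${prefix:+-P "$prefix"} -o "$p12" -n "$nick" || return 1
    # Step 4 (optional): readable dump; -nokeys keeps the private key out of it.
    openssl pkcs12 -in "$p12" -nokeys -out "${p12%.p12}.txt" || return 1
    # Step 5: import the PKCS12 file into the Java keystore/truststore.
    keytool -importkeystore -srckeystore "$p12" -srcstoretype PKCS12 \
            -destkeystore "$jks" -deststoretype JKS || return 1
    # Step 6: show what the keystore now contains.
    keytool -list -v -keystore "$jks"
}

# Run the conversion only when all four arguments are given.
if [ "$#" -eq 4 ]; then nss_to_jks "$@"; fi
```

Each tool prompts for the PKCS12 and keystore passwords, so none appear on the command line or in shell history. NSS 3.35 and later default to the cert9.db format, so a legacy cert8.db directory is passed as dbm:<dir>.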

 

 

Additional Information:

 For detailed steps on how to configure the TrustStore properties for the CA APM for Web Servers, please refer to these sections in the APM User Guide:

For Windows, see Step 4: Configuring the AgentConfig.properties file on Windows.

For UNIX, see Step 3: Configuring the AgentConfig.properties file on UNIX.