Red Hat SummitEste conteúdo não está disponível no idioma selecionado.
14.5. Importing a certificate into an NSS Database
Ensure that your web service is taken offline (stopped, disabled, etc.) while performing these steps and ensure no concurrent access to the NSS database by other processes (such as a browser). Doing so may corrupt the NSS database or result in improper usage of these certificates.
Note that which set of instructions you follow will depend on the usage for the certificate in question.
- For any subsystem's
auditSigningCert, please follow the steps below for validating an object Signing certificate. - For the CA subsystem's
caSigningCert, please follow the steps above for importing and validating an intermediate certificate chain, but do so only with the caSigningCert. - For the CA subsystem's
ocspSigningCert, please follow the steps below for validating an OCSP certificate. - For user's client or S/MIME certificate, follow the Client Certificate steps.
For more information about the
certutil and PKICertImport options used below, see Section 14.1, “About certutil and PKICertImport”.
Importing a Client Certificate Into the NSS Database
To import a client certificate into the NSS database:
- Change into the NSS database directory. For example:
cd /path/to/nssdb/
# cd /path/to/nssdb/Copy to Clipboard Copied! Toggle word wrap Toggle overflow - Import and trust the root certificate, if it is not already imported and trusted. For details, see Section 14.2, “Importing a Root Certificate”.
- Import and validate the intermediate certificates, if not already imported and validated. For details, see Section 14.3, “Importing an Intermediate Certificate Chain”.
- Validate and import the client certificate:
PKICertImport -d . -n "client name" -t ",," -a -i client.crt -u C
# PKICertImport -d . -n "client name" -t ",," -a -i client.crt -u CCopy to Clipboard Copied! Toggle word wrap Toggle overflow The validation succeeds when no error message is printed and the return code is 0. To check the return code, executeecho $?immediately after executing the previous command above. In most cases, a visual error message is printed. If the validation does not succeed, contact the issuer and ensure that all intermediate and root certificates are present on your system.
Importing an Object Signing Certificate
To import an object signing certificate:
- Change into the NSS database directory. For example:
cd /path/to/nssdb/
# cd /path/to/nssdb/Copy to Clipboard Copied! Toggle word wrap Toggle overflow - Import and trust the root certificate, if it is not already imported and trusted. For details, see Section 14.2, “Importing a Root Certificate”.
- Import and validate the intermediate certificates, if not already imported and validated. For details, see Section 14.3, “Importing an Intermediate Certificate Chain”.
- Validate and import the object signing certificate:
PKICertImport -d . -n "certificate name" -t ",,P" -a -i objectsigning.crt -u J
# PKICertImport -d . -n "certificate name" -t ",,P" -a -i objectsigning.crt -u JCopy to Clipboard Copied! Toggle word wrap Toggle overflow The validation succeeds when no error message is printed and the return code is 0. To check the return code, executeecho $?immediately after executing the previous command above. In most cases, a visual error message is printed. If the validation does not succeed, contact the issuer and ensure that all intermediate and root certificates are present on your system.
Importing an OCSP Responder
To import an OCSP responder:
- Change into the NSS database directory. For example:
cd /path/to/nssdb/
# cd /path/to/nssdb/Copy to Clipboard Copied! Toggle word wrap Toggle overflow - Import and trust the root certificate, if it is not already imported and trusted. For details, see Section 14.2, “Importing a Root Certificate”.
- Import and validate the intermediate certificates, if not already imported and validated. For details, see Section 14.3, “Importing an Intermediate Certificate Chain”.
- Validate and import the OCSP responder certificate:
PKICertImport -d . -n "certificate name" -t ",," -a -i ocsp.crt -u O
# PKICertImport -d . -n "certificate name" -t ",," -a -i ocsp.crt -u OCopy to Clipboard Copied! Toggle word wrap Toggle overflow The validation succeeds when no error message is printed and the return code is 0. To check the return code, executeecho $?immediately after executing the previous command above. In most cases, a visual error message is printed. If the validation does not succeed, contact the issuer and ensure that all intermediate and root certificates are present on your system.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}