此内容没有您所选择的语言版本。

14.5. Importing a certificate into an NSS Database


Ensure that your web service is taken offline (stopped, disabled, etc.) while performing these steps and ensure no concurrent access to the NSS database by other processes (such as a browser). Doing so may corrupt the NSS database or result in improper usage of these certificates.
Note that which set of instructions you follow will depend on the usage for the certificate in question.
  • For any subsystem's auditSigningCert, please follow the steps below for validating an object Signing certificate.
  • For the CA subsystem's caSigningCert, please follow the steps above for importing and validating an intermediate certificate chain, but do so only with the caSigningCert.
  • For the CA subsystem's ocspSigningCert, please follow the steps below for validating an OCSP certificate.
  • For user's client or S/MIME certificate, follow the Client Certificate steps.
For more information about the certutil and PKICertImport options used below, see Section 14.1, “About certutil and PKICertImport.

Importing a Client Certificate Into the NSS Database

To import a client certificate into the NSS database:
  1. Change into the NSS database directory. For example:
    # cd /path/to/nssdb/
  2. Import and trust the root certificate, if it is not already imported and trusted. For details, see Section 14.2, “Importing a Root Certificate”.
  3. Import and validate the intermediate certificates, if not already imported and validated. For details, see Section 14.3, “Importing an Intermediate Certificate Chain”.
  4. Validate and import the client certificate:
    # PKICertImport -d . -n "client name" -t ",," -a -i client.crt -u C
    The validation succeeds when no error message is printed and the return code is 0. To check the return code, execute echo $? immediately after executing the previous command above. In most cases, a visual error message is printed. If the validation does not succeed, contact the issuer and ensure that all intermediate and root certificates are present on your system.

Importing an Object Signing Certificate

To import an object signing certificate:
  1. Change into the NSS database directory. For example:
    # cd /path/to/nssdb/
  2. Import and trust the root certificate, if it is not already imported and trusted. For details, see Section 14.2, “Importing a Root Certificate”.
  3. Import and validate the intermediate certificates, if not already imported and validated. For details, see Section 14.3, “Importing an Intermediate Certificate Chain”.
  4. Validate and import the object signing certificate:
    # PKICertImport -d . -n "certificate name" -t ",,P" -a -i objectsigning.crt -u J
    The validation succeeds when no error message is printed and the return code is 0. To check the return code, execute echo $? immediately after executing the previous command above. In most cases, a visual error message is printed. If the validation does not succeed, contact the issuer and ensure that all intermediate and root certificates are present on your system.

Importing an OCSP Responder

To import an OCSP responder:
  1. Change into the NSS database directory. For example:
    # cd /path/to/nssdb/
  2. Import and trust the root certificate, if it is not already imported and trusted. For details, see Section 14.2, “Importing a Root Certificate”.
  3. Import and validate the intermediate certificates, if not already imported and validated. For details, see Section 14.3, “Importing an Intermediate Certificate Chain”.
  4. Validate and import the OCSP responder certificate:
    # PKICertImport -d . -n "certificate name" -t ",," -a -i ocsp.crt -u O
    The validation succeeds when no error message is printed and the return code is 0. To check the return code, execute echo $? immediately after executing the previous command above. In most cases, a visual error message is printed. If the validation does not succeed, contact the issuer and ensure that all intermediate and root certificates are present on your system.
Red Hat logoGithubRedditYoutubeTwitter

学习

尝试、购买和销售

社区

关于红帽文档

通过我们的产品和服务,以及可以信赖的内容,帮助红帽用户创新并实现他们的目标。

让开源更具包容性

红帽致力于替换我们的代码、文档和 Web 属性中存在问题的语言。欲了解更多详情,请参阅红帽博客.

關於紅帽

我们提供强化的解决方案,使企业能够更轻松地跨平台和环境(从核心数据中心到网络边缘)工作。

© 2024 Red Hat, Inc.