Importing an existing certificate into H-Sphere

To import a certificate that was installed on another computer, you will
need both the private key and the certificate. Most systems will
not provide these directly; for example, both Microsoft IIS
and the ikeyman facility for IBM export the key and certificate in
an encrypted PKCS12 format. The open source program openssl
can be used to read these files.
As an example, we will take you through the procedure to read the
certificate from IIS. Basic familiarity with IIS administration
procedures is assumed here. The procedure for other key managers
should be similar, although the interface will be completely different.
- Open the IIS Administrator and display the properties for the
Web site. Select the Directory Security tab and then
click the View Certificate button.
- In the certificate properties, click the Copy to File button
to start the export wizard.
- Accept the defaults on the first three dialogs of
the wizard. Make sure that the private key IS NOT CHECKED TO
BE DELETED after the export.
- The last three dialogs ask for a password to protect
the exported certificate and for the name of the file to export the
certificate (and key) to. The file will be created with a "pfx"
extension; you should not specify an extension.
- To view the key and certificate, you will need to
install an open-source tool available from SourceForge. This
tool is available for both Microsoft Windows and Linux. The
Web site for the tool is http://www.openssl.org. Download the
compiled program from SourceForge at:
http://gnuwin32.sourceforge.net/packages/openssl.htm
This is a command-line tool only. Make sure
that the program is in the path of executable commands (edit your
startup script in Linux, or modify the environment through My
Computer properties in Windows).
- Once the program is installed, use the following
command (the file name is a placeholder for the file we exported the
certificate to):

    openssl pkcs12 -nodes -in cert.pfx -out cert.txt

The format of the exported certificate from Microsoft (and most other
certificate managers) is pkcs12. The -in and -out parameters define the
source and output files (the output file will be plain text).
The -nodes option tells the program NOT to encrypt the private key
(so you can get to it). Because cert.txt then holds the private key
unencrypted, store it where only you can read it. When the program
runs, you will be prompted for the password that you entered in
step 4 above.
- Log in to H-Sphere, launch the SSL manager by clicking
on the control panel icon, and then edit the SSL properties for the
site.
- Copy the Private Key and the Certificate to the
second and third fields in the window (install completely new
certificate key and file pair). Include the lines
-----BEGIN RSA PRIVATE KEY----- through -----END RSA PRIVATE KEY-----
with the key, and
-----BEGIN CERTIFICATE----- through -----END CERTIFICATE-----
with the certificate. Do not edit the text
as you place it in the fields; leave the line breaks exactly as
they are. Ignore any other text in the file. The
key and certificate examples below have
been shortened to save space (and protect this certificate):
-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQC1N2CrEEcF1jubxRVTVLyZfVBp+IgdE0zEi1UTk1TB+IVHP6ls
kpCYVvaaGvdmbRlTVQ9FNNCvkdxKW1+qCkxek0qRwLbS1TKivtaZ/9fGmG0OHzZz
...
RyWjt3v1tVYWRh4FgQJBALP0AWWQsX1P82OnQpl8ZLn3Zohr8aFWu8dEG/aj8LMK
ytD9OxDFc0mF54zcP9ksNOQrP4KgQyhbyVG1Xjh14eE=
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIDfTCCAuagAwIBAgIDPf+NMA0GCSqGSIb3DQEBBAUAMIHEMQswCQYDVQQGEwJa
QTEVMBMGA1UECBMMV2VzdGVybiBDYXBlMRIwEAYDVQQHEwlDYXBlIFRvd24xHTAb
...
21K63ByyBFbNliCERCa22OujdLFaVaDKOvc8l3EQTAod2j++hFeQLD2uAJRk6xEH
VyQTuzFxoRXyHANQebIBHk3oGfSYEaKIbev9ZatTSi6T
-----END CERTIFICATE-----
- Back up the private key and certificate in a
safe place and protect them. If you have the
certificate code (basically a request number) and
password from the original request, you should save that
information with the key and certificate. You will
need the certificate code and the password to renew the
certificate when it expires.

This completes the procedure to move an existing
certificate into H-Sphere.
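
As an added example (not part of the original H-Sphere instructions), the shell functions below pull the key and certificate blocks out of cert.txt and drop the surrounding "Bag Attributes" text, so nothing has to be selected by hand before pasting into the SSL manager. The function names, KEY_KIND, the sample dump and the file names site.key and site.crt are assumptions made for this illustration; key_matches_cert assumes openssl 1.0.0 or later on the PATH.

```shell
#!/bin/sh
# Added example, not from the original page: pull the key and certificate
# blocks out of the text file written by "openssl pkcs12 -nodes".
umask 077   # anything written from here on may hold a private key

# Newer OpenSSL writes "BEGIN PRIVATE KEY"; older builds write the
# "BEGIN RSA PRIVATE KEY" form shown on this page. Accept both (awk regex).
KEY_KIND='(RSA )?PRIVATE KEY'

# Print every PEM block whose label matches KIND, skipping "Bag Attributes",
# subject/issuer lines and any other text around the blocks.
pem_blocks() {   # usage: pem_blocks KIND FILE
    awk -v kind="$1" '
        $0 ~ "^-----BEGIN " kind "-----" { inside = 1 }
        inside                           { print }
        $0 ~ "^-----END " kind "-----"   { inside = 0 }
    ' "$2"
}

# Count blocks of one kind; a .pfx may carry a chain, not just one certificate.
pem_count() {    # usage: pem_count KIND FILE
    pem_blocks "$1" "$2" | grep -c '^-----BEGIN '
}

# Succeed only when key and certificate hold the same public key.
# Assumes openssl 1.0.0 or later (for "pkey") is on the PATH.
key_matches_cert() {   # usage: key_matches_cert KEYFILE CERTFILE
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Constructed sample in the layout of a pkcs12 text dump (dummy base64).
sample_dump() {
    printf '%s\n' 'Bag Attributes' '    localKeyID: 01 00 00 00' \
        'Key Attributes: <No Attributes>' \
        '-----BEGIN PRIVATE KEY-----' 'AAAA' 'BBBB' '-----END PRIVATE KEY-----' \
        'Bag Attributes' 'subject=/CN=www.example.com' 'issuer=/CN=Example CA' \
        '-----BEGIN CERTIFICATE-----' 'CCCC' '-----END CERTIFICATE-----' \
        'subject=/CN=Example CA' \
        '-----BEGIN CERTIFICATE-----' 'DDDD' '-----END CERTIFICATE-----'
}

# Typical use (site.key and site.crt are hypothetical file names):
#   pem_blocks "$KEY_KIND" cert.txt > site.key
#   pem_blocks CERTIFICATE cert.txt > site.crt
#   pem_count CERTIFICATE site.crt     # more than 1 means a chain was exported
#   key_matches_cert site.key site.crt && echo "key and certificate match"
```

If pem_count reports more than one certificate, the export included intermediate certificates, and only the block belonging to the site itself goes in the certificate field.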