
Cisco CSS 11000 Series Content Services Switches

Extract and Import the Netscape/I-Planet Key and Certificate to the SCA

Document ID: 20686

Updated: Jan 30, 2006


Introduction

This document describes the process of converting the Netscape/I-Planet db files to pkcs12 format. Once converted, these Netscape/I-Planet DB files can be imported to the Cisco Secure Content Accelerator (SCA).

Prerequisites

Requirements

The import requires an HTTP, HTTPS, FTP, or TFTP server from which the pkcs12 file can be imported to the SCA.

Components Used

Netscape Communicator 4.77 was used in this example; however, most recent versions should work as well.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

For more information on document conventions, refer to the Cisco Technical Tips Conventions.

Main Task

Task

In this section, you are presented with the information to configure the features described in this document.

Step-by-Step Instructions

Complete these steps:

  1. Transfer the certificate/key from Netscape 3.6/I-Planet 4.1 to a temp directory.

    The keys and certificates are stored on the server in a database format. They are stored in the $SERVER_ROOT/alias directory. This is an example of the key and certificate files:

    /usr/local/netscape/alias/https-secure.example.com-secure-key3.db 
    /usr/local/netscape/alias/https-secure.example.com-secure-cert7.db 

    Copy these two files to a temp directory on the system running Netscape Communicator that will be used for conversion. Rename the files to key3.db and cert7.db. In this example, https-secure.example.com-secure-key3.db becomes key3.db, and https-secure.example.com-secure-cert7.db becomes cert7.db.

  2. Back up the existing db files on Netscape.

    On the system running Netscape Communicator, change directory (cd) to the Users directory. The path should be C:\Program Files\Netscape\Users, but may be different depending on how Netscape was installed on your PC. Select one of the user directories (if more than one exists) that will be used to convert the db files. Cd to that directory. Rename cert7.db and key3.db to cert7.bak and key3.bak respectively. Copy the two db files that were copied to the temp directory to the user directory selected above.

  3. Export the certificate.

    Launch Netscape Communicator. Make sure to select the appropriate profile that corresponds to the user directory used for the conversion if more than one profile exists. Select the Security Icon from the tool bar menu. Your Certificates window should appear. Select Certificates -> Yours from the menu. The certificate being exported should appear in the window. Click Export to export the certificate. Enter the password for the private key. Enter a password to encrypt the pkcs12 file being exported. Name the pkcs12 file export.p12, and save it to the temp directory. Close Netscape Communicator.

  4. Restore the original db files.

    Cd back to the User directory where the original db files were renamed to .bak. Rename cert7.bak to cert7.db and key3.bak to key3.db.

  5. Import the pkcs12 file to the CSS using FTP.

    Telnet to the SCA device or connect using the console. The import cannot be done from the Web GUI. From the command line, issue the configure ssl command. Make sure the FTP server is running on the host where export.p12 resides (anonymous FTP, HTTP, HTTPS, and TFTP can be used as well). In this example, export.p12 is on 10.10.10.2 in c:\temp.

    import pkcs12 der ftp://username:password@10.10.10.2/temp/export.p12

    You will be prompted for the password from export.p12 that was created when it was exported from the db format. The key and certificate(s) have now been imported into the SCA and can be assigned to SSL secure servers. The certificates are named der_c1, der_c2, and so on. The key is named der_k1.
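The file handling in steps 1, 2, and 4 can be scripted so that the user's own db files are always restored and the server's key database does not stay behind in the user directory. This is an added example, not part of the original Cisco procedure; the function names stage_server_dbs and server_dbs_in_profile are hypothetical, and the directories passed in are whatever paths apply on your systems.

```python
import shutil
from contextlib import contextmanager
from pathlib import Path

DB_NAMES = ("cert7.db", "key3.db")  # names Communicator expects in a user directory


def stage_server_dbs(alias_dir, prefix, temp_dir):
    """Step 1: copy <prefix>cert7.db and <prefix>key3.db to temp_dir under the short names."""
    temp_dir = Path(temp_dir)
    # Private to the current user where the OS honours mode bits.
    temp_dir.mkdir(mode=0o700, parents=True, exist_ok=True)
    for name in DB_NAMES:
        src = Path(alias_dir) / (prefix + name)
        if not src.is_file():
            raise FileNotFoundError(f"missing server database: {src}")
        shutil.copy2(src, temp_dir / name)
    return temp_dir


@contextmanager
def server_dbs_in_profile(user_dir, temp_dir):
    """Steps 2 and 4: swap the staged files into user_dir, then always restore."""
    user_dir, temp_dir = Path(user_dir), Path(temp_dir)
    pairs = [(user_dir / n, user_dir / (Path(n).stem + ".bak")) for n in DB_NAMES]
    stale = [str(bak) for _, bak in pairs if bak.exists()]
    if stale:  # a leftover .bak means an earlier run was never restored
        raise FileExistsError(f"backup already present, restore it first: {stale}")
    missing = [str(p) for n in DB_NAMES
               for p in (user_dir / n, temp_dir / n) if not p.is_file()]
    if missing:
        raise FileNotFoundError(f"expected files not found: {missing}")
    try:
        for db, bak in pairs:
            db.rename(bak)  # cert7.db -> cert7.bak, key3.db -> key3.bak
        for db, _ in pairs:
            shutil.copy2(temp_dir / db.name, db)
        yield user_dir  # step 3, the export in Communicator, happens here
    finally:
        for db, bak in pairs:
            if bak.exists():
                db.unlink(missing_ok=True)  # remove the server's copy from the profile
                bak.replace(db)  # put the user's own database back
```

Run the export from step 3 inside the `with server_dbs_in_profile(...)` block; the restore in step 4 then happens even if the export is abandoned or fails.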

Verify

There is currently no verification procedure available for this configuration.

Troubleshoot

There is currently no specific troubleshooting information available for this configuration.
