This is a log of the steps I went through to convert from Netscape Enterprise server (doing SSL) to Apache with mod_ssl. Most of this is pretty straight forward, but I include it here so that others can get maximum benefit.

The method covered here is for the case where you have the certificate from your Certificate Authority (CA) and wish to extract the keys from your webserver. If you need to extract the certificate that you received from the CA, then these instructions probably won't help you.

Software used:

Since writing this page, I've done a little more looking around. Here is some information that may be useful.

Installing SSL

First, we need to get the SSL handlers installed. I downloaded OpenSSL and did

$ tar xzf openssl-x.y.z.tar.gz
$ cd openssl-x.y.z
$ ./config --prefix=/usr/local --openssldir=/usr/local/openssl
$ make
$ make test
$ sudo make install

(In Solaris, make sure /usr/ccs/bin is in the path. Otherwise, you'll get messages about ar missing.)

Installing mod_ssl and Apache

Fairly simple. Get the mod_ssl and Apache source. Extract them both and then cd into the mod_ssl directory.

$ tar xzf mod_ssl-x.y.z-a.b.c.tar.gz
$ tar xzf apache_a.b.c.tar.gz
$ cd mod_ssl-x.y.z-a.b.c
$ ./configure --with-apache=../apache_a.b.c
$ cd ../apache_a.b.c
$ env SSL_BASE=/usr/local ./configure --enable-module=ssl \
                 --enable-module=so \
                 --disable-module=auth_db --enable-module=include
$ make
$ make certificate
$ sudo make install

Getting the keys from Netscape

These instructions are based on the ones found on Dr. Stephen N. Henson's site. I've expanded on them slightly to make them less of a general overview and more of a step-by-step recipe.

You will need a 3.x version of Netscape's Navigator (which I will refer to here as "Navigator") as well as a 4.x version of Communicator ("Communicator"). I have copied the binary of Navigator 3.04 for Linux from the Mandrake Linux RPM here because it was the only copy I found and I don't want to lose it if I need it later.

  1. Copy the server key and the server cert from your Netscape server to your local home directory. In my case, this was /opt/suitespot/alias/secure-key.db and /opt/suitespot/alias/secure-cert.db.
  2. mv ~/.netscape ~/netscape-save
  3. Start Navigator 3.x and immediately exit the program. This creates a new ~/.netscape directory.
  4. cp ~/secure-key.db ~/.netscape/key.db
  5. Start navigator again and select "Options -> Security Preferences ..."
  6. In the window that pops up, select the "Passwords" tab and then hit the "Set Password" button.
  7. Type in the same password that you used for the server in each of the text boxes and then hit "Finish".
  8. Back in the "Security Preferences" window, hit "Change Password". Type the old password one more time and then hit "Next>".
  9. To verify that you've been using the right password, select "Change the Password", "Next>", and then enter a new password.
  10. If you've done everything right so far, you should be back at the old "Security Preferences" window. Click "Ok" to exit the dialog and then quit Navigator.
  11. Start Communicator 4.x. When it comes up, click the lock symbol. A "Security Info" dialog will appear.
  12. Select "Passwords" and then click the "Change Password" or "Set Password" (if you removed the password in the 3.x session) button that appears. Use the dialog to change the password (or set it) and then exit Netscape to make sure it worked.
  13. If you have the PEM format cert (it should contain the line -----BEGIN CERTIFICATE-----), then skip down to the ~/.mime.types modification step.
  14. If you have the cert in PKCS12 format (which I was able to get because Thawte keeps the old ones on file), then start up Communicator, click on the lock icon to bring up the "Security Info" dialog and select "Yours" and then "Import a Certificate". After you've done that successfully, you should see your key sitting in the select box. You can now skip down to exporting a key.
  15. Since you are on this step, I'm assuming that you don't have the PEM format cert or the PKCS12 format cert. You'll need to get the cert out of the .db file or create a fake one. If you create a fake one, you'll need to tell your CA that you lost your old one and need a new one. To create a fake certificate, generate a certificate signing request for the key from the web-based admin interface in Netscape. My particular server runs at port 8888, so I went to http://example.com:8888/, chose "Keys & Certificates" and then "Request Certificate". I went through the process and then saved the CSR to a file named newreq.pem. Make sure you are requesting a new signature and not a renewal. The only difference is the wrapper lines that read "BEGIN ..." and "END ..."
  16. Using the CA.pl program that comes with OpenSSL (which was in /var/ssl/misc on my machine), create a new CA. This was simply /var/ssl/misc/CA.pl -newca and filling in the requested info. Important: If you simply hit return in response to these questions, Communicator will crash when you click on the lock icon while viewing the server's secured pages.
          
    $ /var/ssl/misc/CA.pl -newca
    CA certificate filename (or enter to create)
    
    Making CA certificate ...
    Using configuration from /var/ssl/openssl.cnf
    Generating a 1024 bit RSA private key
    ................................++++++
    .................++++++
    writing new private key to './demoCA/private/cakey.pem'
    Enter PEM pass phrase:
    Verifying password - Enter PEM pass phrase:
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]: US
    State or Province Name (full name) [Some-State]: Louisiana
    Locality Name (eg, city) []: New Orleans
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:
    Organizational Unit Name (eg, section) []: web
    Common Name (eg, YOUR name) []: example.com
    Email Address []: mah@everybody.org
    
  17. Self-sign the cert:
    $ /var/ssl/misc/CA.pl -sign
    Using configuration from /var/ssl/openssl.cnf
    Enter PEM pass phrase:
    Check that the request matches the signature
    Signature ok
    The Subjects Distinguished Name is as follows
    countryName           :PRINTABLE:'US'
    stateOrProvinceName   :PRINTABLE:'Louisiana'
    localityName          :PRINTABLE:'New Orleans'
    organizationName      :PRINTABLE:'Standard Mortgage Corporation'
    commonName            :PRINTABLE:'secure.stanmor.com'
    Certificate is to be certified until Jun  9 18:16:23 2001 GMT (365 days)
    Sign the certificate? [y/n]:y
    
    
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
    Signed certificate is in newcert.pem
    
  18. Edit your ~/.mime.types file. In this file, add the following lines:
    type=application/x-x509-user-cert  \
    desc="Cert inst"  \
    exts="pem" 
    
  19. Start up Communicator again. Go to "File", "Open Page...", "Browse" and then select the newcert.pem file. You should be prompted for the password you last entered to protect the key.db. After entering it, Communicator will return to the page you were viewing before.

    Note that while this worked for me, it may not work for you. If it does not work for you, remove the entry in your ~/.mime.types file. You need to get your browser to recognise the file. You may be able to do this by temporarily putting the .pem file in your webserver's htdocs directory and telling it to serve up .pem files as application/x-x509-user-cert files. The following line would be needed in apache's mime.types file:

      application/x-x509-user-cert	pem
    
  20. Click on the lock icon to bring up the "Security Info" page again.
  21. There is a heading "Certificates" and under that "Yours". Click on the "Yours". In the select box, you should see the server's key.
  22. Highlight the key and select "Export". Follow the prompts and once you are done, you will have the key in PKCS12 format.
  23. Put the key and cert in PEM format:
          $ openssl pkcs12 -nocerts -in key.p12 -out key.pem
          $ openssl pkcs12 -nokeys -in key.p12 -out cert.pem
    
  24. As root, copy this key and cert in to replace the ones that Apache put in place when it did the installation:
          # cp key.pem /usr/local/apache/conf/ssl.key/server.key
          # chmod 400 /usr/local/apache/conf/ssl.key/server.key
          # cp cert.pem /usr/local/apache/conf/ssl.crt/server.crt
    
  25. Start up Apache:
          # /usr/local/apache/bin/apachectl startssl
    
  26. Restore your original profile. The scratch ~/.netscape still holds the copy of the server's key.db, so remove it rather than leave it lying around:
          $ rm -r ~/.netscape && mv ~/netscape-save ~/.netscape
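Steps 23 and 24 above are the part worth getting right: a key.pem and cert.pem that do not belong together will install without complaint and only fail at the first TLS handshake. The script below is an added example, not code from the original log. It scripts the PKCS12-to-PEM conversion, checks that the key and cert share the same public key before installing them, and applies the 0400 mode from step 24. It assumes the openssl command-line tool is on PATH; the demo bundle it builds, the file names and the password "secret" are constructed stand-ins for the .p12 that Communicator's "Export" button writes.

```shell
#!/bin/sh
# Added example (not part of the original log): convert a PKCS#12 export to
# PEM, confirm the key and cert belong together, and install them with the
# permissions step 24 uses. Assumes the openssl CLI is on PATH; the file names
# and the "secret" password are constructed for the demo.
set -eu

# p12_to_pem BUNDLE KEY_OUT CERT_OUT PASSWORD
# Step 23 of the log, scripted. -nodes writes the key unencrypted so Apache
# can start without a pass-phrase prompt; the file mode must stay at 0400.
p12_to_pem() {
    openssl pkcs12 -in "$1" -nocerts -nodes -out "$2" -passin "pass:$4" 2>/dev/null
    openssl pkcs12 -in "$1" -nokeys -clcerts -out "$3" -passin "pass:$4" 2>/dev/null
}

# key_matches_cert KEY CERT -> exit 0 only if the cert was issued for this key.
# Both commands print the SubjectPublicKeyInfo in PEM, so a byte-for-byte
# comparison is enough; a mismatched pair would make every handshake fail.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# install_pair KEY CERT CONFDIR
# Mirrors step 24: server.key readable by its owner only, server.crt public.
install_pair() {
    mkdir -p "$3/ssl.key" "$3/ssl.crt"
    cp "$1" "$3/ssl.key/server.key"
    chmod 400 "$3/ssl.key/server.key"
    cp "$2" "$3/ssl.crt/server.crt"
    chmod 444 "$3/ssl.crt/server.crt"
}

# key_mode FILE -> prints the permission string, e.g. -r-------- for 0400
key_mode() {
    ls -l "$1" | cut -c1-10
}

# make_demo_bundle DIR PASSWORD
# Constructed sample input: a throw-away self-signed key+cert packed into a
# .p12, standing in for the file Communicator's "Export" button writes.
make_demo_bundle() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.com" \
        -keyout "$1/demo.key" -out "$1/demo.crt" 2>/dev/null
    openssl pkcs12 -export -inkey "$1/demo.key" -in "$1/demo.crt" \
        -out "$1/demo.p12" -passout "pass:$2" 2>/dev/null
}

# Demo run: build the bundle, convert it, verify, install into a scratch dir.
demo() {
    work=$(mktemp -d)
    make_demo_bundle "$work" secret
    p12_to_pem "$work/demo.p12" "$work/key.pem" "$work/cert.pem" secret
    if key_matches_cert "$work/key.pem" "$work/cert.pem"; then
        install_pair "$work/key.pem" "$work/cert.pem" "$work/conf"
        echo "installed into $work/conf; key mode $(key_mode "$work/conf/ssl.key/server.key")"
    else
        echo "key.pem and cert.pem do not match; refusing to install" >&2
        return 1
    fi
}

demo
```

Note the difference from the command in step 23: the log's `openssl pkcs12 -nocerts` (without -nodes) leaves key.pem protected by a pass phrase, so `apachectl startssl` will stop and ask for it every time the server starts. Adding -nodes removes that prompt at the cost of an unencrypted key on disk, which is exactly why the chmod 400 in step 24 is not optional.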

Yay! You're done!

That wasn't too painful, was it?

Please send me email if you tried this and it worked for you. Better yet, send me email if you tried it and it didn't work.