PKCS #12 is a standard format for storing certificate information, including private keys. The directory server can use a PKCS #12 file as a certificate keystore if it includes the private key for the certificate.
Because PKCS #12 is a common format for storing certificate information, you might already have a certificate in this format, or the certificate authority (CA) that you use might create certificates in this form. In some cases, it might also be possible to convert an existing certificate into PKCS #12 format. For example, if you already have a certificate in a Network Security Services (NSS) certificate database, then the NSS pk12util tool can import it. The following example uses the pk12util tool to export a certificate named server-cert contained in the database ../../alias/slapd-config-key3.db to a PKCS #12 file, /tmp/server-cert.p12:
$ ./pk12util -n server-cert -o /tmp/server-cert.p12 \ -d ../../alias -P "slapd-config-"
To create a new certificate in PKCS #12 format, use the procedure described in Using the JKS Key Manager Provider for obtaining a certificate in a JKS keystore. The only difference in the process is that you should use -storetype PKCS12 instead of -storetype JKS when you invoke the keytool commands. For example, to create a self-signed certificate in a PKCS #12 file, use the following commands:
$ keytool -genkey -alias server-cert -keyalg rsa \ -dname "CN=server.example.com,O=example.com,C=US" \ -keystore config/keystore.p12 -keypass password \ -storetype PKCS12 -storepass password
Note - The preceding command uses syntax for the keytool provided with Java 1.5. If your installation uses Java 1.6, substitute -genkeypair for the -genkey option.
$ keytool -selfcert -alias server-cert -validity 1825 \ -keystore config/keystore.p12 -keypass password \ -storetype PKCS12 -storepass password
As with JKS, the directory server provides a template key manager provider for use with PKCS #12 certificate files that uses the same set of configuration attributes as the configuration entry for the JKS key manager provider. The only differences are that the value of the key-store-type attribute must be PKCS12, and the key-store-file attribute should refer to the location of the PKCS #12 file rather than a JKS keystore. The following example uses dsconfig to configure the PKCS #12 keystore manager provider:
$ dsconfig -D "cn=directory manager" -w password -X -n\ set-key-manager-provider-prop --provider-name "PKCS12" --advanced
For a complete list of configurable properties, see “File-Based Key Manager Provider Configuration” in the Sun OpenDS Standard Edition 2.0 Configuration Reference.