Import a server certificate into the ica token

Import the server certificate into the openCryptoki ica token.

  1. Import the server certificate into the token under the nickname testcert using option -A (add):
    # certutil -A -d /etc/httpd/nss -n testcert -t u,u,u -i /etc/httpd/nss/tmpcert.der \
          -h myicatoken
    Notice: Trust flag u is set automatically if the private key is present.
  2. Display the contents of the token:
    
    # certutil -K -d /etc/httpd/nss -h myicatoken
    certutil: Checking token "myicatoken" in slot "Linux"
    Enter Password or Pin for "myicatoken": 25345867
    < 0> rsa      49fe255b05e746c08b4a11d7ac5e5c9f68d8fe5a   myicatoken:testcert
    < 1> rsa      f11fa89f1d630d188b7da752c1c004f48b774235   myicatoken:testca 
    
    The password that you enter above was set in Step 7 of topic Configuring the openCryptoki ica token.
  3. Create a file password.txt in /etc/httpd/nss that contains the passwords for the database and token. The file should look like the following:
    
    internal:19283746
    myicatoken:25345867
    
  4. Set reasonable permissions for the database and password file:
    
    # chmod 640 /etc/httpd/nss/*.db
    # chown root:apache /etc/httpd/nss/*.db
    # chmod 640 /etc/httpd/nss/password.txt
    # chown root:apache /etc/httpd/nss/password.txt
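
A check for the result of steps 3 and 4, as an added example that is not part of the original documentation: it reports any database or password file in the directory that is more permissive than mode 640 or not owned by the expected user and group. The function name check_nss_perms is hypothetical, and GNU stat is assumed.

```shell
#!/bin/bash
# Added example: audit the files secured in step 4.
# check_nss_perms is a hypothetical helper, not part of NSS or mod_nss.
# Assumes GNU stat (coreutils).
#
# Usage: check_nss_perms DIR [OWNER] [GROUP]
# Returns 0 if every *.db file and password.txt in DIR is mode 640 or
# stricter and owned by OWNER:GROUP (default root:apache, as in step 4).
# Returns 1 and prints one line per finding otherwise.
check_nss_perms() {
    local dir=$1 owner=${2:-root} group=${3:-apache}
    local rc=0 f mode fowner fgroup

    for f in "$dir"/*.db "$dir"/password.txt; do
        # An unmatched glob or a missing password file is a finding too.
        if [ ! -f "$f" ]; then
            echo "MISSING  $f"
            rc=1
            continue
        fi
        read -r mode fowner fgroup <<EOF
$(stat -c '%a %U %G' "$f")
EOF
        # Flag every bit outside rw-r----- (octal 640): execute bits,
        # group write, any access for others, setuid/setgid/sticky.
        if [ $(( 0$mode & ~0640 )) -ne 0 ]; then
            echo "MODE     $f is $mode, expected 640 or stricter"
            rc=1
        fi
        if [ "$fowner" != "$owner" ] || [ "$fgroup" != "$group" ]; then
            echo "OWNER    $f is $fowner:$fgroup, expected $owner:$group"
            rc=1
        fi
    done
    return $rc
}

# Example call for the directory used in this topic:
#   check_nss_perms /etc/httpd/nss root apache
```

A non-zero return means at least one file needs the chmod or chown from step 4 applied again, for example after the database files were recreated.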