Background
Note: this example demonstrates how to get an Apache server that uses mod_nss working. It assumes that all commands are executed from within the NSS database directory (/etc/httpd/alias).
NSS Database
The mod_nss RPM includes an empty NSS Database. If for some reason the NSS database does not exist, it can be created as follows:
# mkdir /etc/httpd/alias
# certutil -N -d .
Look for pre-existing cert
# certutil -L -d . -n "Server-Cert"
If there is an existing server cert, remove it and the key.
# certutil -F -d . -n "Server-Cert"
# certutil -D -d . -n "Server-Cert"
Create certificate signing request (CSR)
# certutil -d . -R -o corbin.llnl.gov.csr -s "CN=corbin.llnl.gov, O=GS,L=Livermore,ST=California,C=US" -8 "zdiv-yum.llnl.gov"
Submit CSR to CA
Send the corbin.llnl.gov.csr file to pkiadmin@llnl.gov, along with your name, employee ID, organization, and the purpose of the certificate (identify web server, etc.). Specify that you want a SAN (Subject Alternative Name) added to the certificate, even if you are only providing one name. The AD PKI team will respond with a signed certificate, which you will install on your system.
Install signed certificate
# certutil -A -d . -n "Server-Cert" -t ",," -i corbin.llnl.gov.crt
CA Certs
Download a copy of all the .crt and .crl files from adpki.llnl.gov and put them in /etc/pki/ca-trust/source/anchors. Then run update-ca-trust.
# update-ca-trust
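A post-install check for the procedure above, added here as an example and not part of the original page: it confirms that "Server-Cert" is in the database, that certutil lists it with the u trust flag (shown when the matching private key from the CSR step is in the same database), and that certutil -V accepts it for SSL server use. The function names are hypothetical.

```bash
# Added example: post-install checks for the NSS database entry.
# Function names are hypothetical; certutil -L, -V and -u V are real options.

# Print the trust flags that "certutil -L" lists for a nickname.
# Nicknames may contain spaces, so the last field is the flags column
# and everything before it is the nickname.
nss_trust_flags() {
    certutil -L -d "$1" 2>/dev/null | awk -v want="$2" '
        NF >= 2 {
            flags = $NF
            name = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", name)
            sub(/^[ \t]+/, "", name)
            if (name == want) { print flags; found = 1; exit }
        }
        END { exit (found ? 0 : 1) }'
}

# 0: listed with a "u" flag, which NSS shows when the private key for the
#    certificate is in the same database; 1: no key; 2: nickname missing.
nss_cert_has_key() {
    local flags
    flags=$(nss_trust_flags "$1" "$2") || return 2
    case "$flags" in
        *u*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Ask NSS to validate the certificate for SSL server usage (-u V).
nss_cert_valid_for_tls() {
    certutil -V -d "$1" -n "$2" -u V 2>&1 | grep -q 'certificate is valid'
}

check_server_cert() {
    local db="${1:-/etc/httpd/alias}" nick="${2:-Server-Cert}" rc=0
    nss_cert_has_key "$db" "$nick" || rc=$?
    case "$rc" in
        0) ;;
        1) echo "FAIL: no private key for $nick in $db"; return 1 ;;
        *) echo "FAIL: $nick not found in $db"; return 1 ;;
    esac
    if ! nss_cert_valid_for_tls "$db" "$nick"; then
        echo "FAIL: $nick does not validate for SSL server use"; return 1
    fi
    echo "OK: $nick has its key and validates for SSL server use"
}
```

After sourcing the file, check_server_cert with no arguments checks "Server-Cert" in /etc/httpd/alias.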