Mod_NSS is an alternative to apache’s default mod_ssl. Now why would you want to use it? Well, at this point mod_nss is the only FIPS-compliant encryption module for use with apache on Red Hat systems. So if you are in an environment where you are required to use FIPS encryption standards, or you just want bragging rights for the marketing people, you will need to implement mod_nss.
Fortunately, it is not all that difficult. I am not going to go over all the steps needed to implement it; rather, I am going to point you to the right resources to get the job done. Red Hat has an excellent article in their knowledge base that covers most of the work.
If you are using a certificate that is signed by a public CA, then you will also need to import that CA's certificate into the NSS database. Usually they will ship you their cert along with your signed cert (sometimes called an intermediate certificate). You will need to import it using the following command (this one is for Go Daddy, but you can use it with any CA; just change the nickname):
sudo certutil -A -d /etc/httpd/alias/ -n "Go Daddy" -t "CT,," -a -i gd_bundle.crt
Here is a breakdown of the flags in that command (taken from this page):
Now if you are anything like me, you probably don’t have the certificate that was signed by the public CA hanging around in PKCS#12 format (which is required to import the cert and key into the NSS database). To use openssl to export your certificate and key into a PKCS#12-formatted file, run the following command:
openssl pkcs12 -export -in cert.pem -inkey key.pem -out server.p12 -name Server-Cert -passout pass:foo
I think those command line flags are pretty self explanatory so I will move on.
You will now need to import the resulting file into the NSS database; here is the command to do that:
sudo pk12util -i server.p12 -d /etc/httpd/alias -W foo
Here again is a breakdown of the flags (taken from this page):
To verify that the certificate is in fact in the database you can run the following command:
sudo certutil -L -d /etc/httpd/alias
And finally to verify that your certificate is indeed valid and everything is installed as it should be you can run the following command:
sudo certutil -V -u V -d /etc/httpd/alias -n "Nick Name"
If the certificate appears in the database and is valid, that should just about cover you. Start up apache, check the error logs, make an SSL-encrypted connection to the server, and voilà, you are running a FIPS-compliant SSL-encrypted web server.
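The whole sequence above (import the CA bundle, export to PKCS#12, import with pk12util, then check the listing and validity) wrapped in one script, added here as an example and not part of the original post. The database path, the nicknames, the input file names and the password file are assumptions; the two check functions can be exercised offline against the constructed `certutil -L` listing at the bottom.

```shell
#!/bin/sh
# Added example (not from the original post): runs the page's mod_nss
# certificate steps and checks the resulting NSS database.
# NSSDB, the nicknames, the input file names and the password file are assumptions.
set -u

NSSDB=/etc/httpd/alias          # NSS database directory used by mod_nss
CA_NICK="Go Daddy"              # nickname given to the CA/intermediate bundle
SRV_NICK="Server-Cert"          # nickname the server cert is imported under

# Print the trust flags of nickname $2 from 'certutil -L' output $1.
# Nicknames may contain spaces, so the flags are taken from the last field
# and the remainder of the line is compared with the nickname.
nss_trust_flags() {
    printf '%s\n' "$1" | awk -v nick="$2" '
        NR > 2 && NF >= 2 { flags = $NF; $NF = ""; sub(/[ \t]+$/, "")
                            if ($0 == nick) { print flags; exit } }'
}

# Succeed only if 'certutil -V' output $1 reports a valid certificate.
nss_cert_valid() {
    case "$1" in *"certificate is valid"*) return 0 ;; esac
    return 1
}

# The page's procedure, with the PKCS#12 password read from file $1 rather
# than given as 'pass:foo' on the command line (where it shows up in process
# listings and shell history).
import_server_cert() {
    pwfile=$1
    certutil -A -d "$NSSDB" -n "$CA_NICK" -t "CT,," -a -i gd_bundle.crt || return 1
    openssl pkcs12 -export -in cert.pem -inkey key.pem -out server.p12 \
        -name "$SRV_NICK" -passout "file:$pwfile" || return 1
    pk12util -i server.p12 -d "$NSSDB" -w "$pwfile" || return 1

    listing=$(certutil -L -d "$NSSDB")
    # The CA entry must carry the trust we asked for, and the server entry must
    # show "u,u,u" (private key present); anything else means the import failed.
    [ "$(nss_trust_flags "$listing" "$CA_NICK")" = "CT,," ] || return 1
    [ "$(nss_trust_flags "$listing" "$SRV_NICK")" = "u,u,u" ] || return 1
    nss_cert_valid "$(certutil -V -u V -d "$NSSDB" -n "$SRV_NICK" 2>&1)"
}

# Constructed sample of 'certutil -L' output, used to exercise the checks offline.
SAMPLE_LISTING='Certificate Nickname                       Trust Attributes
                                           SSL,S/MIME,JAR/XPI

Go Daddy                                   CT,,
Server-Cert                                u,u,u'

if [ "${1:-}" = "import" ]; then
    import_server_cert "${2:-$NSSDB/pwfile.txt}"
fi
```

Run it as `sudo sh script.sh import /path/to/pwfile` from the directory holding gd_bundle.crt, cert.pem and key.pem; without arguments it only defines the functions.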
This work, unless otherwise expressly stated, is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License.
This document is a copy of steel blog