Hands-on lab – exporting and importing the Dogtag CA certificate

The Dogtag web portal doesn't have an option for this, so we'll have to use the command line:

  1. In your home directory of the Dogtag server, create the password.txt file. On the first line of the file, insert the password for the server's certificate. (It's the password that you set when you ran the pkispawn command.)
  2. Extract the server key and certificate like so:

     sudo pki-server ca-cert-chain-export --pkcs12-file pki-server.p12 --pkcs12-password-file password.txt

     Run an ls -l command to verify that the pki-server.p12 file was created.

  3. The problem with the p12 file is that it contains both the server's private key and its certificate. But to add a certificate to the CA section of your browser's trusted store, you have to have just the certificate without the key. Extract the certificate like so:

     openssl pkcs12 -in pki-server.p12 -clcerts -nokeys -out pki-server.crt

  4. Transfer this new pki-server.crt file to a machine with a graphical desktop. In Firefox, open Preferences/Privacy & Security. Click the View Certificates button at the bottom. Click the Authorities tab and import the new certificate. Select to Trust this CA to identify websites and to Trust this CA to identify email users.
  5. Close Firefox and then open it again to ensure that the certificate takes effect. Navigate to the Dogtag portal. This time, you shouldn't receive any warning messages about using an untrusted certificate.
  6. End of lab.
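
The following script is an added example, not part of the original lab: before pki-server.crt leaves the Dogtag server, it confirms that the file holds a certificate and no private key, then prints the SHA-256 fingerprint to compare against what Firefox shows after the import. The function names check_export and show_details are hypothetical; the file name is the lab's own.

```bash
#!/usr/bin/env bash
# Added example: sanity checks on the file produced by the
# "openssl pkcs12 ... -nokeys -out pki-server.crt" step of this lab.
# check_export and show_details are hypothetical helper names.

# Return 0 if the file holds at least one PEM certificate and no private key.
# Return codes: 1 = private key present, 2 = missing/empty, 3 = no certificate.
check_export() {
    crt_file="$1"
    if [ ! -s "$crt_file" ]; then
        echo "missing or empty: $crt_file" >&2
        return 2
    fi
    # Matches PRIVATE KEY, RSA PRIVATE KEY, ENCRYPTED PRIVATE KEY, ...
    if grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$crt_file"; then
        echo "private key material in $crt_file; do not transfer it" >&2
        return 1
    fi
    cert_count=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$crt_file" || true)
    if [ "$cert_count" -lt 1 ]; then
        echo "no certificate in $crt_file" >&2
        return 3
    fi
    return 0
}

# Print what to compare against Firefox's certificate viewer after import.
show_details() {
    openssl x509 -in "$1" -noout -subject -issuer -enddate -fingerprint -sha256
    # A certificate imported under Authorities should say CA:TRUE here.
    openssl x509 -in "$1" -noout -text | grep -A1 'Basic Constraints'
}

# Usage: ./check-export.sh pki-server.crt
if [ -n "${1:-}" ]; then
    check_export "$1" && show_details "$1"
fi
```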