Certificates that have been exported by Apache cannot be directly imported into OTD. An Apache export consists of two files, a .pem and a .key, and if you try to load the .pem file as-is you will get the error ‘OTD-64112’.
First, convert them to PKCS12 format:
otd_user@otd-zone:~$ openssl pkcs12 -export -in wildcard.load.melnet.net.pem -inkey wildcard.load.melnet.net.key -out wildcard.p12
Then you import them into Oracle Traffic Director. The first time I tried this I had problems, as the new certificates were not visible in the GUI despite it noticing that the files cert8.db/key3.db had changed and prompting for a reload. cert8.db/key3.db are the older Berkeley format databases, whereas OTD uses the newer SQLite format files cert9.db/key4.db. You can control which format the NSS tools write to by setting the environment variable NSS_DEFAULT_DB_TYPE or by putting the prefix sql: on the certificate directory path given to -d.
otd_user@otd-zone:/u01/OTDInstance/net-sso-home/config$ export NSS_DEFAULT_DB_TYPE="sql"
otd_user@otd-zone:/u01/OTDInstance/net-sso-home/config$ pk12util -i /export/home/otd_user/wildcard.p12 -d .
Enter password for PKCS12 file:
pk12util: PKCS12 IMPORT SUCCESSFUL
Use certutil to verify that the key has loaded successfully:
otd_user@otd-zone:/u01/OTDInstance/net-sso-home/config$ certutil -K -d .
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
rsa 7fe2205c3cc98df1df0a907c9ed81900048bf434 cert-*.load.melnet.net
Then log in to the OTD management user interface and select pull and deploy the changes.
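The procedure above, wrapped in a script that first checks which NSS database flavour the config directory holds (so the import cannot silently land in the legacy cert8.db/key3.db files that OTD does not read) and always passes the sql: prefix to -d. This is an added example, not from the original post; the function names and the /tmp output path are my own, and it assumes openssl, pk12util and certutil are on PATH.

```shell
#!/bin/sh
# Added example (not from the original post). Detect the NSS DB flavour in an
# OTD config directory, then convert and import with the sql: prefix so the
# certificate ends up in cert9.db/key4.db, the files OTD actually reads.

# Print "sql", "dbm", "both" or "none" depending on which DB files exist.
nss_db_flavor() {
    dir=$1
    sql=0; dbm=0
    [ -f "$dir/cert9.db" ] && [ -f "$dir/key4.db" ] && sql=1
    [ -f "$dir/cert8.db" ] && [ -f "$dir/key3.db" ] && dbm=1
    if [ "$sql" -eq 1 ] && [ "$dbm" -eq 1 ]; then echo both
    elif [ "$sql" -eq 1 ]; then echo sql
    elif [ "$dbm" -eq 1 ]; then echo dbm
    else echo none
    fi
}

# Build the -d argument with the sql: prefix so the NSS tools never fall back
# to the Berkeley format regardless of NSS_DEFAULT_DB_TYPE.
nss_db_arg() {
    echo "sql:$1"
}

# Convert the Apache PEM + key to PKCS12, import it, and list the private keys
# so the new nickname can be confirmed before pulling/deploying in the GUI.
import_apache_cert() {
    pem=$1; key=$2; confdir=$3; p12=${4:-/tmp/import.p12}   # hypothetical default path
    case $(nss_db_flavor "$confdir") in
        both) echo "warning: legacy cert8.db/key3.db also present in $confdir; OTD reads cert9.db/key4.db" >&2 ;;
        dbm)  echo "warning: only legacy cert8.db/key3.db found in $confdir" >&2 ;;
        none) echo "warning: no NSS database found in $confdir" >&2 ;;
    esac
    openssl pkcs12 -export -in "$pem" -inkey "$key" -out "$p12" || return 1
    pk12util -i "$p12" -d "$(nss_db_arg "$confdir")" || return 1
    certutil -K -d "$(nss_db_arg "$confdir")"
}
```

Run as `import_apache_cert wildcard.pem wildcard.key /u01/OTDInstance/net-sso-home/config`; a "both" warning means the directory still carries the old Berkeley files and is the situation that hid the certificate in the GUI.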
Useful related knowledge
certutil utility reference: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Reference/NSS_tools_:_certutil
How To Import Pre-existing SSL Server Certificate and Key Files Into Oracle Traffic Director (Doc ID 1495668.1)