Prerequisites: You need the NSS tools from mozilla.org and openssl.
1. Copy the cert7.db and key3.db from the AppServer config directory to some directory on ferrari or wherever you have the NSS tools.
2. Find the certname in the server.xml file by looking for the cert-nickname attribute. This is the cert you want to export.
3. Export the key and cert to PKCS12 format
pk12util -d . -o <output filename> -n <cert name from list in #2 above>
It'll ask you for passwords to the .db and then ask you to input a new one. I just keep the same one or leave it blank. This is assuming you're running this in the same directory as the .db files.
4. Now convert PKCS12 file to PEM format (which is what apache wants) using openssl:
openssl pkcs12 -in <filename from #3 above> -out <name of pem file>
It'll ask you for the password you entered in #3 and then ask you to enter a new one for the output.
The pem file created has both the key and cert in it so you have to
split it out into two files. Just grab the part that is inside of the
BEGIN and END lines for the cert and key and put them into separate
.pem files. Note for cert files please grab the Second Certificate in
that PEM file.
6. Now you have to decrypt the RSA key file so that apache doesn't prompt you for a password on startup. Use this command:
openssl rsa -in <key pem file you created in #5> -out <output key pem file you are going to use in apache>
6. Now point the apache httpd.conf to the cert and key file and you should be all set.
7. Restart Apache.