Jeff Falgout wrote: > Brian K. Jones said: > >>Hi, >> >>Anyone have a procedure for self signing a certificate request from FDS >>using >>an existing CA cert with openssl? Also - anyone know why I can't just use >>an >>existing cert/key pair with FDS that was created and self-signed already - >>or >>if I can, how? >> >>brian. > > > > openssl x509 -req -in /path/to/csr \ > -CA /path/to/cacert \ > -CAkey /path/to/cakey -CAcreateserial \ > -out /path/to/signed.crt > > I just use this command to sign the csr generated from the console. I > haven't figured out how to use an existing cert/key - I'd very much like > to see how to do that. > This was just discussed on IRC, may as well document it here as well. First, head into console and initialize your certificate database and assign a password. To do this, log into the console, select your directory instance and under Tasks select Manage Certificates. If you don't already have a certificate database created, it will prompt you for a password. Now, at a unix prompt, change to your server root as a user that can write to the files in alias (probably root). This assumes that the existing cert is in the file ssl-cert.pem and the existing key is in ssl-key.pem and your instance is named "myinstance": # cd /opt/redhat-ds # openssl pkcs12 -export -in ssl-cert.pem -inkey ssl-key.pem -out ssl-cert.p12 -name "Server-Cert" You now have the openssl cert in a pkcs#12 file (cert and key together) Now import it into your DS database: # shared/bin/pk12util -i ssl-cert.p12 -d alias -P slapd-myinstance- This will work for both Fedora and Red Hat DS. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature Url : http://lists.fedoraproject.org/pipermail/389-users/attachments/20050620/f258d26f/attachment.bin
