Can we get this into the FAQ?

--Chris

Rob Crittenden wrote:
> Jeff Falgout wrote:
>
>> Brian K. Jones said:
>>
>>> Hi,
>>>
>>> Anyone have a procedure for self signing a certificate request from FDS
>>> using an existing CA cert with openssl? Also - anyone know why I can't
>>> just use an existing cert/key pair with FDS that was created and
>>> self-signed already - or if I can, how?
>>>
>>> brian.
>>
>> openssl x509 -req -in /path/to/csr \
>>     -CA /path/to/cacert \
>>     -CAkey /path/to/cakey -CAcreateserial \
>>     -out /path/to/signed.crt
>>
>> I just use this command to sign the csr generated from the console. I
>> haven't figured out how to use an existing cert/key - I'd very much like
>> to see how to do that.
>
> This was just discussed on IRC, may as well document it here as well.
>
> First, head into console and initialize your certificate database and
> assign a password. To do this, log into the console, select your
> directory instance and under Tasks select Manage Certificates. If you
> don't already have a certificate database created, it will prompt you
> for a password.
>
> Now, at a unix prompt, change to your server root as a user that can
> write to the files in alias (probably root).
>
> This assumes that the existing cert is in the file ssl-cert.pem and the
> existing key is in ssl-key.pem and your instance is named "myinstance":
>
> # cd /opt/redhat-ds
> # openssl pkcs12 -export -in ssl-cert.pem -inkey ssl-key.pem \
>     -out ssl-cert.p12 -name "Server-Cert"
>
> You now have the openssl cert in a pkcs#12 file (cert and key together)
>
> Now import it into your DS database:
>
> # shared/bin/pk12util -i ssl-cert.p12 -d alias -P slapd-myinstance-
>
> This will work for both Fedora and Red Hat DS.
>
> rob
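
Added example, not part of the mailing-list thread: shell functions wrapping the two openssl steps quoted above (signing the console-generated CSR with an existing CA, then bundling an existing PEM cert/key as PKCS#12), with the checks worth running before the bundle is imported. The function names, exit codes and the password-file argument are assumptions; the openssl invocations are the ones from the thread, with only the -passout option added.

```shell
#!/bin/sh
# Added example; function names, exit codes and the password file are assumptions.

# Sign a CSR with an existing CA (the command quoted in the thread).
sign_csr() {    # usage: sign_csr CSR CACERT CAKEY OUT
    openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial -out "$4"
}

# Succeed only if CERT carries the public key that belongs to KEY.
cert_matches_key() {    # usage: cert_matches_key CERT KEY
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Check the chain and the key match, then write the PKCS#12 bundle.
# Exit codes: 2 = cert does not verify against CACERT, 3 = cert/key mismatch.
bundle_p12() {  # usage: bundle_p12 CERT KEY CACERT OUT_P12 PASS_FILE
    openssl verify -CAfile "$3" "$1" >/dev/null 2>&1 || {
        echo "error: $1 does not verify against $3" >&2; return 2; }
    cert_matches_key "$1" "$2" || {
        echo "error: $1 and $2 are not a pair" >&2; return 3; }
    # The bundle holds the private key: create it 0600 and read the export
    # password from a file so it never appears in the process list.
    ( umask 077
      openssl pkcs12 -export -in "$1" -inkey "$2" -name "Server-Cert" \
          -passout "file:$5" -out "$4" )
}
```

Once pk12util has imported the bundle, remove the .p12 and the password file, since both protect a copy of the server's private key.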