Enabling SSL

A follow up question:  why does pk12util need to be run against the 
certificate db at all?  Doesn't RedHat/Fedora DS read certificate and 
key information directly from the cert8.db and key3.db files?

In the RedHat SSL setup docs at:
http://www.redhat.com/docs/manuals/dir-server/ag/7.1/ssl.html#1087158
... it says:

> Run pk12util to convert the certificate database to pkcs12 format, so 
> it is accessible by the Directory Server:


As Adam Stokes mentioned, the incantation for this should be:

>Again, another typo; the line should read
>
>pk12util -d . -P slapd-serverID- -o servercert.pk12 -n Server-Cert
>
But what does it buy you to have the "servercert.pk12" file sitting in 
the alias directory with the cert and key db files?  How does this make 
the certificate database "accessible by the Directory Server"?

In previous versions of Netscape DS, I don't recall the need for a pk12 
file in the alias directory.  Is this a new requirement for version 7.1 ?

Thanks,
-- George


Adam Stokes wrote:

>On Wed, 3 Aug 2005 15:48:42 -0400
>Kevin Kovach <kovach at gmail.com> wrote:
>
>Kevin,
>
>Again, another typo; the line should read
>
>pk12util -d . -P slapd-serverID- -o servercert.pk12 -n Server-Cert
>
>and the -P option is the dbprefix in which case slapd-serverID- should
>be replaced with whatever you have setup as your slapd-<instance>-
>
>Hope this helps
>
>  
>
>>Adam,
>>
>>My entry looks the same.  I'm pretty certain I have the ciphers
>>correct now.
>>
>>I am curious about one thing though.  In following the wiki, I did as
>>suggested and converted the cert db to pkcs12 with the following
>>command ...
>>
>>pk12util -d . -P slapd-serverID- -o servercert.pfx -n Server-Cert
>>
>>However, I don't see anywhere where we make FDS aware of
>>servercert.pfx?  I'd assume that we need to configure FDS for this
>>pkcs12 db somewhere?
>>
>>Also, the wiki mentions the trailing - on the -P option but does not
>>go into depth on it.  I'm pretty sure I executed this command
>>correctly but am unsure how to double check it?
>>
>>Thanks again.
>>
>>- Kevin
>>
>>On 8/3/05, Adam Stokes <astokes at redhat.com> wrote:
>>    
>>
>>>dn: cn=encryption,cn=config
>>>objectClass: top
>>>objectClass: nsEncryptionConfig
>>>cn: encryption
>>>nsSSLSessionTimeout: 0
>>>nsSSLClientAuth: allowed
>>>nsSSL2: off
>>>nsSSL3: on
>>>creatorsName: cn=server,cn=plugins,cn=config
>>>modifiersName: cn=directory manager
>>>createTimestamp: 20050701182744Z
>>>modifyTimestamp: 20050720192820Z
>>>nsSSL3Ciphers: -rsa_null_md5,rsa_rc4_128_md5,rsa_rc4_40_md5,rsa_rc2_40_md5,rsa_des_sha,rsa_fips_des_sha,rsa_3des_sha,rsa_fips_3des_sha,fortezza,fortezza_rc4_128_sha,fortezza_null,tls_rsa_export1024_with_rc4_56_sha,tls_rsa_export1024_with_des_cbc_sha
>>>nsKeyfile: alias/slapd-directory-key3.db
>>>nsCertfile: alias/slapd-directory-cert8.db
>>>numSubordinates: 1
>>>
>>>Above is my entry for reference
>>>
>>>On Wed, 2005-08-03 at 13:57 -0400, Kevin Kovach wrote:
>>>      
>>>
>>>>Thanks Nathan.  I've made this change and again got farther than
>>>>I have before.
>>>>
>>>>FYI, I got that cipher list from the Wiki.  That will need to be
>>>>updated to contain the complete list.
>>>>
>>>>Although I got farther the server is still not starting up.  Now
>>>>it's complaining that none of the ciphers are valid?  How do I
>>>>ensure that I'm using a valid cipher?  Here's the error I'm
>>>>seeing in the error log ...
>>>>
>>>>[03/Aug/2005:13:56:23 -0400] - Fedora-Directory/7.1 B2005.201.2115 starting up
>>>>[03/Aug/2005:13:56:23 -0400] - SSL failure: None of the cipher are valid
>>>>
>>>>Thanks again for the help.
>>>>
>>>>- Kevin
>>>>
>>>>And again have a different issue now.  Now it's complaining that
>>>>there are no
>>>>        
>>>>
>>>--
>>>Fedora-directory-users mailing list
>>>Fedora-directory-users at redhat.com
>>>https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>
>>>      
>>>
>>-- 
>>Take back the web, http://www.switch2firefox.com/
>>
>>    
>>
>
>
>  
>
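Kevin asked how to double-check the -P value, and Adam's answer is that it is simply the slapd-<instance>- prefix the database files in the alias directory already carry. The script below is an added example, not code from this thread or from Fedora Directory Server: it derives the prefix from the slapd-*-cert8.db file name, refuses to guess when the directory holds databases for more than one instance, checks that the matching key3.db is present, and prints the pk12util command line with -P filled in. The alias directory, instance name and empty stand-in database files in the demo are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread or Fedora DS): find the NSS database
# prefix that pk12util/certutil -P must be given, from the files in an
# alias directory, and print the pk12util command built from it.

# nss_prefix DIR
# Prints the dbprefix, e.g. "slapd-directory-", taken from the single
# slapd-*-cert8.db in DIR. Returns 1 if there is not exactly one such file,
# 2 if the matching key3.db is missing (the cert db would open without keys).
nss_prefix() {
    dir=$1
    count=0
    prefix=""
    for f in "$dir"/slapd-*-cert8.db; do
        [ -e "$f" ] || continue        # unmatched glob stays literal; skip it
        count=$((count + 1))
        base=${f##*/}
        prefix=${base%cert8.db}        # strip the suffix, keep the trailing "-"
    done
    [ "$count" -eq 1 ] || return 1
    [ -e "$dir/${prefix}key3.db" ] || return 2
    printf '%s\n' "$prefix"
}

# pk12util_cmd DIR [NICKNAME] [OUTFILE]
# Prints the pk12util invocation from the thread with -P filled in.
pk12util_cmd() {
    dir=$1
    nick=${2:-Server-Cert}
    out=${3:-servercert.pk12}
    p=$(nss_prefix "$dir") || return $?
    printf 'pk12util -d %s -P %s -o %s -n %s\n' "$dir" "$p" "$out" "$nick"
}

# Demo on a constructed alias directory; empty files stand in for the NSS dbs.
demo=$(mktemp -d)
: > "$demo/slapd-directory-cert8.db"
: > "$demo/slapd-directory-key3.db"
: > "$demo/secmod.db"
pk12util_cmd "$demo"
# Databases for a second instance in the same directory make the prefix
# ambiguous, so the helper refuses rather than picking one.
: > "$demo/slapd-other-cert8.db"
pk12util_cmd "$demo" || echo "prefix is ambiguous: pass -P explicitly"
rm -rf "$demo"
```

With the real NSS tools, `certutil -d <aliasdir> -P <prefix> -L` lists the certificates that prefix resolves to and `certutil -d <aliasdir> -P <prefix> -K` lists the keys, so a wrong prefix shows up as an empty listing or a missing Server-Cert nickname, and `pk12util -l servercert.pk12` shows what the export actually contains. Keep in mind that the file `-o` writes is a PKCS#12 bundle holding the server's private key, protected only by the export password pk12util prompts for; if it stays in the alias directory it should be readable by the server's user alone, and removed once it has been imported wherever it was needed.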



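The "SSL failure: None of the cipher are valid" error and the cipher list Adam posted both turn on how the nsSSL3Ciphers value is read. The script below is an added example, not code from this thread or from the Directory Server; it assumes the syntax the posted LDIF suggests (comma-separated cipher names, a leading "-" disables, a leading "+" or no prefix enables), lists the ciphers that end up enabled, and then flags the ones that give no real protection: null ciphers, export-grade suites, 40- and 56-bit keys and single DES. The sample value is a constructed copy of the one in the thread, leading "-" included.

```shell
#!/bin/sh
# Added example (not from the thread or the Directory Server code): read an
# nsSSL3Ciphers value and report the enabled ciphers, then the weak ones.
# Assumed syntax: comma-separated cipher names; "-name" disables, "+name"
# or a bare name enables.

# enabled_ciphers VALUE -> one enabled cipher name per line
enabled_ciphers() {
    printf '%s\n' "$1" | tr ',' '\n' | while IFS= read -r c; do
        case $c in
            '')  ;;                            # empty token (stray comma)
            -*)  ;;                            # explicitly disabled
            +*)  printf '%s\n' "${c#+}" ;;     # explicitly enabled
            *)   printf '%s\n' "$c" ;;         # bare name: enabled
        esac
    done
}

# weak_enabled VALUE -> enabled ciphers with no real protection:
# null ciphers, export-grade suites, 40/56-bit keys and single DES
weak_enabled() {
    enabled_ciphers "$1" | while IFS= read -r c; do
        case $c in
            *null*|*export*|*_40_*|*_56_*|*_des_*) printf '%s\n' "$c" ;;
        esac
    done
}

# Constructed copy of the value posted in the thread (leading "-" included).
thread_value='-rsa_null_md5,rsa_rc4_128_md5,rsa_rc4_40_md5,rsa_rc2_40_md5,rsa_des_sha,rsa_fips_des_sha,rsa_3des_sha,rsa_fips_3des_sha,fortezza,fortezza_rc4_128_sha,fortezza_null,tls_rsa_export1024_with_rc4_56_sha,tls_rsa_export1024_with_des_cbc_sha'

echo "enabled:"
enabled_ciphers "$thread_value"
echo "weak and enabled:"
weak_enabled "$thread_value"
```

Run against the posted value, the check shows that only rsa_null_md5 is switched off by the leading "-" and that the 40-bit, export and single-DES suites, plus fortezza_null, remain enabled. By today's standards RC4 and MD5-based suites would be cut as well; the patterns above are deliberately limited to what was already indefensible in 2005.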


