Ill update wiki accordingly thanks On Wed, 03 Aug 2005 13:14:00 -0700 "George Holbert" <gholbert at broadcom.com> wrote: > Rich M answered my question in his recent post: > > > If you followed the other steps up until this one, then you already > > have the required certs for slapd to use. You only need to export > > the cert to the .pfx file if you need to import that key and cert > > into another program (e.g. use openssl to convert the .pfx file to > > other formats). > > So there apparently is not a need for the pk12 file in the alias > directory. > > Thanks Rich, > -- George > > > > George Holbert wrote: > > > A follow up question: why does pk12util need to be run against the > > certificate db at all? Doesn't RedHat/Fedora DS read certificate > > and key information directly from the cert8.db and key3.db files? > > > > In the RedHat SSL setup docs at: > > http://www.redhat.com/docs/manuals/dir-server/ag/7.1/ssl.html#1087158 > > ... it says: > > > >> Run pk12util to convert the certificate database to pkcs12 format, > >> so it is accessbile by the Directory Server: > > > > > > > > As Adam Stokes mentioned, the incantation for this should be: > > > >> Again another typo the line should read > >> > >> pk12util -d . -P slapd-serverID- -o servercert.pk12 -n Server-Cert > >> > > But what does it buy you to have the "servercert.pk12" file sitting > > in the alias directory with the cert and key db files? How does > > this make the certificate database "accessible by the Directory > > Server"? > > > > In previous versions of Netscape DS, I don't recall the need for a > > pk12 file in the alias directory. Is this a new requirement for > > version 7.1 ? > > > > Thanks, > > -- George > > > > > > Adam Stokes wrote: > > > >> On Wed, 3 Aug 2005 15:48:42 -0400 > >> Kevin Kovach <kovach at gmail.com> wrote: > >> > >> Kevin, > >> > >> Again another typo the line should read > >> > >> pk12util -d . -P slapd-serverID- -o servercert.pk12 -n Server-Cert > >> > >> and the -P option is the dbprefix in which case slapd-serverID- > >> should be replaced with whatever you have setup as your slapd- > >> <instance>- > >> > >> Hope this helps > >> > >> > >> > >>> Adam, > >>> > >>> My entry looks the same. I'm pretty certain I have the ciphers > >>> correct now. > >>> > >>> I am curious about one thing though. In following the wiki, I > >>> did as suggested and converted the cert db to pkcs12 with the > >>> following command ... > >>> > >>> pk12util -d . -P slapd-serverID- -o servercert.pfx -n Server-Cert > >>> > >>> However, I don't see anywhere where we make FDS aware of > >>> servercert.pfx? I'd assume that we need to configure FDS for this > >>> pkcs12 db somewhere? > >>> > >>> Also, the wiki mentions the trailing - on the -P option but does > >>> not go into depth on it. I'm pretty sure I executed this command > >>> correctly but am unsure how to double check it? > >>> > >>> Thanks again. > >>> > >>> - Kevin > >>> > >>> On 8/3/05, Adam Stokes <astokes at redhat.com> wrote: > >>> > >>> > >>>> dn: cn=encryption,cn=config > >>>> objectClass: top > >>>> objectClass: nsEncryptionConfig > >>>> cn: encryption > >>>> nsSSLSessionTimeout: 0 > >>>> nsSSLClientAuth: allowed > >>>> nsSSL2: off > >>>> nsSSL3: on > >>>> creatorsName: cn=server,cn=plugins,cn=config > >>>> modifiersName: cn=directory manager > >>>> createTimestamp: 20050701182744Z > >>>> modifyTimestamp: 20050720192820Z > >>>> nsSSL3Ciphers: > >>>> - > >>>> rsa_null_md5,rsa_rc4_128_md5,rsa_rc4_40_md5,rsa_rc2_40_md5,rsa_des_sha,rsa_fips_des_sha,rsa_3des_sha,rsa_fips_3des_sha,fortezza,fortezza_rc4_128_sha,fortezza_null,tls_rsa_export1024_with_rc4_56_sha,tls_rsa_export1024_with_des_cbc_sha > >>>> > >>>> nsKeyfile: alias/slapd-directory-key3.db nsCertfile: alias/slapd- > >>>> directory-cert8.db numSubordinates: 1 > >>>> > >>>> Above is my entry for reference > >>>> > >>>> On Wed, 2005-08-03 at 13:57 -0400, Kevin Kovach wrote: > >>>> > >>>> > >>>>> Thanks Nathan. I've made this change and again got farther than > >>>>> I have before. > >>>>> > >>>>> FYI, I got that cipher list from the Wiki. That will need to be > >>>>> updated to contain the complete list. > >>>>> > >>>>> Although I got farther the server is still not starting up. Now > >>>>> it's complaining that none of the ciphers are valid? How to I > >>>>> ensure that I'm using a valid cypher? Here's the error I'm > >>>>> seeing in the error log ... > >>>>> > >>>>> [03/Aug/2005:13:56:23 -0400] - Fedora-Directory/7.1 > >>>>> B2005.201.2115 starting up [03/Aug/2005:13:56:23 -0400] - SSL > >>>>> failure: None of the cipher are valid > >>>>> > >>>>> Thanks again for the help. > >>>>> > >>>>> - Kevin > >>>>> > >>>>> And again have a different issue now. Now it's complaining that > >>>>> there are no > >>>>> > >>>> > >>>> -- > >>>> Fedora-directory-users mailing list > >>>> Fedora-directory-users at redhat.com > >>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users > >>>> > >>>> > >>> > >>> -- > >>> Take back the web, http://www.switch2firefox.com/ > >>> > >>> -- > >>> Fedora-directory-users mailing list > >>> Fedora-directory-users at redhat.com > >>> https://www.redhat.com/mailman/listinfo/fedora-directory-users > >>> > >> > >> > >> > >> > >> > > > > > > > > -- > > Fedora-directory-users mailing list > > Fedora-directory-users at redhat.com > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users -- ....<(^_^)> adam stokes ....
