Craig White wrote:

>On Thu, 2005-12-08 at 13:00 -0700, Richard Megginson wrote:
>
>>Craig White wrote:
>>
>>>Trying to follow instructions at
>>>http://www.redhat.com/docs/manuals/dir-server/ag/7.1/ssl.html#1087158
>>>
>>>Step #8
>>>Copy the key3.db and cert8.db you created to the default databases
>>>created at Directory Server installation:
>>>
>>>where is this 'default databases'?
>>>
>>>/opt/fedora-ds/slapd-srv1/ ? # srv1 is name of my server
>>>
>>/opt/fedora-ds/alias/slapd-srv1-key3.db
>>/opt/fedora-ds/alias/slapd-srv1-cert8.db
>>
>----
>OK - well that was where I created them...
>
># ls -l /opt/fedora-ds/alias/
>total 520
>-rw------- 1 nobody nobody 65536 Dec 8 12:55 admin-serv-srv1-cert8.db
>-rw------- 1 nobody nobody 16384 Dec 8 12:55 admin-serv-srv1-key3.db
>-rw------- 1 root root 65536 Dec 8 11:18 cert8.db
>-rw------- 1 root root 2644 Dec 8 11:18 cert.pk12
>-rw------- 1 root root 16384 Dec 8 11:18 key3.db
>-rwxr-xr-x 1 root nobody 194880 Nov 29 15:06 libnssckbi.so
>-rw-r--r-- 1 root root 55 Dec 8 11:09 noise.txt
>-rw------- 1 root root 9 Dec 8 11:09 pwdfile.txt
>-rw------- 1 nobody nobody 16384 Dec 6 08:46 secmod.db
>-rw------- 1 nobody nobody 65536 Dec 8 10:55 slapd-srv1-cert8.db
>-rw------- 1 nobody nobody 16384 Dec 8 10:55 slapd-srv1-key3.db
>
>I didn't see them listed anywhere in the console.
>

Didn't see what listed anywhere in the console? I think the directions mean "copy your new key3.db over slapd-srv1-key3.db and copy your new cert8.db over slapd-srv1-cert8.db". When you do this, make sure slapd isn't running, and make sure you retain the old ownership and permissions of those files (e.g. nobody:nobody and 0600). Slapd (uid nobody) has to open those files in read-write mode.

>I ended up doing this with openssl...
># first using console, I created a server csr (fedora-ds.csr)
>
>then...
>openssl req -config /usr/share/ssl/openssl.cnf -new -x509 \
>-days 3650 -key ca.key -out ca.cert
>openssl genrsa -out ldap.key 1024
>openssl req -config /usr/share/ssl/openssl.cnf -new -key ldap.key \
>-out ldap.csr
>openssl x509 -req -in ldap.csr -out ldap.cert -CA ca.cert \
>-CAkey ca.key -CAcreateserial -days 3650
>openssl x509 -req -in fedora-ds.csr -out fedora-ds.cert -CA ca.cert \
>-CAkey ca.key -CAcreateserial -days 3650
>cp ca.cert /etc/ssl
>
>Then using the console - in Administration console, Manage Certificates,
>CA Certs, I 'installed' the file ca.cert (it seemed happy)
>
>Then in Server Certs, I installed fedora-ds.cert (it seemed happy)
>
>I pretty much repeated the process of creating the signing request and
>signing it and generating another server cert and it seems to be happy
>too as now, it too lists the certificates both in the server certs and
>the CA certs.
>
>So I am pretty good to go right?
>
>Thanks
>
>Craig
>
>--
>Fedora-directory-users mailing list
>Fedora-directory-users at redhat.com
>https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
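
The replacement step described in the reply above (server stopped, owner and mode of the existing database files kept), as an added example that is not part of the thread or of the Directory Server documentation. The function names are hypothetical, the process name `ns-slapd` is an assumption (override it with `PROC`), and GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example: put a new NSS database file in place of the one the server
# uses, keeping the owner and mode of the file being replaced.
# Assumption: PROC is the directory server's process name.
PROC="${PROC:-ns-slapd}"

server_running() {
    # True if a process with exactly that name exists.
    pgrep -x "$PROC" >/dev/null 2>&1
}

install_db() {
    # Usage: install_db NEW_FILE EXISTING_FILE
    # e.g.   install_db key3.db /opt/fedora-ds/alias/slapd-srv1-key3.db
    src=$1
    dst=$2
    [ -f "$src" ] && [ -f "$dst" ] || { echo "missing $src or $dst" >&2; return 2; }
    if server_running; then
        echo "$PROC is running; stop it before replacing $dst" >&2
        return 3
    fi
    # Record numeric owner, group and mode of the file already in use.
    want=$(stat -c '%u:%g %a' "$dst") || return 4
    # Keep the old database, with its metadata, for rollback.
    cp -p "$dst" "$dst.bak" || return 4
    # Writing into the existing file keeps its inode, owner and mode,
    # so a root-owned source file does not leave the target root-owned.
    cat "$src" > "$dst" || return 4
    # Verify: content replaced, owner and mode unchanged.
    cmp -s "$src" "$dst" || return 5
    [ "$(stat -c '%u:%g %a' "$dst")" = "$want" ] || return 5
    # The thread expects mode 0600; warn if the original was looser.
    case "${want##* }" in
        600) ;;
        *) echo "warning: $dst has mode ${want##* }, expected 600" >&2 ;;
    esac
}
```

Run it once per file (the key database and the certificate database); the `.bak` copies let you restore the previous pair if the server fails to start.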