On Thu, 2005-12-08 at 13:27 -0700, Richard Megginson wrote:
> Craig White wrote:
>
> >On Thu, 2005-12-08 at 13:00 -0700, Richard Megginson wrote:
> >
> >>Craig White wrote:
> >>
> >>>Trying to follow instructions at
> >>>http://www.redhat.com/docs/manuals/dir-server/ag/7.1/ssl.html#1087158
> >>>
> >>>Step #8
> >>>Copy the key3.db and cert8.db you created to the default databases
> >>>created at Directory Server installation:
> >>>
> >>>where is this 'default databases'?
> >>>
> >>>/opt/fedora-ds/slapd-srv1/ ? # srv1 is name of my server
> >>>
> >>/opt/fedora-ds/alias/slapd-srv1-key3.db
> >>/opt/fedora-ds/alias/slapd-srv1-cert8.db
> >>
> >----
> >OK - well that was where I created them...
> >
> ># ls -l /opt/fedora-ds/alias/
> >total 520
> >-rw------- 1 nobody nobody 65536 Dec 8 12:55 admin-serv-srv1-cert8.db
> >-rw------- 1 nobody nobody 16384 Dec 8 12:55 admin-serv-srv1-key3.db
> >-rw------- 1 root root 65536 Dec 8 11:18 cert8.db
> >-rw------- 1 root root 2644 Dec 8 11:18 cert.pk12
> >-rw------- 1 root root 16384 Dec 8 11:18 key3.db
> >-rwxr-xr-x 1 root nobody 194880 Nov 29 15:06 libnssckbi.so
> >-rw-r--r-- 1 root root 55 Dec 8 11:09 noise.txt
> >-rw------- 1 root root 9 Dec 8 11:09 pwdfile.txt
> >-rw------- 1 nobody nobody 16384 Dec 6 08:46 secmod.db
> >-rw------- 1 nobody nobody 65536 Dec 8 10:55 slapd-srv1-cert8.db
> >-rw------- 1 nobody nobody 16384 Dec 8 10:55 slapd-srv1-key3.db
> >
> >I didn't see them listed anywhere in the console.
> >
> Didn't see what listed anywhere in the console?
----
the certificates that I generated using certutil. I never could find
evidence of them in any console. The files listed above I am certain
were generated by openssl creation of the CA certificate and using that
to sign the requests from the Server Certs portions of the
Administration and Directory Consoles - and 'installing' them in the
console...because of the time signatures.
----
>
> I think the directions mean "copy your new key3.db over
> slapd-srv1-key3.db and copy your new cert8.db over
> slapd-srv1-cert8.db". When you do this, make sure slapd isn't running,
> and make sure you retain the old ownership and permissions of those
> files (e.g. nobody:nobody and 0600). Slapd (uid nobody) has to open
> those files in read-write mode.
>
----
it would appear that having the above contents of /opt/fedora-ds/alias
and the db files chmod 600 nobody:nobody as per above - that even though
I generated them ultimately with openssl and not certutil and they are
listed in both Administration and Directory consoles in both CA Certs
and Server Certs that I am good to go to next step.

Thanks

Craig
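
Added example, not part of the original message or the Directory Server documentation: one way to script the replacement step described in the quoted advice, refusing to run while the server process is up and carrying the target file's existing owner, group and mode over to the new database. The function names `proc_running` and `replace_nss_db` are hypothetical, the server's process name is an assumption supplied by the caller, and the script assumes Linux `/proc` and a `stat` that supports `-c`.

```shell
#!/bin/sh
# Added example: replace an NSS database file (e.g. slapd-srv1-key3.db) with a
# newly created one while keeping the target's owner, group and mode.

# Return 0 if any process has the given command name (reads Linux /proc).
proc_running() {
    for f in /proc/[0-9]*/comm; do
        [ -r "$f" ] || continue
        read -r name 2>/dev/null < "$f" || continue
        if [ "$name" = "$1" ]; then return 0; fi
    done
    return 1
}

# replace_nss_db NEW TARGET PROCNAME
# PROCNAME is the directory server's process name (assumption: caller knows it).
replace_nss_db() {
    new=$1 target=$2 procname=$3
    [ -f "$new" ] && [ -f "$target" ] || { echo "missing file" >&2; return 2; }
    if proc_running "$procname"; then
        echo "$procname is running; stop it first" >&2
        return 3
    fi
    # Record what the server expects before touching anything.
    owner=$(stat -c '%u:%g' "$target") || return 4
    mode=$(stat -c '%a' "$target") || return 4
    # Stage in the same directory so the final rename is atomic;
    # mktemp creates the staging file with mode 0600.
    tmp=$(mktemp "$target.XXXXXX") || return 4
    cp "$new" "$tmp" && chown "$owner" "$tmp" && chmod "$mode" "$tmp" \
        && mv -f "$tmp" "$target" || { rm -f "$tmp"; return 5; }
}
```

Changing ownership to another account such as nobody:nobody requires running it as root; the source file is left in place, so the root-owned copy in the alias directory can be removed separately once the server starts cleanly.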