Brian Jones wrote: > Hi all, > > I'm generating new *.db files for my server, where I will install a new > root > ca, and a new server cert (new *.db files allows me to easily test and back > out). I have a couple of questions about *.db files and how FDS uses them: > > 1. When I use certutil -N to create the new db files, is the value I > give to > the '-P' flag arbitrary, or does the server look for a specific value based > on instance name or something? I have new files called > 'slapd-ldap-cert8.db' > and 'slapd-ldap-key3.db', because I thought this prefix value was > arbitrary, > but FDS fails to start because it says that files ' > slapd-ldap-testbox-cert8.db' and 'slapd-ldap-testbox-key3.db' are missing. > Those are the *old* db file names. By default the prefix needs to match the FDS instance name. Because the database files are stored in a common directory a way was needed to discretely name them, hence the prefix. > > 2. Related to 1, how do I (from the command line) change what files FDS > looks for? Is this possible? Recommended? I've never done this but a cursory look at the code found nsCertfile and nsKeyfile. I guess in theory you could change those values (stored in LDAP, of course) and point to new key/cert files. I grepped them out of dse.ldif to see the current settings. > > 3. Is it true that I cannot reuse a signed server certificate in a newly > created database, even if the new database has the same root ca > installed as > the old one? I need to generate a request every time I run certutil -N? The signed certificate is only half of what you need. You also need the private key. Without more information on what you're trying to do I can't really make a recommendation. > > 4. Are there other rules that these files have to conform to in order for > the server to start up? Are there docs on this that I've missed? Links? > I've > seen the mozilla NSS docs, but they're mostly for developers (except for > the > decent certutil reference), and the RHDS docs do everything from the GUI as > far as I've seen. > From the perspective of the command-line utilities, they could care less what the files are named as long as they end in cert8.db and key3.db. The prefix flag (-P) lets you set arbitrary data before that. For a bit more detail on how NSS is initialized, look at the function slapd_nss_init() at http://cvs.fedora.redhat.com/lxr/dirsec/source/ldapserver/ldap/servers/slapd/ssl.c It looks like the only thing hardcoded is the directory where the files are located, server-root/alias. But like I said, I've never tried renaming those files in the DS. I just wonder if this would cause confusion in the future, or with the console. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature Url : http://lists.fedoraproject.org/pipermail/389-users/attachments/20060710/b285ad87/attachment.bin
