certutil: generating new .db files for server

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Brian Jones wrote:
> Hi Rob, thanks for the reply. I've clarified inline:
> 
> On 7/10/06, Rob Crittenden <rcritten at redhat.com> wrote:
>>
>> Brian Jones wrote:
>>
>> > 3. Is it true that I cannot reuse a signed server certificate in a 
>> newly
>> > created database, even if the new database has the same root ca
>> > installed as
>> > the old one? I need to generate a request every time I run certutil -N?
>>
>> The signed certificate is only half of what you need. You also need the
>> private key. Without more information on what you're trying to do I
>> can't really make a recommendation.
> 
> 
> 
> Right, I know I need the root ca and the server cert (signed by said root
> ca) both installed in the db. What I'm doing is this:
> 
> I have /opt/fedora-ds/alias set up as a symlink to alias-test1, 
> alias-test2,
> etc. I have a couple of these directories around for... um.... testing :)
> 
> What I want to confirm is whether or not I can use, for example, the cert
> request I generated (using certutil -R) for the db files in alias-test1 for
> the new db files created in alias-test2.

Ok, so what you want to do is issue the certificate once, then perhaps 
move it to other directories? If so here is what you do:

1. Generate a new database (or use an existing one, it doesn't really 
matter).
2. generate your Certifiacte Server Request (CSR)
3. Sign this with your CA
4. Import the new server certificate into your database (certutil -A ...)
5. Export this server cert, which I've nicknamed Server-Cert, into a 
PKCS#12 file with:

pk12util -o server.p12 -n Server-Cert -P slapd-foo- -d alias

6. You can now import this into another certificate database with

pk12util -i server.p12 -n Server-Cert -P slapd-bar- -d alias-test1

The other alternative is to simply copy the database files between 
directories, but you'll pick up all certificates/keys rather than 
discretely copying a single cert/key combo.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3178 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.fedoraproject.org/pipermail/389-users/attachments/20060710/00880aa9/attachment.bin
[Index of Archives]     [Fedora User Discussion]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora News]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora QA]     [Fedora Triage]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Yosemite Photos]     [Linux Apps]     [Maemo Users]     [Gnome Users]     [KDE Users]     [Fedora Tools]     [Fedora Art]     [Fedora Docs]     [Maemo Users]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Fedora ARM]

  Powered by Linux