Ryan Braun wrote:
> On Friday 21 September 2007 16:37, Richard Megginson wrote:
>
>> Ryan Braun wrote:
>>
>>> On Thursday 20 September 2007 21:36, George Holbert wrote:
>>>
>>> Ok so I managed to create a new certificate using subjectAltName
>>> extensions, and it works as advertised. I can run ldapsearches on
>>> eastldap on both eastldap0.
>>>
>>> Now my question is for generating certs for the other servers. Now that
>>> I have the CA cert on eastldap0, I would assume I need to install the CA
>>> on each additional server. Can I just copy and paste the cacert.asc into
>>> the manage certificate wizard?
>>>
>> You cannot use the CA cert to generate server certs. You need the CA
>> cert and key. This CA key was created when you created your initial CA
>> cert. The CA key is stored in the key3.db in which you initially
>> created in steps 5 and 6 here -
>> http://directory.fedoraproject.org/wiki/Howto:SSL#Basic_Steps
>>
>> I would suggest you create all of your server certs using this initial
>> CA cert and key.
>>
>> cd /opt/fedora-ds/alias
>> serialnumber=1002
>> for server in serverFQDN ; do
>>   ../shared/bin/certutil -d . -S -n "Server-Cert-$server" -s "cn=$server,ou=Fedora Directory Server" -c "CA certificate" -t "u,u,u" -m $serialnumber -v 120 -d . -z noise.txt -f pwdfile.txt
>>   # each cert must have a unique serial number
>>   serialnumber=`expr $serialnumber + 1`
>>   # export the new server cert+key
>>   ../shared/bin/pk12util -d . -o $server.p12 -n "Server-Cert-$server" -k pwdfile.txt -w pwdfile.txt
>> done
>>
> Rather than run the script, I tried to run it for one example first
>
> eastldap0:/opt/fedora-ds/alias# ../shared/bin/certutil -d . -S -n "Server-Cert-eastldap1" -s "cn=eastldap1.test.com" -c "CA certificate" -t "u,u,u" -m 2000 -v 120 -8 eastldap.test.com,eastldap,eastldap1 -d . -z noise.txt -f pwdfile.txt
> Generating key. This may take a few moments...
> eastldap0:/opt/fedora-ds/alias# ../shared/bin/pk12util -d . -o ywgldap1.isb.ec.gc.ca.p12 -n "Server-Cert-ywgldap1" -k pwdfile.txt -w pwdfile.txt
> pk12util-bin: PKCS12 EXPORT SUCCESSFUL
>
> So at this point I had the .p12 file and the existing cacert.asc created, and sent them over to eastldap1.
>
>> For all of the commands listed above, you may have to specify -P
>> slapd-instance- if you are not using cert8.db and key3.db.
>>
>> Then, copy each file $server.p12 to that $server, along with the
>> cacert.asc file
>> Then, on each server:
>>
>> cd /opt/fedora-ds/alias
>> ../shared/bin/pk12util -d . -P slapd-instance- -i $server.p12 -w pwdfile.txt -k pwdfile.txt
>> # the -w argument is the file containing the password used to encrypt the .p12 file
>> # the -k argument is the file containing the password for the new key database
>> # you may use a different password for -k here - this is the same password used
>> # in your slapd-instance-pin.txt file
>>
>> ../shared/bin/certutil -A -d . -P slapd-instance- -n "CA certificate" -t "CT,," -a -i cacert.asc
>> # this imports your CA cert
>>
> Now the importing,
>
> eastldap1:/opt/fedora-ds/alias# ../shared/bin/pk12util -d . -P slapd-eastldap1- -i eastldap1.test.com.p12 -w pwdfile-0.txt -k pwdfile.txt
> pk12util-bin: PKCS12 IMPORT SUCCESSFUL
> ywgldap1:/opt/fedora-ds/alias# ../shared/bin/certutil -A -d . -P slapd-eastldap1- -n "CA certificate" -t "CT,," -a -i cacert.asc
>
> Send over enable ssl ldif
>
> ryan at infinity:~/fds-tools$ ldapmodify -x -h eastldap1 -D "cn=directory manager" -W -f ssl_enable.ldif
> Enter LDAP Password:
> modifying entry "cn=encryption,cn=config"
>
> modifying entry "cn=config"
> ryan at infinity:~/fds-tools$ ldapmodify -x -h eastldap1 -D "cn=directory manager" -W -f addrsa.ldif
> Enter LDAP Password:
> adding new entry "cn=RSA,cn=encryption,cn=config"
>
> But when I restart slapd on eastldap1
>
> Enter PIN for Internal (Software) Token:
> [21/Sep/2007:17:52:33 +0000] - SSL alert: Security Initialization: Can't find certificate (Server-Cert) for family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)
> [21/Sep/2007:17:52:33 +0000] - SSL alert: Security Initialization: Unable to retrieve private key for cert Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)
> [21/Sep/2007:17:52:33 +0000] - SSL failure: None of the cipher are valid
>
> Did I miss importing a private key from somewhere? Do I need to use the cacert.pfx I created in the basic steps?
>
No. I think the problem is that the name of the server cert in the cert db is Server-Cert-$server not Server-Cert. I thought there was an option to pk12util to import it and rename it, but apparently not. To find out what the server cert name is:

cd /opt/fedora-ds/alias
../shared/bin/certutil -L -d . -P slapd-eastldap1-

I'm assuming it will be Server-Cert-$server

Unless someone knows an easy way to rename it, you can just tell slapd to use the new name.

stop-slapd
edit dse.ldif - look for Server-Cert and change it to whatever the actual name of your server cert is (Server-Cert-$server)
save
and start-slapd

> Thanks
>
> Ryan
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
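As an added example (not from this thread and not Fedora Directory Server's own tooling), here is the same procedure as a set of POSIX shell functions, with the two checks the thread shows are needed: after the import, confirm which nickname actually landed in the instance's cert database with certutil -L, and then set the nsSSLPersonalitySSL attribute of cn=RSA,cn=encryption,cn=config in dse.ldif to that nickname instead of the default Server-Cert, which is what the -8174 "bad database" errors above are complaining about. ALIAS_DIR, CERTUTIL, PK12UTIL, the pwdfile.txt/noise.txt names and the dse.ldif path in the usage comment are assumptions; certutil and pk12util are only called from issue_server_cert and import_server_cert, so the nickname and dse.ldif helpers can be exercised on their own.

```shell
#!/bin/sh
# Added example: helpers for issuing per-server certs from one CA key,
# importing them into an instance's NSS DB, and pointing slapd at the
# resulting nickname. Paths and file names below are assumptions.

ALIAS_DIR=${ALIAS_DIR:-/opt/fedora-ds/alias}
CERTUTIL=${CERTUTIL:-$ALIAS_DIR/../shared/bin/certutil}
PK12UTIL=${PK12UTIL:-$ALIAS_DIR/../shared/bin/pk12util}

# Nickname convention used in the thread: one nickname per server.
server_cert_nick() {
    printf 'Server-Cert-%s\n' "$1"
}

# Build the -8 subjectAltName list: the FQDN, its short host name, and any
# extra aliases given as further arguments.
san_list() {
    fqdn=$1; shift
    short=${fqdn%%.*}
    list="$fqdn,$short"
    for extra in "$@"; do list="$list,$extra"; done
    printf '%s\n' "$list"
}

# On the CA host: issue one server cert signed by "CA certificate" and export
# cert+key as PKCS#12. $1 = FQDN, $2 = serial number (unique per cert under
# this CA; reusing one makes clients that saw the earlier cert reject it).
issue_server_cert() {
    fqdn=$1; serial=$2
    nick=$(server_cert_nick "$fqdn")
    (cd "$ALIAS_DIR" &&
        "$CERTUTIL" -d . -S -n "$nick" -s "cn=$fqdn,ou=Fedora Directory Server" \
            -c "CA certificate" -t "u,u,u" -m "$serial" -v 120 \
            -8 "$(san_list "$fqdn")" -z noise.txt -f pwdfile.txt &&
        "$PK12UTIL" -d . -o "$fqdn.p12" -n "$nick" -k pwdfile.txt -w pwdfile.txt)
}

# On the target server: import the .p12 into the instance DBs (prefix such as
# slapd-eastldap1-), add the CA cert, and verify the nickname is really there.
# -w is the .p12 password file, -k the key DB (pin.txt) password file.
import_server_cert() {
    fqdn=$1; prefix=$2
    nick=$(server_cert_nick "$fqdn")
    (cd "$ALIAS_DIR" &&
        "$PK12UTIL" -d . -P "$prefix" -i "$fqdn.p12" -w pwdfile.txt -k pwdfile.txt &&
        "$CERTUTIL" -A -d . -P "$prefix" -n "CA certificate" -t "CT,," -a -i cacert.asc &&
        "$CERTUTIL" -L -d . -P "$prefix" | grep -q "^$nick[[:space:]]")
}

# Rewrite the nickname slapd looks up for the RSA family in dse.ldif
# (run with slapd stopped). Keeps a .bak copy and fails if the value did
# not change. Nicknames containing '/' or '&' would need escaping for sed.
set_ssl_nickname() {
    dse=$1; nick=$2
    sed -i.bak "s/^nsSSLPersonalitySSL: .*/nsSSLPersonalitySSL: $nick/" "$dse"
    grep -q "^nsSSLPersonalitySSL: $nick\$" "$dse"
}

# Usage (assumed instance layout):
#   issue_server_cert eastldap1.test.com 1002            # on the CA host
#   import_server_cert eastldap1.test.com slapd-eastldap1-   # on eastldap1
#   set_ssl_nickname /opt/fedora-ds/slapd-eastldap1/config/dse.ldif \
#       "$(server_cert_nick eastldap1.test.com)"
```

The grep at the end of import_server_cert is the automated form of the certutil -L check suggested above: the import step in the thread succeeded, and the failure only showed up at slapd start, so it is worth refusing to continue when the expected nickname is absent rather than discovering it in the error log.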