Ryan Braun wrote:
> On Friday 21 September 2007 18:27, Richard Megginson wrote:
>
>>> Rather than run the script, I tried to run it for one example first
>>>
>>> eastldap0:/opt/fedora-ds/alias# ../shared/bin/certutil -d . -S -n "Server-Cert-eastldap1" -s "cn=eastldap1.test.com" -c "CA certificate" -t "u,u,u" -m 2000 -v 120 -8 eastldap.test.com,eastldap,eastldap1 -d . -z noise.txt -f pwdfile.txt
>>> Generating key. This may take a few moments...
>>> eastldap0:/opt/fedora-ds/alias# ../shared/bin/pk12util -d . -o eastldap1.test.com.p12 -n "Server-Cert-eastdap1" -k pwdfile.txt -w pwdfile.txt
>>> pk12util-bin: PKCS12 EXPORT SUCCESSFUL
>>>
>>> So at this point I had the .p12 file and the existing cacert.asc created, and sent them over to eastldap1.
>>>
>>>> For all of the commands listed above, you may have to specify -P slapd-instance- if you are not using cert8.db and key3.db.
>>>>
>>>> Then, copy each file $server.p12 to that $server, along with the cacert.asc file
>>>> Then, on each server:
>>>> cd /opt/fedora-ds/alias
>>>> ../shared/bin/pk12util -d . -P slapd-instance- -i $server.p12 -w pwdfile.txt -k pwdfile.txt
>>>> # the -w argument is the file containing the password used to encrypt the .p12 file
>>>> # the -k argument is the file containing the password for the new key database
>>>> # you may use a different password for -k here - this is the same password used
>>>> # in your slapd-instance-pin.txt file
>>>>
>>>> ../shared/bin/certutil -A -d . -P slapd-instance- -n "CA certificate" -t "CT,," -a -i cacert.asc
>>>>
>>>> # this imports your CA cert
>>>>
>>> Now the importing,
>>>
>>> eastldap1:/opt/fedora-ds/alias# ../shared/bin/pk12util -d . -P slapd-eastldap1- -i eastldap1.test.com.p12 -w pwdfile-0.txt -k pwdfile.txt
>>> pk12util-bin: PKCS12 IMPORT SUCCESSFUL
>>> ywgldap1:/opt/fedora-ds/alias# ../shared/bin/certutil -A -d . -P slapd-eastldap1- -n "CA certificate" -t "CT,," -a -i cacert.asc
>>>
>>> Send over enable ssl ldif
>>>
>>> ryan at infinity:~/fds-tools$ ldapmodify -x -h eastldap1 -D "cn=directory manager" -W -f ssl_enable.ldif
>>> Enter LDAP Password:
>>> modifying entry "cn=encryption,cn=config"
>>>
>>> modifying entry "cn=config"
>>> ryan at infinity:~/fds-tools$ ldapmodify -x -h eastldap1 -D "cn=directory manager" -W -f addrsa.ldif
>>> Enter LDAP Password:
>>> adding new entry "cn=RSA,cn=encryption,cn=config"
>>>
>>> But when I restart slapd on eastldap1
>>>
>>> Enter PIN for Internal (Software) Token:
>>> [21/Sep/2007:17:52:33 +0000] - SSL alert: Security Initialization: Can't find certificate (Server-Cert) for family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)
>>> [21/Sep/2007:17:52:33 +0000] - SSL alert: Security Initialization: Unable to retrieve private key for cert Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)
>>> [21/Sep/2007:17:52:33 +0000] - SSL failure: None of the cipher are valid
>>>
>>> Did I miss importing a private key from somewhere? Do I need to use the cacert.pfx I created in the basic steps?
>>>
>> No. I think the problem is that the name of the server cert in the cert db is Server-Cert-$server not Server-Cert. I thought there was an option to pk12util to import it and rename it, but apparently not. To find out what the server cert name is:
>> cd /opt/fedora-ds/alias
>> ../shared/bin/certutil -L -d . -P slapd-eastldap1-
>> I'm assuming it will be Server-Cert-$server
>> Unless someone knows an easy way to rename it, you can just tell slapd to use the new name.
>> stop-slapd
>> edit dse.ldif - look for Server-Cert and change it to whatever the actual name of your server cert is (Server-Cert-$server)
>> save and start-slapd
>>
>
> Thanks for the help! The modifying of dse.ldif did the trick and it all seems to be working.
>
> Now what in the process would I have to change in order to be able to generate the certs with a Server-Cert-$server nickname and have fds recognize the proper name, without having to edit dse.ldif for each box?
>
I'm not sure. There's probably a way to use pk12util to export/import a cert with a different name, or use certutil to change the name, but I just don't know.

> Ryan
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
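As an added example, not code from this thread nor from Fedora Directory Server itself, the following script strings the steps above together for one server and answers Ryan's last question from the other side: instead of renaming the cert, generate the addrsa.ldif for each box with that box's own nickname, so slapd is told to look for Server-Cert-$server from the start and dse.ldif never needs hand-editing. It assumes (this is not stated in the thread) that the nickname slapd loads is the nsSSLPersonalitySSL attribute of cn=RSA,cn=encryption,cn=config, which is the value the dse.ldif edit above changes. The ../shared/bin path, the pwdfile/noise/cacert file names and the slapd-$server- prefix follow the thread; the DRY_RUN switch, the run/cert_nick/rsa_ldif helpers and the "setup" entry point are this script's own inventions.

```shell
#!/bin/sh
# Per-server NSS cert nicknames for Fedora DS without editing dse.ldif.
# Added example; assumptions are marked in the comments.

BIN=${BIN:-../shared/bin}          # NSS tools, relative to the alias dir (as in the thread)
ALIAS=${ALIAS:-/opt/fedora-ds/alias}
CA_NICK="CA certificate"
DRY_RUN=${DRY_RUN:-1}              # default: only print the commands; DRY_RUN=0 executes them

run() {                            # echo the command, execute it unless dry-running
    echo "+ $*"
    [ "$DRY_RUN" = "1" ] || "$@"
}

# Nickname convention from the thread: Server-Cert-<short host name>.
cert_nick() {
    echo "Server-Cert-${1%%.*}"
}

# Step 1, on the CA host: generate the server key+cert in the CA's NSS db and
# export it as a password-protected PKCS#12 bundle (same certutil/pk12util
# flags Ryan used; the SAN list here is just fqdn,shortname).
make_server_cert() {               # $1 = server FQDN, $2 = serial number
    fqdn=$1; short=${fqdn%%.*}; nick=$(cert_nick "$fqdn")
    run "$BIN/certutil" -d . -S -n "$nick" -s "cn=$fqdn" -c "$CA_NICK" \
        -t "u,u,u" -m "$2" -v 120 -8 "$fqdn,$short" -z noise.txt -f pwdfile.txt
    run "$BIN/pk12util" -d . -o "$fqdn.p12" -n "$nick" -k pwdfile.txt -w pwdfile.txt
}

# Step 2, on the target server: import the bundle (-w: password the .p12 was
# exported with, kept in pwdfile-0.txt as in the thread; -k: this instance's
# key db password) and the CA cert into the instance db (prefix slapd-$short-).
import_server_cert() {             # $1 = server FQDN
    fqdn=$1; short=${fqdn%%.*}; prefix="slapd-$short-"
    run "$BIN/pk12util" -d . -P "$prefix" -i "$fqdn.p12" -w pwdfile-0.txt -k pwdfile.txt
    run "$BIN/certutil" -A -d . -P "$prefix" -n "$CA_NICK" -t "CT,," -a -i cacert.asc
    # Check before touching the config: the nickname slapd will be given must
    # already exist in this db, or you get the -8174 "bad database" alert.
    run "$BIN/certutil" -L -d . -P "$prefix" -n "$(cert_nick "$fqdn")"
}

# Step 3: the cn=RSA entry with the server's real nickname instead of the
# default Server-Cert. (Assumption: nsSSLPersonalitySSL is the attribute slapd
# reads for the cert name; nsSSLToken/nsSSLActivation are the usual companions.)
rsa_ldif() {                       # $1 = server FQDN, prints LDIF on stdout
    cat <<EOF
dn: cn=RSA,cn=encryption,cn=config
objectclass: top
objectclass: nsEncryptionModule
cn: RSA
nsSSLPersonalitySSL: $(cert_nick "$1")
nsSSLToken: internal (software)
nsSSLActivation: on
EOF
}

# Entry point: "sh thisscript.sh setup eastldap1.test.com" runs the whole
# sequence for one server (CA-side steps and server-side steps in one place
# for illustration; in practice the .p12 and cacert.asc are copied between).
if [ "${1:-}" = "setup" ]; then
    server=${2:?usage: $0 setup <fqdn>}
    short=${server%%.*}
    cd "$ALIAS" || exit 1
    make_server_cert "$server" 2000
    import_server_cert "$server"
    rsa_ldif "$server" > "addrsa-$short.ldif"
    run ldapmodify -x -h "$server" -D "cn=directory manager" -W -f "addrsa-$short.ldif"
fi
```

Run it once with DRY_RUN=1 (the default) to see every command it would issue, then with DRY_RUN=0 on a host that has the NSS tools. The generated addrsa-$short.ldif is the only per-box difference, and it is derived from the host name, so the same script serves every server; the `certutil -L -n` check in step 2 is what would have caught Ryan's mismatch before the restart.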