Generating and installing certificates for Fedora-ds 1.1.0 using Openssl based CA

Howard Wilkinson wrote:
> We have a CA using our corporate certificate which we want to sign our 
> certificates for the fedora-ds and clients.
>
> I am trying to work out how to do this. The setupssl2 script works 
> fine in generating and installing a self-signed certificate on the 
> server(s) but we now want to generate and sign using our CA.
>
> Does anybody have a set of instructions that would cover this case?
Do you have any instructions in general about generating cert requests 
and signing them with your CA?  If so, then they would mostly apply.  
You would use certutil to generate your CSR (certutil -R) for your 
server, then create the server cert on your CA from the server CSR, then 
install the new server cert in your server's key/cert db using certutil 
(certutil -A for an ascii/pem cert).
>
> In particular I would like to understand when the use of certutil is 
> mandatory and when it can be replaced with one or more openssl commands.
Anything which touches the key/cert databases (generate server cert 
request, add a cert) must use certutil.  The other operations can be 
done with openssl.
>
> Eventually I would like to be able to configure the server using the 
> setup-ds-admin script with a certificate already pre-generated by 
> openssl quoted as the CACertificate parameter.
That will work fine for the SSL client side of things.  But 
setup-ds-admin cannot generate a server cert request, wait for the new 
cert to be issued, and install the new server cert.
>
> One complication to all of this is that we need to assign a number of 
> SubjectAltNames to the certificates so that a server may have multiple 
> identities!
Sure.  When you generate your cert request using certutil -R, use the -8 
argument to specify the subject alt names.  See also 
http://directory.fedoraproject.org/wiki/Howto:SSL#Using_Subject_Alt_Name
>
> Regards, Howard
>
> -- 
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
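The certutil/openssl split described in the reply above, written out as an added example (not from the original thread or the 389/Fedora-ds project): the CSR and the cert import go through certutil because they touch the NSS key/cert database, signing goes through the OpenSSL CA. The instance directory, CA directory, CA config section name and host names are assumptions.

```shell
#!/bin/sh
# Added example: NSS db steps use certutil, CA signing uses openssl.
# Assumed paths; adjust to your instance and CA layout.
set -e
DBDIR="${DBDIR:-/etc/dirsrv/slapd-example}"   # assumed NSS key/cert db of the instance
CA_DIR="${CA_DIR:-./demoCA}"                  # assumed openssl ca directory

# certutil -8 wants a comma-separated list of DNS names; build it from
# whitespace-separated host names so each server identity becomes a SAN.
san_list() {
  echo "$*" | tr ' ' ','
}

# Step 1 (certutil only): key pair is created inside the NSS db and never
# leaves it; only the PEM request is written out. $1 is the primary host name,
# all arguments become subjectAltName DNS entries.
gen_csr() {
  certutil -R -d "$DBDIR" -s "CN=$1,O=Example Corp" \
    -8 "$(san_list "$@")" -g 2048 -a -o server.csr
}

# Step 2 (openssl is fine here): sign the request with the corporate CA.
# Caveat: openssl ca silently drops the SANs from the CSR unless the CA
# section of openssl.cnf has "copy_extensions = copy"; check the result.
sign_csr() {
  openssl ca -config "$CA_DIR/openssl.cnf" -in server.csr -out server.crt
  openssl x509 -in server.crt -noout -text | grep -q 'DNS:' \
    || { echo "no subjectAltName in issued cert (copy_extensions?)" >&2; return 1; }
}

# Step 3 (certutil only): import the CA cert as a trusted CA, then the
# server cert under the nickname the server config points at; verify the
# chain for SSL server usage (-u V) before restarting the server.
install_certs() {
  certutil -A -d "$DBDIR" -n "CA certificate" -t "CT,," -a -i "$CA_DIR/cacert.pem"
  certutil -A -d "$DBDIR" -n "Server-Cert" -t ",," -a -i server.crt
  certutil -V -d "$DBDIR" -n "Server-Cert" -u V
}
```

Run the three functions in order (for example `gen_csr ldap.example.com ldap-alt.example.com`, then `sign_csr`, then `install_certs`); the certificate nickname must match the one the server's SSL config references.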
