I had set up encryption on one of my test fds servers (1.1.2), generated a CAcert and a Server-Cert and turned on encryption. It all worked fine. I shut down fds, removed the Server-Cert and created a new Server-Cert with a few Subject Alt Name entries. I didn't import a p12 cert, I just used certutil to create a new cert in the database. I restarted the server and tested with ldapsearch -ZZ and it all still worked.

When I had a look in the log recently, I noticed these entries every time I restart the service.

[11/Sep/2008:15:11:18 +0000] - Fedora-Directory/1.1.2 B2008.253.1749 starting up
[11/Sep/2008:15:11:19 +0000] - attrcrypt_unwrap_key: failed to unwrap key for cipher AES
[11/Sep/2008:15:11:19 +0000] - Failed to retrieve key for cipher AES in attrcrypt_cipher_init
[11/Sep/2008:15:11:19 +0000] - Failed to initialize cipher AES in attrcrypt_init
[11/Sep/2008:15:11:19 +0000] - attrcrypt_unwrap_key: failed to unwrap key for cipher AES
[11/Sep/2008:15:11:19 +0000] - Failed to retrieve key for cipher AES in attrcrypt_cipher_init
[11/Sep/2008:15:11:19 +0000] - Failed to initialize cipher AES in attrcrypt_init
[11/Sep/2008:15:11:19 +0000] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[11/Sep/2008:15:11:19 +0000] - Listening on All Interfaces port 636 for LDAPS requests

Looking back to when I first turned on encryption, I see

[10/Sep/2008:19:41:20 +0000] - Fedora-Directory/1.1.2 B2008.253.1749 starting up
[10/Sep/2008:19:41:20 +0000] - No symmetric key found for cipher AES in backend userRoot, attempting to create one...
[10/Sep/2008:19:41:20 +0000] - Key for cipher AES successfully generated and stored
[10/Sep/2008:19:41:20 +0000] - No symmetric key found for cipher 3DES in backend userRoot, attempting to create one...
[10/Sep/2008:19:41:20 +0000] - Key for cipher 3DES successfully generated and stored
[10/Sep/2008:19:41:20 +0000] - No symmetric key found for cipher AES in backend NetscapeRoot, attempting to create one...
[10/Sep/2008:19:41:20 +0000] - Key for cipher AES successfully generated and stored
[10/Sep/2008:19:41:20 +0000] - No symmetric key found for cipher 3DES in backend NetscapeRoot, attempting to create one...
[10/Sep/2008:19:41:20 +0000] - Key for cipher 3DES successfully generated and stored
[10/Sep/2008:19:41:20 +0000] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[10/Sep/2008:19:41:20 +0000] - Listening on All Interfaces port 636 for LDAPS requests

So I'm wondering if I need to somehow reinit some of the encryption keys? Or maybe I missed a step for replacing a Server-Cert? But from the docs it looks like a straightforward turn off fds, remove old cert, create/import new cert (with same name), restart fds.

Ryan
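
An added example, not part of the original post and not Fedora Directory Server code: a log check that groups error-log entries by server startup and flags any startup where a cipher key generated in an earlier startup now fails to unwrap, the pattern visible in the two log excerpts above. The function names are hypothetical, and the sample input is an excerpt of the log lines quoted in the post.

```python
import re
from collections import Counter

# Excerpt of the error-log lines quoted in the post, one entry per line.
SAMPLE_LOG = """\
[10/Sep/2008:19:41:20 +0000] - Fedora-Directory/1.1.2 B2008.253.1749 starting up
[10/Sep/2008:19:41:20 +0000] - No symmetric key found for cipher AES in backend userRoot, attempting to create one...
[10/Sep/2008:19:41:20 +0000] - Key for cipher AES successfully generated and stored
[10/Sep/2008:19:41:20 +0000] - Key for cipher 3DES successfully generated and stored
[11/Sep/2008:15:11:18 +0000] - Fedora-Directory/1.1.2 B2008.253.1749 starting up
[11/Sep/2008:15:11:19 +0000] - attrcrypt_unwrap_key: failed to unwrap key for cipher AES
[11/Sep/2008:15:11:19 +0000] - Failed to initialize cipher AES in attrcrypt_init
[11/Sep/2008:15:11:19 +0000] - attrcrypt_unwrap_key: failed to unwrap key for cipher AES
[11/Sep/2008:15:11:19 +0000] - Failed to initialize cipher AES in attrcrypt_init
"""

LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] - (?P<msg>.*)$")
GENERATED = re.compile(r"Key for cipher (\S+) successfully generated and stored")
UNWRAP_FAIL = re.compile(r"attrcrypt_unwrap_key: failed to unwrap key for cipher (\S+)")

def summarize_startups(log_text):
    """Split an error log into server startups and tally attrcrypt key events."""
    startups = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg")
        if msg.endswith("starting up"):
            startups.append({"at": m.group("ts"), "generated": set(), "unwrap_failed": Counter()})
        elif startups and (g := GENERATED.search(msg)):
            startups[-1]["generated"].add(g.group(1))
        elif startups and (f := UNWRAP_FAIL.search(msg)):
            startups[-1]["unwrap_failed"][f.group(1)] += 1
    return startups

def unwrap_regressions(startups):
    """Report (startup time, cipher, failures) for keys generated earlier that no longer unwrap."""
    known, findings = set(), []
    for s in startups:
        findings += [(s["at"], c, n) for c, n in sorted(s["unwrap_failed"].items()) if c in known]
        known |= s["generated"]
    return findings

if __name__ == "__main__":
    for at, cipher, n in unwrap_regressions(summarize_startups(SAMPLE_LOG)):
        print(f"{at}: {n} unwrap failure(s) for {cipher}, key generated in an earlier startup")
```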