Emmanuel BILLOT wrote:
> Hi,
>
> I want to import a personal cert generated like this :
> * /usr/bin/openssl x509 -extfile .cfg -days 365 -CAserial ca.ser -CA
> ca.crt -CAkey ca.key -in toutou.csr -req -out toutou.crt
> I make a PKCS12 export :
> * /usr/bin/openssl pkcs12 -export -in toutou.crt -inkey toutou.key
> -certfile ca.crt -name "toutou" -caname "toutou" -out toutou.p12
> I introduce it in FDS db :
> * pk12util -d /etc/dirsrv/slapd-ldapnew -n "toutou" -i toutou.p12
> I check import :
> * certutil -L -d /etc/dirsrv/slapd-ldapnew
>
> I configure FDS to use SSL encryption with management console, and
> restart it.
> It fails with error :
>
> [27/Feb/2009:13:59:17 +0100] - SSL alert: CERT_VerifyCertificateNow:
> verify certificate failed for cert toutou of family
> cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8101
> - Certificate type not approved for application.)
> [27/Feb/2009:13:59:17 +0100] - SSL failure: None of the cipher are valid

Hints should be in "verify certificate failed" and "Certificate type not approved for application"

From a certutil -L verify you have the correct CA chain, and the correct trusted flags for both CA chain certs and server cert.

See:
http://directory.fedoraproject.org/wiki/Howto:SSL
http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_SSL-Using_certutil.html

M.

>
> What's wrong ?
> Is there any special option to give to openssl for generating cert ?
>
> BR,
>
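
Added example, not part of the original thread: one way to script the check suggested in the reply, reading the trust column of `certutil -L` output. The listings and the CA nickname "Example CA" are constructed, and the script assumes the CA needs `C` in its SSL trust field and the server certificate shows `u`.

```shell
#!/bin/sh
# Added example: check trust flags in `certutil -L` output (nicknames are constructed).
# On the host: check_trust "$(certutil -L -d /etc/dirsrv/slapd-ldapnew)" "<CA nickname>" toutou

# Constructed listing: the CA was imported without trust flags.
BAD_LISTING='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Example CA                                                   ,,
toutou                                                       u,u,u'

# Constructed listing: the CA is trusted for SSL (C = server certs, T = client certs).
GOOD_LISTING='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Example CA                                                   CT,,
toutou                                                       u,u,u'

# ssl_trust NICKNAME: read a listing on stdin, print the SSL trust field.
# Exit status 1 if the nickname is not listed. Nicknames may contain spaces.
ssl_trust() {
    awk -v nick="$1" '
        NF >= 2 && $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
            name = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", name)   # drop the trust column
            sub(/^[ \t]+/, "", name)
            if (name == nick) { split($NF, f, ","); print f[1]; found = 1 }
        }
        END { exit (found ? 0 : 1) }'
}

# check_trust LISTING CA_NICK SERVER_NICK
# Returns 0 if OK, 1 if a flag is missing, 2 if a nickname is not in the database.
check_trust() {
    ca=$(printf '%s\n' "$1" | ssl_trust "$2") || { echo "not found: $2"; return 2; }
    srv=$(printf '%s\n' "$1" | ssl_trust "$3") || { echo "not found: $3"; return 2; }
    rc=0
    case $ca in *C*) ;; *) echo "CA '$2' lacks C in SSL trust ('$ca')"; rc=1 ;; esac
    case $srv in *u*) ;; *) echo "'$3' lacks u, no private key ('$srv')"; rc=1 ;; esac
    return $rc
}

check_trust "$BAD_LISTING" "Example CA" toutou || true   # reports the untrusted CA
```

If the CA lacks `C`, `certutil -M -t "CT,," -n "<CA nickname>" -d <dir>` sets it. `certutil -V -u V -n toutou -d <dir>` then validates the certificate for SSL server use.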