Proper way to generate a server certificate.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Chavez, James R. wrote:
> Rich,
> Thank you again.
> The GUI console will not allow me to get past the 3rd screen where it
> asks for a password to the internal software store..I enter the correct
> password and it just sits there. I know the pass is correct because from
> the command line the same pass works to access the store.
> It will not go past. I have done this on various machines and it is the
> same result. Is there some kind of bug or needed software I need to have
> this function. All boxes are running.
>   
Try running fedora-idm-console -D 9 -f console.log
email me the console.log
also check the admin server error log - /var/log/dirsrv/admin-serv/error
> Fedora 9 and 
>
> fedora-ds 
> version 1.1.1
> Release 3.fc9 
>
>
> Also, I sent a cert request (CSR) to the needed Novell CA and had them
> sign it and return it. 
> I successfully imported it.
> The server cert I imported shows as having a broken chain on the
> certification path tab. And issued by null.
> I am assuming this is due to not having imported the CA cert that issued
> this cert yet..Is that a valid assumption?
>   
Yes.
> Do I need the CA certificate in order to properly use this server cert
> that was generated?
>   
Yes.
>
> Thank you
> James
>
>
>
> -----Original Message-----
> From: Rich Megginson [mailto:rmeggins at redhat.com] 
> Sent: Wednesday, January 28, 2009 3:21 PM
> To: Chavez, James R.
> Cc: General discussion list for the Fedora Directory server project.
> Subject: Re: Proper way to generate a server
> certificate.
>
> Chavez, James R. wrote:
>   
>> Mr. Rich, you responded!!
>> Thank you
>>
>> Thing is I generate a certificate request but am having issues 
>> importing it...
>> I generate a key and cert with.. 
>> "openssl genrsa -des3 -out server.key 2048" for the key "openssl req 
>> -new -key server.key -out server.csr"
>> I send it to the Novell Admin and sends back a server.b64 file.
>> I try and import it through the gui as a server cert and it fails 
>> saying that.
>>
>> " Either the certificate is for another server or the certificate was 
>> not requested using this server and the selected security device 
>> "internal (software)""
>>
>> I can import it as a CA cert but it shows as a broken chain and it is 
>> supposed to be server cert anyway.
>>
>> Any ideas on how to properly import this base 64 signed cert?
>> Perhaps certutil or openssl commands?
>>   
>>     
> If you are going to generate a server cert request, and you are going to
> use the GUI, you should just use the GUI to generate the server cert
> request.  Then you can submit that request to your CA and have it
> generate the server cert, then you can use the GUI again to install your
> new server cert.  You will also need to install the CA cert using the
> Fedora DS console GUI.
>   
>> Thank You
>> James
>>
>> Openssl
>> -----Original Message-----
>> From: Rich Megginson [mailto:rmeggins at redhat.com]
>> Sent: Wednesday, January 28, 2009 1:48 PM
>> To: Chavez, James R.; General discussion list for the Fedora Directory
>>     
>
>   
>> server project.
>> Subject: Re: Proper way to generate a server 
>> certificate.
>>
>> James Chavez wrote:
>>   
>>     
>>> Hello List,
>>>
>>> I am trying to setup SSL between an AD or edir box and my FDS box. 
>>> I want to generate a server cert for the AD or edir box and import it
>>>       
>
>   
>>> into edir/AD and import the CA cert into AD/edir as well.
>>>
>>> What commands do i use to accomplish this.
>>> Also what format does the cert need to be to successfully import into
>>>       
>
>   
>>> AD or edir.
>>>
>>> I have generated a self signed CA cert named "FDS CA"
>>> exported with 
>>> certutil -L -d . -n "FDS CA" -a > ca.asc   and
>>> certutil -L -d . -n "FDS CA" -r > ca.der
>>>
>>>
>>>
>>> I have generated a server cert for the AD/edir box with
>>>
>>>  certutil -S -n "server-Cert" -s "cn=host.example.com" -c "FDS CA" -t
>>>       
>
>   
>>> "u,u,u" -m 3002 -v 120 -d . -z ./noise.txt -f ./pwdfile.txt
>>>
>>> And exported it with..
>>> pk12util -d . -o /tmp/server-cert.p12 -n "server-Cert"
>>>
>>> I then send the CA cert in ascii and .der format along with the
>>> server-cert.p12 to the admin but he gets errors below trying to 
>>> import
>>>     
>>>       
>>   
>>     
>>> into edir.
>>> Need help on this one please. 
>>> ..
>>>
>>> -1240 FFFFFB28 PKI E PARSE CERTIFICATE
>>>   
>>>     
>>>       
>> I'm not sure, but why not just use Novell Certificate Server to 
>> generate all of your server certs?
>>   
>>     
>>> Source
>>>
>>> Novell(r) Certificate Server
>>>
>>> Explanation
>>>
>>> Novell Certificate Server was unable to parse a certificate that has 
>>> been stored or is being stored.
>>>
>>> Possible Cause
>>>
>>> The user attempted to store a certificate or a certificate chain with
>>>       
>
>   
>>> an invalid encoding into a Server Certificate object. The certificate
>>>       
>
>   
>>> or certificate chain obtained from the Certificate Authority is
>>>     
>>>       
>> invalid.
>>   
>>     
>>> Action
>>>
>>> Perform the following operations:
>>>
>>>     * Contact the Certificate Authority that issued the server 
>>> certificate to obtain the Certificate Authority's certificate.
>>>     * Using ConsoleOne(r), view the Server Certificate object. Click 
>>> Import.
>>>     * Import the Certificate Authority's certificate as the trusted 
>>> root.
>>>     * Import the server's certificate as the object certificate.
>>>
>>> If the problem persists, contact the Certificate Authority.
>>>
>>>
>>> Any body out there can help out please.
>>>
>>> Thanks
>>> James
>>>
>>> CONFIDENTIALITY
>>> This e-mail message and any attachments thereto, is intended only for
>>>     
>>>       
>> use by the addressee(s) named herein and may contain legally 
>> privileged and/or confidential information. If you are not the 
>> intended recipient of this e-mail message, you are hereby notified 
>> that any dissemination, distribution or copying of this e-mail 
>> message, and any attachments thereto, is strictly prohibited.  If you 
>> have received this e-mail message in error, please immediately notify 
>> the sender and permanently delete the original and any copies of this
>>     
> email and any prints thereof.
>   
>>   
>>     
>>> ABSENT AN EXPRESS STATEMENT TO THE CONTRARY HEREINABOVE, THIS E-MAIL
>>>     
>>>       
>> IS NOT INTENDED AS A SUBSTITUTE FOR A WRITING.  Notwithstanding the 
>> Uniform Electronic Transactions Act or the applicability of any other 
>> law of similar substance and effect, absent an express statement to 
>> the contrary hereinabove, this e-mail message its contents, and any 
>> attachments hereto are not intended to represent an offer or 
>> acceptance to enter into a contract and are not otherwise intended to 
>> bind the sender, Sanmina-SCI Corporation (or any of its subsidiaries),
>>     
>
>   
>> or any other person or entity.
>>   
>>     
>>> --
>>> Fedora-directory-users mailing list
>>> Fedora-directory-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>   
>>>     
>>>       
>> CONFIDENTIALITY
>> This e-mail message and any attachments thereto, is intended only for
>>     
> use by the addressee(s) named herein and may contain legally privileged
> and/or confidential information. If you are not the intended recipient
> of this e-mail message, you are hereby notified that any dissemination,
> distribution or copying of this e-mail message, and any attachments
> thereto, is strictly prohibited.  If you have received this e-mail
> message in error, please immediately notify the sender and permanently
> delete the original and any copies of this email and any prints thereof.
>   
>> ABSENT AN EXPRESS STATEMENT TO THE CONTRARY HEREINABOVE, THIS E-MAIL
>>     
> IS NOT INTENDED AS A SUBSTITUTE FOR A WRITING.  Notwithstanding the
> Uniform Electronic Transactions Act or the applicability of any other
> law of similar substance and effect, absent an express statement to the
> contrary hereinabove, this e-mail message its contents, and any
> attachments hereto are not intended to represent an offer or acceptance
> to enter into a contract and are not otherwise intended to bind the
> sender, Sanmina-SCI Corporation (or any of its subsidiaries), or any
> other person or entity.
>   
>>   
>>     
>
>
> CONFIDENTIALITY
> This e-mail message and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain legally privileged and/or confidential information. If you are not the intended recipient of this e-mail message, you are hereby notified that any dissemination, distribution or copying of this e-mail message, and any attachments thereto, is strictly prohibited.  If you have received this e-mail message in error, please immediately notify the sender and permanently delete the original and any copies of this email and any prints thereof.
> ABSENT AN EXPRESS STATEMENT TO THE CONTRARY HEREINABOVE, THIS E-MAIL IS NOT INTENDED AS A SUBSTITUTE FOR A WRITING.  Notwithstanding the Uniform Electronic Transactions Act or the applicability of any other law of similar substance and effect, absent an express statement to the contrary hereinabove, this e-mail message its contents, and any attachments hereto are not intended to represent an offer or acceptance to enter into a contract and are not otherwise intended to bind the sender, Sanmina-SCI Corporation (or any of its subsidiaries), or any other person or entity.
>   

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3258 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.fedoraproject.org/pipermail/389-users/attachments/20090128/d2395032/attachment.bin 


[Index of Archives]     [Fedora User Discussion]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora News]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora QA]     [Fedora Triage]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Yosemite Photos]     [Linux Apps]     [Maemo Users]     [Gnome Users]     [KDE Users]     [Fedora Tools]     [Fedora Art]     [Fedora Docs]     [Maemo Users]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Fedora ARM]

  Powered by Linux