Proper way to generate a server certificate.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Chavez, James R. wrote:
> Rich , Thanks again,
>
> Do I email the log to the entire list?
>   
No
> Or can I shoot it to you?
>   
Yes - or just paste it to fpaste.org and email the link
> Thank you
> James 
>
> -----Original Message-----
> From: Rich Megginson [mailto:rmeggins at redhat.com] 
> Sent: Wednesday, January 28, 2009 4:03 PM
> To: Chavez, James R.
> Cc: General discussion list for the Fedora Directory server project.
> Subject: Re: Proper way to generate a server
> certificate.
>
> Chavez, James R. wrote:
>   
>> Rich,
>> Thank you again.
>> The GUI console will not allow me to get past the 3rd screen where it 
>> asks for a password to the internal software store..I enter the 
>> correct password and it just sits there. I know the pass is correct 
>> because from the command line the same pass works to access the store.
>> It will not go past. I have done this on various machines and it is 
>> the same result. Is there some kind of bug or needed software I need 
>> to have this function. All boxes are running.
>>   
>>     
> Try running fedora-idm-console -D 9 -f console.log email me the
> console.log also check the admin server error log -
> /var/log/dirsrv/admin-serv/error
>   
>> Fedora 9 and
>>
>> fedora-ds
>> version 1.1.1
>> Release 3.fc9
>>
>>
>> Also, I sent a cert request (CSR) to the needed Novell CA and had them
>> sign it and return it. 
>> I successfully imported it.
>> The server cert I imported shows as having a broken chain on the
>> certification path tab. And issued by null.
>> I am assuming this is due to not having imported the CA cert that
>>     
> issued
>   
>> this cert yet..Is that a valid assumption?
>>   
>>     
> Yes.
>   
>> Do I need the CA certificate in order to properly use this server cert
>> that was generated?
>>   
>>     
> Yes.
>   
>> Thank you
>> James
>>
>>
>>
>> -----Original Message-----
>> From: Rich Megginson [mailto:rmeggins at redhat.com] 
>> Sent: Wednesday, January 28, 2009 3:21 PM
>> To: Chavez, James R.
>> Cc: General discussion list for the Fedora Directory server project.
>> Subject: Re: Proper way to generate a server
>> certificate.
>>
>> Chavez, James R. wrote:
>>   
>>     
>>> Mr. Rich, you responded!!
>>> Thank you
>>>
>>> Thing is I generate a certificate request but am having issues 
>>> importing it...
>>> I generate a key and cert with.. 
>>> "openssl genrsa -des3 -out server.key 2048" for the key "openssl req 
>>> -new -key server.key -out server.csr"
>>> I send it to the Novell Admin and sends back a server.b64 file.
>>> I try and import it through the gui as a server cert and it fails 
>>> saying that.
>>>
>>> " Either the certificate is for another server or the certificate was
>>>       
>
>   
>>> not requested using this server and the selected security device 
>>> "internal (software)""
>>>
>>> I can import it as a CA cert but it shows as a broken chain and it is
>>>       
>
>   
>>> supposed to be server cert anyway.
>>>
>>> Any ideas on how to properly import this base 64 signed cert?
>>> Perhaps certutil or openssl commands?
>>>   
>>>     
>>>       
>> If you are going to generate a server cert request, and you are going
>>     
> to
>   
>> use the GUI, you should just use the GUI to generate the server cert
>> request.  Then you can submit that request to your CA and have it
>> generate the server cert, then you can use the GUI again to install
>>     
> your
>   
>> new server cert.  You will also need to install the CA cert using the
>> Fedora DS console GUI.
>>   
>>     
>>> Thank You
>>> James
>>>
>>> Openssl
>>> -----Original Message-----
>>> From: Rich Megginson [mailto:rmeggins at redhat.com]
>>> Sent: Wednesday, January 28, 2009 1:48 PM
>>> To: Chavez, James R.; General discussion list for the Fedora
>>>       
> Directory
>   
>>>     
>>>       
>>   
>>     
>>> server project.
>>> Subject: Re: Proper way to generate a server
>>>       
>
>   
>>> certificate.
>>>
>>> James Chavez wrote:
>>>   
>>>     
>>>       
>>>> Hello List,
>>>>
>>>> I am trying to setup SSL between an AD or edir box and my FDS box. 
>>>> I want to generate a server cert for the AD or edir box and import
>>>>         
> it
>   
>>>>       
>>>>         
>>   
>>     
>>>> into edir/AD and import the CA cert into AD/edir as well.
>>>>
>>>> What commands do i use to accomplish this.
>>>> Also what format does the cert need to be to successfully import
>>>>         
> into
>   
>>>>       
>>>>         
>>   
>>     
>>>> AD or edir.
>>>>
>>>> I have generated a self signed CA cert named "FDS CA"
>>>> exported with 
>>>> certutil -L -d . -n "FDS CA" -a > ca.asc   and
>>>> certutil -L -d . -n "FDS CA" -r > ca.der
>>>>
>>>>
>>>>
>>>> I have generated a server cert for the AD/edir box with
>>>>
>>>>  certutil -S -n "server-Cert" -s "cn=host.example.com" -c "FDS CA"
>>>>         
> -t
>   
>>>>       
>>>>         
>>   
>>     
>>>> "u,u,u" -m 3002 -v 120 -d . -z ./noise.txt -f ./pwdfile.txt
>>>>
>>>> And exported it with..
>>>> pk12util -d . -o /tmp/server-cert.p12 -n "server-Cert"
>>>>
>>>> I then send the CA cert in ascii and .der format along with the
>>>> server-cert.p12 to the admin but he gets errors below trying to 
>>>> import
>>>>     
>>>>       
>>>>         
>>>   
>>>     
>>>       
>>>> into edir.
>>>> Need help on this one please. 
>>>> ..
>>>>
>>>> -1240 FFFFFB28 PKI E PARSE CERTIFICATE
>>>>   
>>>>     
>>>>       
>>>>         
>>> I'm not sure, but why not just use Novell Certificate Server to 
>>> generate all of your server certs?
>>>   
>>>     
>>>       
>>>> Source
>>>>
>>>> Novell(r) Certificate Server
>>>>
>>>> Explanation
>>>>
>>>> Novell Certificate Server was unable to parse a certificate that has
>>>>         
>
>   
>>>> been stored or is being stored.
>>>>
>>>> Possible Cause
>>>>
>>>> The user attempted to store a certificate or a certificate chain
>>>>         
> with
>   
>>>>       
>>>>         
>>   
>>     
>>>> an invalid encoding into a Server Certificate object. The
>>>>         
> certificate
>   
>>>>       
>>>>         
>>   
>>     
>>>> or certificate chain obtained from the Certificate Authority is
>>>>     
>>>>       
>>>>         
>>> invalid.
>>>   
>>>     
>>>       
>>>> Action
>>>>
>>>> Perform the following operations:
>>>>
>>>>     * Contact the Certificate Authority that issued the server 
>>>> certificate to obtain the Certificate Authority's certificate.
>>>>     * Using ConsoleOne(r), view the Server Certificate object. Click
>>>>         
>
>   
>>>> Import.
>>>>     * Import the Certificate Authority's certificate as the trusted 
>>>> root.
>>>>     * Import the server's certificate as the object certificate.
>>>>
>>>> If the problem persists, contact the Certificate Authority.
>>>>
>>>>
>>>> Any body out there can help out please.
>>>>
>>>> Thanks
>>>> James
>>>>
>>>> CONFIDENTIALITY
>>>> This e-mail message and any attachments thereto, is intended only
>>>>         
> for
>   
>>>>     
>>>>       
>>>>         
>>> use by the addressee(s) named herein and may contain legally 
>>> privileged and/or confidential information. If you are not the 
>>> intended recipient of this e-mail message, you are hereby notified 
>>> that any dissemination, distribution or copying of this e-mail 
>>> message, and any attachments thereto, is strictly prohibited.  If you
>>>       
>
>   
>>> have received this e-mail message in error, please immediately notify
>>>       
>
>   
>>> the sender and permanently delete the original and any copies of this
>>>     
>>>       
>> email and any prints thereof.
>>   
>>     
>>>   
>>>     
>>>       
>>>> ABSENT AN EXPRESS STATEMENT TO THE CONTRARY HEREINABOVE, THIS E-MAIL
>>>>     
>>>>       
>>>>         
>>> IS NOT INTENDED AS A SUBSTITUTE FOR A WRITING.  Notwithstanding the 
>>> Uniform Electronic Transactions Act or the applicability of any other
>>>       
>
>   
>>> law of similar substance and effect, absent an express statement to 
>>> the contrary hereinabove, this e-mail message its contents, and any 
>>> attachments hereto are not intended to represent an offer or 
>>> acceptance to enter into a contract and are not otherwise intended to
>>>       
>
>   
>>> bind the sender, Sanmina-SCI Corporation (or any of its
>>>       
> subsidiaries),
>   
>>>     
>>>       
>>   
>>     
>>> or any other person or entity.
>>>   
>>>     
>>>       
>>>> --
>>>> Fedora-directory-users mailing list
>>>> Fedora-directory-users at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>>   
>>>>     
>>>>       
>>>>         
>>> CONFIDENTIALITY
>>> This e-mail message and any attachments thereto, is intended only for
>>>     
>>>       
>> use by the addressee(s) named herein and may contain legally
>>     
> privileged
>   
>> and/or confidential information. If you are not the intended recipient
>> of this e-mail message, you are hereby notified that any
>>     
> dissemination,
>   
>> distribution or copying of this e-mail message, and any attachments
>> thereto, is strictly prohibited.  If you have received this e-mail
>> message in error, please immediately notify the sender and permanently
>> delete the original and any copies of this email and any prints
>>     
> thereof.
>   
>>   
>>     
>>> ABSENT AN EXPRESS STATEMENT TO THE CONTRARY HEREINABOVE, THIS E-MAIL
>>>     
>>>       
>> IS NOT INTENDED AS A SUBSTITUTE FOR A WRITING.  Notwithstanding the
>> Uniform Electronic Transactions Act or the applicability of any other
>> law of similar substance and effect, absent an express statement to
>>     
> the
>   
>> contrary hereinabove, this e-mail message its contents, and any
>> attachments hereto are not intended to represent an offer or
>>     
> acceptance
>   
>> to enter into a contract and are not otherwise intended to bind the
>> sender, Sanmina-SCI Corporation (or any of its subsidiaries), or any
>> other person or entity.
>>   
>>     
>>>   
>>>     
>>>       
>> CONFIDENTIALITY
>> This e-mail message and any attachments thereto, is intended only for
>>     
> use by the addressee(s) named herein and may contain legally privileged
> and/or confidential information. If you are not the intended recipient
> of this e-mail message, you are hereby notified that any dissemination,
> distribution or copying of this e-mail message, and any attachments
> thereto, is strictly prohibited.  If you have received this e-mail
> message in error, please immediately notify the sender and permanently
> delete the original and any copies of this email and any prints thereof.
>   
>> ABSENT AN EXPRESS STATEMENT TO THE CONTRARY HEREINABOVE, THIS E-MAIL
>>     
> IS NOT INTENDED AS A SUBSTITUTE FOR A WRITING.  Notwithstanding the
> Uniform Electronic Transactions Act or the applicability of any other
> law of similar substance and effect, absent an express statement to the
> contrary hereinabove, this e-mail message its contents, and any
> attachments hereto are not intended to represent an offer or acceptance
> to enter into a contract and are not otherwise intended to bind the
> sender, Sanmina-SCI Corporation (or any of its subsidiaries), or any
> other person or entity.
>   
>>   
>>     
>
>
> CONFIDENTIALITY
> This e-mail message and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain legally privileged and/or confidential information. If you are not the intended recipient of this e-mail message, you are hereby notified that any dissemination, distribution or copying of this e-mail message, and any attachments thereto, is strictly prohibited.  If you have received this e-mail message in error, please immediately notify the sender and permanently delete the original and any copies of this email and any prints thereof.
> ABSENT AN EXPRESS STATEMENT TO THE CONTRARY HEREINABOVE, THIS E-MAIL IS NOT INTENDED AS A SUBSTITUTE FOR A WRITING.  Notwithstanding the Uniform Electronic Transactions Act or the applicability of any other law of similar substance and effect, absent an express statement to the contrary hereinabove, this e-mail message its contents, and any attachments hereto are not intended to represent an offer or acceptance to enter into a contract and are not otherwise intended to bind the sender, Sanmina-SCI Corporation (or any of its subsidiaries), or any other person or entity.
>   

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3258 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.fedoraproject.org/pipermail/389-users/attachments/20090128/06cfe27b/attachment.bin 


[Index of Archives]     [Fedora User Discussion]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora News]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora QA]     [Fedora Triage]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Yosemite Photos]     [Linux Apps]     [Maemo Users]     [Gnome Users]     [KDE Users]     [Fedora Tools]     [Fedora Art]     [Fedora Docs]     [Maemo Users]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Fedora ARM]

  Powered by Linux