On 01/26/2011 10:50 AM, Tim Weichel wrote:
>
> I have successfully installed the intermediate CA certificates into
> the cert database and am no longer having an issue.
>
> The LDAP server is up and running with SSL now.
>
> To summarize my issues and resolution:
>
> The first issue I found was that I was not utilizing the proper
> intermediate certificates from VeriSign; this is based on the flavor
> of certificates you own.
>
> Please be sure you are utilizing the correct intermediate certs from
> your CA. This can be confusing, and since LDAP servers are not the main
> consumers of certificates they are not really listed. Mostly guidance
> for WWW servers is provided. Here are the certs I had to utilize:
>
> http://www.verisign.com/support/verisign-intermediate-ca/secure-site-intermediate/index.html
>
> I was using the bundled certificates and not the individual Primary
> and Secondary certs individually.
>
> But even after that change I was still having issues installing the
> certificates. Here is an example error:
>
> [root at ldap1 slapd-ldap1]# certutil -A -n VeriSign_Intermediate -t "CT,," -i /etc/dirsrv/slapd-ldap1/intermediate.crt -d /etc/dirsrv/slapd-ldap1
>
> certutil: could not obtain certificate from file: security library:
> improperly formatted DER-encoded message.

Give the -a flag; -a means the cert is ASCII, not binary DER. Looking at the web site above, the certificates encoded with -----BEGIN CERTIFICATE----- are ASCII encoded DER. The ASCII format is the same as PEM.

>
> The second issue is that I suspected that I needed to recreate the
> database (cert8.db); I assumed it must have been corrupted in some manner.

This is a different issue than the issue above?
>
> [root at ldap1 slapd-ldap1]#certutil -N -d /etc/dirsrv/slapd-ldap1
>
> Once I recreated the database I was able to successfully reinstall all
> of the certs with no issues using the following commands:
>
> [root at ldap1 slapd-ldap1]#pk12util -i /etc/dirsrv/slapd-ldap1/ldap1cert.p12 -d .
>
> [root at ldap1 slapd-ldap1]#certutil -A -n VeriSign_Intermediate -t "CT,," -i /etc/dirsrv/slapd-ldap1/intermediate.crt -d /etc/dirsrv/slapd-ldap1
>
> [root at ldap1 slapd-ldap1]#certutil -A -n VeriSign_Secondary -t "CT,," -i /etc/dirsrv/slapd-ldap1/secondary.crt -d /etc/dirsrv/slapd-ldap1

Very strange. I would not expect it to work if the .crt files are ASCII encoded, without using the -a flag, unless certutil has some sort of automatic detection.

>
> The LDAP server now starts with no certificate issues and binds over
> port 636.

Hooray!!

>
> Appreciate the response and anyone else who was contemplating my issue.
>
> I hope this helps someone else from making the same mistake I
> did.................Tim
>
> *From:* Tim Weichel
> *Sent:* Tuesday, January 25, 2011 5:08 PM
> *To:* '389-users at lists.fedoraproject.org'
> *Cc:* Identitysupport
> *Subject:* HOW TO INSTALL NEW INTERMEDIATE CA CERTIFICATES ON 389 DS
>
> All,
>
> I have installed 389 servers and am in the process of requesting new 4
> year SSL certificates for my servers. To do so VeriSign is only
> accepting 2048-bit and higher CSRs for 3 year certificates.
>
> No problem, I manually created a new CSR with 2048 bits using openssl,
> received my new cert from VeriSign and have installed it successfully.
>
> Now that I have the new cert installed and SSL configured and my
> pin.txt file in place, I find that upon start-up of the directory
> service the certificate will not properly verify and the startup fails.
>
> Based on the VeriSign advisory AD220
> (https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AD220)
> it appears that I need to update the directory server's VeriSign
> intermediate certificates in order to properly validate my new 2048
> cert upon startup.
>
> My new certificate also came with the following notice: In order for
> your VeriSign SSL Certificate to function properly, NEW Primary and
> Secondary VeriSign Intermediate CA Certificates must be installed.
>
> So has anyone actually updated or installed the new primary and
> secondary intermediate CA certificates?
>
> The usual methods of the certutil command and the Management Console
> wizard have all failed to install the intermediate CA bundle
> provided by VeriSign.
>
> Also I am not running Apache, I only have the 389 Management Console
> serving web for the servers.
>
> Thanks, appreciate your assistance. Love the list server, you guys
> ROCK!.........................Tim
>
>
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
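The two points raised in the reply above (a PEM file needs certutil's -a flag, and a bundle should be split into the individual Primary and Secondary certs) as an added example that is not part of this thread: a small Python check that sniffs a certificate file's encoding and cert count before building the certutil -A command. The sample certificate bytes are constructed, not real VeriSign certificates, and the DER check is only a structural sanity check, not full X.509 parsing.

```python
import base64
import re
import shlex

# Constructed sample inputs (not real certificates): a minimal DER
# SEQUENCE { INTEGER 5 } and the same bytes wrapped as a PEM block.
SAMPLE_DER = b"\x30\x03\x02\x01\x05"
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def der_looks_valid(data: bytes) -> bool:
    """X.509 certs are a DER SEQUENCE (tag 0x30) whose encoded length must
    match the bytes that follow; this catches PEM text passed as DER."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                       # short-form length
        length, hdr = first, 2
    else:                                  # long-form length, 1-4 bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return False
        length, hdr = int.from_bytes(data[2:2 + n], "big"), 2 + n
    return hdr + length == len(data)

def inspect_cert_file(data: bytes) -> dict:
    """Report encoding (pem/der/unknown), how many certs the file holds,
    and whether every cert body is a plausible DER SEQUENCE."""
    blocks = PEM_RE.findall(data)
    if blocks:
        bodies = [base64.b64decode(b"".join(b.split())) for b in blocks]
        return {"encoding": "pem", "count": len(bodies),
                "valid": all(der_looks_valid(b) for b in bodies)}
    if der_looks_valid(data):
        return {"encoding": "der", "count": 1, "valid": True}
    return {"encoding": "unknown", "count": 0, "valid": False}

def certutil_add_cmd(nickname: str, path: str, dbdir: str, data: bytes) -> str:
    """Build 'certutil -A', adding -a for PEM so certutil does not fail with
    'improperly formatted DER-encoded message'; refuse multi-cert bundles."""
    info = inspect_cert_file(data)
    if info["encoding"] == "unknown" or not info["valid"]:
        raise ValueError("%s is neither a PEM nor a DER certificate" % path)
    if info["count"] > 1:
        raise ValueError("%s holds %d certs: add each one separately under "
                         "its own nickname" % (path, info["count"]))
    cmd = ["certutil", "-A", "-n", nickname, "-t", "CT,,", "-i", path, "-d", dbdir]
    if info["encoding"] == "pem":
        cmd.insert(2, "-a")
    return " ".join(shlex.quote(c) for c in cmd)
```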