On 4/06/2011 8:00 a.m., Rich Megginson wrote:
> On 06/03/2011 01:38 PM, solarflow99 wrote:
>> For self signed certs, as I understand it, the 389 supplier that has the CA
>> must create a server cert for the windows host? How can this cert be
>> exported/imported since windows doesn't use pk12util? Has anyone set this up,
>> and can say the steps on windows 2008? I see there are many options for
>> installing IIS and Microsoft CA.
> That's the easiest way to generate an SSL server cert for MS AD - Install MS CA
> as an Enterprise Root CA - it will automatically issue the AD server cert.
>
> Otherwise, look here http://directory.fedoraproject.org/wiki/Howto:WindowsSync -
> you can use mmc with the Certificates snap-in to import/export certs and pkcs12
> files.

The procedure to generate the certificate request is outlined here http://support.microsoft.com/default.aspx?scid=kb;en-us;321051 which is referenced from the howto Rich mentions.

Here's something that may catch you out. When you use certreq on the Windows server to generate a certificate request, it generates a corresponding key for that request (storing it in the Documents and Settings hierarchy). If for any reason, you need to generate another certificate, do NOT re-use the request file (the .req file) you already have, you have to generate a new request.

If, and only if, your windows domain is running at 2008 Functional level, the best place to put the CA certificate is in the NTDS service's certificate store (as outlined at the bottom of the Knowledge Base article above). Otherwise import it into the local computer account's personal store.

David.
>> Thanks,

--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
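An added example, not part of the original message: because each request carries its own key, one way to confirm that an issued certificate belongs to the request file you currently hold is to compare the public keys in the two files before importing. It assumes OpenSSL on an admin workstation rather than the Windows tools named in the thread; the file names, the CN and the self-signed stand-in for the CA are constructed sample data.

```shell
#!/bin/sh
# Added example: check that a certificate was issued for a given request file.

# Print the SHA-256 of the public key in a PKCS#10 request or X.509 certificate.
# $1 = "req" or "x509", $2 = file
pubkey_hash() {
    pem=$(openssl "$1" -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Succeed only if the certificate ($1) carries the same public key as the
# request ($2). An unreadable file counts as a mismatch.
cert_matches_req() {
    c=$(pubkey_hash x509 "$1") || return 1
    r=$(pubkey_hash req "$2") || return 1
    [ "$c" = "$r" ]
}

# Constructed sample data in directory $1: two requests, each with its own
# freshly generated key, and a certificate issued from the first request only
# (self-signed here as a stand-in for the CA).
make_sample() {
    for n in first second; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=dc1.example.test" \
            -keyout "$1/$n.key" -out "$1/$n.req" 2>/dev/null || return 1
    done
    openssl x509 -req -in "$1/first.req" -signkey "$1/first.key" -days 1 \
        -out "$1/issued.cer" 2>/dev/null
}

# Demonstration on the constructed files.
tmp=$(mktemp -d) && make_sample "$tmp"
for r in first second; do
    if cert_matches_req "$tmp/issued.cer" "$tmp/$r.req"; then
        echo "issued.cer matches $r.req"
    else
        echo "issued.cer does NOT match $r.req"
    fi
done
rm -rf "$tmp"
```
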