Re: Want to change the hostname of my 389-box. Is there an easy way to fix the cert?

[Alberto Suárez <asuapaz@xxxxxxxxxxxxxxxxxxxxxx>]

Hi Ray,

Ys, those are strings you choose to name the certificates. I should have 
written "CA_cert_label" instead of "AC_cert_label", sorry about that...

All those lables are chosen by you when generating each certificate. If 
you followed the setupssl2.sh script, it should be "CA certificate" for 
the CA (see line 114 in 
https://github.com/richm/scripts/blob/master/setupssl2.sh). If you 
generated with certutil yourself, it should be the string used after 
"-n". If you are generating new certs for DS and Admin server you could 
use the string you wish (in the script "Server-Cert" is used for DS, see 
line 131, and "server-cert" for Admin server, see line 137).

Alberto

Ray wrote:
> Hi Alberto,
>
> thanks for the instructions. I have two more questions:
>
> 1) The labels DS_Server_cert_label and Admin_Server_cert_label are
> completely my choice, right?
>
> 2) How about the AC_cert_label though? Where does that come from?
>
> Cheers,
> Ray
>
> Am 18.09.2012 11:56, schrieb Alberto Suárez:
> > If you have toruble with the script, try this:
> >
> > 1. Produce the new DS server certificate:
> >
> > certutil -S -n "DS_Server_cert_label"
> > -s "cn=myhost.myorg.example.com” -c “AC_cert_label”
> > -t “u,u,u” -m 1001 -v 120 -d . -k rsa -f
> > /etc/dirsrv/slapd-myhost/pwdfile.txt
> >
> > 2. Export it to p12 format:
> >
> > pk12util -d . -o directoryserver.p12 -n “DS_Server_cert_label"
> > -w /etc/dirsrv/slapd-myhost/pwdfile.txt -k
> > /etc/dirsrv/slapd-myhost/pwdfile.txt
> >
> > 3. Produce the new Admin server certificate:
> >
> > certutil -S -n "Admin_Server_cert_label"
> > -s "cn=myhost.myorg.example.com,ou=389 Administration Server” -c
> > “AC_cert_label” -t “u,u,u” -m 1002 -v 120 -d /etc/dirsrv/slapd-myhost
> > -k rsa -f /etc/dirsrv/slapd-myhost/pwdfile.txt
> >
> > 4. Export it to p12 format:
> >
> > pk12util -d . -o adminserver.p12 -n “Admin_Server_cert_label"
> > -w /etc/dirsrv/slapd-myhost/pwdfile.txt -k
> > /etc/dirsrv/slapd-myhost/pwdfile.txt
> >
> > 5. Import into Admin server database:
> >
> > pk12util -d . -i /etc/dirsrv/admin-serv/adminserver.p12 -n
> > “Admin_Server_cert_label" -w /etc/dirsrv/slapd-myhost/pwdfile.txt -k
> > /etc/dirsrv/slapd-myhost/pwdfile.txt
> >
> > 6. Now import DS cert into Admin server's database
> >
> > pk12util -d . -i /etc/dirsrv/admin-serv/adminserver.p12 -n
> > “Admin_Server_cert_label" -w /etc/dirsrv/slapd-myhost/pwdfile.txt -k
> > /etc/dirsrv/slapd-myhost/pwdfile.txt
> >
> > 7. In "Manage certificates" window, replace the old DS cert by the new
> > one.
> >
> > Hope this helps,
> >
> > Alberto
> >
> > Ray wrote:
> > > Hi,
> > >
> > > I am running a 389 box with TLS enabled. Now I would like to change the
> > > hostname, which would render the current certificate invalid. Is there
> > > an easy way to create a new certificate with the new hostname?
> > >
> > > Cheers,
> > > Ray
> > >
> > >
> > > --
> > > 389 users mailing list
> > > 389-users@xxxxxxxxxxxxxxxxxxxxxxx
> > > https://admin.fedoraproject.org/mailman/listinfo/389-users
>
> .
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users