Re: Want to change the hostname of my 389-box. Is there an easy way to fix the cert?

Hi Alberto & 389ers,

I've put this issue on the side for three weeks, now I have holidays and want to get to it…

There are still some open questions:

1) The -d . option: Where is "."? I ran the commands below with .=/etc/dirsrv/slapd-<mydirsrvname>

When I do that, steps 5 and 6 fail, because /etc/dirsrv/admin-serv/adminserver.p12 does not exist. So I simply left the P12 files in /etc/dirsrv/slapd-<mydirsrvname> and switched directories with "cd ../admin-serv" and imported there like this:

pk12util -d . -i /etc/dirsrv/slapd-<mydirsrvname>/Admin_Server.p12 -n "Admin_Server_cert_label" -w /etc/dirsrv/slapd-<mydirsrvname>/pwdfile.txt -k /etc/dirsrv/slapd-<mydirsrvname>/pwdfile.txt (Admin server)

and

pk12util -d . -i /etc/dirsrv/slapd-<mydirsrvname>/DS_Server.p12 -n "DS_Server_cert_label" -w /etc/dirsrv/slapd-<mydirsrvname>/pwdfile.txt -k /etc/dirsrv/slapd-<mydirsrvname>/pwdfile.txt

(Could it be that step 6 below is wrong? You're simply importing the admin cert again instead of the DS cert.)

That appears to have worked. But: were my assumptions with switching "." correct?

2) Where do I find the certificate that I need to distribute to all my client machines? Or do I first need to generate it resp. extract it? If so: how would I do that?

Sorry if I appear a bit picky here, but dealing with certificates is like open heart surgery for me. I'm far away from being as relaxed as you certificate expert superheroes ;)

Cheers,
Ray

On 19.09.2012 10:34, Alberto Suárez wrote:
Hi Ray,

Yes, those are strings you choose to name the certificates. I should
have written "CA_cert_label" instead of "AC_cert_label", sorry about
that...

All those labels are chosen by you when generating each certificate.
If you followed the setupssl2.sh script, it should be "CA certificate"
for the CA (see line 114 in
https://github.com/richm/scripts/blob/master/setupssl2.sh). If you
generated with certutil yourself, it should be the string used after
"-n". If you are generating new certs for DS and Admin server you
could use the string you wish (in the script "Server-Cert" is used for
DS, see line 131, and "server-cert" for Admin server, see line 137).

Alberto

Ray wrote:
Hi Alberto,

thanks for the instructions. I have two more questions:

1) The labels DS_Server_cert_label and Admin_Server_cert_label are
completely my choice, right?

2) How about the AC_cert_label though? Where does that come from?

Cheers,
Ray

On 18.09.2012 11:56, Alberto Suárez wrote:
If you have trouble with the script, try this:

1. Produce the new DS server certificate:

certutil -S -n "DS_Server_cert_label" \
  -s "cn=myhost.myorg.example.com" -c "AC_cert_label" \
  -t "u,u,u" -m 1001 -v 120 -d . -k rsa \
  -f /etc/dirsrv/slapd-myhost/pwdfile.txt

2. Export it to p12 format:

pk12util -d . -o directoryserver.p12 -n "DS_Server_cert_label" \
  -w /etc/dirsrv/slapd-myhost/pwdfile.txt \
  -k /etc/dirsrv/slapd-myhost/pwdfile.txt

3. Produce the new Admin server certificate:

certutil -S -n "Admin_Server_cert_label" \
  -s "cn=myhost.myorg.example.com,ou=389 Administration Server" \
  -c "AC_cert_label" -t "u,u,u" -m 1002 -v 120 -d /etc/dirsrv/slapd-myhost \
  -k rsa -f /etc/dirsrv/slapd-myhost/pwdfile.txt

4. Export it to p12 format:

pk12util -d . -o adminserver.p12 -n "Admin_Server_cert_label" \
  -w /etc/dirsrv/slapd-myhost/pwdfile.txt \
  -k /etc/dirsrv/slapd-myhost/pwdfile.txt

5. Import into Admin server database:

pk12util -d . -i /etc/dirsrv/admin-serv/adminserver.p12 \
  -n "Admin_Server_cert_label" -w /etc/dirsrv/slapd-myhost/pwdfile.txt \
  -k /etc/dirsrv/slapd-myhost/pwdfile.txt

6. Now import the DS cert into the Admin server's database:

pk12util -d . -i /etc/dirsrv/admin-serv/adminserver.p12 \
  -n "Admin_Server_cert_label" -w /etc/dirsrv/slapd-myhost/pwdfile.txt \
  -k /etc/dirsrv/slapd-myhost/pwdfile.txt

7. In "Manage certificates" window, replace the old DS cert by the new
one.

Hope this helps,

Alberto
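Added example, not Alberto's commands and not part of 389's own tooling: the same seven steps as one sh script that spells out which NSS database each command runs against (the "where is -d ." question), checks that the new certificates actually carry the new hostname, and exports the CA certificate, which is what clients need to trust. The instance name, hostname, CA nickname, serial numbers and noise-file path are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). Every certutil/pk12util call names its
# NSS database directory explicitly instead of relying on "-d ." and the cwd.
# INSTANCE, NEWHOST, CA_NICK, serials and NOISE are assumed placeholders.
INSTANCE="${INSTANCE:-myhost}"
NEWHOST="${NEWHOST:-myhost.myorg.example.com}"
DS_DB="/etc/dirsrv/slapd-${INSTANCE}"   # DS NSS db (cert8.db/key3.db); the CA key lives here
ADMIN_DB="/etc/dirsrv/admin-serv"        # the Admin Server keeps its own NSS db
PWDFILE="${DS_DB}/pwdfile.txt"
CA_NICK="${CA_NICK:-CA certificate}"     # CA nickname; "CA certificate" is setupssl2.sh's default
NOISE="${DS_DB}/noise.bin"               # seed file for key generation (certutil -z)
RUN="${RUN:-}"                           # RUN=echo prints the commands instead of running them

issue_cert() {   # issue_cert <nickname> <subject> <serial>: new cert signed by the CA in DS_DB
  $RUN certutil -S -d "$DS_DB" -n "$1" -s "$2" -c "$CA_NICK" -t "u,u,u" \
       -m "$3" -v 120 -k rsa -z "$NOISE" -f "$PWDFILE"
}
export_p12() {   # export_p12 <nickname> <file>: cert + private key out of DS_DB as PKCS#12
  $RUN pk12util -d "$DS_DB" -o "$2" -n "$1" -w "$PWDFILE" -k "$PWDFILE"
}
import_p12() {   # import_p12 <file>: into ADMIN_DB; the nickname stored in the .p12 is kept
  $RUN pk12util -d "$ADMIN_DB" -i "$1" -w "$PWDFILE" -k "$PWDFILE"
}
check_subject() { # check_subject <dbdir> <nickname>: fail unless the cert's subject names NEWHOST
  certutil -L -d "$1" -n "$2" | grep -q "CN=${NEWHOST}"
}
export_ca_pem() { # export_ca_pem <file>: CA cert as PEM, the one to distribute to clients
  $RUN certutil -L -d "$DS_DB" -n "$CA_NICK" -a > "$1"
}

renew_all() {
  $RUN dd if=/dev/urandom of="$NOISE" bs=1024 count=1   # do not pass /dev/urandom to -z directly
  issue_cert "DS_Server_cert_label"    "cn=${NEWHOST}" 1001
  issue_cert "Admin_Server_cert_label" "cn=${NEWHOST},ou=389 Administration Server" 1002
  export_p12 "DS_Server_cert_label"    "${DS_DB}/DS_Server.p12"
  export_p12 "Admin_Server_cert_label" "${DS_DB}/Admin_Server.p12"
  import_p12 "${DS_DB}/Admin_Server.p12"   # the Admin Server's own cert
  import_p12 "${DS_DB}/DS_Server.p12"      # the DS cert, so the console can reach DS over TLS
  [ -n "$RUN" ] || check_subject "$DS_DB"    "DS_Server_cert_label"
  [ -n "$RUN" ] || check_subject "$ADMIN_DB" "Admin_Server_cert_label"
  export_ca_pem "${DS_DB}/cacert.pem"
}
# Only act when invoked as: sh renew-certs.sh run  (sourcing the file just defines the functions)
case "${1:-}" in run) renew_all ;; esac
```

After the run, the DS certificate still has to be selected in the console's "Manage certificates" window and both services restarted; cacert.pem is the file to copy to the clients' trust stores.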

Ray wrote:
Hi,

I am running a 389 box with TLS enabled. Now I would like to change the hostname, which would render the current certificate invalid. Is there
an easy way to create a new certificate with the new hostname?

Cheers,
Ray


--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
