Re: Want to change the hostname of my 389-box. Is there an easy way to fix the cert?

[Alberto Suárez <asuapaz@xxxxxxxxxxxxxxxxxxxxxx>]

Hi! Please, excuse me for confusing you. I'll try to give you the right 
instructions now.

For details about using certutil, please see 
http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html. 
For details about using pk12util, please see 
http://www.mozilla.org/projects/security/pki/nss/tools/pk12util.html

These should be the right steps:

1.Produce the new DS server certificate:

certutil -S -n "DS_Server_cert_label" -s "cn=myhost.myorg.example.com” 
-c “CA_cert_label” -t “u,u,u” -m 1001 -v 120
-d /etc/dirsrv/slapd-myhost -k rsa
-f /etc/dirsrv/slapd-myhost/pwdfile.txt

2. Export it to p12 format:

pk12util -d /etc/dirsrv/slapd-myhost
-o /etc/dirsrv/slapd-myhost/directoryserver.p12
-n “DS_Server_cert_label"
-w /etc/dirsrv/slapd-myhost/pwdfile.txt
-k /etc/dirsrv/slapd-myhost/pwdfile.txt

3. Produce the new Admin server certificate:

certutil -S -n "Admin_Server_cert_label"
-s "cn=myhost.myorg.example.com,ou=389 Administration Server”
-c “CA_cert_label” -t “u,u,u” -m 1002 -v 120 -d /etc/dirsrv/slapd-myhost
-k rsa -f /etc/dirsrv/slapd-myhost/pwdfile.txt

Note that the Admin Server's certificate is stored in the Directory 
Server's certs database (/etc/dirsrv/slapd-myhost/cert8.db)

4. Export it to p12 format:

pk12util -d /etc/dirsrv/slapd-myhost
-o /etc/dirsrv/admin-serv/adminserver.p12 -n “Admin_Server_cert_label"
-w /etc/dirsrv/slapd-myhost/pwdfile.txt
-k /etc/dirsrv/slapd-myhost/pwdfile.txt

5. Import into Admin server database:

pk12util -d /etc/dirsrv/admin-serv
-i /etc/dirsrv/admin-serv/adminserver.p12 -n “Admin_Server_cert_label"
-w /etc/dirsrv/slapd-myhost/pwdfile.txt
-k /etc/dirsrv/slapd-myhost/pwdfile.txt

6. Now import DS cert into Admin server's database:

pk12util -d /etc/dirsrv/admin-serv -i 
/etc/dirsrv/slapd-myhost/directoryserver.p12 -n “DS_Server_cert_label"
-w /etc/dirsrv/slapd-myhost/pwdfile.txt
-k /etc/dirsrv/slapd-myhost/pwdfile.txt

I did not need to distribute any cert (in my case i am using 389 as a 
backend to samba, both sitting on the same machine). I think that the 
protocol takes care of whatever is needed. If using start_tls, the 
connection is first established over a non secured channel and then 
negotiations start in order to change to a secured one.

Cheers,

Alberto






Ray wrote:
> Hi Alberto & 389ers,
>
> I've put this issue on the side for three weeks, now I have holidays and
> want to get to it…
>
> There are still dome open questions:
>
> 1) The -d . option: Where is "."? I ran the commands below with
> .=/etc/dirsrv/slapd-<mydirsrvname>

"-d" stands for the path to the directory containing the certificate and 
key database files (cert8.db and key3.db). You should replace "." for 
whatever that path is in your environment. The substitution you have 
done seems correct.

> When I do that, steps 5 and 6 fail, because
> /etc/dirsrv/admin-serv/adminserver.p12 does not exist. So I simply left
> the P12 files in /etc/dirsrv/slapd-<mydirsrvname> and switched
> directories with "cd ../admin-serv" and imported there like this:
>
> pk12util -d . -i /etc/dirsrv/slapd-<mydirsrvname>/Admin_Server.p12 -n
> "Admin_Server_cert_label" -w
> /etc/dirsrv/slapd-<mydirsrvname>/pwdfile.txt -k
> /etc/dirsrv/slapd-<mydirsrvname>/pwdfile.txt (Admin server)
>
> and
>
> pk12util -d . -i /etc/dirsrv/slapd-<mydirsrvname>/DS_Server.p12 -n
> "DS_Server_cert_label" -w /etc/dirsrv/slapd-<mydirsrvname>/pwdfile.txt
> -k /etc/dirsrv/slapd-<mydirsrvname>/pwdfile.txt
>
> (Could it be that Step 6 below is wrong?: You're simply importing the
> admin cert again instead of the DS cert)

Adminserver.p12 and
> That appears to have worked. But: were my assumptions with switching "."
> correct?
>
> 2) Where do I find the certificate that I need to distribute to all my
> client machines? Or do I first need to generate it resp. extract it? If
> so: how would I do that?
>
> Sorry if I'm appear a bit picky here but dealing with certificates is
> like open heart surgery for me. I'm far away from being as relaxed as
> you certificate expert superheros ;)
>
> Cheers,
> Ray
>
> Am 19.09.2012 10:34, schrieb Alberto Suárez:
> > Hi Ray,
> >
> > Ys, those are strings you choose to name the certificates. I should
> > have written "CA_cert_label" instead of "AC_cert_label", sorry about
> > that...
> >
> > All those lables are chosen by you when generating each certificate.
> > If you followed the setupssl2.sh script, it should be "CA certificate"
> > for the CA (see line 114 in
> > https://github.com/richm/scripts/blob/master/setupssl2.sh). If you
> > generated with certutil yourself, it should be the string used after
> > "-n". If you are generating new certs for DS and Admin server you
> > could use the string you wish (in the script "Server-Cert" is used for
> > DS, see line 131, and "server-cert" for Admin server, see line 137).
> >
> > Alberto
> >
> > Ray wrote:
> > > Hi Alberto,
> > >
> > > thanks for the instructions. I have two more questions:
> > >
> > > 1) The labels DS_Server_cert_label and Admin_Server_cert_label are
> > > completely my choice, right?
> > >
> > > 2) How about the AC_cert_label though? Where does that come from?
> > >
> > > Cheers,
> > > Ray
> > >
> > > Am 18.09.2012 11:56, schrieb Alberto Suárez:
> > > > If you have toruble with the script, try this:
> > > >
> > > > 1. Produce the new DS server certificate:
> > > >
> > > > certutil -S -n "DS_Server_cert_label"
> > > > -s "cn=myhost.myorg.example.com” -c “AC_cert_label”
> > > > -t “u,u,u” -m 1001 -v 120 -d . -k rsa -f
> > > > /etc/dirsrv/slapd-myhost/pwdfile.txt
> > > >
> > > > 2. Export it to p12 format:
> > > >
> > > > pk12util -d . -o directoryserver.p12 -n “DS_Server_cert_label"
> > > > -w /etc/dirsrv/slapd-myhost/pwdfile.txt -k
> > > > /etc/dirsrv/slapd-myhost/pwdfile.txt
> > > >
> > > > 3. Produce the new Admin server certificate:
> > > >
> > > > certutil -S -n "Admin_Server_cert_label"
> > > > -s "cn=myhost.myorg.example.com,ou=389 Administration Server” -c
> > > > “AC_cert_label” -t “u,u,u” -m 1002 -v 120 -d /etc/dirsrv/slapd-myhost
> > > > -k rsa -f /etc/dirsrv/slapd-myhost/pwdfile.txt
> > > >
> > > > 4. Export it to p12 format:
> > > >
> > > > pk12util -d . -o adminserver.p12 -n “Admin_Server_cert_label"
> > > > -w /etc/dirsrv/slapd-myhost/pwdfile.txt -k
> > > > /etc/dirsrv/slapd-myhost/pwdfile.txt
> > > >
> > > > 5. Import into Admin server database:
> > > >
> > > > pk12util -d . -i /etc/dirsrv/admin-serv/adminserver.p12 -n
> > > > “Admin_Server_cert_label" -w /etc/dirsrv/slapd-myhost/pwdfile.txt -k
> > > > /etc/dirsrv/slapd-myhost/pwdfile.txt
> > > >
> > > > 6. Now import DS cert into Admin server's database
> > > >
> > > > pk12util -d . -i /etc/dirsrv/admin-serv/adminserver.p12 -n
> > > > “Admin_Server_cert_label" -w /etc/dirsrv/slapd-myhost/pwdfile.txt -k
> > > > /etc/dirsrv/slapd-myhost/pwdfile.txt
> > > >
> > > > 7. In "Manage certificates" window, replace the old DS cert by the new
> > > > one.
> > > >
> > > > Hope this helps,
> > > >
> > > > Alberto
> > > >
> > > > Ray wrote:
> > > > > Hi,
> > > > >
> > > > > I am running a 389 box with TLS enabled. Now I would like to change
> > > > > the
> > > > > hostname, which would render the current certificate invalid. Is there
> > > > > an easy way to create a new certificate with the new hostname?
> > > > >
> > > > > Cheers,
> > > > > Ray
> > > > >
> > > > >
> > > > > --
> > > > > 389 users mailing list
> > > > > 389-users@xxxxxxxxxxxxxxxxxxxxxxx
> > > > > https://admin.fedoraproject.org/mailman/listinfo/389-users
> > >
> > > .
>
> .
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users