Hi,
I have done this (do not take it as a good example - best would be IF you
can test it somehow... in any case, do a full backup of the
/etc/dirsrv/${INSTANCE} directory once your LDAP server is down, so at
least you can revert the changes).
Use this at your own risk (unless someone confirms the procedure, because it
might be that I didn't update the docs completely) !!!
The next steps assume that you can take the superuser role and use it!
$ cd /etc/dirsrv/
$ INSTANCE=$(ls -1d slapd-*)
$ cd ${INSTANCE}
# Check for existing certificate(s) and remove ALL expired
$ certutil -L -d . # this will list those, and you can delete with:
$ certutil -D -d . -n <cert1>
$ certutil -D -d . -n <cert2> # ... etc
# Create a p12 of the new certificate (set a password for the p12 export) and
# import the p12 using the combination of the NSS DB pin and the p12 export password:
$ cat pin.txt
$ openssl pkcs12 -export -inkey /tmp/newcert.key -in /tmp/newcert.crt \
    -out /tmp/newcert.p12 -nodes -name newCertLDAPname
# (note: -nodes only matters when parsing a p12; with -export it is a no-op)
$ pk12util -i /tmp/newcert.p12 -d .
# Import the CA bundle too:
$ certutil -d $(pwd) -A -n "newCertLDAPnameCA" -t CT,, -a -i /tmp/newcert.ca-bundle
# Restart instance (redhat style):
$ service dirsrv restart
As I have mentioned earlier, it would be nice if you could test this first.
Regards.
On 03/11/14 12:30 PM, Maurizio Marini wrote:
Hello
I have this very old installation:
389-ds-1.1.3-5.fc12.noarch
389-ds-console-doc-1.2.0-5.fc12.noarch
389-ds-base-1.2.5-1.fc12.i686
389-ds-console-1.2.0-5.fc12.noarch
389-console-1.1.3-5.fc12.noarch
389-admin-console-1.1.4-2.fc12.noarch
389-dsgw-1.1.4-1.fc12.i686
389-admin-console-doc-1.1.4-2.fc12.noarch
389-adminutil-1.1.8-4.fc12.i686
389-admin-1.1.10-1.fc12.i686
on an old FC12.
Now the certs under /etc/httpd/alias are expired:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 3 (0x3)
        Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
        Issuer: "CN=Certificate Shack,O=example.com,C=US"
        Validity:
            Not Before: Mon Mar 01 10:50:54 2010
            Not After : Sat Mar 01 10:50:54 2014
        Subject: "CN=localhost4.localdomain4,O=example.com,C=US"
and I have this error in the log:
[error] SSL Library Error: -8181 Certificate has expired
Then it suggests:
"Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the
problem can be resolved."
I did, and it works.
Now I wonder how can I renew that expired cert.
I have googled around but I have not found any simple way to re-create the cert.
I find this
http://directory.fedoraproject.org/wiki/Howto:SSL
but it is not so easy to regenerate an expired certificate.
Is there something simpler?
Can you help me?
My best regards
Maurizio
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
--
Predrag Zečević, Technical Support Analyst, 2e Systems GmbH
Telephone: +49 6196 9505 815, Facsimile: +49 6196 9505 894
Mobile: +49 174 3109 288, Skype: predrag.zecevic
E-mail: predrag.zecevic@xxxxxxxxxxxxxx
Headquarter: 2e Systems GmbH, Königsteiner Str. 87,
65812 Bad Soden am Taunus, Germany
Company registration: Amtsgericht Königstein (Germany), HRB 7303
Managing director: Phil Douglas
http://www.2e-systems.com/ - Making your business fly!
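The renewal steps from the reply above, as an added scripted example (this is not code from the original mails or from the 389-ds project). It adds the checks an operator would want before restarting a production directory: a backup of the NSS directory first, expired certificates found by parsing certutil's "Not After" line instead of by eye, the new certificate imported under the nickname the server is already configured to use (so dse.ldif does not need editing), and `certutil -V -u V` run before the restart, which is the same validation the server performs at startup. The instance directory, the `Server-Cert` nickname, the script name `renew-nss-cert.sh`, and the `Internal (Software) Token:<password>` layout of pin.txt are assumptions; GNU date, certutil, pk12util and openssl are assumed to be installed.

```shell
#!/bin/sh
# Added example, not code from the original mail or from the 389-ds project.
# Scripted form of the renewal steps with the checks an admin wants:
# a backup first, expiry detected from certutil output instead of by eye,
# the new cert imported under the nickname the server already uses, and
# certutil -V run before the restart. Assumed: GNU date, NSS tools
# (certutil, pk12util), openssl; NSSDIR, NICK and the pin.txt layout
# ("Internal (Software) Token:<password>") are assumptions.
set -eu

NSSDIR="${NSSDIR:-/etc/dirsrv/slapd-example}"  # assumed; /etc/httpd/alias works the same way
NICK="${NICK:-Server-Cert}"                    # nickname named by nsSSLPersonalitySSL in dse.ldif

# Pull the "Not After : Sat Mar 01 10:50:54 2014" date out of certutil -L -n output.
not_after() {
    sed -n 's/^[[:space:]]*Not After *: *//p' | head -n 1
}

# True (exit 0) when a certutil "Not After" date lies in the past. GNU date assumed.
is_expired() {
    [ "$(date -d "$1" +%s)" -lt "$(date +%s)" ]
}

# Turn a certutil -L listing into one nickname per line. The listing has a
# two-line header and a blank line; nicknames may contain spaces, so strip
# the trailing trust-flag column rather than cutting on whitespace.
parse_nicknames() {
    sed -n '4,$p' | sed -e 's/[[:space:]]\{2,\}[A-Za-z,]*$//' -e '/^$/d'
}

# Print every nickname in the DB whose certificate has already expired.
expired_nicknames() {
    certutil -L -d "$NSSDIR" | parse_nicknames | while IFS= read -r nick; do
        d=$(certutil -L -d "$NSSDIR" -n "$nick" | not_after)
        if [ -n "$d" ] && is_expired "$d"; then printf '%s\n' "$nick"; fi
    done
}

# Tarball of the whole instance directory so the change can be reverted.
backup_db() {
    tar -C "$(dirname "$NSSDIR")" -czf "/root/$(basename "$NSSDIR")-$(date +%Y%m%d%H%M%S).tgz" \
        "$(basename "$NSSDIR")"
}

# Replace the expired cert: drop the old entry, wrap the new key+cert in a
# p12 with a throwaway export password, import it, then add the CA chain.
# $1 = new private key (PEM), $2 = new certificate (PEM), $3 = CA bundle (PEM).
import_new_cert() {
    umask 077
    dbpw=$(mktemp); p12pw=$(mktemp); p12=$(mktemp)
    sed 's/^[^:]*://' "$NSSDIR/pin.txt" > "$dbpw"     # pk12util -k wants the bare password
    head -c 18 /dev/urandom | base64 > "$p12pw"
    certutil -D -d "$NSSDIR" -n "$NICK" 2>/dev/null || true
    openssl pkcs12 -export -inkey "$1" -in "$2" -name "$NICK" -out "$p12" -passout "file:$p12pw"
    pk12util -i "$p12" -d "$NSSDIR" -k "$dbpw" -w "$p12pw"
    certutil -A -d "$NSSDIR" -n "$NICK CA" -t "CT,," -a -i "$3"
    rm -f "$dbpw" "$p12pw" "$p12"
}

# certutil -V validates chain and dates for the SSL-server usage (-u V);
# a non-zero exit means the server would reject this cert at startup.
verify_server_cert() {
    certutil -V -d "$NSSDIR" -n "$NICK" -u V
}

# The directory server looks its cert up by nickname, so dse.ldif must agree.
# (For /etc/httpd/alias the equivalent setting is NSSNickname in nss.conf.)
check_personality() {
    grep -q "^nsSSLPersonalitySSL: $NICK\$" "$NSSDIR/dse.ldif"
}

main() {
    [ $# -eq 3 ] || { echo "usage: $0 new.key new.crt ca-bundle.pem" >&2; exit 2; }
    backup_db
    echo "expired before renewal:"; expired_nicknames
    import_new_cert "$1" "$2" "$3"
    verify_server_cert
    check_personality
    service dirsrv restart
}

# Only run main when invoked as a script (assumed name), so the helpers above
# can be sourced and exercised on their own.
case "${0##*/}" in renew-nss-cert.sh) main "$@" ;; esac
```

Run it as root with the instance stopped, e.g. `NSSDIR=/etc/dirsrv/slapd-myhost ./renew-nss-cert.sh new.key new.crt ca-bundle.pem`. Reusing the configured nickname is deliberate: importing under a fresh nickname, as the reply does, also requires changing nsSSLPersonalitySSL (or NSSNickname for the admin server's /etc/httpd/alias), otherwise the server keeps looking for the old, now-deleted entry and will not start.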