xinhuan zheng wrote:
Hello, I need to create certificate signing request file that can be sent to certificate authority vendors, like GoDaddy, etc. I have two questions: 1) The certutil command line output a CSR file which has different format than the CSR file generated using 389-console the GUI. The main difference is that the certutil command line generates something like: Certificate request generated by Netscape certutil Phone: xxx-xxx-xxxx Common Name: .... Email: (not specified) Organization: my organization State: ... Country: US Following above, it's the "BEGIN NEW CERTIFICATE" section. However, if it's GUI, only "BEGIN NEW CERTIFICATE" section is there. Why the two methods generates output file different? Will it be ok to just use certuti command output with "BEGIN NEW CERTIFICATE" section to send to vendor?
The other bit are just a comment. You can strip it out if you want. As for why they are different I don't know, that is probably lost to time but it's been doing that since the late 90's in the Netscape products.
2) Do I also need to create certificate signing request file for each admin server? Will that be the same procedure for the directory server instance?
Yes, you need a CSR for each server. The issued certificate will have the hostname for that server baked into it and it needs to match the server name.
I believe the procedure is very similar for the directory server cert though it's been quite a long time since I've done this.
rob -- 389-users mailing list 389-users@xxxxxxxxxxxxxxxxxxxxxxx http://lists.fedoraproject.org/admin/lists/389-users@xxxxxxxxxxxxxxxxxxxxxxx
