Re: SSL on console

[Fernando Fuentes <ffuentes@xxxxxxxxxxx>]

So I finally got it to take by doing the following:

[root@hypersouth ~]# openssl pkcs12 -export -out hypersouth-net.p12 
-inkey /etc/pki/tls/private/hypersouth_auth-2019.key -in 
/etc/pki/tls/certs/hypersouth.aasteel.net.pem -certfile 
/etc/pki/ca-trust/source/anchors/RapidSSLCA.crt
Enter pass phrase for /etc/pki/tls/private/hypersouth_auth-2019.key:
Enter Export Password:
Verifying - Enter Export Password:

[root@hypersouth ~]# ls
anaconda-ks.cfg  hypersouth-net.p12 SSL

[root@hypersouth ~]# certutil -A -n hypersouthCert -i 
/etc/pki/tls/certs/hypersouth.aasteel.net.pem -t "TCu,Cu,Tuw" -d 
/etc/dirsrv/slapd-hypersouth/
Notice: Trust flag u is set automatically if the private key is present.


[root@hypersouth ~]# certutil -A -n RapidSSLCA -i 
/etc/pki/ca-trust/source/anchors/RapidSSLCA.crt -t "TCu,Cu,Tuw" -d 
/etc/dirsrv/slapd-hypersouth/
Notice: Trust flag u is set automatically if the private key is present.

[root@hypersouth ~]# pk12util -i hypersouth-net.p12 -d 
/etc/dirsrv/slapd-hypersouth/
Enter Password or Pin for "NSS Certificate DB":
Enter password for PKCS12 file:
pk12util: PKCS12 IMPORT SUCCESSFUL


Fernando Fuentes
Supervisor & Senior Systems Administrator
Email: ffuentes@xxxxxxxxxxx
 
American Alloy Steel, Inc.
Houston, Texas
Website: http://www.aasteel.com
 
Phone: 713-744-4222
Fax:   713-300-5688

On 8/22/19 11:25 AM, Fernando Fuentes wrote:
> I caught my mistake and corrected but now I get:
>
> [root@hypersouth SSL]# pk12util -i hypersouth-net.p12 -d 
> /etc/dirsrv/slapd-hypersouth/ -W password
> Enter Password or Pin for "NSS Certificate DB":
> pk12util: PKCS12 decode not verified: SEC_ERROR_BAD_PASSWORD: The 
> security password entered is incorrect.
> pk12util: PKCS12 decode validate bags failed: SEC_ERROR_INVALID_ARGS: 
> security library: invalid arguments.
> [root@hypersouth SSL]#
>
> Fernando Fuentes
> Supervisor & Senior Systems Administrator
> Email: ffuentes@xxxxxxxxxxx
>
> American Alloy Steel, Inc.
> Houston, Texas
> Website: http://www.aasteel.com
>
> Phone: 713-744-4222
> Fax:   713-300-5688
>
> On 8/22/19 11:13 AM, Fernando Fuentes wrote:
> > Marc,
> >
> > Here is what I get:
> >
> > [root@hypersouth SSL]# pk12util -i hypersouth-net.p12 
> > /etc/dirsrv/slapd-hypersouth/ -W password
> > pk12util: function failed: SEC_ERROR_LEGACY_DATABASE: The 
> > certificate/key database is in an old, unsupported format.
> > [root@hypersouth SSL]#
> >
> > Regards,
> >
> > Fernando Fuentes
> > Supervisor & Senior Systems Administrator
> > Email: ffuentes@xxxxxxxxxxx
> >
> > American Alloy Steel, Inc.
> > Houston, Texas
> > Website: http://www.aasteel.com
> >
> > Phone: 713-744-4222
> > Fax:   713-300-5688
> >
> > On 8/22/19 2:31 AM, Marc Muehlfeld wrote:
> > > Hi Fernando,
> > >
> > > On 8/22/19 5:21 AM, Fernando Fuentes wrote:
> > > > Is there a how to for this procedure?
> > >
> > > ## Convert to PKCS#12:
> > > # openssl pkcs12 -export -out demo.p12 -inkey 
> > > pki/private/demo.example.com.key -in pki/issued/demo.example.com.crt
> > > Enter pass phrase for pki/private/demo.example.com.key:
> > > Enter Export Password:
> > > Verifying - Enter Export Password:
> > >
> > > # Import to DS NSS DB:
> > > # pk12util -i demo.p12 -d /etc/dirsrv/slapd-instance_name/ -W password
> > > Enter Password or Pin for "NSS Certificate DB":
> > > pk12util: no nickname for cert in PKCS12 file.
> > > pk12util: using nickname: demo.example.com
> > > pk12util: PKCS12 IMPORT SUCCESSFUL
> > >
> > >
> > > ## Display the imported cert:
> > > # certutil -d /etc/dirsrv/slapd-instance_name/ -L
> > >
> > > Certificate Nickname Trust Attributes
> > >
> > > SSL,S/MIME,JAR/XPI
> > >
> > > demo.example.com u,u,u
> > >
> > >
> > > ## Display the imported private key:
> > > # certutil -d /etc/dirsrv/slapd-instance_name/ -K
> > > certutil: Checking token "NSS Certificate DB" in slot "NSS User 
> > > Private Key and Certificate Services"
> > > Enter Password or Pin for "NSS Certificate DB":
> > > < 0> rsa      ec30598b2107c71dd69494d51d7de6ef0e57ffbe demo.example.com
> > >
> > >
> > >
> > > Please let me know if it works, and DS does not complain about it 
> > > when you use the key/cert.
> > >
> > >
> > > Regards,
> > > Marc
> > _______________________________________________
> > 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
> > To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
> > Fedora Code of Conduct: 
> > https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives: 
> > https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
> _______________________________________________
> 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx