Re: Using self-signed SSL certificate with 389 DS under CentOS 7

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hi,

On 8/23/19 4:26 PM, Nicolas Kovacs wrote:

Le 23/08/2019 à 15:56, Marc Muehlfeld a écrit :


I can't reproduce the problem. I verified the procedure [1] on RHEL 7.7
with RHDS 10.4, and it still works.

Just to be sure: is the name of your DS instance really "instance_name"?
"instance_name" in the RHDS docs as a placeholder (that's why it is italic).


Of course.

That was the problem. Thanks very much.

I tried the procedure described in the RHDS guide, and it looks like it
worked. My self-signed certificate is now installed.

I have a follow-up question. What option do I have to use with certutil
to make my self-signed certificate valid for 10 years instead of 3 months ?



According to the "certutil --help" output, use
>   -v months-valid   Months valid (default is 3)
when you create the certificate.


Instead of using only a self-signed cert, wouldn't it make more sense to
1) create your own CA
2) create a CSR using certutil (see RHDS docs, section 9.3.2)
3) let your CA issue the cert
4) import the CA cert (see RHDS docs, section 9.3.3)
5) import the server cert (see RHDS docs, section 9.3.4)
6) install the CA cert on your clients (not yet in RHDS 10 docs,
   but I can easily backport the content)

Then clients who trust the CA cert will automatically trust the connection.
For step 1 and 3, you can use, for example, EasyRSA [1]. This script makes all the CA stuff really simple, and you don't need to know all the complex and long openssl commands. :-)
And you can use the same CA to issue certs for your internal web servers and other service as well. 


Regards,
Marc


[1] https://github.com/OpenVPN/easy-rsa




--
Marc Muehlfeld (Senior Technical Writer)
Customer Content Services
_______________________________________________________________________________
Red Hat GmbH, Werner-von-Siemens-Ring 14, 85630 Grasbrunn, Germany
http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael O'Neill,
Tom Savage, Eric Shander
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
[Index of Archives]     [Fedora User Discussion]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora News]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora QA]     [Fedora Triage]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Yosemite Photos]     [Linux Apps]     [Maemo Users]     [Gnome Users]     [KDE Users]     [Fedora Tools]     [Fedora Art]     [Fedora Docs]     [Maemo Users]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Fedora ARM]

  Powered by Linux