Re: Trying to renew a certificate - nss error 8168

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Not sure what the problem is, but if you create a second test DS instance, can you import it there?
Maybe remove the old cert first?  If you try that though please make a backup of these files under /etc/dirsrv/slapd-INST: cert8.db, key3.db, and secmod.db in case it doesn't work. 

HTH,

Mark

On 8/24/20 3:24 AM, rainer@xxxxxxxxxxxxxxx wrote:

Hi,

I'm trying to renew a certificate in 389 server.
https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html-single/administration_guide/index#renewing_a_certificate 

I've created a new private key and CSR with

certutil -d /etc/dirsrv/slapd-instance/ -R -g 4096 -a \
     -o /root/slapd-name.csr -8 name.fqdn \
     -s "CN=name.fqdn,O=org,ST=State,C=CH"


I try to import it with

certutil -d /etc/dirsrv/slapd-instance/ -A \
     -n "Server Cert" -t ",," -a -i /root/slapd-name.crt

But this results in
"certutil: could not add certificate to token or database: SEC_ERROR_ADDING_CERT: Error adding certificate to database." 

If I try this using the GUI, I also get the NSS error code 8168



What exactly is the problem?
It seems there is no "verbose" switch for certutil - or at least it's not documented. 


389-admin-1.1.46-1.el7.x86_64
389-admin-console-1.1.12-1.el7.noarch
389-admin-console-doc-1.1.12-1.el7.noarch
389-adminutil-1.1.22-2.el7.x86_64
389-console-1.1.19-6.el7.noarch
389-ds-base-1.3.10.1-9.el7_8.x86_64
389-ds-base-libs-1.3.10.1-9.el7_8.x86_64
389-ds-base-snmp-1.3.10.1-9.el7_8.x86_64
389-ds-console-1.2.16-1.el7.noarch
389-ds-console-doc-1.2.16-1.el7.noarch

CentOS 7, 64bit.


Now, I tried to list the private keys with -K, I get
certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format. 


Is there documentation on how to upgrade the database?




Rainer
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ 
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx 

--

389 Directory Server Development Team
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
[Index of Archives]     [Fedora User Discussion]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora News]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora QA]     [Fedora Triage]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Yosemite Photos]     [Linux Apps]     [Maemo Users]     [Gnome Users]     [KDE Users]     [Fedora Tools]     [Fedora Art]     [Fedora Docs]     [Maemo Users]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Fedora ARM]

  Powered by Linux