depending on your version of 389, look at "dsctl <instance name> tls import-ca"
{william@ldapkdc 9:12} ~/development $ dsctl localhost tls import-ca --help
usage: dsctl [instance] tls import-ca [-h] cert_path nickname
positional arguments:
cert_path The path to the x509 cert to import as a server CA
nickname The name of the certificate once imported
optional arguments:
-h, --help show this help message and exit
This allows you to import a PEM CA file. There are a number of other helpers under the tls subcommand to make cert management easier.
> On 1 Dec 2020, at 18:55, Angel Bosch Mora <abosch@xxxxxxxxxxxxxxxx> wrote:
>
> hi,
>
> some time ago I asked for a scriptable way of creating a certificate request, here's the thread:
>
> https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx/thread/EHWWAHOO3S2HZEWJEXTQKDDRH33NLSMU/#HF7ZPVLMUK32AIEEWPEOLUJGZFXXRCEK
>
> I didn't have the time to write anything and I would like to invest some time now.
>
> the goal is to create an unattended script for node creation INCLUDING certification with an external CA.
>
>
> I'm thinking about having several precreated certificate databases and download them to nodes.
> something like:
>
> openssl rand -base64 16 > pwfile.txt && certutil -N -d . -f pwfile.txt
>
> in several nodes and then scp/wget them to each node.
> also, do all CSR beforehand and already signed with our CA so I will have a repo of cert databases like:
>
>
> nss/ca_root.crt
> nss/ldap10
> nss/ldap10/cert9.db
> nss/ldap10/key4.db
> nss/ldap10/ldap10.example.com.crt
> nss/ldap10/pkcs11.txt
> nss/ldap10/pwfile.txt
> nss/ldap11
> nss/ldap11/cert9.db
> nss/ldap11/key4.db
> nss/ldap11/ldap11.example.com.crt
> nss/ldap11/pkcs11.txt
> nss/ldap11/pwfile.txt
> nss/ldap12
> nss/ldap12/cert9.db
> nss/ldap12/key4.db
> nss/ldap12/ldap12.example.com.crt
> nss/ldap12/pkcs11.txt
> nss/ldap12/pwfile.txt
> nss/ldap13
> nss/ldap13/cert9.db
> nss/ldap13/key4.db
> nss/ldap13/ldap13.example.com.crt
> nss/ldap13/pkcs11.txt
> nss/ldap13/pwfile.txt
> nss/ldap14
> nss/ldap14/cert9.db
> nss/ldap14/key4.db
> nss/ldap14/ldap14.example.com.crt
> nss/ldap14/pkcs11.txt
> nss/ldap14/pwfile.txt
> nss/ldap15
> nss/ldap15/cert9.db
> nss/ldap15/key4.db
> nss/ldap15/ldap15.example.com.crt
> nss/ldap15/pkcs11.txt
> nss/ldap15/pwfile.txt
>
>
> this step is the only one remaining on my recipe of unattended container creation, so any help will be really appreciated.
>
>
>
> best regards,
>
> abosch
>
>
> -- Institut Mallorqui d'Afers Socials. Aquest missatge, i si escau, qualsevol fitxer annex, es dirigeix exclusivament a la persona que n'es destinataria i pot contenir informacio confidencial. En cap cas no heu de copiar aquest missatge ni lliurar-lo a terceres persones sense permis expres de l'IMAS. Si no sou la persona destinataria que s'hi indica (o la responsable de lliurar-l'hi) us demanam que ho notifiqueu immediatament a l'adreca electronica de la persona remitent. Abans d'imprimir aquest missatge, pensau si es realment necessari.
> _______________________________________________
> 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
—
Sincerely,
William Brown
Senior Software Engineer, 389 Directory Server
SUSE Labs, Australia
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
