Jeff Falgout wrote:
Brian K. Jones said:

Hi,

Anyone have a procedure for self-signing a certificate request from FDS using an existing CA cert with openssl? Also - anyone know why I can't just use an existing cert/key pair with FDS that was created and self-signed already - or if I can, how?

brian.

openssl x509 -req -in /path/to/csr \
    -CA /path/to/cacert \
    -CAkey /path/to/cakey -CAcreateserial \
    -out /path/to/signed.crt

I just use this command to sign the csr generated from the console. I haven't figured out how to use an existing cert/key - I'd very much like to see how to do that.
This was just discussed on IRC, may as well document it here as well.

First, head into the console and initialize your certificate database and assign a password. To do this, log into the console, select your directory instance and under Tasks select Manage Certificates. If you don't already have a certificate database created, it will prompt you for a password.
Now, at a unix prompt, change to your server root as a user that can write to the files in alias (probably root).
This assumes that the existing cert is in the file ssl-cert.pem and the existing key is in ssl-key.pem and your instance is named "myinstance":
# cd /opt/redhat-ds
# openssl pkcs12 -export -in ssl-cert.pem -inkey ssl-key.pem -out ssl-cert.p12 -name "Server-Cert"
You now have the openssl cert in a pkcs#12 file (cert and key together). Now import it into your DS database:

# shared/bin/pk12util -i ssl-cert.p12 -d alias -P slapd-myinstance-

This will work for both Fedora and Red Hat DS.

rob
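The signing step from Jeff's reply and the PKCS#12 export and import steps from Rob's reply, put together as one runnable script. This is an added example, not code from the thread or from the Directory Server project. The CA, server key, CSR, hostname ldap.example.test, export password and instance name myinstance are throwaway values constructed so the script runs offline; the -days, -extfile and PBE/MAC settings are additions beyond what the thread shows (openssl x509 -req issues a 30-day certificate when -days is omitted, and older NSS builds only read PKCS#12 files encrypted with the 3DES or RC2 PBE schemes and a SHA-1 MAC, not the AES/SHA-256 defaults of newer openssl).

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): sign a CSR with an existing
# CA, check it, and bundle cert+key as PKCS#12 under the nickname Server-Cert.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch dir; real runs would point at existing files
DAYS=365                        # assumption: one-year server cert (openssl default is 30 days)
EXPORT_PW=exportpw              # constructed password for the .p12; pk12util asks for it on import

# Build a throwaway CA plus a server key and CSR so the script runs offline.
# In the real procedure the CA already exists and the CSR comes from the console.
make_fixtures() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Example Test CA" \
    -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=ldap.example.test" \
    -keyout "$WORK/ssl-key.pem" -out "$WORK/server.csr" 2>/dev/null
}

# Step 1: sign the CSR with the CA. Same command as Jeff's, plus -days and an
# extensions file so the result is marked as a leaf server certificate.
sign_csr() {
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:ldap.example.test\n' \
    > "$WORK/server.ext"
  openssl x509 -req -in "$WORK/server.csr" \
    -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" -CAcreateserial \
    -days "$DAYS" -extfile "$WORK/server.ext" \
    -out "$WORK/ssl-cert.pem" 2>/dev/null
}

# Step 2: confirm the signed cert actually chains to the CA before touching the NSS db.
verify_cert() {
  openssl verify -CAfile "$WORK/cacert.pem" "$WORK/ssl-cert.pem" >/dev/null 2>&1
}

# Step 3: Rob's pkcs12 export. The PBE and MAC options pick the legacy
# algorithms that old NSS understands; drop them for a current NSS.
export_p12() {
  openssl pkcs12 -export -in "$WORK/ssl-cert.pem" -inkey "$WORK/ssl-key.pem" \
    -name "Server-Cert" -passout "pass:$EXPORT_PW" \
    -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
    -out "$WORK/ssl-cert.p12"
}

# Read the friendlyName back out of the .p12: that is the nickname pk12util
# will import the cert under, and the one the instance's SSL config must reference.
p12_nickname() {
  openssl pkcs12 -in "$WORK/ssl-cert.p12" -passin "pass:$EXPORT_PW" -nokeys 2>/dev/null \
    | sed -n 's/^ *friendlyName: //p' | head -n 1
}

# Step 4: Rob's import, run from the server root. -P is the file-name prefix of
# the instance's cert db in alias/. Skipped when pk12util is not installed.
import_p12() {
  instance="${1:-myinstance}"   # assumption: instance name
  command -v pk12util >/dev/null 2>&1 || { echo "pk12util not installed; skipping import"; return 0; }
  pk12util -i "$WORK/ssl-cert.p12" -d alias -P "slapd-${instance}-" -W "$EXPORT_PW"
}

make_fixtures
sign_csr
verify_cert
export_p12
echo "signed cert: $WORK/ssl-cert.pem  p12 nickname: $(p12_nickname)"
```

Run it from the server root (the directory that contains alias/) and then call import_p12 with the instance name; the -P value is whatever precedes cert8.db and key3.db in the file names under alias/, which on the Fedora DS layout is slapd-<instance>-. The verify step matters because pk12util will happily import a certificate that was signed by the wrong key, and the failure only shows up later when clients refuse the chain.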
--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users