A final note that Rob's solution worked wonderfully once I took note
that the dash in the "-P slapd-myinstance-" is significant -- don't
forget that! Your cert won't show up in the server cert section
without it.
On Jun 20, 2005, at 3:21 PM, Rob Crittenden wrote:
Jeff Falgout wrote:
Brian K. Jones said:
Hi,
Anyone have a procedure for self signing a certificate request from FDS using
an existing CA cert with openssl? Also - anyone know why I can't just use an
existing cert/key pair with FDS that was created and self-signed already - or
if I can, how?
brian.
openssl x509 -req -in /path/to/csr \
-CA /path/to/cacert \
-CAkey /path/to/cakey -CAcreateserial \
-out /path/to/signed.crt
I just use this command to sign the csr generated from the console. I
haven't figured out how to use an existing cert/key - I'd very much like
to see how to do that.
This was just discussed on IRC, may as well document it here as well.
First, head into console and initialize your certificate database
and assign a password. To do this, log into the console, select
your directory instance and under Tasks select Manage Certificates.
If you don't already have a certificate database created, it will
prompt you for a password.
Now, at a unix prompt, change to your server root as a user that
can write to the files in alias (probably root).
This assumes that the existing cert is in the file ssl-cert.pem and
the existing key is in ssl-key.pem and your instance is named
"myinstance":
# cd /opt/redhat-ds
# openssl pkcs12 -export -in ssl-cert.pem -inkey ssl-key.pem -out ssl-cert.p12 -name "Server-Cert"
You now have the openssl cert in a pkcs#12 file (cert and key together).
Now import it into your DS database:
# shared/bin/pk12util -i ssl-cert.p12 -d alias -P slapd-myinstance-
This will work for both Fedora and Red Hat DS.
rob
--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
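Added example, not part of the original thread or of Rob's procedure: two checks that can be run before the pk12util import, confirming that the certificate and key belong together and that the exported PKCS#12 carries the name given with -name. The function names, the throwaway key pair and the demo password are constructed for illustration.

```shell
# Added example: sanity checks on a cert/key pair and the exported PKCS#12.
# All file names and the password below are constructed for the demo.

# Succeed only if the certificate's public key equals the private key's.
cert_matches_key() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = \
      "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
}

# Print the friendlyName stored on the certificate in a PKCS#12 file.
p12_friendly_name() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null |
        sed -n 's/^ *friendlyName: //p' | head -n 1
}

# Build a throwaway pair, export it as in the thread, and run both checks.
demo() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=ds.example.test" \
        -keyout "$d/ssl-key.pem" -out "$d/ssl-cert.pem" 2>/dev/null
    # A second, unrelated key to show that a mismatch is detected.
    openssl genrsa -out "$d/other-key.pem" 2048 2>/dev/null
    cert_matches_key "$d/ssl-cert.pem" "$d/ssl-key.pem" && echo "pair: match"
    cert_matches_key "$d/ssl-cert.pem" "$d/other-key.pem" ||
        echo "other key: mismatch"
    openssl pkcs12 -export -in "$d/ssl-cert.pem" -inkey "$d/ssl-key.pem" \
        -out "$d/ssl-cert.p12" -name "Server-Cert" -passout pass:demo-only
    echo "name: $(p12_friendly_name "$d/ssl-cert.p12" demo-only)"
    rm -rf "$d"
}

demo
```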