Can we get this into the FAQ?
--Chris
Rob Crittenden wrote:
Jeff Falgout wrote:
Brian K. Jones said:
Hi,
Anyone have a procedure for self signing a certificate request from FDS
using an existing CA cert with openssl? Also - anyone know why I can't just
use an existing cert/key pair with FDS that was created and self-signed
already - or if I can, how?
brian.
openssl x509 -req -in /path/to/csr \
-CA /path/to/cacert \
-CAkey /path/to/cakey -CAcreateserial \
-out /path/to/signed.crt
I just use this command to sign the csr generated from the console. I
haven't figured out how to use an existing cert/key - I'd very much like
to see how to do that.
This was just discussed on IRC, may as well document it here as well.
First, head into console and initialize your certificate database and
assign a password. To do this, log into the console, select your
directory instance and under Tasks select Manage Certificates. If you
don't already have a certificate database created, it will prompt you
for a password.
Now, at a unix prompt, change to your server root as a user that can
write to the files in alias (probably root).
This assumes that the existing cert is in the file ssl-cert.pem and the
existing key is in ssl-key.pem and your instance is named "myinstance":
# cd /opt/redhat-ds
# openssl pkcs12 -export -in ssl-cert.pem -inkey ssl-key.pem \
-out ssl-cert.p12 -name "Server-Cert"
You now have the openssl cert in a pkcs#12 file (cert and key together).
Now import it into your DS database:
# shared/bin/pk12util -i ssl-cert.p12 -d alias -P slapd-myinstance-
This will work for both Fedora and Red Hat DS.
rob
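
The PKCS#12 export step above, as an added example that is not part of the original thread: it checks that the certificate and private key actually belong together before bundling them, and keeps the export password out of the command line. The function names and the password-file argument are assumptions made for this example; the key is assumed to be an unencrypted PEM file. The pk12util import from the post is then run on the resulting file unchanged.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical;
# ssl-cert.pem, ssl-key.pem and "Server-Cert" follow the post.
# Assumes an unencrypted PEM private key.

# Succeed only if the certificate's public key equals the one derived
# from the private key. Returns 2 if either file cannot be parsed.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Bundle cert and key into a PKCS#12 file under the nickname "Server-Cert".
# The export password is read from a file so it never appears in argv,
# and the bundle is created readable by its owner only.
build_p12() {
    cert=$1; key=$2; out=$3; pwfile=$4
    if ! cert_matches_key "$cert" "$key"; then
        echo "refusing to bundle: $key is not the key for $cert" >&2
        return 1
    fi
    ( umask 077
      openssl pkcs12 -export -in "$cert" -inkey "$key" -out "$out" \
          -name "Server-Cert" -passout "file:$pwfile" )
}

# Print the nickname (friendlyName) stored with the certificate in the bundle.
p12_nickname() {
    openssl pkcs12 -in "$1" -passin "file:$2" -nokeys 2>/dev/null |
        sed -n 's/^ *friendlyName: //p' | head -n 1
}

# Usage: sh this-script ssl-cert.pem ssl-key.pem ssl-cert.p12 password-file
if [ "$#" -eq 4 ]; then
    build_p12 "$@"
fi
```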
------------------------------------------------------------------------
--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users