Re: Enabling SSL

Kevin Kovach wrote:

Adam,

My entry looks the same.  I'm pretty certain I have the ciphers correct now.

I am curious about one thing though.  In following the wiki, I did as
suggested and converted the cert db to pkcs12 with the following
command ...

pk12util -d . -P slapd-serverID- -o servercert.pfx -n Server-Cert

However, I don't see anywhere where we make FDS aware of
servercert.pfx?  I'd assume that we need to configure FDS for this
pkcs12 db somewhere?

If you followed the other steps up until this one, then you already have the required certs for slapd to use. You only need to export the cert to the .pfx file if you need to import that key and cert into another program (e.g. use openssl to convert the .pfx file to other formats).

Also, the wiki mentions the trailing - on the -P option but does not
go into depth on it.  I'm pretty sure I executed this command
correctly but am unsure how to double check it?

Look in your /opt/fedora-ds/alias directory. You should have files called slapd-serverID-cert8.db and slapd-serverID-key3.db, not slapd-serverIDcert8.db and slapd-serverIDkey3.db.

Thanks again.

- Kevin

On 8/3/05, Adam Stokes <astokes@xxxxxxxxxx> wrote:
dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSLSessionTimeout: 0
nsSSLClientAuth: allowed
nsSSL2: off
nsSSL3: on
creatorsName: cn=server,cn=plugins,cn=config
modifiersName: cn=directory manager
createTimestamp: 20050701182744Z
modifyTimestamp: 20050720192820Z
nsSSL3Ciphers: -rsa_null_md5,rsa_rc4_128_md5,rsa_rc4_40_md5,rsa_rc2_40_md5,rsa_des_sha,rsa_fips_des_sha,rsa_3des_sha,rsa_fips_3des_sha,fortezza,fortezza_rc4_128_sha,fortezza_null,tls_rsa_export1024_with_rc4_56_sha,tls_rsa_export1024_with_des_cbc_sha
nsKeyfile: alias/slapd-directory-key3.db
nsCertfile: alias/slapd-directory-cert8.db
numSubordinates: 1

Above is my entry for reference

On Wed, 2005-08-03 at 13:57 -0400, Kevin Kovach wrote:
Thanks Nathan.  I've made this change and again got farther than I have before.

FYI, I got that cipher list from the Wiki.  That will need to be
updated to contain the complete list.

Although I got farther the server is still not starting up.  Now it's
complaining that none of the ciphers are valid?  How do I ensure that
I'm using a valid cypher?  Here's the error I'm seeing in the error
log ...

[03/Aug/2005:13:56:23 -0400] - Fedora-Directory/7.1 B2005.201.2115 starting up
[03/Aug/2005:13:56:23 -0400] - SSL failure: None of the cipher are valid

Thanks again for the help.

- Kevin

And again have a different issue now.  Now it's complaining that there are no
--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
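
The file-name check described in the reply above, written out as an added shell example (not part of the original thread or of Fedora Directory Server). The helper name check_nss_prefix and its status words are hypothetical; the file names follow the cert8.db/key3.db pattern quoted in the message.

```shell
#!/bin/sh
# Added example (not from the thread): confirm that an NSS database prefix,
# as passed to pk12util -P, matches the cert8.db/key3.db files on disk.
# check_nss_prefix is a hypothetical helper; its status words are made up here.
# Usage: check_nss_prefix DIR PREFIX   (returns 0 only when it prints "ok")
check_nss_prefix() {
    dir=$1
    prefix=$2

    # Both databases must exist under exactly this prefix.
    if [ -f "$dir/${prefix}cert8.db" ] && [ -f "$dir/${prefix}key3.db" ]; then
        echo ok
        return 0
    fi

    # Try the same prefix with the trailing hyphen toggled, to catch
    # slapd-serverID- versus slapd-serverID mix-ups.
    case $prefix in
        *-) alt=${prefix%-} ;;
        *)  alt="${prefix}-" ;;
    esac
    if [ -f "$dir/${alt}cert8.db" ] && [ -f "$dir/${alt}key3.db" ]; then
        echo hyphen-mismatch
        return 1
    fi

    # One database without its partner: the pair is unusable.
    if [ -f "$dir/${prefix}cert8.db" ] || [ -f "$dir/${prefix}key3.db" ]; then
        echo incomplete
        return 1
    fi

    echo missing
    return 1
}

# Run directly as: sh check.sh /opt/fedora-ds/alias slapd-serverID-
if [ "$#" -eq 2 ]; then
    check_nss_prefix "$1" "$2"
fi
```

A result of hyphen-mismatch means the databases exist but under the other spelling of the prefix, so the -P value and the file names disagree about the trailing hyphen.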


