Re: Enabling SSL

["George Holbert" <gholbert@xxxxxxxxxxxx>]

Rich M answered my question in his recent post:

> If you followed the other steps up until this one, then you already 
> have the required certs for slapd to use.  You only need to export the 
> cert to the .pfx file if you need to import that key and cert into 
> another program (e.g. use openssl to convert the .pfx file to other 
> formats).

So there apparently is not a need for the pk12 file in the alias directory.

Thanks Rich,
-- George



George Holbert wrote:

> A follow up question:  why does pk12util need to be run against the 
> certificate db at all?  Doesn't RedHat/Fedora DS read certificate and 
> key information directly from the cert8.db and key3.db files?
>
> In the RedHat SSL setup docs at:
> http://www.redhat.com/docs/manuals/dir-server/ag/7.1/ssl.html#1087158
> ... it says:
>
> > Run pk12util to convert the certificate database to pkcs12 format, so 
> > it is accessbile by the Directory Server:
>
>
>
> As Adam Stokes mentioned, the incantation for this should be:
>
> > Again another typo the line should read
> >
> > pk12util -d . -P slapd-serverID- -o servercert.pk12 -n Server-Cert
> But what does it buy you to have the "servercert.pk12" file sitting in 
> the alias directory with the cert and key db files?  How does this 
> make the certificate database "accessible by the Directory Server"?
>
> In previous versions of Netscape DS, I don't recall the need for a 
> pk12 file in the alias directory.  Is this a new requirement for 
> version 7.1 ?
>
> Thanks,
> -- George
>
>
> Adam Stokes wrote:
>
> > On Wed, 3 Aug 2005 15:48:42 -0400
> > Kevin Kovach <kovach@xxxxxxxxx> wrote:
> >
> > Kevin,
> >
> > Again another typo the line should read
> >
> > pk12util -d . -P slapd-serverID- -o servercert.pk12 -n Server-Cert
> >
> > and the -P option is the dbprefix in which case slapd-serverID- should
> > be replaced with whatever you have setup as your slapd-<instance>-
> >
> > Hope this helps
> >
> >  
> >
> > > Adam,
> > >
> > > My entry looks the same.  I'm pretty certain I have the ciphers
> > > correct now.
> > >
> > > I am curious about one thing though.  In following the wiki, I did as
> > > suggested and converted the cert db to pkcs12 with the following
> > > command ...
> > >
> > > pk12util -d . -P slapd-serverID- -o servercert.pfx -n Server-Cert
> > >
> > > However, I don't see anywhere where we make FDS aware of
> > > servercert.pfx?  I'd assume that we need to configure FDS for this
> > > pkcs12 db somewhere?
> > >
> > > Also, the wiki mentions the trailing - on the -P option but does not
> > > go into depth on it.  I'm pretty sure I executed this command
> > > correctly but am unsure how to double check it?
> > >
> > > Thanks again.
> > >
> > > - Kevin
> > >
> > > On 8/3/05, Adam Stokes <astokes@xxxxxxxxxx> wrote:
> > >   
> > >
> > > > dn: cn=encryption,cn=config
> > > > objectClass: top
> > > > objectClass: nsEncryptionConfig
> > > > cn: encryption
> > > > nsSSLSessionTimeout: 0
> > > > nsSSLClientAuth: allowed
> > > > nsSSL2: off
> > > > nsSSL3: on
> > > > creatorsName: cn=server,cn=plugins,cn=config
> > > > modifiersName: cn=directory manager
> > > > createTimestamp: 20050701182744Z
> > > > modifyTimestamp: 20050720192820Z
> > > > nsSSL3Ciphers:
> > > > -
> > > > rsa_null_md5,rsa_rc4_128_md5,rsa_rc4_40_md5,rsa_rc2_40_md5,rsa_des_sha,rsa_fips_des_sha,rsa_3des_sha,rsa_fips_3des_sha,fortezza,fortezza_rc4_128_sha,fortezza_null,tls_rsa_export1024_with_rc4_56_sha,tls_rsa_export1024_with_des_cbc_sha 
> > > >
> > > > nsKeyfile: alias/slapd-directory-key3.db nsCertfile: alias/slapd-
> > > > directory-cert8.db numSubordinates: 1
> > > >
> > > > Above is my entry for reference
> > > >
> > > > On Wed, 2005-08-03 at 13:57 -0400, Kevin Kovach wrote:
> > > >     
> > > >
> > > > > Thanks Nathan.  I've made this change and again got farther than
> > > > > I have before.
> > > > >
> > > > > FYI, I got that cipher list from the Wiki.  That will need to be
> > > > > updated to contain the complete list.
> > > > >
> > > > > Although I got farther the server is still not starting up.  Now
> > > > > it's complaining that none of the ciphers are valid?  How to I
> > > > > ensure that I'm using a valid cypher?  Here's the error I'm
> > > > > seeing in the error log ...
> > > > >
> > > > > [03/Aug/2005:13:56:23 -0400] - Fedora-Directory/7.1
> > > > > B2005.201.2115 starting up [03/Aug/2005:13:56:23 -0400] - SSL
> > > > > failure: None of the cipher are valid
> > > > >
> > > > > Thanks again for the help.
> > > > >
> > > > > - Kevin
> > > > >
> > > > > And again have a different issue now.  Now it's complaining that
> > > > > there are no
> > > > >       
> > > >
> > > > --
> > > > Fedora-directory-users mailing list
> > > > Fedora-directory-users@xxxxxxxxxx
> > > > https://www.redhat.com/mailman/listinfo/fedora-directory-users
> > > >
> > > >     
> > >
> > > --
> > > Take back the web, http://www.switch2firefox.com/
> > >
> > > --
> > > Fedora-directory-users mailing list
> > > Fedora-directory-users@xxxxxxxxxx
> > > https://www.redhat.com/mailman/listinfo/fedora-directory-users
> > >   
> >
> >
> >
> >  
>
>
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-directory-users



--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users