Quoting Rich Megginson <rmeggins@xxxxxxxxxx>:
You need to get your CA to export your key/cert data in pkcs12 (.p12)
format, then use the FDS pk12util to import both the key and cert.
As luck usually has it, I pretty much came to that same conclusion shortly after I pressed send :)
http://developers.sun.com/prodtech/appserver/reference/techart/keymgmt.html
For the sake of archiving:
As Rich noted, the certificate and key must be in PKCS12 format.
My CA is openssl - in order to have a successful import, you must export the certificate to PKCS12 format with a nickname (my initial CA wrapper did not do that, which resulted in a failed import). The following command would combine a PEM certificate and key and create a PKCS12 certificate and key:
    openssl pkcs12 -export -in cert.pem -inkey key.pem -name <nickname> -out directory.p12
And then import it:
    pk12util -d <nss_config_dir> -i directory.p12 [-h "NSS Certificate DB"]
From what I can gather, there are at least three certificate stores:
For the first two below, nss_config_dir is /opt/fedora-ds/alias.
Directory Server:
/opt/fedora-ds/alias/slapd-hostname-[cert|key][8|3].db
Admin Server:
/opt/fedora-ds/alias/admin-server-hostname-[cert|key][8|3].db
For the above two, to import, I created symbolic links for cert8.db and key3.db to their respective counterparts for slapd and admin-server (i.e. link cert8.db -> slapd-hostname-cert8.db and key3.db -> slapd-hostname-key3.db, import, then remove links and relink to admin-server-hostname databases).
There's also a store in /opt/fedora-ds/admin-server/config - not sure if that is for the Admin Console, but I've skipped it for the moment.
Kevin
--
Kevin M. Myer
Senior Systems Administrator
Lancaster-Lebanon Intermediate Unit 13 http://www.iu13.org
--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
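The export-then-import sequence from the post, as an added example that is not part of the original mail or of Fedora DS itself. It generates throwaway test material, builds the PKCS12 file both with and without -name, and adds a pre-import check that reads back the friendlyName (the nickname NSS will use), so the failure mode described above (no nickname, failed import) can be caught before pk12util is run. It assumes openssl is on PATH; pk12util/certutil are only used if installed.

```shell
#!/bin/sh
# Added example (not from the mailing-list post). Assumes: openssl in PATH;
# the NSS tools pk12util/certutil are optional and used only if installed.
# All key material here is throwaway test data generated on the fly.
set -eu

WORK="${TMPDIR:-/tmp}/p12-demo.$$"
mkdir -p "$WORK"

# Constructed test data: a self-signed cert and key, standing in for the CA output.
make_test_pem() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=directory.example.test" \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
}

# Bundle cert+key into PKCS12. $1 = nickname (empty string = omit -name), $2 = output file.
make_p12() {
  if [ -n "$1" ]; then
    openssl pkcs12 -export -in "$WORK/cert.pem" -inkey "$WORK/key.pem" \
      -name "$1" -passout pass:changeit -out "$2"
  else
    openssl pkcs12 -export -in "$WORK/cert.pem" -inkey "$WORK/key.pem" \
      -passout pass:changeit -out "$2"
  fi
}

# Pre-import check: print the friendlyName (the NSS nickname) carried by a .p12,
# or nothing at all if it was exported without -name.
p12_nickname() {
  openssl pkcs12 -in "$1" -nokeys -passin pass:changeit 2>/dev/null \
    | sed -n 's/^ *friendlyName: *//p' | head -n 1
}

# The pk12util step from the post, against a fresh NSS db (returns 2 if tools are absent).
import_into_nss() {
  command -v pk12util >/dev/null 2>&1 && command -v certutil >/dev/null 2>&1 || return 2
  db="$WORK/nssdb"; mkdir -p "$db"
  certutil -N -d "$db" --empty-password
  pk12util -d "$db" -i "$1" -W changeit   # -h "NSS Certificate DB" is the default token
  certutil -L -d "$db"                     # the nickname should now be listed
}

make_test_pem
make_p12 "Server-Cert" "$WORK/with-nick.p12"
make_p12 "" "$WORK/without-nick.p12"
echo "with -name:    '$(p12_nickname "$WORK/with-nick.p12")'"    # Server-Cert
echo "without -name: '$(p12_nickname "$WORK/without-nick.p12")'" # empty
import_into_nss "$WORK/with-nick.p12" || echo "NSS tools not installed; skipping pk12util import"
```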