Re: SSL problem on replication!

Richard Megginson wrote:
Alex wrote:

Yeah, that's what I was saying earlier. I think the problem is that identical scripts/noise/password files produce identical certs. I had to change both the noise and password on the 2nd server to produce a 2nd server cert, which I could then import into the server A DB.




Uff...it's a soap opera :-)...so:

For SUSAN:

I tried to make a certificate from nodo2, changing both pwdfile.txt and
noise.txt. Importing the CA certificate into nodo1 returns the same
error (same issuer/serial). Did you change only that?

For RICHARD:

I also tried to make a certificate for nodo2 from nodo1, but when I try to
run the Step 7 command, it returns an error (same issuer/serial).

Ah yes - you must use a unique number for the -m argument.


Ok, a few things. I don't know a lot about the script(s) being used to generate the certificates, but the noise file affects only the quality of the key generated, not the certificate itself. The idea of using noise is to seed the random number generator within NSS so you get a good key. The password file is also just a nice thing to have. You can have the same password anywhere you want, as long as your policy allows it. It also ultimately allows for unattended startup.

If I understand it, you want to issue 2 server certs using the same CA. Here is what you need to do. You can do this all on one machine if you want, then move the database.

I'm going to skip the -P argument for brevity, you can rename the database later.

I'm also skipping the password and noise files. The difference is that you'll be prompted a few times for your PIN and to enter a bunch of keystrokes to seed the random number generator; no big deal.

Note that I tend to use a lot of certificate extensions, so this may differ from the setupssl script.

The serial number I'm using starts at 1. It doesn't really matter, as long as they are all unique.

1. Create a certificate database.

# cd /opt/fedora-ds/alias
# ../shared/bin/certutil -N -d .

2. Generate your self-signed CA

# ../shared/bin/certutil -S -d . -n 'CA Certificate' -s 'cn=CAcert' -x -t CTu,CTu,CTu -g 1024 -m 1 -v 120 -2 -1 -5

(type in a bunch of characters)

You will answer:

5 - Cert signing key
9 - finish
n - not a critical extension
y - yes CA cert
10 - path length
y - critical extension
5 - SSL CA
6 - SSL S/MIME CA
7 - Object Signing CA
9 - finish
n - not a critical extension

3. Generate server key and certificate for server #1

# ../shared/bin/certutil -R -d . -s 'CN=hostname.example.com,ou=Fedora Directory Server' -o tmpcertreq -g 1024
# ../shared/bin/certutil -C -d . -c "CA Certificate" -i tmpcertreq -o tmpcert.der -m 3 -v 120 -1 -5

You will answer:

2 - Key encipherment
9 - finish
n - not a critical extension
1 - SSL server
9 - finish
n - not a critical extension

4. Import the server certificate

# ../shared/bin/certutil -A -d . -n "host.example.com" -t u,u,u -i tmpcert.der
# rm tmpcert.der
# rm tmpcertreq

5. Generate server key and certificate for server #2

# ../shared/bin/certutil -R -d . -s 'CN=hostname2.example.com,ou=Fedora Directory Server' -o tmpcertreq -g 1024
# ../shared/bin/certutil -C -d . -c "CA Certificate" -i tmpcertreq -o tmpcert.der -m 4 -v 120 -1 -5

You will answer:

2 - Key encipherment
9 - finish
n - not a critical extension
1 - SSL server
9 - finish
n - not a critical extension

6. Import the server certificate

# ../shared/bin/certutil -A -d . -n "host2.example.com" -t u,u,u -i tmpcert.der
# rm tmpcert.der
# rm tmpcertreq

7. List your certs:
# ../shared/bin/certutil -L -d .
CA certificate                                               CTu,Cu,Cu
host.example.com                                             u,u,u
host2.example.com                                            u,u,u

8. Verify your certificates just to be sure:

# ../shared/bin/certutil -V -u V -d . -n host.example.com
certutil-bin: certificate is valid
# ../shared/bin/certutil -V -u V -d . -n host2.example.com
certutil-bin: certificate is valid

Now you have one certificate database with a self-signed CA and 2 server certificates. Now just copy this database to server #2.

If you want you can remove the extra server cert from each of the database, so on server #1 you would do:

# ../shared/bin/certutil -D -d . -n "host2.example.com"

And on server #2 you would do:

# ../shared/bin/certutil -D -d . -n "host.example.com"

Now you can rename the database with your prefix and away you go.

Create a pin file if you want.

And finally, double check the file permissions! The database(s) need to be owned by the user that the server runs as and permissions should be 600.

Hope this helps.

rob

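The procedure in rob's steps 1 through 8, as an added non-interactive script (not rob's script, not the setupssl script, and not part of the original thread). It assumes certutil is on PATH (or set CERTUTIL=/opt/fedora-ds/shared/bin/certutil), an NSS build whose certutil accepts the --keyUsage, --extKeyUsage and -8 options, and the example hostnames from the thread. Password and noise files are passed on purpose to show they do not make two certificates collide; the only thing that must differ between certs from the same CA is the -m serial, which this script hands out from a counter file so it can never be reused by mistake.

```sh
#!/bin/sh
# Added example, not the original poster's or the project's code.
# Assumes: certutil on PATH (or CERTUTIL=...), NSS certutil with
# --keyUsage/--extKeyUsage/-8, and the thread's example hostnames.
set -eu

CERTUTIL="${CERTUTIL:-certutil}"
DB="${NSSDB:-./nssdb}"
PWFILE="$DB/pwdfile.txt"
NOISE="$DB/noise.txt"
SERIAL_FILE="$DB/serial"

# NSS indexes certificates by issuer+serial, so every cert signed by
# 'CA Certificate' needs a distinct -m value. Hand them out from a
# counter file instead of typing numbers by hand.
next_serial() {
    _sf="${1:-$SERIAL_FILE}"
    _n=0
    [ -f "$_sf" ] && _n=$(cat "$_sf")
    _n=$((_n + 1))
    printf '%s\n' "$_n" > "$_sf"
    printf '%s\n' "$_n"
}

init_db() {
    umask 077                            # key material and pin file: owner-only
    mkdir -p "$DB"
    printf '%s\n' "$1" > "$PWFILE"       # pin; reusing it on both servers is fine
    head -c 1024 /dev/urandom > "$NOISE" # only seeds the keygen PRNG
    "$CERTUTIL" -N -d "$DB" -f "$PWFILE"
}

make_ca() {
    # -2 (basic constraints) still prompts; piped answers:
    # CA = y, path length = (none), critical = y
    printf 'y\n\ny\n' | "$CERTUTIL" -S -d "$DB" -f "$PWFILE" -z "$NOISE" \
        -n 'CA Certificate' -s 'cn=CAcert' -x -t 'CT,C,C' \
        -g 2048 -m "$(next_serial)" -v 120 -2 \
        --keyUsage critical,certSigning,crlSigning
}

issue_server_cert() {
    host="$1"
    req="$DB/$host.req"
    der="$DB/$host.der"
    "$CERTUTIL" -R -d "$DB" -f "$PWFILE" -z "$NOISE" -g 2048 \
        -s "CN=$host,ou=Fedora Directory Server" -o "$req"
    "$CERTUTIL" -C -d "$DB" -f "$PWFILE" -c 'CA Certificate' \
        -i "$req" -o "$der" -m "$(next_serial)" -v 120 \
        --keyUsage digitalSignature,keyEncipherment \
        --extKeyUsage serverAuth -8 "$host"
    "$CERTUTIL" -A -d "$DB" -n "$host" -t 'u,u,u' -i "$der"
    rm -f "$req" "$der"
}

# certutil -V prints "certificate is valid"; older builds exit 0 even on
# failure, so grep the message instead of trusting the exit status.
verify_cert() {
    "$CERTUTIL" -V -d "$DB" -n "$1" -u V 2>&1 | grep -q 'certificate is valid'
}

build_all() {
    init_db "$1"
    make_ca
    issue_server_cert hostname.example.com
    issue_server_cert hostname2.example.com
    "$CERTUTIL" -L -d "$DB"
    verify_cert hostname.example.com
    verify_cert hostname2.example.com
    chmod 600 "$DB"/*.db "$PWFILE"   # then chown to the server user
}

# Run the whole procedure only when invoked as: sh thisscript.sh --build <pin>
if [ "${1:-}" = "--build" ]; then
    build_all "${2:-changeme}"
fi
```

After it runs, copy the database directory to server #2 and delete the other host's certificate with certutil -D on each side, exactly as in the steps above; the counter file travels with the database, so any later certificate issued from either copy keeps getting a fresh serial.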

--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
