Susan wrote:
setupssl.sh was created in order to create only 3 certs - the initial CA cert, the initial DS cert, and the initial AS cert. It uses Server-Cert for DS and server-cert for AS because that is what the defaults are for those servers. If you do not use those names (and the server cannot automatically discover an appropriate cert to use), you will have to change the server SSL configuration.I was looking through the script from the wiki and I saw this line: ../shared/bin/certutil -S -n "Server-Cert" -s "cn=$myhost,ou=Fedora Directory Server" ..... Wouldn't it be better to change that to -n "`hostname`" or something like that because when you create certs for multiple servers, they all end up being called Server-Cert which causes confusion. What do you guys think?
There needs to be a script that you can use to generate multiple key/cert pairs for multiple hosts, using your CA key/cert.
One solution would be to change setupssl.sh to accept a list of FQDNs for which to create DS and AS certs. Then you could just create all of the key/cert databases at once, and just copy them to the /opt/fedora-ds/alias directory on each machine.
Another solution would be to change setupssl.sh to be run on each machine. The first time you run it on your first machine, it would create a key/cert db for the CA only in addition to key/cert dbs for the DS and the AS. Then you would just copy the CA key/cert db and the setupssl.sh script to each machine and run it there.
__________________________________________________ Do You Yahoo!?Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com-- Fedora-directory-users mailing list Fedora-directory-users@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-directory-users
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
-- Fedora-directory-users mailing list Fedora-directory-users@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-directory-users
