Re: certutil: generating new .db files for server


Brian Jones wrote:
> Hi all,
>
> I'm generating new *.db files for my server, where I will install a new root
> CA and a new server cert (new *.db files allow me to easily test and back
> out). I have a couple of questions about *.db files and how FDS uses them:

> 1. When I use certutil -N to create the new db files, is the value I give to
> the '-P' flag arbitrary, or does the server look for a specific value based
> on instance name or something? I have new files called 'slapd-ldap-cert8.db'
> and 'slapd-ldap-key3.db', because I thought this prefix value was arbitrary,
> but FDS fails to start because it says that files
> 'slapd-ldap-testbox-cert8.db' and 'slapd-ldap-testbox-key3.db' are missing.
> Those are the *old* db file names.

By default the prefix needs to match the FDS instance name. Because the database files are stored in a common directory a way was needed to discretely name them, hence the prefix.


> 2. Related to 1, how do I (from the command line) change what files FDS
> looks for? Is this possible? Recommended?

I've never done this but a cursory look at the code found nsCertfile and nsKeyfile. I guess in theory you could change those values (stored in LDAP, of course) and point to new key/cert files. I grepped them out of dse.ldif to see the current settings.


> 3. Is it true that I cannot reuse a signed server certificate in a newly
> created database, even if the new database has the same root CA installed as
> the old one? Do I need to generate a request every time I run certutil -N?

The signed certificate is only half of what you need. You also need the private key. Without more information on what you're trying to do I can't really make a recommendation.


> 4. Are there other rules that these files have to conform to in order for
> the server to start up? Are there docs on this that I've missed? Links? I've
> seen the Mozilla NSS docs, but they're mostly for developers (except for the
> decent certutil reference), and the RHDS docs do everything from the GUI as
> far as I've seen.


From the perspective of the command-line utilities, they couldn't care less what the files are named as long as they end in cert8.db and key3.db. The prefix flag (-P) lets you set arbitrary data before that.

For a bit more detail on how NSS is initialized, look at the function slapd_nss_init() at http://cvs.fedora.redhat.com/lxr/dirsec/source/ldapserver/ldap/servers/slapd/ssl.c

It looks like the only thing hardcoded is the directory where the files are located, server-root/alias. But like I said, I've never tried renaming those files in the DS. I just wonder if this would cause confusion in the future, or with the console.

rob

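As an added example (not code from this thread, nor from the FDS/NSS projects), the following POSIX shell helpers tie the points above together: the default prefix is "slapd-<instance>-", the files must end in cert8.db and key3.db, and the names the server actually looks for are the nsCertfile/nsKeyfile values in dse.ldif. Assumptions not stated on the page: the dse.ldif values are written as "alias/<file>" (only the basename is compared here), and certutil is the one shipped in nss-tools, invoked with its documented -N, -d, -P and -f flags.

```shell
#!/bin/sh
# Added example (not from the thread): work out which NSS database files an
# FDS instance will look for, check that they exist, read what dse.ldif is
# configured with, and create a fresh pair with certutil -N.

# Default names: "slapd-<instance>-" + cert8.db / key3.db. A second argument
# (the value you would give certutil -P) overrides the default prefix.
nss_db_names() {
    instance=$1
    prefix=${2:-"slapd-$instance-"}
    printf '%scert8.db %skey3.db\n' "$prefix" "$prefix"
}

# Return 0 if both files exist under the alias directory, 1 otherwise
# (this is the check that fails at startup in the question above).
check_nss_db() {
    dir=$1; shift
    names=$(nss_db_names "$@")
    for f in $names; do
        if [ ! -f "$dir/$f" ]; then
            echo "missing: $dir/$f" >&2
            return 1
        fi
    done
    return 0
}

# Read nsCertfile / nsKeyfile out of a dse.ldif and print "<cert> <key>".
# Assumption: values look like "alias/slapd-foo-cert8.db"; only the basename
# is printed so it can be compared with nss_db_names output.
configured_nss_files() {
    ldif=$1
    cert=$(sed -n 's/^nsCertfile: *//p' "$ldif" | head -n 1)
    key=$(sed -n 's/^nsKeyfile: *//p' "$ldif" | head -n 1)
    printf '%s %s\n' "${cert##*/}" "${key##*/}"
}

# Create an empty cert8.db/key3.db pair. certutil itself accepts any prefix;
# only the server's configuration cares what it is. The password file holds
# the new database password (keep it mode 0600).
create_nss_db() {
    dir=$1; prefix=$2; pwfile=$3
    command -v certutil >/dev/null 2>&1 || { echo "certutil not installed" >&2; return 2; }
    certutil -N -d "$dir" -P "$prefix" -f "$pwfile"
}

# Typical use: compare what the server is configured for with what is on disk.
#   configured_nss_files /opt/fedora-ds/slapd-ldap-testbox/config/dse.ldif
#   check_nss_db /opt/fedora-ds/alias ldap-testbox
#   create_nss_db /opt/fedora-ds/alias slapd-ldap-testbox- /root/nss-pw.txt
```

If check_nss_db reports a missing file, either rename the new pair to the prefix the server expects or change nsCertfile/nsKeyfile to match; a mismatch between the two is exactly the startup failure described in question 1.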

--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
