Re: certutil: generating new .db files for server

Brian Jones wrote:
Hi Rob, thanks for the reply. I've clarified inline:

On 7/10/06, Rob Crittenden <rcritten@xxxxxxxxxx> wrote:

Brian Jones wrote:

> 3. Is it true that I cannot reuse a signed server certificate in a newly
> created database, even if the new database has the same root ca
> installed as
> the old one? I need to generate a request every time I run certutil -N?

The signed certificate is only half of what you need. You also need the
private key. Without more information on what you're trying to do I
can't really make a recommendation.



Right, I know I need the root ca and the server cert (signed by said root
ca) both installed in the db. What I'm doing is this:

I have /opt/fedora-ds/alias set up as a symlink to alias-test1, alias-test2,
etc. I have a couple of these directories around for... um.... testing :)

What I want to confirm is whether or not I can use, for example, the cert
request I generated (using certutil -R) for the db files in alias-test1 for
the new db files created in alias-test2.

Ok, so what you want to do is issue the certificate once, then perhaps move it to other directories? If so here is what you do:

1. Generate a new database (or use an existing one, it doesn't really matter).
2. Generate your Certificate Server Request (CSR)
3. Sign this with your CA
4. Import the new server certificate into your database (certutil -A ...)
5. Export this server cert, which I've nicknamed Server-Cert, into a PKCS#12 file with:

pk12util -o server.p12 -n Server-Cert -P slapd-foo- -d alias

6. You can now import this into another certificate database with

pk12util -i server.p12 -n Server-Cert -P slapd-bar- -d alias-test1

The other alternative is to simply copy the database files between directories, but you'll pick up all certificates/keys rather than discretely copying a single cert/key combo.

rob
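The six steps above, carried through end to end as an added example (this is not code from the thread or from Fedora Directory Server; it only uses the certutil and pk12util commands Rob names). It builds a throwaway test CA so that signing can happen offline, issues the server certificate into alias-test1, and then moves Server-Cert together with its private key into a freshly created alias-test2 via a PKCS#12 file. All directory names, subjects, nicknames and passwords are constructed for the demo; the database prefix (-P) from Rob's commands is left out, since it is specific to his slapd instances.

```shell
#!/bin/sh
# Added example, not code from the thread: walks Rob's six steps with a
# throwaway test CA. Every name, path and password here is constructed.
set -eu

# Create a fresh NSS database in directory $1; its password is read from file $2.
init_db() {
    mkdir -p "$1"
    certutil -N -d "$1" -f "$2"
}

# Steps 1-4 in work dir $1: create the CA and the server database, generate
# the CSR (certutil -R), sign it with the CA (certutil -C), then import the
# signed cert (certutil -A) next to its private key under nickname Server-Cert.
# The CA cert goes into the server db too, because the server needs both the
# root CA and its own certificate, as the thread points out.
issue_server_cert() {
    w=$1
    printf 'test-db-password\n' > "$w/pw.txt"      # NSS db password (constructed)
    head -c 64 /dev/urandom > "$w/noise.bin"        # entropy for key generation

    init_db "$w/ca" "$w/pw.txt"
    init_db "$w/alias-test1" "$w/pw.txt"

    # Self-signed test CA; explicit serial so it never collides with the leaf.
    certutil -S -d "$w/ca" -f "$w/pw.txt" -z "$w/noise.bin" \
        -n "Test CA" -s "CN=Test CA,O=Example" -x -t "CT,C,C" -m 1 -v 12

    # Step 2: CSR for the server; the private key is created in alias-test1.
    certutil -R -d "$w/alias-test1" -f "$w/pw.txt" -z "$w/noise.bin" \
        -s "CN=ldap.example.com,O=Example" -g 2048 -a -o "$w/server.csr"

    # Step 3: sign the CSR with the CA's key.
    certutil -C -d "$w/ca" -f "$w/pw.txt" -c "Test CA" -m 2 -v 12 \
        -a -i "$w/server.csr" -o "$w/server.crt"

    # Step 4: import the CA cert and the signed server cert into alias-test1.
    certutil -L -d "$w/ca" -n "Test CA" -a > "$w/ca.crt"
    certutil -A -d "$w/alias-test1" -f "$w/pw.txt" -n "Test CA" -t "CT,," -a -i "$w/ca.crt"
    certutil -A -d "$w/alias-test1" -f "$w/pw.txt" -n "Server-Cert" -t ",," -a -i "$w/server.crt"
}

# Steps 5-6 in work dir $1: export Server-Cert with its key to PKCS#12 and
# import it into a second, freshly created database (alias-test2). The
# nickname travels inside the .p12 file, so pk12util -i needs no -n.
move_server_cert() {
    w=$1
    printf 'test-p12-password\n' > "$w/p12pw.txt"   # PKCS#12 password (constructed)
    pk12util -o "$w/server.p12" -n "Server-Cert" -d "$w/alias-test1" \
        -k "$w/pw.txt" -w "$w/p12pw.txt"
    init_db "$w/alias-test2" "$w/pw.txt"
    pk12util -i "$w/server.p12" -d "$w/alias-test2" -k "$w/pw.txt" -w "$w/p12pw.txt"
    # The root CA still has to be present in the new database as well.
    certutil -A -d "$w/alias-test2" -f "$w/pw.txt" -n "Test CA" -t "CT,," -a -i "$w/ca.crt"
}

# Returns 0 when database $1 holds both the certificate and the private key
# for nickname $2 (db password file $3), i.e. the move carried the key across
# and not just the public half.
has_cert_and_key() {
    certutil -L -d "$1" -n "$2" >/dev/null 2>&1 &&
    certutil -K -d "$1" -f "$3" 2>/dev/null | grep -q "$2"
}

WORK=""
if command -v certutil >/dev/null 2>&1 && command -v pk12util >/dev/null 2>&1; then
    WORK=$(mktemp -d)
    issue_server_cert "$WORK"
    move_server_cert "$WORK"
    if has_cert_and_key "$WORK/alias-test2" "Server-Cert" "$WORK/pw.txt"; then
        echo "Server-Cert and its private key are now in $WORK/alias-test2"
    fi
else
    echo "certutil/pk12util (NSS tools) not installed; nothing run" >&2
fi
```

The check at the end is the one worth keeping around: certutil -L only proves the certificate arrived, while certutil -K proves the private key did too, which is the half Rob points out is easy to lose when people shuffle certificates between databases. The .p12 file holds that private key, so treat it like one (tight permissions, delete it once the import is verified).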

--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users