Ryan Braun wrote:
> On Friday 21 September 2007 16:37, Richard Megginson wrote:
> > Ryan Braun wrote:
> > > On Thursday 20 September 2007 21:36, George Holbert wrote:
> > > Ok so I managed to create a new certificate using subjectAltName
> > > extensions, and it works as advertised. I can run ldapsearches on
> > > eastldap on both eastldap0. Now my question is for generating certs for
> > > the other servers. Now that I have the CA cert on eastldap0, I would
> > > assume I need to install the CA on each additional server. Can I just
> > > copy and paste the cacert.asc into the manage certificate wizard?
> >
> > You cannot use the CA cert to generate server certs. You need the CA cert
> > and key. This CA key was created when you created your initial CA cert.
> > The CA key is stored in the key3.db which you initially created in steps
> > 5 and 6 here - http://directory.fedoraproject.org/wiki/Howto:SSL#Basic_Steps
> > I would suggest you create all of your server certs using this initial
> > CA cert and key.
> >
> > cd /opt/fedora-ds/alias
> > serialnumber=1002
> > for server in serverFQDN ; do
> >     ../shared/bin/certutil -d . -S -n "Server-Cert-$server" \
> >         -s "cn=$server,ou=Fedora Directory Server" -c "CA certificate" \
> >         -t "u,u,u" -m $serialnumber -v 120 -d . -z noise.txt -f pwdfile.txt
> >     # each cert must have a unique serial number
> >     serialnumber=`expr $serialnumber + 1`
> >     # export the new server cert+key
> >     ../shared/bin/pk12util -d . -o $server.p12 -n "Server-Cert-$server" \
> >         -k pwdfile.txt -w pwdfile.txt
> > done
>
> Rather than run the script, I tried to run it for one example first
>
> eastldap0:/opt/fedora-ds/alias# ../shared/bin/certutil -d . -S -n "Server-Cert-eastldap1" -s "cn=eastldap1.test.com" -c "CA certificate" -t "u,u,u" -m 2000 -v 120 -8 eastldap.test.com,eastldap,eastldap1 -d . -z noise.txt -f pwdfile.txt
> Generating key.  This may take a few moments...
> eastldap0:/opt/fedora-ds/alias# ../shared/bin/pk12util -d . -o ywgldap1.isb.ec.gc.ca.p12 -n "Server-Cert-ywgldap1" -k pwdfile.txt -w pwdfile.txt
> pk12util-bin: PKCS12 EXPORT SUCCESSFUL
>
> So at this point I had the .p12 file and the existing cacert.asc created, and sent them over to eastldap1.
>
> > For all of the commands listed above, you may have to specify -P slapd-instance- if you are not using cert8.db and key3.db.
> > Then, copy each file $server.p12 to that $server, along with the cacert.asc file.
> > Then, on each server:
> >
> > cd /opt/fedora-ds/alias
> > ../shared/bin/pk12util -d . -P slapd-instance- -i $server.p12 -w pwdfile.txt -k pwdfile.txt
> > # the -w argument is the file containing the password used to encrypt the .p12 file
> > # the -k argument is the file containing the password for the new key database
> > # you may use a different password for -k here - this is the same password used
> > # in your slapd-instance-pin.txt file
> > ../shared/bin/certutil -A -d . -P slapd-instance- -n "CA certificate" -t "CT,," -a -i cacert.asc
> > # this imports your CA cert
>
> Now the importing,
>
> eastldap1:/opt/fedora-ds/alias# ../shared/bin/pk12util -d . -P slapd-eastldap1- -i eastldap1.test.com.p12 -w pwdfile-0.txt -k pwdfile.txt
> pk12util-bin: PKCS12 IMPORT SUCCESSFUL
> ywgldap1:/opt/fedora-ds/alias# ../shared/bin/certutil -A -d . -P slapd-eastldap1- -n "CA certificate" -t "CT,," -a -i cacert.asc
>
> Send over enable ssl ldif
>
> ryan@infinity:~/fds-tools$ ldapmodify -x -h eastldap1 -D "cn=directory manager" -W -f ssl_enable.ldif
> Enter LDAP Password:
> modifying entry "cn=encryption,cn=config"
> modifying entry "cn=config"
> ryan@infinity:~/fds-tools$ ldapmodify -x -h eastldap1 -D "cn=directory manager" -W -f addrsa.ldif
> Enter LDAP Password:
> adding new entry "cn=RSA,cn=encryption,cn=config"
>
> But when I restart slapd on eastldap1
>
> Enter PIN for Internal (Software) Token:
> [21/Sep/2007:17:52:33 +0000] - SSL alert: Security Initialization: Can't find certificate (Server-Cert) for family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)
> [21/Sep/2007:17:52:33 +0000] - SSL alert: Security Initialization: Unable to retrieve private key for cert Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)
> [21/Sep/2007:17:52:33 +0000] - SSL failure: None of the cipher are valid
>
> Did I miss importing a private key from somewhere? Do I need to use the cacert.pfx I created in the basic steps?

No. I think the problem is that the name of the server cert in the cert db is Server-Cert-$server not Server-Cert. I thought there was an option to pk12util to import it and rename it, but apparently not. To find out what the server cert name is:

cd /opt/fedora-ds/alias
../shared/bin/certutil -L -d . -P slapd-eastldap1-

I'm assuming it will be Server-Cert-$server. Unless someone knows an easy way to rename it, you can just tell slapd to use the new name.

stop-slapd
edit dse.ldif - look for Server-Cert and change it to whatever the actual name of your server cert is (Server-Cert-$server)
save and start-slapd

> Thanks
> Ryan
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
<<attachment: smime.p7s>>
-- Fedora-directory-users mailing list Fedora-directory-users@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-directory-users
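The fix Richard describes at the end of his reply (list the nicknames in the NSS db, then point the cn=RSA,cn=encryption,cn=config entry at the real one) can be scripted so the two failure modes in Ryan's log are told apart: a nickname mismatch versus a private key that really is missing from key3.db. The script below is an added example, not code from the thread or from the Fedora DS project. It assumes the NSS db lives in /opt/fedora-ds/alias with the db prefix slapd-eastldap1-, that certutil is at ../shared/bin/certutil as in the thread, that the RSA family's certificate nickname is stored in the nsSSLPersonalitySSL attribute of dse.ldif, and that dse.ldif sits under /opt/fedora-ds/slapd-eastldap1/config/ (an assumed path). The dse.ldif fragment it runs on is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread or the Fedora DS project. It automates the
# last step of Richard's reply: find the real nickname of the imported server
# cert, confirm the key db holds its private key, and point
# cn=RSA,cn=encryption,cn=config at that nickname. Paths, prefix and host
# names are assumptions.

ALIAS_DIR=/opt/fedora-ds/alias                 # NSS db directory (assumed)
CERTUTIL=$ALIAS_DIR/../shared/bin/certutil     # certutil as shipped with FDS (assumed)

# Nickname of the first cert in the db whose nickname starts with Server-Cert.
# certutil -L prints one "nickname  trust-flags" line per cert after a header.
server_cert_nick() {
    # $1 = db dir, $2 = db prefix such as slapd-eastldap1-
    "$CERTUTIL" -L -d "$1" -P "$2" | awk '$1 ~ /^Server-Cert/ { print $1; exit }'
}

# Succeeds if certutil -K (list private keys) shows a key for nickname $3.
# This is the check that separates a missing key from a mere nickname mismatch:
# the pk12util import above brought the key along, so this should succeed.
has_private_key() {
    # $1 = db dir, $2 = db prefix, $3 = nickname, $4 = file holding the token PIN
    "$CERTUTIL" -K -d "$1" -P "$2" -f "$4" | grep -q -- "$3"
}

# Rewrite nsSSLPersonalitySSL inside the cn=RSA,cn=encryption,cn=config entry
# only; every other line of the LDIF passes through unchanged. Reads $1, writes stdout.
fix_rsa_family() {
    # $1 = path to dse.ldif, $2 = nickname slapd should use
    awk -v nick="$2" '
        /^dn: / { in_rsa = (tolower($0) == "dn: cn=rsa,cn=encryption,cn=config") }
        in_rsa && /^nsSSLPersonalitySSL: / { print "nsSSLPersonalitySSL: " nick; next }
        { print }
    ' "$1"
}

# Stand-alone demonstration on a constructed dse.ldif fragment; needs no server
# and no certutil. On a real server, with slapd stopped, you would run instead:
#   nick=$(server_cert_nick "$ALIAS_DIR" slapd-eastldap1-)
#   has_private_key "$ALIAS_DIR" slapd-eastldap1- "$nick" pwdfile.txt || echo "no key for $nick"
#   fix_rsa_family /opt/fedora-ds/slapd-eastldap1/config/dse.ldif "$nick" > dse.ldif.new
# and then move dse.ldif.new into place before start-slapd.
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption

dn: cn=RSA,cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionModule
cn: RSA
nsSSLToken: internal (software)
nsSSLPersonalitySSL: Server-Cert
nsSSLActivation: on
EOF
    fix_rsa_family "$tmp" "Server-Cert-eastldap1"
    rm -f "$tmp"
}

demo
```

Only the RSA family entry is touched: a Server-Cert value in any other entry is left alone, so the edit cannot accidentally rename something else. If has_private_key fails for the nickname certutil -L reports, the .p12 was exported without its key (or imported into a different key db than the one the -P prefix selects) and renaming in dse.ldif will not help; re-run the pk12util import with the right prefix instead.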