Howard Wilkinson wrote:
> We have a CA using our corporate certificate which we want to sign our certificates for the fedora-ds and clients.
> I am trying to work out how to do this. The setupssl2 script works fine in generating and installing a self-signed certificate on the server(s) but we now want to generate and sign using our CA.
> Does anybody have a set of instructions that would cover this case?

Do you have any instructions in general about generating cert requests and signing them with your CA? If so, then they would mostly apply. You would use certutil to generate your CSR (certutil -R) for your server, then create the server cert on your CA from the server CSR, then install the new server cert in your server's key/cert db using certutil (certutil -A for an ascii/pem cert).

> In particular I would like to understand when the use of certutil is mandatory and when it can be replaced with one or more openssl commands.

Anything which touches the key/cert databases (generate server cert request, add a cert) must use certutil. The other operations can be done with openssl.

> Eventually I would like to be able to configure the server using the setup-ds-admin script with a certificate already pre-generated by openssl quoted as the CACertificate parameter.

That will work fine for the SSL client side of things. But setup-ds-admin cannot generate a server cert request, wait for the new cert to be issued, and install the new server cert.

> One complication to all of this is that we need to assign a number of SubjectAltNames to the certificates so that a server may have multiple identities!

Sure. When you generate your cert request using certutil -R, use the -8 argument to specify the subject alt names. See also http://directory.fedoraproject.org/wiki/Howto:SSL#Using_Subject_Alt_Name
> Regards, Howard
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
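The certutil -R / CA-signing / certutil -A flow described in the reply above, written out as an added example (not code from the thread or from the Fedora DS project). It assumes NSS certutil and openssl on PATH, a CA key and cert in the placeholder files ca.key and ca.crt, and an NSS db directory that already holds the pwdfile.txt and noise.txt files setupssl2 creates; it also shows the one catch the reply does not spell out: openssl x509 -req drops the CSR's subjectAltName unless the CA side re-states it in an extension file.

```shell
#!/bin/sh
# Added example: issue a Fedora DS server cert from an internal openssl CA
# while the private key stays inside the server's NSS key/cert db.
# Placeholders (assumptions, not from the thread): ca.key, ca.crt,
# "O=Example Corp", and the pwdfile.txt / noise.txt names from setupssl2.
set -eu

# Join hostnames into the comma-separated list that certutil -8 expects.
san_arg() {
    out=""
    for h in "$@"; do out="${out:+$out,}$h"; done
    printf '%s' "$out"
}

# openssl x509 -req does NOT copy subjectAltName out of the CSR, so the CA
# must restate the names; without this the issued cert has no SANs at all.
san_extfile() {
    names=""
    for h in "$@"; do names="${names:+$names,}DNS:$h"; done
    printf '[v3_req]\nsubjectAltName = %s\nextendedKeyUsage = serverAuth\n' "$names"
}

# Usage: issue_server_cert <nssdb-dir> <nickname> <primary-host> [alt-host ...]
issue_server_cert() {
    db=$1; nick=$2; shift 2
    primary=$1
    # 1. Key pair + PEM CSR generated inside the NSS db (certutil is mandatory here).
    certutil -R -d "$db" -f "$db/pwdfile.txt" -z "$db/noise.txt" \
        -s "CN=$primary,O=Example Corp" -8 "$(san_arg "$@")" -a -o "$nick.csr"
    # 2. Sign on the CA side; plain openssl is fine for this step.
    san_extfile "$@" > "$nick.ext"
    openssl x509 -req -in "$nick.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 365 -extfile "$nick.ext" -extensions v3_req -out "$nick.crt"
    # 3. Import the CA cert and the issued server cert (certutil again).
    certutil -A -d "$db" -n "CA certificate" -t "CT,," -a -i ca.crt
    certutil -A -d "$db" -n "$nick" -t "u,u,u" -a -i "$nick.crt"
    # 4. Check the chain validates for SSL-server use and the SANs survived.
    certutil -V -d "$db" -n "$nick" -u V
    openssl x509 -in "$nick.crt" -noout -ext subjectAltName
}
```

Run it as, for instance, `issue_server_cert /etc/dirsrv/slapd-example Server-Cert ldap.example.com ldap2.example.com`; the nickname must match the one configured in cn=RSA,cn=encryption,cn=config.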