I was able to dig out that portion of the plan from our internal docs:

We need to import the CA cert into the database of the centos-idm-console user, i.e., the user running the GUI. In their home directory is a .centos-idm-console. Enter that directory and issue the following command (assuming it is running on the same computer as the admin-server - otherwise change the CA cert source appropriately):

certutil -A -d . -n "CA certificate" -t "CT,," -a -i /etc/dirsrv/admin-serv/CA.pem

Close the centos-idm-console if it is still running. Reopen it but be sure to change the login Administration URL to https://ldap1.mycompany.com:9830 rather than http.

On Wed, 2009-06-17 at 10:46 -0400, John A. Sullivan III wrote:
> I believe we encountered this problem, too, and found we needed to
> import the CA cert into the nss database for the user running
> centos-idm-console. The details are in that long, long post - John
>
> On Wed, 2009-06-17 at 09:12 -0500, Doug Coats wrote:
> > Thanks Dave - that worked.
> >
> > I am still having some problem with the certificates though.
> >
> > If I try this in the directory where the certificates are:
> >
> > openssl s_client -connect localhost:636 -CAfile filename
> >
> > I get a listing of the certificates without errors.
> >
> > If I try:
> >
> > ldapsearch -H ldaps://localhost:636
> >
> > ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
> > additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> >
> > If I start the console using:
> >
> > centos-idm-console -a https://127.0.0.1:9830
> >
> > I have to "Accept" the certificate each time.
> >
> > It looks like there may be some problem with the certificate or some
> > setting in DS that still needs to be switched on.
> >
> > What do you think?
> >
> > Thanks again for all of your help!
> >
> > On Wed, Jun 17, 2009 at 7:58 AM, David (Dave) Donnan <david.donnan@xxxxxxxxxxxxxxx> wrote:
> > Hello. I think I understand the problem.
> >
> > I copied the CA cert locally to /tmp/CAcert.txt
> >
> > I then ran 'system-config-authentication' and used a URL like
> > the following (where it says 'Download CA Certificate'):
> >
> > file:///tmp/CAcert.txt
> >
> > It's a lazy man's approach but it worked.
> >
> > Cdlt, Dave
> > --------
> >
> > And John A. Sullivan III wrote:
> > > On Tue, 2009-06-16 at 19:25 -0500, Doug Coats wrote:
> > > > So my next hurdle I am tackling SSL certificates. I produced
> > > > self-signed certificates and have installed them through the
> > > > Management Console. I can run the Management Console using a secure
> > > > connection.
> > > >
> > > > Linux uses DS to authenticate (configured using System >
> > > > Administration > Authentication and enabling LDAP support). If I try
> > > > to "Use TLS to encrypt connection" I can't program a URL that will let
> > > > me download the CA Certificate successfully. I hope that all made
> > > > sense.
> > > >
> > > > Am I missing something? Do I need this?
> > > >
> > > <snip>
> > >
> > > Sorry, I don't quite follow. I know it was a difficult-to-follow post
> > > but I did post how we set up SSL communications including the client
> > > side setup. We simply copied the CA cert to the clients (servers using
> > > LDAP for authentication) via scp - John
> > >
> > --
> > 389 users mailing list
> > 389-users@xxxxxxxxxx
> > https://www.redhat.com/mailman/listinfo/fedora-directory-users
> >
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@xxxxxxxxxxxxxxxxxxx
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
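The thread turns on two things: a client only trusts the Directory Server certificate once the CA cert is in the trust store that particular client reads (the NSS database for the console, which is what the certutil -A line above fills), and a hostname in the certificate that does not match what the client connected to (ldap1.mycompany.com in the cert, localhost or 127.0.0.1 on the command line) is rejected independently of the CA question. The script below is an added example, not code from the thread or from the 389 project: it builds a throwaway CA and server certificate with openssl, reproduces the "works with -CAfile, fails without" behaviour Doug saw, shows the hostname check, and then runs the same certutil -A import against a fresh NSS database. The CA name, the hostname ldap1.example.com and the working directory are all made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the 389-users thread). Needs openssl 1.1.0+;
# the NSS step runs only if certutil (libnss3-tools) is installed.
set -u

WORK="${WORK:-$(mktemp -d)}"       # scratch directory (hypothetical)
CA_CN="Example Test CA"            # hypothetical CA name
SERVER_NAME="ldap1.example.com"    # hypothetical LDAP host named in the cert

# make_test_pki: write ca.pem/ca.key and server.pem/server.key into $WORK.
# Idempotent, so it can be called more than once.
make_test_pki() {
    [ -f "$WORK/server.pem" ] && return 0
    cat > "$WORK/req.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[dn]
CN = $CA_CN
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    # Self-signed CA. -config keeps us independent of the system openssl.cnf.
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
        -config "$WORK/req.cnf" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null || return 1
    # Server key and CSR; -subj overrides the [dn] section from req.cnf.
    openssl req -new -newkey rsa:2048 -nodes \
        -config "$WORK/req.cnf" -subj "/CN=$SERVER_NAME" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null || return 1
    # Leaf extensions: not a CA, and the hostname as a SAN.
    printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:%s\n' "$SERVER_NAME" \
        > "$WORK/server_ext.cnf"
    openssl x509 -req -days 1 -in "$WORK/server.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/server_ext.cnf" -out "$WORK/server.pem" 2>/dev/null || return 1
}

# verify_with_ca: what "openssl s_client -CAfile" does under the hood.
verify_with_ca() {
    openssl verify -CAfile "$WORK/ca.pem" "$WORK/server.pem" >/dev/null 2>&1
}

# verify_without_ca: no trust anchor at all, which is the situation of a
# client (ldapsearch, the console) that was never told about the CA.
verify_without_ca() {
    openssl verify -no-CAfile -no-CApath "$WORK/server.pem" >/dev/null 2>&1
}

# verify_hostname NAME: trust the CA but also require that NAME matches the
# certificate, as a TLS client does with the host it was asked to connect to.
verify_hostname() {
    openssl verify -CAfile "$WORK/ca.pem" -verify_hostname "$1" \
        "$WORK/server.pem" >/dev/null 2>&1
}

# import_into_nss: the thread's certutil -A command against a fresh NSS
# database in $WORK/nssdb. Returns 0 on import, 1 on error, 2 if no certutil.
import_into_nss() {
    command -v certutil >/dev/null 2>&1 || return 2
    mkdir -p "$WORK/nssdb" && : > "$WORK/pw.txt"      # empty DB password
    certutil -N -d "$WORK/nssdb" -f "$WORK/pw.txt" >/dev/null 2>&1 || return 1
    certutil -A -d "$WORK/nssdb" -n "CA certificate" -t "CT,," -a \
        -i "$WORK/ca.pem" || return 1
    # Confirm the nickname and the CT,, trust flags actually landed.
    certutil -L -d "$WORK/nssdb" | grep -q 'CA certificate.*CT,,'
}

demo() {
    make_test_pki || { echo "could not build the test PKI"; return 1; }
    if verify_with_ca;    then echo "with CA file:    OK (like s_client -CAfile)"; fi
    if verify_without_ca; then echo "without CA file: unexpectedly OK"
    else echo "without CA file: certificate verify failed (like ldapsearch with no CA configured)"; fi
    if verify_hostname "$SERVER_NAME"; then echo "hostname $SERVER_NAME: matches"; fi
    if verify_hostname localhost; then echo "hostname localhost: matches"
    else echo "hostname localhost: mismatch, a client aimed at localhost/127.0.0.1 still rejects or prompts"; fi
    rc=0; import_into_nss || rc=$?
    case "$rc" in
        0) echo "NSS: CA imported into $WORK/nssdb with trust CT,," ;;
        2) echo "NSS: certutil not installed, import step skipped" ;;
        *) echo "NSS: certutil import failed" ;;
    esac
}

[ "${RUN_DEMO:-1}" = 1 ] && demo
```

Run it as-is to see all four outcomes in one go. On the OpenLDAP side the equivalent of -CAfile is the TLS_CACERT (or TLS_CACERTDIR) setting in /etc/openldap/ldap.conf or ~/.ldaprc; without it ldapsearch has no trust anchor, which matches the "certificate verify failed" Doug reported while s_client -CAfile succeeded. The hostname check is the other half: a cert issued for ldap1.mycompany.com will never satisfy a client connecting to localhost, so use the name in the certificate (as the top of the thread does with https://ldap1.mycompany.com:9830) rather than 127.0.0.1.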