Re: [389-users] advice on ssl cert rotation

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



I use the following command.

certutil -A -n 'certname' -t 'u,,' -d . -i certfile.pem

If you change the cert database it has been my expierence that you need to restart the admin or dir server depending on which db you changed as the changes don't get re-read after startup.

Regards


> -----Original Message-----
> From: 389-users-bounces@xxxxxxxxxxxxxxxxxxxxxxx [mailto:389-users-
> bounces@xxxxxxxxxxxxxxxxxxxxxxx] On Behalf Of Rob Crittenden
> Sent: 02 March 2011 04:48
> To: General discussion list for the 389 Directory server project.
> Subject: Re: [389-users] advice on ssl cert rotation
> 
> Christopher Wood wrote:
> > You can use certutil to manually modify the cert stores. If you installed via
> rpm this will already be on your systems.
> >
> > Not at my work systems so I don't recall which package it's in.
> 
> nss-tools.
> 
> Do you already have the new certificate? If you have it in PKCS#12 format
> then you can use pk12util to load it into the appropriate NSS database (I'm
> not sure where the admin server db is, you should be able to find it in the
> admin server configuration).
> 
> If you have an updated certificate in the 389-ds NSS database under a
> different nickname and you just need to tell it to use the new one you can
> edit /etc/dirsrv/slapd-INSTANCE/dse.ldif and tell it the nickname to use.
> Look for nsSSLPersonalitySSL
> 
> rob
> 
> > On Tue, Mar 01, 2011 at 07:27:53PM -0800, jon heise wrote:
> >>     Recently i had ssl certs expire on my directory servers, currently i have
> >>     one running without using an ssl cert, the secondary server is still set
> >>     to use the old cert and as such it is not functioning.  On the primary
> >>     server the admin server has been set to use a new self signed cert but
> we
> >>     are locked out of that.  Is there a way to change what cert the ldap
> >>     server will load without the use of the admin server ?
> >
> >> --
> >> 389 users mailing list
> >> 389-users@xxxxxxxxxxxxxxxxxxxxxxx
> >> https://admin.fedoraproject.org/mailman/listinfo/389-users
> >
> > --
> > 389 users mailing list
> > 389-users@xxxxxxxxxxxxxxxxxxxxxxx
> > https://admin.fedoraproject.org/mailman/listinfo/389-users
> 
> --
> 389 users mailing list
> 389-users@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/389-users

________________________________________________________________________
In order to protect our email recipients, Betfair Group use SkyScan from 
MessageLabs to scan all Incoming and Outgoing mail for viruses.

________________________________________________________________________
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users


[Index of Archives]     [Fedora Directory Users]     [Fedora Directory Devel]     [Fedora Announce]     [Fedora Legacy Announce]     [Kernel]     [Fedora Legacy]     [Share Photos]     [Fedora Desktop]     [PAM]     [Red Hat Watch]     [Red Hat Development]     [Big List of Linux Books]     [Gimp]     [Yosemite News]

  Powered by Linux