[Fedora-directory-users] self signed certificates

Richard Megginson rmeggins at redhat.com
Thu Dec 8 20:27:53 UTC 2005


Craig White wrote:

>On Thu, 2005-12-08 at 13:00 -0700, Richard Megginson wrote:
>>Craig White wrote:
>>>Trying to follow instructions at 
>>>http://www.redhat.com/docs/manuals/dir-server/ag/7.1/ssl.html#1087158
>>>
>>>Step #8
>>>Copy the key3.db and cert8.db you created to the default databases
>>>created at Directory Server installation:
>>>
>>>where is this 'default databases'?
>>>
>>>/opt/fedora-ds/slapd-srv1/ ? # srv1 is name of my server
>>/opt/fedora-ds/alias/slapd-srv1-key3.db
>>/opt/fedora-ds/alias/slapd-srv1-cert8.db
>----
>OK - well that was where I created them...
>
># ls -l /opt/fedora-ds/alias/
>total 520
>-rw-------  1 nobody nobody  65536 Dec  8 12:55 admin-serv-srv1-cert8.db
>-rw-------  1 nobody nobody  16384 Dec  8 12:55 admin-serv-srv1-key3.db
>-rw-------  1 root   root    65536 Dec  8 11:18 cert8.db
>-rw-------  1 root   root     2644 Dec  8 11:18 cert.pk12
>-rw-------  1 root   root    16384 Dec  8 11:18 key3.db
>-rwxr-xr-x  1 root   nobody 194880 Nov 29 15:06 libnssckbi.so
>-rw-r--r--  1 root   root       55 Dec  8 11:09 noise.txt
>-rw-------  1 root   root        9 Dec  8 11:09 pwdfile.txt
>-rw-------  1 nobody nobody  16384 Dec  6 08:46 secmod.db
>-rw-------  1 nobody nobody  65536 Dec  8 10:55 slapd-srv1-cert8.db
>-rw-------  1 nobody nobody  16384 Dec  8 10:55 slapd-srv1-key3.db
>
>I didn't see them listed anywhere in the console.
Didn't see what listed anywhere in the console?

I think the directions mean "copy your new key3.db over 
slapd-srv1-key3.db and copy your new cert8.db over 
slapd-srv1-cert8.db".  When you do this, make sure slapd isn't running, 
and make sure you retain the old ownership and permissions of those 
files (e.g. nobody:nobody and 0600).  Slapd (uid nobody) has to open 
those files in read-write mode.

>I ended up doing this with openssl...
># first using console, I created a server csr (fedora-ds.csr)
>
>then...
>openssl req -config /usr/share/ssl/openssl.cnf -new -x509 \
>-days 3650 -key ca.key -out ca.cert
>openssl genrsa -out ldap.key 1024
>openssl req -config /usr/share/ssl/openssl.cnf -new -key ldap.key \
>-out ldap.csr
>openssl x509 -req -in ldap.csr -out ldap.cert -CA ca.cert \
>-CAkey ca.key -CAcreateserial -days 3650
>openssl x509 -req -in fedora-ds.csr -out fedora-ds.cert -CA ca.cert \
>-CAkey ca.key -CAcreateserial -days 3650
>cp ca.cert /etc/ssl
>
>Then using the console - in Administration console, Manage Certificates,
>CA Certs, I 'installed' the file ca.cert (it seemed happy)
>
>Then in Server Certs, I installed fedora-ds.cert (it seemed happy)
>
>I pretty much repeated the process of creating the signing request and
>signing it and generating another server cert and it seems to be happy
>too as now, it too lists the certificates both in the server certs and
>the CA certs.
>
>So I am pretty good to go right?
>
>Thanks
>
>Craig
>
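Added example, not code from this thread or from Fedora Directory Server. It puts two points from the exchange into a script: Richard's advice to copy the new key3.db/cert8.db over the slapd-srv1-* files only while slapd is stopped and without losing the nobody:nobody 0600 ownership and mode, and Craig's openssl flow (private CA, server key, CSR, signed certificate) followed by the check his "good to go?" question really needs, an `openssl verify` of the server certificate against the CA it was signed with. Assumptions not in the thread: GNU coreutils (`chown`/`chmod --reference`), a daemon process named ns-slapd, and 2048-bit RSA keys in place of the 1024-bit key the thread generates.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Assumes GNU coreutils,
# that the directory server process is named ns-slapd, and the alias
# directory layout shown in the thread (/opt/fedora-ds/alias/slapd-INST-*.db).
set -u

# replace_keeping_attrs SRC DST
# Copy SRC over DST without changing DST's owner, group or permission bits.
# The copy is staged beside DST and renamed into place, so the database is
# never left half-written or with root-only ownership that slapd (uid
# nobody) could not open read-write.
replace_keeping_attrs() {
    src=$1
    dst=$2
    [ -f "$src" ] || { echo "no such source file: $src" >&2; return 1; }
    [ -f "$dst" ] || { echo "no existing file to replace: $dst" >&2; return 1; }
    tmp="$dst.new.$$"
    cp "$src" "$tmp" || return 1
    chown --reference="$dst" "$tmp" || { rm -f "$tmp"; return 1; }
    chmod --reference="$dst" "$tmp" || { rm -f "$tmp"; return 1; }
    mv -f "$tmp" "$dst"
}

# install_slapd_dbs INSTANCE [ALIAS_DIR]
# Installs ALIAS_DIR/key3.db and ALIAS_DIR/cert8.db over
# ALIAS_DIR/slapd-INSTANCE-key3.db and ALIAS_DIR/slapd-INSTANCE-cert8.db.
install_slapd_dbs() {
    inst=$1
    alias_dir=${2:-/opt/fedora-ds/alias}
    # Refuse while the server is up: it holds the databases open read-write.
    # Process name ns-slapd is an assumption; adjust if your build differs.
    if pgrep -x ns-slapd >/dev/null 2>&1; then
        echo "ns-slapd is running; stop slapd-$inst before replacing its databases" >&2
        return 1
    fi
    for db in key3.db cert8.db; do
        replace_keeping_attrs "$alias_dir/$db" "$alias_dir/slapd-$inst-$db" || return 1
    done
}

# make_test_chain DIR CN
# Same openssl steps as the thread (self-signed CA, server key, CSR signed by
# the CA), then a chain check. Uses 2048-bit keys; -days kept at 3650.
make_test_chain() {
    dir=$1
    cn=$2
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null || return 1
    openssl req -new -x509 -days 3650 -key "$dir/ca.key" -out "$dir/ca.cert" \
        -subj "/CN=Private test CA" 2>/dev/null || return 1
    openssl genrsa -out "$dir/ldap.key" 2048 2>/dev/null || return 1
    # The CN must be the host name clients use to reach the directory server.
    openssl req -new -key "$dir/ldap.key" -out "$dir/ldap.csr" \
        -subj "/CN=$cn" 2>/dev/null || return 1
    openssl x509 -req -in "$dir/ldap.csr" -CA "$dir/ca.cert" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 3650 -out "$dir/ldap.cert" 2>/dev/null || return 1
    # Non-zero exit if ldap.cert does not chain to ca.cert.
    openssl verify -CAfile "$dir/ca.cert" "$dir/ldap.cert" >/dev/null 2>&1
}
```

Usage: source the file and run `install_slapd_dbs srv1` as root after stopping the instance; `make_test_chain /tmp/pki ldap.example.test` builds a throwaway CA and server certificate and fails if the result does not verify. The staged copy plus `mv -f` is what keeps the ownership and mode Richard warns about, because a plain `cp` as root over a file owned by nobody keeps the mode but a `cp` to a new name would not.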