[Fedora-directory-users] certutil: generating new .db files for server

Rob Crittenden rcritten at redhat.com
Mon Jul 10 13:27:00 UTC 2006


Brian Jones wrote:
> Hi all,
> 
> I'm generating new *.db files for my server, where I will install a new 
> root
> ca, and a new server cert (new *.db files allows me to easily test and back
> out). I have a couple of questions about *.db files and how FDS uses them:
> 
> 1. When I use certutil -N to create the new db files, is the value I 
> give to
> the '-P' flag arbitrary, or does the server look for a specific value based
> on instance name or something? I have new files called 
> 'slapd-ldap-cert8.db'
> and 'slapd-ldap-key3.db', because I thought this prefix value was 
> arbitrary,
> but FDS fails to start because it says that files '
> slapd-ldap-testbox-cert8.db' and 'slapd-ldap-testbox-key3.db' are missing.
> Those are the *old* db file names.

By default the prefix needs to match the FDS instance name. Because the 
database files are stored in a common directory a way was needed to 
discretely name them, hence the prefix.

> 
> 2. Related to 1, how do I (from the command line) change what files FDS
> looks for? Is this possible? Recommended?

I've never done this but a cursory look at the code found nsCertfile and 
nsKeyfile. I guess in theory you could change those values (stored in 
LDAP, of course) and point to new key/cert files. I grepped them out of 
dse.ldif to see the current settings.

> 
> 3. Is it true that I cannot reuse a signed server certificate in a newly
> created database, even if the new database has the same root ca 
> installed as
> the old one? I need to generate a request every time I run certutil -N?

The signed certificate is only half of what you need. You also need the 
private key. Without more information on what you're trying to do I 
can't really make a recommendation.

> 
> 4. Are there other rules that these files have to conform to in order for
> the server to start up? Are there docs on this that I've missed? Links? 
> I've
> seen the mozilla NSS docs, but they're mostly for developers (except for 
> the
> decent certutil reference), and the RHDS docs do everything from the GUI as
> far as I've seen.
> 

 From the perspective of the command-line utilities, they could care 
less what the files are named as long as they end in cert8.db and 
key3.db. The prefix flag (-P) lets you set arbitrary data before that.

For a bit more detail on how NSS is initialized, look at the function 
slapd_nss_init() at 
http://cvs.fedora.redhat.com/lxr/dirsec/source/ldapserver/ldap/servers/slapd/ssl.c

It looks like the only thing hardcoded is the directory where the files 
are located, server-root/alias. But like I said, I've never tried 
renaming those files in the DS. I just wonder if this would cause 
confusion in the future, or with the console.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3178 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/fedora-directory-users/attachments/20060710/b285ad87/attachment.bin>


More information about the Fedora-directory-users mailing list