[Fedora-directory-users] certutil: generating new .db files for server
Rob Crittenden
rcritten at redhat.com
Mon Jul 10 13:27:00 UTC 2006
Brian Jones wrote:
> Hi all,
>
> I'm generating new *.db files for my server, where I will install a new
> root
> ca, and a new server cert (new *.db files allows me to easily test and back
> out). I have a couple of questions about *.db files and how FDS uses them:
>
> 1. When I use certutil -N to create the new db files, is the value I
> give to
> the '-P' flag arbitrary, or does the server look for a specific value based
> on instance name or something? I have new files called
> 'slapd-ldap-cert8.db'
> and 'slapd-ldap-key3.db', because I thought this prefix value was
> arbitrary,
> but FDS fails to start because it says that files '
> slapd-ldap-testbox-cert8.db' and 'slapd-ldap-testbox-key3.db' are missing.
> Those are the *old* db file names.
By default the prefix needs to match the FDS instance name. Because the
database files are stored in a common directory a way was needed to
discretely name them, hence the prefix.
>
> 2. Related to 1, how do I (from the command line) change what files FDS
> looks for? Is this possible? Recommended?
I've never done this but a cursory look at the code found nsCertfile and
nsKeyfile. I guess in theory you could change those values (stored in
LDAP, of course) and point to new key/cert files. I grepped them out of
dse.ldif to see the current settings.
>
> 3. Is it true that I cannot reuse a signed server certificate in a newly
> created database, even if the new database has the same root ca
> installed as
> the old one? I need to generate a request every time I run certutil -N?
The signed certificate is only half of what you need. You also need the
private key. Without more information on what you're trying to do I
can't really make a recommendation.
>
> 4. Are there other rules that these files have to conform to in order for
> the server to start up? Are there docs on this that I've missed? Links?
> I've
> seen the mozilla NSS docs, but they're mostly for developers (except for
> the
> decent certutil reference), and the RHDS docs do everything from the GUI as
> far as I've seen.
>
From the perspective of the command-line utilities, they could care
less what the files are named as long as they end in cert8.db and
key3.db. The prefix flag (-P) lets you set arbitrary data before that.
For a bit more detail on how NSS is initialized, look at the function
slapd_nss_init() at
http://cvs.fedora.redhat.com/lxr/dirsec/source/ldapserver/ldap/servers/slapd/ssl.c
It looks like the only thing hardcoded is the directory where the files
are located, server-root/alias. But like I said, I've never tried
renaming those files in the DS. I just wonder if this would cause
confusion in the future, or with the console.
rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3178 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/fedora-directory-users/attachments/20060710/b285ad87/attachment.bin>
More information about the Fedora-directory-users
mailing list