[Fedora-directory-users] certutil: generating new .db files for server
Rob Crittenden
rcritten at redhat.com
Mon Jul 10 14:06:40 UTC 2006
Brian Jones wrote:
> Hi Rob, thanks for the reply. I've clarified inline:
>
> On 7/10/06, Rob Crittenden <rcritten at redhat.com> wrote:
>>
>> Brian Jones wrote:
>>
>> > 3. Is it true that I cannot reuse a signed server certificate in a
>> newly
>> > created database, even if the new database has the same root ca
>> > installed as
>> > the old one? I need to generate a request every time I run certutil -N?
>>
>> The signed certificate is only half of what you need. You also need the
>> private key. Without more information on what you're trying to do I
>> can't really make a recommendation.
>
>
>
> Right, I know I need the root ca and the server cert (signed by said root
> ca) both installed in the db. What I'm doing is this:
>
> I have /opt/fedora-ds/alias set up as a symlink to alias-test1,
> alias-test2,
> etc. I have a couple of these directories around for... um.... testing :)
>
> What I want to confirm is whether or not I can use, for example, the cert
> request I generated (using certutil -R) for the db files in alias-test1 for
> the new db files created in alias-test2.
Ok, so what you want to do is issue the certificate once, then perhaps
move it to other directories? If so here is what you do:
1. Generate a new database (or use an existing one, it doesn't really
matter).
2. generate your Certifiacte Server Request (CSR)
3. Sign this with your CA
4. Import the new server certificate into your database (certutil -A ...)
5. Export this server cert, which I've nicknamed Server-Cert, into a
PKCS#12 file with:
pk12util -o server.p12 -n Server-Cert -P slapd-foo- -d alias
6. You can now import this into another certificate database with
pk12util -i server.p12 -n Server-Cert -P slapd-bar- -d alias-test1
The other alternative is to simply copy the database files between
directories, but you'll pick up all certificates/keys rather than
discretely copying a single cert/key combo.
rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3178 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/fedora-directory-users/attachments/20060710/00880aa9/attachment.bin>
More information about the Fedora-directory-users
mailing list