[Fedora-directory-users] certutil: generating new .db files for server

Rob Crittenden rcritten at redhat.com
Mon Jul 10 14:06:40 UTC 2006 

Brian Jones wrote:
> Hi Rob, thanks for the reply. I've clarified inline:
> 
> On 7/10/06, Rob Crittenden <rcritten at redhat.com> wrote:
>>
>> Brian Jones wrote:
>>
>> > 3. Is it true that I cannot reuse a signed server certificate in a 
>> newly
>> > created database, even if the new database has the same root ca
>> > installed as
>> > the old one? I need to generate a request every time I run certutil -N?
>>
>> The signed certificate is only half of what you need. You also need the
>> private key. Without more information on what you're trying to do I
>> can't really make a recommendation.
> 
> 
> 
> Right, I know I need the root ca and the server cert (signed by said root
> ca) both installed in the db. What I'm doing is this:
> 
> I have /opt/fedora-ds/alias set up as a symlink to alias-test1, 
> alias-test2,
> etc. I have a couple of these directories around for... um.... testing :)
> 
> What I want to confirm is whether or not I can use, for example, the cert
> request I generated (using certutil -R) for the db files in alias-test1 for
> the new db files created in alias-test2.

Ok, so what you want to do is issue the certificate once, then perhaps 
move it to other directories? If so here is what you do:

1. Generate a new database (or use an existing one, it doesn't really 
matter).
2. generate your Certifiacte Server Request (CSR)
3. Sign this with your CA
4. Import the new server certificate into your database (certutil -A ...)
5. Export this server cert, which I've nicknamed Server-Cert, into a 
PKCS#12 file with:

pk12util -o server.p12 -n Server-Cert -P slapd-foo- -d alias

6. You can now import this into another certificate database with

pk12util -i server.p12 -n Server-Cert -P slapd-bar- -d alias-test1

The other alternative is to simply copy the database files between 
directories, but you'll pick up all certificates/keys rather than 
discretely copying a single cert/key combo.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3178 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/fedora-directory-users/attachments/20060710/00880aa9/attachment.bin>

More information about the Fedora-directory-users mailing list