[389-users] Command line to request certificate

Rich Megginson rmeggins at redhat.com
Mon Aug 10 18:00:49 UTC 2009


Prashanth Sundaram wrote:
> All,
>
> I know I am being a bummer here, but I am running into problems now 
> and then. The reason is I am trying to script out the FDS deployment.
>
> Here are my questions:
>
>    1. What is the command line equivalent of requesting a server
>       certificate for Admin Server and Directory server? The console
>       works fine.
>
>          I am using openssl to generate certificates in x509 format.
There is a script which creates a self-signed CA cert, then uses that CA 
to create server certs, using the certutil and pk12util command line 
tools.  Have you seen this? 
http://directory.fedoraproject.org/wiki/Howto:SSL#Script
>
>      2.  In order to set up subsequent FDS servers, I should copy 
> /etc/dirsrv; /usr/lib/dirsrv/; /var/lib/dirsrv to the other 
> hosts.  Is this correct?
No.
> And run register-ds-admin.pl
No.

You should not copy anything.  You should simply run setup-ds-admin.pl 
on each machine.  If you want to use a centralized console, that is, if 
you want to be able to see all of your servers no matter where you run 
the console, then you should select the option to use an existing 
configuration directory server on each server (other than the first one, 
of course).

Have you read the Install Guide? 
http://www.redhat.com/docs/manuals/dir-server/8.1/install/index.html
>
>      3. If I do as in 2, I am not sure if the certificates will cause 
> an issue. Also I am using ldap.domain.com as server identifier and 
> mapping a virtual IP for load balancing purposes. I read that the server 
> name should be the same as the hostname, but I am using a DNS record of 
> ldap.domain.com. Will it cause any issues?
Yes.  You will probably want to use subjectAltName in your directory 
server certificates.  See 
http://directory.fedoraproject.org/wiki/Howto:SSL#Using_Subject_Alt_Name
>
> Thanks,
> Prashanth

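The subjectAltName point from item 3, as an added example that is not part of the original message and is not the wiki script (which uses certutil and pk12util): it uses openssl, which the poster mentions, to issue a server certificate with and without the load-balanced name and to check which names each certificate is accepted for. The hostname ds1.domain.com, the test CA name and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. ldap.domain.com is the service name from the thread;
# ds1.domain.com is an assumed hostname of one server behind the virtual IP.

# make_cert WORKDIR HOSTNAME [SAN_NAME...]
# Creates a throwaway CA in WORKDIR and a server cert with CN=HOSTNAME.
# Any SAN_NAME arguments become DNS entries in subjectAltName.
make_cert() {
    dir=$1; host=$2; shift 2
    # Self-signed test CA (constructed, short-lived, not for production).
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null || return 1
    # Server key and CSR; the subject CN is the machine's own hostname.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null || return 1
    # Build "DNS:a, DNS:b" from the remaining arguments.
    san=""
    for n in "$@"; do san="${san:+$san, }DNS:$n"; done
    if [ -n "$san" ]; then
        printf 'subjectAltName = %s\n' "$san" > "$dir/san.ext"
        # Reuse the argument list to carry the optional signing flags.
        set -- -extfile "$dir/san.ext"
    fi
    # With no SAN names, "$@" is empty here and no extension is added.
    openssl x509 -req -in "$dir/server.csr" -days 30 \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -set_serial 1001 \
        "$@" -out "$dir/server.pem" 2>/dev/null || return 1
}

# cert_matches CERT NAME: exit status 0 if NAME is accepted for CERT.
cert_matches() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    make_cert "$work" ds1.domain.com ds1.domain.com ldap.domain.com
    openssl x509 -in "$work/server.pem" -noout -text | grep -A1 'Alternative Name'
fi
```

Once a certificate carries DNS entries in subjectAltName, the subject CN is no longer consulted for name matching, so the real hostname has to be listed in the SAN along with the service name.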