[Fedora-directory-users] Proper way to generate a server certificate.

Rich Megginson rmeggins at redhat.com
Wed Jan 28 20:47:47 UTC 2009


James Chavez wrote:
> Hello List,
>
> I am trying to set up SSL between an AD or edir box and my FDS box. 
> I want to generate a server cert for the AD or edir box and import it
> into edir/AD and import the CA cert into AD/edir as well.
>
> What commands do I use to accomplish this?
> Also what format does the cert need to be to successfully import into AD
> or edir. 
>
> I have generated a self signed CA cert named "FDS CA"
> exported with 
> certutil -L -d . -n "FDS CA" -a > ca.asc   and
> certutil -L -d . -n "FDS CA" -r > ca.der
>
>
>
> I have generated a server cert for the AD/edir box with 
>
>  certutil -S -n "server-Cert" -s "cn=host.example.com" -c "FDS CA" -t "u,u,u" -m 3002 -v 120 -d . -z ./noise.txt -f ./pwdfile.txt
>
> And exported it with..
> pk12util -d . -o /tmp/server-cert.p12 -n "server-Cert"
>
> I then send the CA cert in ascii and .der format along with the
> server-cert.p12 to the admin but he gets errors below trying to import
> into edir.
> Need help on this one please. 
> ..
>
> -1240 FFFFFB28 PKI E PARSE CERTIFICATE
>   
I'm not sure, but why not just use Novell Certificate Server to generate 
all of your server certs?
> Source
>
> Novell(r) Certificate Server
>
> Explanation
>
> Novell Certificate Server was unable to parse a certificate that has
> been stored or is being stored.
>
> Possible Cause
>
> The user attempted to store a certificate or a certificate chain with an
> invalid encoding into a Server Certificate object. The certificate or
> certificate chain obtained from the Certificate Authority is invalid.
>
> Action
>
> Perform the following operations:
>
>     * Contact the Certificate Authority that issued the server
> certificate to obtain the Certificate Authority's certificate.
>     * Using ConsoleOne(r), view the Server Certificate object. Click
> Import.
>     * Import the Certificate Authority's certificate as the trusted
> root.
>     * Import the server's certificate as the object certificate.
>
> If the problem persists, contact the Certificate Authority.
>
>
> Anybody out there can help out please.
>
> Thanks 
> James
>
>   
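
An added example, not part of either message above: a small Python check that reports whether a file such as ca.asc, ca.der or server-cert.p12 is a PEM certificate, a DER certificate or a PKCS#12 container, so each export's encoding can be confirmed before it is handed to the importing side. The function names and sample bytes are constructed for illustration; the check looks only at the outer ASN.1 structure and does not validate signatures or contents.

```python
import base64
import binascii
import re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def _read_len(buf, i):
    """Decode the ASN.1 length at buf[i]; returns (length or None if indefinite, content index)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    if n == 0:
        return None, i + 1                     # BER indefinite length
    if n > 4 or i + 1 + n > len(buf):
        raise ValueError("bad length field")
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def classify_der(buf):
    """Classify binary data by its outer ASN.1 shape only."""
    if len(buf) < 4 or buf[0] != 0x30:         # both formats start with a SEQUENCE
        return "unknown"
    try:
        length, body = _read_len(buf, 1)
    except ValueError:
        return "unknown"
    if length is not None and body + length != len(buf):
        return "unknown"                       # truncated file or trailing bytes
    if buf[body:body + 1] == b"\x30":          # Certificate: first field is the tbsCertificate SEQUENCE
        return "x509-der"
    if buf[body:body + 3] == b"\x02\x01\x03":  # PKCS#12 PFX: first field is INTEGER version 3
        return "pkcs12"
    return "unknown"

def classify(data):
    """Return 'x509-pem', 'x509-der', 'pkcs12', 'bad-pem' or 'unknown' for a file's bytes."""
    m = PEM_RE.search(data)
    if not m:
        return classify_der(data)
    try:
        inner = base64.b64decode(m.group(1))
    except binascii.Error:
        return "bad-pem"
    return "x509-pem" if classify_der(inner) == "x509-der" else "bad-pem"

# Constructed skeletons (not real certificates): just enough ASN.1 to exercise each branch.
SAMPLE_DER = bytes.fromhex("300730003000030100")
SAMPLE_P12 = bytes.fromhex("30050201033000")
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(SAMPLE_DER)
              + b"\n-----END CERTIFICATE-----\n")
```

To check real exports, pass each file's bytes to `classify`, for example `classify(open("ca.der", "rb").read())`.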
