Jo De Troy
2007-May-03 13:46 UTC
[Fedora-directory-users] use certificates from FedoraDS in Apache?
Hello,

I was wondering if it's possible to use the certificates of Fedora DS for an Apache webserver running on the LDAP server.
Is it possible to export the certificates in the cert7 and key3 databases and use the exported certificates for setting up an SSL enabled Apache?
If it's possible how should I go about?

Thanks in advance,
Jo
Rob Crittenden
2007-May-03 13:58 UTC
Re: [Fedora-directory-users] use certificates from FedoraDS in Apache?
Jo De Troy wrote:
> Hello,
>
> I was wondering if it's possible to use the certificates of Fedora DS for
> an Apache webserver running on the LDAP server.
> Is it possible to export the certificates in the cert7 and key3
> databases and use the exported certificates for setting up an SSL
> enabled Apache?
> If it's possible how should I go about?

You can use pk12util to extract the certificate into a PKCS#12 file and then use openssl to extract the key and certificate into PEM format.

Something like this, though this is off the top of my head so the syntax may not be exactly right:

% pk12util -o /opt/fedora-ds/alias/mycert.p12 -P slapd-foo- -d /opt/fedora-ds/alias -n "server-cert"

# Pull out as separate cert and key
% openssl pkcs12 -in /opt/fedora-ds/alias/mycert.p12 -nokeys -out server-cert.crt
% openssl pkcs12 -in /opt/fedora-ds/alias/mycert.p12 -nocerts -out server-cert.key

Add -nodes to the key execution to have an unencrypted key (not very secure).

To put the cert and key into the same file:

% openssl pkcs12 -in /opt/fedora-ds/alias/mycert.p12 -out server-cert.pem

rob
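Added example, not part of Rob's post: a POSIX shell check that the certificate and key pulled out of a PKCS#12 file with the openssl commands above belong together before Apache is pointed at them. The helper names, the password and the sample .p12 (built with openssl to stand in for the pk12util export) are constructed for illustration.

```shell
#!/bin/sh
# Added example; helper names and sample data are constructed, not from the thread.

# split_p12 P12 PASSWORD OUTDIR: write server-cert.crt and server-cert.key.
# The key stays passphrase-protected (no -nodes) and umask 077 keeps both
# files unreadable to other users.
split_p12() {
    (
        umask 077
        openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys \
            -out "$3/server-cert.crt" 2>/dev/null &&
        openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts \
            -passout "pass:$2" -out "$3/server-cert.key" 2>/dev/null
    )
}

# cert_key_match CERT KEY PASSWORD: succeed only if the public key in CERT
# equals the public key derived from the private key in KEY.
cert_key_match() {
    a=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    b=$(openssl pkey -in "$2" -passin "pass:$3" -pubout 2>/dev/null) || return 2
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# make_sample_p12 DIR PASSWORD NAME: constructed self-signed cert and key
# packed as DIR/NAME.p12, standing in for a pk12util export.
make_sample_p12() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=ldap.example.test" \
        -keyout "$1/$3.key" -out "$1/$3.crt" 2>/dev/null &&
    openssl pkcs12 -export -in "$1/$3.crt" -inkey "$1/$3.key" \
        -name server-cert -passout "pass:$2" -out "$1/$3.p12" 2>/dev/null
}

demo() {
    d=$(mktemp -d) || return 1
    make_sample_p12 "$d" constructed-pass sample &&
        split_p12 "$d/sample.p12" constructed-pass "$d" &&
        cert_key_match "$d/server-cert.crt" "$d/server-cert.key" constructed-pass
    rc=$?
    rm -rf "$d"
    return "$rc"
}

demo && echo "certificate and key match"
```

On a real server, let openssl prompt for the passphrase or use `-passin file:...` rather than `pass:`, which shows up in the process list.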
ashley
2007-May-04 01:37 UTC
Re: [Fedora-directory-users] use certificates from FedoraDS in Apache?
Yes you can, actually I'm doing that right now. But it depends on how you generated your certificates.

Anyways, I'm assuming you are using Fedora Core X. If you installed apache you would have this configuration file:

/etc/httpd/conf.d/ssl.conf

To enable SSL or https you need to configure this file. In that file the two lines you need to configure are SSLCertificateFile and SSLCertificateKeyFile. Point them to your certificates:

# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A new
# certificate can be generated using the genkey(1) command.
#SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateFile /etc/httpd/conf/ssl/server.crt

# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
#SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
SSLCertificateKeyFile /etc/httpd/conf/ssl/server.key

One last thing: you need to tell apache to turn SSL on:

# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on

This should all be done in the same file, ssl.conf. Then restart apache and you can do https.

But you have to export your SSLCertificateFile and SSLCertificateKeyFile files out.

For me, I had my certificate files before I converted them to pkcs12 and before I imported them in the form of cert7/key3 for FDS. So I never needed to export them out.

If you want to check out how I generated the certificates:

http://www.csse.uwa.edu.au/~ashley/fedora-ds/fedora-ds-26072006.html

Look at Section 2.2, Secure Certificate Generation for LDAP Components.

The SSL certs I used are generated straight from there for my apache SSL & LDAPS.

But I'm pretty sure you can export it out?

Cheers then,
Ashley

On Thu, 3 May 2007, Jo De Troy wrote:
> Hello,
>
> I was wondering if it's possible to use the certificates of Fedora DS for an
> Apache webserver running on the LDAP server.
> Is it possible to export the certificates in the cert7 and key3 databases
> and use the exported certificates for setting up an SSL enabled Apache?
> If it's possible how should I go about?
>
> Thanks in advance,
> Jo

--
Ashley Chew - Systems Administrator
School of Computer Science and Software Engineering
University of Western Australia
Tel: (+61 8) 6488 7082 - Fax: (+61 8) 6488 1089
Ashley[@]csse.uwa.edu.au - http://www.csse.uwa.edu.au/~ashley
"There is no such thing as Fate, Fate is what you make of it!"