Fedora directory users - Feb 2006 - self-signed certificates

It appears that the setup utility now creates self-signed certificates
in the alias directory, making the certutil instructions moot. Is that
correct? My alias directory contains the following files:

------
$ cd /opt/fedora-ds/alias/
$ ls -la
total 420
drwxr-xr-x   2 nobody nobody   4096 Feb 21 17:16 .
drwxr-xr-x  15 root   root     4096 Feb 21 16:57 ..
-rw-------   1 nobody nobody  65536 Feb 21 17:16 admin-serv-roam104-178-cert8.db
-rw-------   1 nobody nobody  16384 Feb 21 17:16 admin-serv-roam104-178-key3.db
-rwxr-xr-x   1 root   nobody 196340 Dec  8 11:04 libnssckbi.so
-rw-------   1 nobody nobody  16384 Feb 21 16:57 secmod.db
-rw-------   1 nobody nobody  65536 Feb 21 16:57 slapd-roam104-178-cert8.db
-rw-------   1 nobody nobody  16384 Feb 21 16:57 slapd-roam104-178-key3.db
------

I didn''t create any of these files myself.

My problem is that no certificate shows up in the drop-down menu under
Encryption in the Admin Server console.

As you can see, my hostname has a dash in it. Could that be causing
problems? Or do I need to use certutil manually?

Thanks,
Dan

Dan Lipsitt wrote:
>It appears that the setup utility now creates self-signed certificates
>in the alias directory, making the certutil instructions moot. Is that
>correct? My alias directory contains the following files:
>  
>
No, that''s not correct.  See below.
>------
>$ cd /opt/fedora-ds/alias/
>$ ls -la
>total 420
>drwxr-xr-x   2 nobody nobody   4096 Feb 21 17:16 .
>drwxr-xr-x  15 root   root     4096 Feb 21 16:57 ..
>-rw-------   1 nobody nobody  65536 Feb 21 17:16
admin-serv-roam104-178-cert8.db
>-rw-------   1 nobody nobody  16384 Feb 21 17:16
admin-serv-roam104-178-key3.db
>-rwxr-xr-x   1 root   nobody 196340 Dec  8 11:04 libnssckbi.so
>-rw-------   1 nobody nobody  16384 Feb 21 16:57 secmod.db
>-rw-------   1 nobody nobody  65536 Feb 21 16:57 slapd-roam104-178-cert8.db
>-rw-------   1 nobody nobody  16384 Feb 21 16:57 slapd-roam104-178-key3.db
>------
>
>I didn''t create any of these files myself.
>
>My problem is that no certificate shows up in the drop-down menu under
>Encryption in the Admin Server console.
>
>As you can see, my hostname has a dash in it. Could that be causing
>problems? Or do I need to use certutil manually?
>  
>
You still need to use certutil to create your certs.  Those are empty 
database files.

-NGK
>Thanks,
>Dan
>
>--
>Fedora-directory-users mailing list
>Fedora-directory-users@redhat.com
>https://www.redhat.com/mailman/listinfo/fedora-directory-users
>  
>

--- Nathan Kinder <nkinder@redhat.com> wrote:
> Dan Lipsitt wrote:
> 
Yea.  I had to do it so often, that I''ve scripted it:

Put your cert DB password in pwdfile.txt, put some noise in the noise file and
run this.

I think these may be a little different from the manual, I got the syntax from
Rich M.  It works
though.

One thing I don''t understand still is the purpose of the pk12util...  I
run it because the wiki
says to run it.  No idea what it''s for, however.


____________________contents of cert gen script______________
[root@cnyldap01 alias]# cat certs.sh 
#!/bin/sh
../shared/bin/certutil -N -d . -f pwdfile.txt
../shared/bin/certutil -G -d . -z noise.txt -f pwdfile.txt
../shared/bin/certutil -S -n "CA certificate" -s "cn=CAcert"
-x -t "CT,," -m 1000 -v 120 -d . -z
noise.txt -f pwdfile.txt
../shared/bin/certutil -S -n "Server-Cert" -s
"cn=server-cert" -c "CA certificate" -t "u,u,u" -m
1001 -v 120 -d . -z noise.txt -f pwdfile.txt
echo moving key..

mv key3.db slapd-`-hostname -s`-key3.db
mv cert8.db slapd-`hostname -s`-cert8.db
ln -s slapd-`hostname -s`-key3.db key3.db
ln -s slapd-`hostname -s`-cert8.db cert8.db
echo pk..
../shared/bin/pk12util -d . -P slapd-`hostname -s`- -o servercert.pfx -n
Server-Cert
____________________end of contents of cert gen script______________


__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com

Susan wrote:
>--- Nathan Kinder <nkinder@redhat.com> wrote:
>
>  
>
>>Dan Lipsitt wrote:
>>
>>    
>>
>
>Yea.  I had to do it so often, that I''ve scripted it:
>
>Put your cert DB password in pwdfile.txt, put some noise in the noise file
and run this.
>
>I think these may be a little different from the manual, I got the syntax
from Rich M.  It works
>though.
>
>One thing I don''t understand still is the purpose of the
pk12util...  I run it because the wiki
>says to run it.  No idea what it''s for, however.
>  
>
It''s really just for backup purposes.  You can backup your key and cert
db files instead.
>
>____________________contents of cert gen script______________
>[root@cnyldap01 alias]# cat certs.sh 
>#!/bin/sh
>../shared/bin/certutil -N -d . -f pwdfile.txt
>../shared/bin/certutil -G -d . -z noise.txt -f pwdfile.txt
>../shared/bin/certutil -S -n "CA certificate" -s
"cn=CAcert" -x -t "CT,," -m 1000 -v 120 -d . -z
>noise.txt -f pwdfile.txt
>../shared/bin/certutil -S -n "Server-Cert" -s
"cn=server-cert" -c "CA certificate" -t "u,u,u" -m
>1001 -v 120 -d . -z noise.txt -f pwdfile.txt
>echo moving key..
>
>mv key3.db slapd-`-hostname -s`-key3.db
>mv cert8.db slapd-`hostname -s`-cert8.db
>ln -s slapd-`hostname -s`-key3.db key3.db
>ln -s slapd-`hostname -s`-cert8.db cert8.db
>echo pk..
>../shared/bin/pk12util -d . -P slapd-`hostname -s`- -o servercert.pfx -n
Server-Cert
>____________________end of contents of cert gen script______________
>
>
>__________________________________________________
>Do You Yahoo!?
>Tired of spam?  Yahoo! Mail has the best spam protection around 
>http://mail.yahoo.com 
>
>--
>Fedora-directory-users mailing list
>Fedora-directory-users@redhat.com
>https://www.redhat.com/mailman/listinfo/fedora-directory-users
>  
>