James Chavez
2008-Dec-04 19:43 UTC
[Fedora-directory-users] Create client SSL certificates for Solaris boxes.
Hello,

I am having a bit of difficulty creating SSL client certificates for my Solaris boxes or client boxes in general.

What I am trying to accomplish is to use TLS with simple authentication, I believe. I want to log into my Solaris boxes authenticating to FDS but have it done over a secure TLS/SSL connection so the passwords cannot be intercepted. I successfully created the root CA certificate and Server cert on the FDS box using the beautiful setupSSL script.

However I am new to SSL and I am having a difficult time understanding what needs to be done on the client side machines to get SSL working correctly. I know I need to import and trust the Root CA certificate on each client. But what about creating a client certificate for each of my Linux and Solaris clients? Can the client certificates be created and exported on the server that I created the Root CA cert on? And from there can I just import them into the clients? I have read the NSS tools links regarding PKI and SSL but I am still having a bit of difficulty.

On the FDS wiki documentation site there are some good links but I am not sure how to go about this to use TLS:simple authentication.

Thank you
James

CONFIDENTIALITY
This e-mail message and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain legally privileged and/or confidential information. If you are not the intended recipient of this e-mail message, you are hereby notified that any dissemination, distribution or copying of this e-mail message, and any attachments thereto, is strictly prohibited. If you have received this e-mail message in error, please immediately notify the sender and permanently delete the original and any copies of this email and any prints thereof.
ABSENT AN EXPRESS STATEMENT TO THE CONTRARY HEREINABOVE, THIS E-MAIL IS NOT INTENDED AS A SUBSTITUTE FOR A WRITING.
Notwithstanding the Uniform Electronic Transactions Act or the applicability of any other law of similar substance and effect, absent an express statement to the contrary hereinabove, this e-mail message its contents, and any attachments hereto are not intended to represent an offer or acceptance to enter into a contract and are not otherwise intended to bind the sender, Sanmina-SCI Corporation (or any of its subsidiaries), or any other person or entity.
George Holbert
2008-Dec-04 19:49 UTC
Re: [Fedora-directory-users] Create client SSL certificates for Solaris boxes.
> But what about creating a client certificate for each of my
> Linux and Solaris clients?

If all you want is TLS with simple auth, you don't need these.
Each client just needs to trust the CA which signed your directory server's certificate; sounds like you're already on top of this part.
James Chavez
2008-Dec-04 20:08 UTC
Re: [Fedora-directory-users] Create client SSL certificates for Solaris boxes.
Thank you for the reply.

OK so the Root CA is self signed on the Directory server box. The setupSSL script already exported the cacert.asc file I believe. So my next step is to import it on each client that I want to use TLS:simple on if I am understanding.

So I believe on each client I need to use certutil to create a cert database with ...

certutil -N -d <directory> -f /passfile

Does it matter where I create this?

After this I just import the cacert.asc, is that accurate?

Thank you
James
George Holbert
2008-Dec-04 20:26 UTC
Re: [Fedora-directory-users] Create client SSL certificates for Solaris boxes.
James Chavez wrote:
> Thank you for the reply.
> OK so the Root CA is self signed on the Directory server box.
> The setupSSL script already exported the cacert.asc file I believe.
> So my next step is to import it on each client that I want to use
> TLS:simple on if I am understanding.

Yes.

> So I believe on each client I need to use certutil to create a cert
> database with ...
> certutil -N -d <directory> -f /passfile
>
> Does it matter where I create this?

Yes.
The details are specific to the client OS and its bundled SSL and LDAP libraries.
For Solaris, you're on the right track with certutil.
This Sun forum thread may be helpful:
http://forums.sun.com/thread.jspa?threadID=5330016

For Linux, check your distribution's documentation.

If you're using a RedHat variant, tls_cacertfile in /etc/ldap.conf is probably what you'll be most interested in.

> After this I just import the cacert.asc, is that accurate?
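An added example, not part of the thread and not Fedora Directory Server code: a shell check of a Linux client's ldap.conf for the settings that keep a simple bind password off the wire and tie the session to the imported CA. Apart from tls_cacertfile, the option names (uri, ssl, tls_checkpeer, tls_cacertdir) are assumed to be those of the nss_ldap/pam_ldap ldap.conf format; host names, paths and both sample files are constructed, and requiring an explicit tls_checkpeer yes is this check's own policy.

```shell
#!/bin/sh
# Audit an nss_ldap/pam_ldap style ldap.conf for "simple bind over TLS".

# Print the value of the last active "key value..." line in a config file.
conf_get() {
    # $1 = file, $2 = lower-case option name
    awk -v k="$2" '
        /^[ \t]*#/ { next }
        NF >= 2 && tolower($1) == k { $1 = ""; sub(/^[ \t]+/, ""); v = $0 }
        END { print v }' "$1"
}

# Report findings on stdout; exit status is the number of findings (0 = pass).
audit_ldap_conf() {
    f=$1
    findings=0
    ssl=$(conf_get "$f" ssl)
    uri=$(conf_get "$f" uri)
    checkpeer=$(conf_get "$f" tls_checkpeer)
    cafile=$(conf_get "$f" tls_cacertfile)
    cadir=$(conf_get "$f" tls_cacertdir)

    # 1. Transport: StartTLS/SSL requested, or every listed URI is ldaps://
    encrypted=no
    case "$ssl" in
        start_tls|on) encrypted=yes ;;
    esac
    if [ "$encrypted" = no ] && [ -n "$uri" ]; then
        encrypted=yes
        for u in $uri; do
            case "$u" in
                ldaps://*) ;;
                *) encrypted=no ;;
            esac
        done
    fi
    if [ "$encrypted" = no ]; then
        echo "FAIL: no start_tls/ldaps, the bind password travels in clear text"
        findings=$((findings + 1))
    fi

    # 2. Server certificate verification must be switched on explicitly
    case "$checkpeer" in
        yes) ;;
        no)  echo "FAIL: tls_checkpeer no, any server certificate is accepted"
             findings=$((findings + 1)) ;;
        *)   echo "FAIL: tls_checkpeer not set, verification depends on the LDAP library default"
             findings=$((findings + 1)) ;;
    esac

    # 3. The CA that signed the directory server certificate must be configured
    if [ -z "$cafile" ] && [ -z "$cadir" ]; then
        echo "FAIL: no tls_cacertfile or tls_cacertdir configured"
        findings=$((findings + 1))
    elif [ -n "$cafile" ] && [ ! -r "$cafile" ]; then
        echo "FAIL: tls_cacertfile $cafile is not readable"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ] && echo "PASS: $f"
    return "$findings"
}

# Write two constructed sample configs (and an empty stand-in CA file) into $1.
make_samples() {
    d=$1
    : > "$d/cacert.asc"   # stand-in for the CA certificate copied to the client
    cat > "$d/weak.conf" <<EOF
# constructed sample: plain LDAP, peer check off, no CA
uri ldap://ldap.example.com/
base dc=example,dc=com
tls_checkpeer no
EOF
    cat > "$d/hardened.conf" <<EOF
# constructed sample: StartTLS, peer check on, CA pinned
uri ldap://ldap.example.com/
base dc=example,dc=com
ssl start_tls
tls_checkpeer yes
tls_cacertfile $d/cacert.asc
EOF
}

# Demo run over the constructed samples.
tmp=$(mktemp -d)
make_samples "$tmp"
for c in weak hardened; do
    echo "== $c.conf"
    audit_ldap_conf "$tmp/$c.conf" || echo "-> $? finding(s)"
done
rm -rf "$tmp"
```

To check a real client, call audit_ldap_conf /etc/ldap.conf and treat a non-zero exit status as a failed check.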
James Chavez
2008-Dec-05 06:00 UTC
Re: [Fedora-directory-users] Create client SSL certificates for Solaris boxes.
George,
Thank you much for the help with this. I read up on the links you sent
and they seem to have helped. I have been struggling with a Solaris 8
box for the past few hours. It would not work at first, I was getting an
end of file error in the access log. Then it just started working after
I restarted the client services a few times and re-added the box using
the same profile.
I have another question in regards to SSL for replication.
I had MMR going between two servers, this one and another prior to
enabling SSL on this server. I removed all the replication agreements
because as I understand it they need to be recreated with SSL. I would
appreciate the list's opinions on the following. The Admin guide states
that there are 2 ways of replicating over SSL, I pasted them below. I
would like to know the pros and cons of each and if a DNS PTR record is
an absolute necessity on each MMR member.
There are two ways to use SSL for replication:
* Select SSL Client Authentication.
  With SSL client authentication, the supplier and consumer
  servers use certificates to authenticate to each other.
* Select Simple Authentication.
  With simple authentication, the supplier and consumer servers
  use a bind DN and password to authenticate to each other.
I have the ability to register these boxes in DNS using the net utility
but that does not create the inaddr-arpa reverse lookup PTR record. Is
that absolutely necessary for SSL replication to work or can I get
around it? This is my test environment so I would like to do without if
possible for the time being.
Thank you
James
George Holbert
2008-Dec-05 07:03 UTC
Re: [Fedora-directory-users] Create client SSL certificates for Solaris boxes.
James Chavez wrote:
> I have another question in regards to SSL for replication.
> I had MMR going between two servers, this one and another prior to
> enabling SSL on this server. I removed all the replication agreements
> because as I understand it they need to be recreated with SSL. I would
> appreciate the lists opinions on the following. The Admin guide states
> that there are 2 ways of replicating over SSL, I pasted them below. I
> would like to know the pros and cons of each and if a DNS PTR record is
> an absolute necessity on each MMR member.

The end result with both SSL replication flavors is the same. Both encrypt the replication traffic between your directory servers.
The client cert method, when properly implemented, will make life more challenging for a prospective attacker who would like to impersonate your replication manager identity. In that sense, it is more secure than simple auth with SSL.