Hi,

Anyone have a procedure for self signing a certificate request from FDS using an existing CA cert with openssl? Also - anyone know why I can't just use an existing cert/key pair with FDS that was created and self-signed already - or if I can, how?

brian.
Brian K. Jones said:
> Anyone have a procedure for self signing a certificate request from FDS
> using an existing CA cert with openssl? Also - anyone know why I can't just
> use an existing cert/key pair with FDS that was created and self-signed
> already - or if I can, how?

    openssl x509 -req -in /path/to/csr \
        -CA /path/to/cacert \
        -CAkey /path/to/cakey -CAcreateserial \
        -out /path/to/signed.crt

I just use this command to sign the csr generated from the console. I haven't figured out how to use an existing cert/key - I'd very much like to see how to do that.

Jeff
Jeff Falgout wrote:
> I just use this command to sign the csr generated from the console. I
> haven't figured out how to use an existing cert/key - I'd very much like
> to see how to do that.

http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html

/opt/fedora-ds/shared/bin/certutil

Mike
-- 
LDAP Directory Consulting - http://www.netauth.com
Jeff Falgout wrote:
> Brian K. Jones said:
>> Anyone have a procedure for self signing a certificate request from FDS
>> using an existing CA cert with openssl? Also - anyone know why I can't just
>> use an existing cert/key pair with FDS that was created and self-signed
>> already - or if I can, how?
>
> openssl x509 -req -in /path/to/csr \
>     -CA /path/to/cacert \
>     -CAkey /path/to/cakey -CAcreateserial \
>     -out /path/to/signed.crt
>
> I just use this command to sign the csr generated from the console. I
> haven't figured out how to use an existing cert/key - I'd very much like
> to see how to do that.

Can openssl handle a .p12 file? If so, you can use the pk12util to export your cert/key material.

> Jeff
>
> -- 
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
Jeff Falgout wrote:
> I just use this command to sign the csr generated from the console. I
> haven't figured out how to use an existing cert/key - I'd very much like
> to see how to do that.

This was just discussed on IRC, may as well document it here as well.

First, head into console and initialize your certificate database and assign a password. To do this, log into the console, select your directory instance and under Tasks select Manage Certificates. If you don't already have a certificate database created, it will prompt you for a password.

Now, at a unix prompt, change to your server root as a user that can write to the files in alias (probably root).

This assumes that the existing cert is in the file ssl-cert.pem and the existing key is in ssl-key.pem and your instance is named "myinstance":

    # cd /opt/redhat-ds
    # openssl pkcs12 -export -in ssl-cert.pem -inkey ssl-key.pem -out ssl-cert.p12 -name "Server-Cert"

You now have the openssl cert in a pkcs#12 file (cert and key together).

Now import it into your DS database:

    # shared/bin/pk12util -i ssl-cert.p12 -d alias -P slapd-myinstance-

This will work for both Fedora and Red Hat DS.

rob
A final note that Rob's solution worked wonderfully once I took note that the dash in the "-P slapd-myinstance-" is significant -- don't forget that! Your cert won't show up in the server cert section without it.

On Jun 20, 2005, at 3:21 PM, Rob Crittenden wrote:
> Now import it into your DS database:
>
> # shared/bin/pk12util -i ssl-cert.p12 -d alias -P slapd-myinstance-
>
> This will work for both Fedora and Red Hat DS.
>
> rob
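As an added example (mine, not code from the thread or from Fedora DS), the shell below wraps Jeff's signing command and Rob's PKCS#12 bundling step in the checks worth running before touching the live alias/ directory: that the signed cert chains to the CA, that the .p12 really carries the key, and that the -P prefix (with the trailing dash the follow-up note flags) matches existing DB files. All paths, names and the password are constructed, the cert8.db/key3.db file naming is the classic NSS layout assumed here, and pk12util itself is only shown, not run.

```shell
#!/bin/sh
# Added example, not from the thread: wraps Jeff's signing command and Rob's
# PKCS#12 import step in checks a practitioner would want before touching the
# live alias/ directory. Every path, name and password here is constructed.

# sign_csr CSR CACERT CAKEY OUT [DAYS]
# Jeff's openssl x509 -req call plus an explicit validity (the default is only
# 30 days) and SHA-256. Succeeds only if OUT actually verifies against CACERT.
sign_csr() {
    openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial \
        -days "${5:-365}" -sha256 -out "$4" 2>/dev/null &&
    openssl verify -CAfile "$2" "$4" >/dev/null 2>&1
}

# bundle_p12 CERT KEY OUT NICKNAME PASSWORD
# Rob's openssl pkcs12 -export step, then re-reads the bundle to confirm it
# carries the private key and not just the certificate.
bundle_p12() {
    openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -name "$4" \
        -passout "pass:$5" 2>/dev/null &&
    openssl pkcs12 -in "$3" -nodes -passin "pass:$5" 2>/dev/null |
        grep -q 'PRIVATE KEY'
}

# nssdb_prefix_ok DIR PREFIX
# -P is a literal file-name prefix (assumed classic NSS layout): the instance
# DB files are DIR/<PREFIX>cert8.db and DIR/<PREFIX>key3.db, which is why
# "slapd-myinstance-" needs its trailing dash. Fails when no DB files match,
# the case behind the follow-up note: the import misses the server's database.
nssdb_prefix_ok() {
    [ -f "$1/$2cert8.db" ] && [ -f "$1/$2key3.db" ]
}

# Demo: throwaway CA, CSR and a fake instance DB layout, all built in a temp dir.
demo() {
    d=$(mktemp -d) && cd "$d" || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -subj '/CN=Demo CA' -days 365 \
        -keyout ca.key -out ca.crt 2>/dev/null || return 1
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=ldap.example.test' \
        -keyout ssl-key.pem -out server.csr 2>/dev/null || return 1
    sign_csr server.csr ca.crt ca.key ssl-cert.pem 365 || return 1
    bundle_p12 ssl-cert.pem ssl-key.pem ssl-cert.p12 Server-Cert demo-pass || return 1
    mkdir alias && : > alias/slapd-myinstance-cert8.db && : > alias/slapd-myinstance-key3.db
    ! nssdb_prefix_ok alias slapd-myinstance || return 1   # dash missing: rejected
    nssdb_prefix_ok alias slapd-myinstance- || return 1    # dash present: accepted
    # Real import, same as Rob's command (-W supplies the PKCS#12 password):
    #   pk12util -i ssl-cert.p12 -d alias -P slapd-myinstance- -W demo-pass
}
```

Source the file and call demo for the throwaway end-to-end run; on a real server the three functions take the instance's own paths.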
Can we get this into the FAQ?

--Chris

Rob Crittenden wrote:
> This was just discussed on IRC, may as well document it here as well.
>
> First, head into console and initialize your certificate database and
> assign a password.
>
> # cd /opt/redhat-ds
> # openssl pkcs12 -export -in ssl-cert.pem -inkey ssl-key.pem -out
> ssl-cert.p12 -name "Server-Cert"
>
> # shared/bin/pk12util -i ssl-cert.p12 -d alias -P slapd-myinstance-
>
> This will work for both Fedora and Red Hat DS.
>
> rob
Christopher Blizzard wrote:
> Can we get this into the FAQ?
>
> --Chris

It's probably good to show how to do it with certutil as a primary method, and openssl as an alternative method.

It's on my to-do list to write a short howto for the NSS tools. I already have experimented with it quite a lot half a year ago.

-- 
mike
I have a ksh script that demonstrates how to use certutil to create a self-signed CA and use that to generate a SSL server cert as well as a user certificate. I just need to double-check its cleanliness and I'll get it posted.

rob

Mike Jackson wrote:
> It's probably good to show how to do it with certutil as a primary
> method, and openssl as an alternative method.
>
> It's on my to-do list to write a short howto for the NSS tools. I
> already have experimented with it quite a lot half a year ago.
>
> -- 
> mike