Trying to follow instructions at
http://www.redhat.com/docs/manuals/dir-server/ag/7.1/ssl.html#1087158

Step #8
Copy the key3.db and cert8.db you created to the default databases
created at Directory Server installation:

where is this 'default databases'?

/opt/fedora-ds/slapd-srv1/ ?   # srv1 is name of my server

Craig
Richard Megginson
2005-Dec-08 20:00 UTC
Re: [Fedora-directory-users] self signed certificates
Craig White wrote:
> Trying to follow instructions at
> http://www.redhat.com/docs/manuals/dir-server/ag/7.1/ssl.html#1087158
>
> Step #8
> Copy the key3.db and cert8.db you created to the default databases
> created at Directory Server installation:
>
> where is this 'default databases'?
>
> /opt/fedora-ds/slapd-srv1/ ?   # srv1 is name of my server

/opt/fedora-ds/alias/slapd-srv1-key3.db
/opt/fedora-ds/alias/slapd-srv1-cert8.db

> Craig
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
On Thu, 2005-12-08 at 13:00 -0700, Richard Megginson wrote:
> Craig White wrote:
> > Step #8
> > Copy the key3.db and cert8.db you created to the default databases
> > created at Directory Server installation:
> >
> > where is this 'default databases'?
> >
> > /opt/fedora-ds/slapd-srv1/ ?   # srv1 is name of my server
>
> /opt/fedora-ds/alias/slapd-srv1-key3.db
> /opt/fedora-ds/alias/slapd-srv1-cert8.db
----
OK - well that was where I created them...

# ls -l /opt/fedora-ds/alias/
total 520
-rw-------  1 nobody nobody  65536 Dec  8 12:55 admin-serv-srv1-cert8.db
-rw-------  1 nobody nobody  16384 Dec  8 12:55 admin-serv-srv1-key3.db
-rw-------  1 root   root    65536 Dec  8 11:18 cert8.db
-rw-------  1 root   root     2644 Dec  8 11:18 cert.pk12
-rw-------  1 root   root    16384 Dec  8 11:18 key3.db
-rwxr-xr-x  1 root   nobody 194880 Nov 29 15:06 libnssckbi.so
-rw-r--r--  1 root   root       55 Dec  8 11:09 noise.txt
-rw-------  1 root   root        9 Dec  8 11:09 pwdfile.txt
-rw-------  1 nobody nobody  16384 Dec  6 08:46 secmod.db
-rw-------  1 nobody nobody  65536 Dec  8 10:55 slapd-srv1-cert8.db
-rw-------  1 nobody nobody  16384 Dec  8 10:55 slapd-srv1-key3.db

I didn't see them listed anywhere in the console.

I ended up doing this with openssl...

# first using console, I created a server csr (fedora-ds.csr)
then...

# self-signed CA certificate from an existing CA key (ca.key)
openssl req -config /usr/share/ssl/openssl.cnf -new -x509 \
    -days 3650 -key ca.key -out ca.cert
# a second key and request, signed by that CA
openssl genrsa -out ldap.key 1024
openssl req -config /usr/share/ssl/openssl.cnf -new -key ldap.key \
    -out ldap.csr
openssl x509 -req -in ldap.csr -out ldap.cert -CA ca.cert \
    -CAkey ca.key -CAcreateserial -days 3650
# sign the request the console generated
openssl x509 -req -in fedora-ds.csr -out fedora-ds.cert -CA ca.cert \
    -CAkey ca.key -CAcreateserial -days 3650
cp ca.cert /etc/ssl

Then using the console - in Administration console, Manage Certificates,
CA Certs, I 'installed' the file ca.cert (it seemed happy)

Then in Server Certs, I installed fedora-ds.cert (it seemed happy)

I pretty much repeated the process of creating the signing request and
signing it and generating another server cert and it seems to be happy
too as now, it too lists the certificates both in the server certs and
the CA certs.

So I am pretty good to go right?

Thanks

Craig
Richard Megginson
2005-Dec-08 20:27 UTC
Re: [Fedora-directory-users] self signed certificates
Craig White wrote:
> On Thu, 2005-12-08 at 13:00 -0700, Richard Megginson wrote:
> > /opt/fedora-ds/alias/slapd-srv1-key3.db
> > /opt/fedora-ds/alias/slapd-srv1-cert8.db
> ----
> OK - well that was where I created them...
>
> # ls -l /opt/fedora-ds/alias/
> total 520
> -rw-------  1 nobody nobody  65536 Dec  8 12:55 admin-serv-srv1-cert8.db
> -rw-------  1 nobody nobody  16384 Dec  8 12:55 admin-serv-srv1-key3.db
> -rw-------  1 root   root    65536 Dec  8 11:18 cert8.db
> -rw-------  1 root   root     2644 Dec  8 11:18 cert.pk12
> -rw-------  1 root   root    16384 Dec  8 11:18 key3.db
> -rwxr-xr-x  1 root   nobody 194880 Nov 29 15:06 libnssckbi.so
> -rw-r--r--  1 root   root       55 Dec  8 11:09 noise.txt
> -rw-------  1 root   root        9 Dec  8 11:09 pwdfile.txt
> -rw-------  1 nobody nobody  16384 Dec  6 08:46 secmod.db
> -rw-------  1 nobody nobody  65536 Dec  8 10:55 slapd-srv1-cert8.db
> -rw-------  1 nobody nobody  16384 Dec  8 10:55 slapd-srv1-key3.db
>
> I didn't see them listed anywhere in the console.

Didn't see what listed anywhere in the console?

I think the directions mean "copy your new key3.db over
slapd-srv1-key3.db and copy your new cert8.db over
slapd-srv1-cert8.db". When you do this, make sure slapd isn't running,
and make sure you retain the old ownership and permissions of those
files (e.g. nobody:nobody and 0600). Slapd (uid nobody) has to open
those files in read-write mode.

> I ended up doing this with openssl...
>
> # first using console, I created a server csr (fedora-ds.csr)
> then...
>
> openssl req -config /usr/share/ssl/openssl.cnf -new -x509 \
>     -days 3650 -key ca.key -out ca.cert
> openssl genrsa -out ldap.key 1024
> openssl req -config /usr/share/ssl/openssl.cnf -new -key ldap.key \
>     -out ldap.csr
> openssl x509 -req -in ldap.csr -out ldap.cert -CA ca.cert \
>     -CAkey ca.key -CAcreateserial -days 3650
> openssl x509 -req -in fedora-ds.csr -out fedora-ds.cert -CA ca.cert \
>     -CAkey ca.key -CAcreateserial -days 3650
> cp ca.cert /etc/ssl
>
> Then using the console - in Administration console, Manage Certificates,
> CA Certs, I 'installed' the file ca.cert (it seemed happy)
>
> Then in Server Certs, I installed fedora-ds.cert (it seemed happy)
>
> I pretty much repeated the process of creating the signing request and
> signing it and generating another server cert and it seems to be happy
> too as now, it too lists the certificates both in the server certs and
> the CA certs.
>
> So I am pretty good to go right?
>
> Thanks
>
> Craig
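The copy step Richard describes above, as an added example that is not code from this thread or from Fedora Directory Server: it puts a freshly generated key3.db and cert8.db in place of the instance's slapd-srv1-key3.db and slapd-srv1-cert8.db, refuses to run while ns-slapd is up, keeps a backup, and checks that the owner and 0600 mode the server needs survived the copy. The directory /opt/fedora-ds/alias and the instance name srv1 are taken from the thread; ALIAS_DIR, INSTANCE, the function names and the use of GNU stat are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread or the product). Replaces the instance
# NSS databases with new ones the way Richard's reply describes:
#   - slapd must not be running,
#   - the old owner/mode (nobody:nobody, 0600 in Craig's listing) must be kept,
#     because slapd, running as uid nobody, opens the files read-write.
# ALIAS_DIR / INSTANCE are assumptions mirroring the thread's paths.

ALIAS_DIR=${ALIAS_DIR:-/opt/fedora-ds/alias}
INSTANCE=${INSTANCE:-srv1}

# Returns 0 when an ns-slapd process is running (copying is unsafe then).
slapd_running() {
    command -v pgrep >/dev/null 2>&1 && pgrep -x ns-slapd >/dev/null 2>&1
}

# Prints the octal mode of a file, e.g. 600 (GNU stat assumed).
file_mode() {
    stat -c '%a' "$1"
}

# install_nss_db SRC DST: write SRC's contents into the existing DST.
# Writing through the existing file (cat > DST) instead of cp/mv keeps
# DST's inode, owner and mode, so no chown is needed; the mode is
# re-asserted and verified afterwards anyway.
install_nss_db() {
    src=$1
    dst=$2
    [ -f "$src" ] || { echo "install_nss_db: missing source $src" >&2; return 1; }
    [ -f "$dst" ] || { echo "install_nss_db: missing instance db $dst" >&2; return 1; }
    mode_before=$(file_mode "$dst")
    cp -p "$dst" "$dst.bak" || return 1      # keep the old db for rollback
    cat "$src" > "$dst" || return 1
    chmod "$mode_before" "$dst" || return 1
    [ "$(file_mode "$dst")" = "$mode_before" ]
}

# install_instance_dbs [SRC_DIR]: install key3.db and cert8.db from SRC_DIR
# (default: ALIAS_DIR, where the thread's files were created) over the
# slapd-INSTANCE-key3.db / slapd-INSTANCE-cert8.db pair.
install_instance_dbs() {
    srcdir=${1:-$ALIAS_DIR}
    if slapd_running; then
        echo "ns-slapd is running; stop the instance before replacing its databases" >&2
        return 1
    fi
    install_nss_db "$srcdir/key3.db"  "$ALIAS_DIR/slapd-$INSTANCE-key3.db"  || return 1
    install_nss_db "$srcdir/cert8.db" "$ALIAS_DIR/slapd-$INSTANCE-cert8.db" || return 1
}

# list_instance_certs: show what the server will actually see. certutil's
# -P prefix selects slapd-INSTANCE-cert8.db; a plain -d lookup reads cert8.db,
# which is the file slapd does not use.
list_instance_certs() {
    certutil -L -d "$ALIAS_DIR" -P "slapd-$INSTANCE-"
}

case "${1:-}" in
    --install) install_instance_dbs "${2:-$ALIAS_DIR}" ;;
    --list)    list_instance_certs ;;
esac
```

Run it as root with `--install` after stopping the instance, then `--list` to confirm the CA and server certificates appear under the instance prefix; if `--list` shows nothing while `certutil -L -d /opt/fedora-ds/alias` does, the certificates went into cert8.db rather than the slapd-srv1- database.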
On Thu, 2005-12-08 at 13:27 -0700, Richard Megginson wrote:
> Craig White wrote:
> > I didn't see them listed anywhere in the console.
>
> Didn't see what listed anywhere in the console?
----
the certificates that I generated using certutil. I never could find
evidence of them in any console. The files listed above I am certain
were generated by openssl creation of the CA certificate and using that
to sign the requests from the Server Certs portions of the
Administration and Directory Consoles - and 'installing' them in the
console...because of the time signatures.
----
> I think the directions mean "copy your new key3.db over
> slapd-srv1-key3.db and copy your new cert8.db over
> slapd-srv1-cert8.db". When you do this, make sure slapd isn't running,
> and make sure you retain the old ownership and permissions of those
> files (e.g. nobody:nobody and 0600). Slapd (uid nobody) has to open
> those files in read-write mode.
----
it would appear that having the above contents of /opt/fedora-ds/alias
and the db files chmod 600 nobody:nobody as per above - that even though
I generated them ultimately with openssl and not certutil and they are
listed in both Administration and Directory consoles in both CA Certs
and Server Certs that I am good to go to next step.

Thanks

Craig
Richard Megginson
2005-Dec-08 23:29 UTC
Re: [Fedora-directory-users] self signed certificates
Craig White wrote:
> On Thu, 2005-12-08 at 13:27 -0700, Richard Megginson wrote:
> > Craig White wrote:
> > > I didn't see them listed anywhere in the console.
> >
> > Didn't see what listed anywhere in the console?
> ----
> the certificates that I generated using certutil. I never could find
> evidence of them in any console.

They have to be in the file called slapd-name-cert8.db - it won't find
them if they are in cert8.db.

> The files listed above I am certain
> were generated by openssl creation of the CA certificate and using that
> to sign the requests from the Server Certs portions of the
> Administration and Directory Consoles - and 'installing' them in the
> console...because of the time signatures.
> ----
> > I think the directions mean "copy your new key3.db over
> > slapd-srv1-key3.db and copy your new cert8.db over
> > slapd-srv1-cert8.db". When you do this, make sure slapd isn't running,
> > and make sure you retain the old ownership and permissions of those
> > files (e.g. nobody:nobody and 0600). Slapd (uid nobody) has to open
> > those files in read-write mode.
> ----
> it would appear that having the above contents of /opt/fedora-ds/alias
> and the db files chmod 600 nobody:nobody as per above - that even though
> I generated them ultimately with openssl and not certutil and they are
> listed in both Administration and Directory consoles in both CA Certs
> and Server Certs that I am good to go to next step.

Ok.

> Thanks
>
> Craig