I was looking through the script from the wiki and I saw this line:

../shared/bin/certutil -S -n "Server-Cert" -s "cn=$myhost,ou=Fedora Directory Server" .....

Wouldn't it be better to change that to -n "`hostname`" or something like that because when you create certs for multiple servers, they all end up being called Server-Cert which causes confusion.

What do you guys think?
Richard Megginson
2006-Mar-29 18:39 UTC
Re: [Fedora-directory-users] comment about setupssl.sh
Susan wrote:
> I was looking through the script from the wiki and I saw this line:
>
> ../shared/bin/certutil -S -n "Server-Cert" -s "cn=$myhost,ou=Fedora Directory Server" .....
>
> Wouldn't it be better to change that to -n "`hostname`" or something like that because when you
> create certs for multiple servers, they all end up being called Server-Cert which causes
> confusion.
>
> What do you guys think?

setupssl.sh was created in order to create only 3 certs - the initial CA cert, the initial DS cert, and the initial AS cert. It uses Server-Cert for DS and server-cert for AS because that is what the defaults are for those servers. If you do not use those names (and the server cannot automatically discover an appropriate cert to use), you will have to change the server SSL configuration.

There needs to be a script that you can use to generate multiple key/cert pairs for multiple hosts, using your CA key/cert.

One solution would be to change setupssl.sh to accept a list of FQDNs for which to create DS and AS certs. Then you could just create all of the key/cert databases at once, and just copy them to the /opt/fedora-ds/alias directory on each machine.

Another solution would be to change setupssl.sh to be run on each machine. The first time you run it on your first machine, it would create a key/cert db for the CA only in addition to key/cert dbs for the DS and the AS. Then you would just copy the CA key/cert db and the setupssl.sh script to each machine and run it there.
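Richard's first option above (one script, a list of FQDNs, one key/cert database per host ready to copy to /opt/fedora-ds/alias), as an added example that is not the wiki's setupssl.sh nor anything shipped by the project: every host keeps the default Server-Cert nickname, so nothing in the DS SSL config changes, and the CA private key stays in the CA database because each host only produces a CSR that the CA database signs. The CA directory, the nickname "CA certificate", the password file and the output layout are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the wiki's setupssl.sh: one NSS key/cert DB per FQDN, each
# keeping the default "Server-Cert" nickname (so the DS SSL config stays as is)
# while the CA private key never leaves the CA database. Assumed, not from the
# thread: CA key/cert exist in $CA_DIR as $CA_NICK; $PW_FILE holds the password.
set -eu
CA_DIR="${CA_DIR:-./ca-db}"
CA_NICK="${CA_NICK:-CA certificate}"
PW_FILE="${PW_FILE:-./pwdfile.txt}"
OUT_DIR="${OUT_DIR:-./hosts}"
DRY_RUN="${DRY_RUN:-0}"
# Subject for a host cert: the CN must be the name clients actually connect to.
subject_for() { printf 'cn=%s,ou=Fedora Directory Server\n' "$1"; }

# Per-host directory; its contents become /opt/fedora-ds/alias on that host.
db_dir_for() { printf '%s/%s\n' "$OUT_DIR" "$1"; }

# Execute a command, or only print the command line when DRY_RUN=1.
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Key pair and CSR in the host DB, CSR signed in the CA DB, then server cert
# and CA cert imported into the host DB. Never overwrites an existing DB.
make_host_db() {
  fqdn=$1; serial=$2
  dir=$(db_dir_for "$fqdn")
  if [ -d "$dir" ]; then
    echo "refusing to overwrite existing database in $dir" >&2; return 1
  fi
  mkdir -p "$dir"
  dd if=/dev/urandom of="$dir/noise.bin" bs=256 count=1 2>/dev/null
  run certutil -N -d "$dir" -f "$PW_FILE"
  run certutil -R -d "$dir" -f "$PW_FILE" -z "$dir/noise.bin" \
      -s "$(subject_for "$fqdn")" -a -o "$dir/server.csr"
  run certutil -C -d "$CA_DIR" -f "$PW_FILE" -c "$CA_NICK" -m "$serial" \
      -v 12 -a -i "$dir/server.csr" -o "$dir/server.crt"
  run certutil -A -d "$dir" -n "Server-Cert" -t "u,u,u" -a -i "$dir/server.crt"
  run certutil -L -d "$CA_DIR" -n "$CA_NICK" -a > "$dir/ca.crt"
  run certutil -A -d "$dir" -n "$CA_NICK" -t "CT,," -a -i "$dir/ca.crt"
  rm -f "$dir/noise.bin"
}

# Usage: sh mkhostcerts.sh ldap1.example.com ldap2.example.com
main() {
  serial=1000                      # distinct serial for every cert this CA signs
  for host in "$@"; do
    make_host_db "$host" "$serial"; serial=$((serial + 1))
  done
}
[ "$#" -eq 0 ] || main "$@"
```

Run it with DRY_RUN=1 first to review the certutil command lines before any database is written.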
Rob Crittenden
2006-Mar-29 18:40 UTC
Re: [Fedora-directory-users] comment about setupssl.sh
Susan wrote:
> I was looking through the script from the wiki and I saw this line:
>
> ../shared/bin/certutil -S -n "Server-Cert" -s "cn=$myhost,ou=Fedora Directory Server" .....
>
> Wouldn't it be better to change that to -n "`hostname`" or something like that because when you
> create certs for multiple servers, they all end up being called Server-Cert which causes
> confusion.
>
> What do you guys think?

Server-Cert is a holdover from our Netscape days. It's been the default certificate nickname for all the products for as long as I can remember (so at least 8 years).

This script seems designed to get one host set up for SSL, not to set up multiple servers (e.g. for MMR) each with their own server cert. It does provide a good basis for issuing multiple certs and demonstrates how to do it in a safe way (by not writing over databases, re-issuing certs with conflicting nicknames, etc).

Ideally you will use a real CA to issue the server certificates. Self-signed CAs are bad, bad, bad. You don't want your users to get in the habit of accepting unknown server certificates (though I guess this applies more to web servers than LDAP servers).

rob
> I was looking through the script from the wiki and I saw this line:
>
> ../shared/bin/certutil -S -n "Server-Cert" -s
> "cn=$myhost,ou=Fedora Directory Server" .....
>
> Wouldn't it be better to change that to -n "`hostname`" or
> something like that because when you create certs for
> multiple servers, they all end up being called Server-Cert
> which causes confusion.

Ciao Susan,

after so many troubles that you know.. I think that your idea is useful.... during my tests it confused me a lot of times... and I represent a classic newbie about it.

I pinpoint that running setupssl.sh on both servers after a fresh install didn't resolve my problem... so I became doubtful about this way to generate SSL certificates.

My opinion is that Rob's post could become a FAQ or a mini-HOWTO.

Regards
Alex
--- Richard Megginson <rmeggins@redhat.com> wrote:
> One solution would be to change setupssl.sh to accept a list of FQDNs
> for which to create DS and AS certs. Then you could just create all of
> the key/cert databases at once, and just copy them to the
> /opt/fedora-ds/alias directory on each machine.

yeah, this is a good idea. Because I don't know about other users but for me, creating certs is just 1 of the steps towards SSL encrypted client<->FDS comms & MMR.

Another thing is this. If you create your certs with FQDNs, doesn't that mean that all clients must refer to the ldap server by FQDN? Because that's how it works in the web world. If I create/sign a cert for webserver and somebody goes to https://webserver.company.com it'll prompt the user, asking about this "new" cert, even though you're already trusting the CA that signed it.

If that's the case, that would be pretty annoying because within a company, everybody always refers to hostnames, not fqdns (provided DNS works properly, obv.)
George Holbert
2006-Mar-29 21:13 UTC
Re: [Fedora-directory-users] comment about setupssl.sh
>
> If you create your certs with FQDNs, doesn't that mean that all clients
> must refer to ldap server by FQDN?

In general, the answer is "yes." For example, Solaris' LDAP name service will not work unless the server name in the Solaris client config exactly matches the CN on the LDAP server certificate.

Some clients (like PADL's nss_ldap used in most Linuxes) can be configured to disable server cert verification. Or others just have it always turned off (Outlook Express). In these cases, you could get away with using a shortname or alias instead of the exact name listed in the CN.

So it depends on the LDAP client apps you need to support. Depending on your environment and requirements, you could technically use shortnames or aliases. But you're really better off using FQDNs in both the server cert and your client configs, if possible.

Of course, for non-SSL/TLS connections, no cert verification is involved, so you can use whatever name or alias you want for those.

Susan wrote:
> --- Richard Megginson <rmeggins@redhat.com> wrote:
>
>> One solution would be to change setupssl.sh to accept a list of FQDNs
>> for which to create DS and AS certs. Then you could just create all of
>> the key/cert databases at once, and just copy them to the
>> /opt/fedora-ds/alias directory on each machine.
>>
>
> yeah, this is a good idea. Because I don't know about other users but for me, creating certs is
> just 1 of the steps towards SSL encrypted client<->FDS comms & MMR.
>
> Another thing is this. If you create your certs with FQDNs, doesn't that mean that all clients
> must refer to ldap server by FQDN? Because that's how it works in the web world. If I
> create/sign a cert for webserver and somebody goes to https://webserver.company.com it'll prompt
> the user, asking about this "new" cert, even though you're already trusting the CA that signed it.
> If that's the case, that would be pretty annoying because within a company, everybody always
> refers to hostnames, not fqdns (provided DNS works properly, obv.)