[Fedora-directory-users] Enabling SSL

George Holbert gholbert at broadcom.com
Wed Aug 3 20:14:00 UTC 2005 

Rich M answered my question in his recent post:

> If you followed the other steps up until this one, then you already 
> have the required certs for slapd to use.  You only need to export the 
> cert to the .pfx file if you need to import that key and cert into 
> another program (e.g. use openssl to convert the .pfx file to other 
> formats).

So there apparently is not a need for the pk12 file in the alias directory.

Thanks Rich,
-- George



George Holbert wrote:

> A follow up question:  why does pk12util need to be run against the 
> certificate db at all?  Doesn't RedHat/Fedora DS read certificate and 
> key information directly from the cert8.db and key3.db files?
>
> In the RedHat SSL setup docs at:
> http://www.redhat.com/docs/manuals/dir-server/ag/7.1/ssl.html#1087158
> ... it says:
>
>> Run pk12util to convert the certificate database to pkcs12 format, so 
>> it is accessbile by the Directory Server:
>
>
>
> As Adam Stokes mentioned, the incantation for this should be:
>
>> Again another typo the line should read
>>
>> pk12util -d . -P slapd-serverID- -o servercert.pk12 -n Server-Cert
>>
> But what does it buy you to have the "servercert.pk12" file sitting in 
> the alias directory with the cert and key db files?  How does this 
> make the certificate database "accessible by the Directory Server"?
>
> In previous versions of Netscape DS, I don't recall the need for a 
> pk12 file in the alias directory.  Is this a new requirement for 
> version 7.1 ?
>
> Thanks,
> -- George
>
>
> Adam Stokes wrote:
>
>> On Wed, 3 Aug 2005 15:48:42 -0400
>> Kevin Kovach <kovach at gmail.com> wrote:
>>
>> Kevin,
>>
>> Again another typo the line should read
>>
>> pk12util -d . -P slapd-serverID- -o servercert.pk12 -n Server-Cert
>>
>> and the -P option is the dbprefix in which case slapd-serverID- should
>> be replaced with whatever you have setup as your slapd-<instance>-
>>
>> Hope this helps
>>
>>  
>>
>>> Adam,
>>>
>>> My entry looks the same.  I'm pretty certain I have the ciphers
>>> correct now.
>>>
>>> I am curious about one thing though.  In following the wiki, I did as
>>> suggested and converted the cert db to pkcs12 with the following
>>> command ...
>>>
>>> pk12util -d . -P slapd-serverID- -o servercert.pfx -n Server-Cert
>>>
>>> However, I don't see anywhere where we make FDS aware of
>>> servercert.pfx?  I'd assume that we need to configure FDS for this
>>> pkcs12 db somewhere?
>>>
>>> Also, the wiki mentions the trailing - on the -P option but does not
>>> go into depth on it.  I'm pretty sure I executed this command
>>> correctly but am unsure how to double check it?
>>>
>>> Thanks again.
>>>
>>> - Kevin
>>>
>>> On 8/3/05, Adam Stokes <astokes at redhat.com> wrote:
>>>   
>>>
>>>> dn: cn=encryption,cn=config
>>>> objectClass: top
>>>> objectClass: nsEncryptionConfig
>>>> cn: encryption
>>>> nsSSLSessionTimeout: 0
>>>> nsSSLClientAuth: allowed
>>>> nsSSL2: off
>>>> nsSSL3: on
>>>> creatorsName: cn=server,cn=plugins,cn=config
>>>> modifiersName: cn=directory manager
>>>> createTimestamp: 20050701182744Z
>>>> modifyTimestamp: 20050720192820Z
>>>> nsSSL3Ciphers:
>>>> -
>>>> rsa_null_md5,rsa_rc4_128_md5,rsa_rc4_40_md5,rsa_rc2_40_md5,rsa_des_sha,rsa_fips_des_sha,rsa_3des_sha,rsa_fips_3des_sha,fortezza,fortezza_rc4_128_sha,fortezza_null,tls_rsa_export1024_with_rc4_56_sha,tls_rsa_export1024_with_des_cbc_sha 
>>>>
>>>> nsKeyfile: alias/slapd-directory-key3.db nsCertfile: alias/slapd-
>>>> directory-cert8.db numSubordinates: 1
>>>>
>>>> Above is my entry for reference
>>>>
>>>> On Wed, 2005-08-03 at 13:57 -0400, Kevin Kovach wrote:
>>>>     
>>>>
>>>>> Thanks Nathan.  I've made this change and again got farther than
>>>>> I have before.
>>>>>
>>>>> FYI, I got that cipher list from the Wiki.  That will need to be
>>>>> updated to contain the complete list.
>>>>>
>>>>> Although I got farther the server is still not starting up.  Now
>>>>> it's complaining that none of the ciphers are valid?  How to I
>>>>> ensure that I'm using a valid cypher?  Here's the error I'm
>>>>> seeing in the error log ...
>>>>>
>>>>> [03/Aug/2005:13:56:23 -0400] - Fedora-Directory/7.1
>>>>> B2005.201.2115 starting up [03/Aug/2005:13:56:23 -0400] - SSL
>>>>> failure: None of the cipher are valid
>>>>>
>>>>> Thanks again for the help.
>>>>>
>>>>> - Kevin
>>>>>
>>>>> And again have a different issue now.  Now it's complaining that
>>>>> there are no
>>>>>       
>>>>
>>>> -- 
>>>> Fedora-directory-users mailing list
>>>> Fedora-directory-users at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>>
>>>>     
>>>
>>> -- 
>>> Take back the web, http://www.switch2firefox.com/
>>>
>>> -- 
>>> Fedora-directory-users mailing list
>>> Fedora-directory-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>   
>>
>>
>>
>>  
>>
>
>
>
> -- 
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

More information about the Fedora-directory-users mailing list