[Fedora-directory-users] Enabling SSL

Adam Stokes astokes at redhat.com
Wed Aug 3 20:15:51 UTC 2005 

Ill update wiki accordingly

thanks
On Wed, 03 Aug 2005 13:14:00 -0700
"George Holbert" <gholbert at broadcom.com> wrote:

> Rich M answered my question in his recent post:
> 
> > If you followed the other steps up until this one, then you already 
> > have the required certs for slapd to use.  You only need to export
> > the cert to the .pfx file if you need to import that key and cert
> > into another program (e.g. use openssl to convert the .pfx file to
> > other formats).
> 
> So there apparently is not a need for the pk12 file in the alias
> directory.
> 
> Thanks Rich,
> -- George
> 
> 
> 
> George Holbert wrote:
> 
> > A follow up question:  why does pk12util need to be run against the 
> > certificate db at all?  Doesn't RedHat/Fedora DS read certificate
> > and key information directly from the cert8.db and key3.db files?
> >
> > In the RedHat SSL setup docs at:
> > http://www.redhat.com/docs/manuals/dir-server/ag/7.1/ssl.html#1087158
> > ... it says:
> >
> >> Run pk12util to convert the certificate database to pkcs12 format,
> >> so it is accessbile by the Directory Server:
> >
> >
> >
> > As Adam Stokes mentioned, the incantation for this should be:
> >
> >> Again another typo the line should read
> >>
> >> pk12util -d . -P slapd-serverID- -o servercert.pk12 -n Server-Cert
> >>
> > But what does it buy you to have the "servercert.pk12" file sitting
> > in the alias directory with the cert and key db files?  How does
> > this make the certificate database "accessible by the Directory
> > Server"?
> >
> > In previous versions of Netscape DS, I don't recall the need for a 
> > pk12 file in the alias directory.  Is this a new requirement for 
> > version 7.1 ?
> >
> > Thanks,
> > -- George
> >
> >
> > Adam Stokes wrote:
> >
> >> On Wed, 3 Aug 2005 15:48:42 -0400
> >> Kevin Kovach <kovach at gmail.com> wrote:
> >>
> >> Kevin,
> >>
> >> Again another typo the line should read
> >>
> >> pk12util -d . -P slapd-serverID- -o servercert.pk12 -n Server-Cert
> >>
> >> and the -P option is the dbprefix in which case slapd-serverID-
> >> should be replaced with whatever you have setup as your slapd-
> >> <instance>-
> >>
> >> Hope this helps
> >>
> >>  
> >>
> >>> Adam,
> >>>
> >>> My entry looks the same.  I'm pretty certain I have the ciphers
> >>> correct now.
> >>>
> >>> I am curious about one thing though.  In following the wiki, I
> >>> did as suggested and converted the cert db to pkcs12 with the
> >>> following command ...
> >>>
> >>> pk12util -d . -P slapd-serverID- -o servercert.pfx -n Server-Cert
> >>>
> >>> However, I don't see anywhere where we make FDS aware of
> >>> servercert.pfx?  I'd assume that we need to configure FDS for this
> >>> pkcs12 db somewhere?
> >>>
> >>> Also, the wiki mentions the trailing - on the -P option but does
> >>> not go into depth on it.  I'm pretty sure I executed this command
> >>> correctly but am unsure how to double check it?
> >>>
> >>> Thanks again.
> >>>
> >>> - Kevin
> >>>
> >>> On 8/3/05, Adam Stokes <astokes at redhat.com> wrote:
> >>>   
> >>>
> >>>> dn: cn=encryption,cn=config
> >>>> objectClass: top
> >>>> objectClass: nsEncryptionConfig
> >>>> cn: encryption
> >>>> nsSSLSessionTimeout: 0
> >>>> nsSSLClientAuth: allowed
> >>>> nsSSL2: off
> >>>> nsSSL3: on
> >>>> creatorsName: cn=server,cn=plugins,cn=config
> >>>> modifiersName: cn=directory manager
> >>>> createTimestamp: 20050701182744Z
> >>>> modifyTimestamp: 20050720192820Z
> >>>> nsSSL3Ciphers:
> >>>> -
> >>>> rsa_null_md5,rsa_rc4_128_md5,rsa_rc4_40_md5,rsa_rc2_40_md5,rsa_des_sha,rsa_fips_des_sha,rsa_3des_sha,rsa_fips_3des_sha,fortezza,fortezza_rc4_128_sha,fortezza_null,tls_rsa_export1024_with_rc4_56_sha,tls_rsa_export1024_with_des_cbc_sha 
> >>>>
> >>>> nsKeyfile: alias/slapd-directory-key3.db nsCertfile: alias/slapd-
> >>>> directory-cert8.db numSubordinates: 1
> >>>>
> >>>> Above is my entry for reference
> >>>>
> >>>> On Wed, 2005-08-03 at 13:57 -0400, Kevin Kovach wrote:
> >>>>     
> >>>>
> >>>>> Thanks Nathan.  I've made this change and again got farther than
> >>>>> I have before.
> >>>>>
> >>>>> FYI, I got that cipher list from the Wiki.  That will need to be
> >>>>> updated to contain the complete list.
> >>>>>
> >>>>> Although I got farther the server is still not starting up.  Now
> >>>>> it's complaining that none of the ciphers are valid?  How to I
> >>>>> ensure that I'm using a valid cypher?  Here's the error I'm
> >>>>> seeing in the error log ...
> >>>>>
> >>>>> [03/Aug/2005:13:56:23 -0400] - Fedora-Directory/7.1
> >>>>> B2005.201.2115 starting up [03/Aug/2005:13:56:23 -0400] - SSL
> >>>>> failure: None of the cipher are valid
> >>>>>
> >>>>> Thanks again for the help.
> >>>>>
> >>>>> - Kevin
> >>>>>
> >>>>> And again have a different issue now.  Now it's complaining that
> >>>>> there are no
> >>>>>       
> >>>>
> >>>> -- 
> >>>> Fedora-directory-users mailing list
> >>>> Fedora-directory-users at redhat.com
> >>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
> >>>>
> >>>>     
> >>>
> >>> -- 
> >>> Take back the web, http://www.switch2firefox.com/
> >>>
> >>> -- 
> >>> Fedora-directory-users mailing list
> >>> Fedora-directory-users at redhat.com
> >>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
> >>>   
> >>
> >>
> >>
> >>  
> >>
> >
> >
> >
> > -- 
> > Fedora-directory-users mailing list
> > Fedora-directory-users at redhat.com
> > https://www.redhat.com/mailman/listinfo/fedora-directory-users
> >
> 
> 
> 
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users


-- 
....<(^_^)> adam stokes ....

More information about the Fedora-directory-users mailing list