[Fedora-directory-users] self signed certificates

Craig White craigwhite at azapple.com
Thu Dec 8 21:53:36 UTC 2005


On Thu, 2005-12-08 at 13:27 -0700, Richard Megginson wrote:
> Craig White wrote:
> 
> >On Thu, 2005-12-08 at 13:00 -0700, Richard Megginson wrote:
> >  
> >
> >>Craig White wrote:
> >>
> >>    
> >>
> >>>Trying to follow instructions at 
> >>>http://www.redhat.com/docs/manuals/dir-server/ag/7.1/ssl.html#1087158
> >>>
> >>>Step #8
> >>>Copy the key3.db and cert8.db you created to the default databases
> >>>created at Directory Server installation:
> >>>
> >>>where is this 'default databases'?
> >>>
> >>>/opt/fedora-ds/slapd-srv1/ ? # srv1 is name of my server
> >>> 
> >>>
> >>>      
> >>>
> >>/opt/fedora-ds/alias/slapd-srv1-key3.db
> >>/opt/fedora-ds/alias/slapd-srv1-cert8.db
> >>    
> >>
> >----
> >OK - well that was where I created them...
> >
> ># ls -l /opt/fedora-ds/alias/
> >total 520
> >-rw-------  1 nobody nobody  65536 Dec  8 12:55 admin-serv-srv1-cert8.db
> >-rw-------  1 nobody nobody  16384 Dec  8 12:55 admin-serv-srv1-key3.db
> >-rw-------  1 root   root    65536 Dec  8 11:18 cert8.db
> >-rw-------  1 root   root     2644 Dec  8 11:18 cert.pk12
> >-rw-------  1 root   root    16384 Dec  8 11:18 key3.db
> >-rwxr-xr-x  1 root   nobody 194880 Nov 29 15:06 libnssckbi.so
> >-rw-r--r--  1 root   root       55 Dec  8 11:09 noise.txt
> >-rw-------  1 root   root        9 Dec  8 11:09 pwdfile.txt
> >-rw-------  1 nobody nobody  16384 Dec  6 08:46 secmod.db
> >-rw-------  1 nobody nobody  65536 Dec  8 10:55 slapd-srv1-cert8.db
> >-rw-------  1 nobody nobody  16384 Dec  8 10:55 slapd-srv1-key3.db
> >
> >I didn't see them listed anywhere in the console.
> >  
> >
> Didn't see what listed anywhere in the console?
----
the certificates that I generated using certutil. I never could find
evidence of them in any console. The files listed above I am certain
were generated by openssl creation of the CA certificate and using that
to sign the requests from the Server Certs portions of the
Administration and Directory Consoles - and 'installing' them in the
console...because of the time signatures.
----
> 
> I think the directions mean "copy your new key3.db over 
> slapd-srv1-key3.db and copy your new cert8.db over 
> slapd-srv1-cert8.db".  When you do this, make sure slapd isn't running, 
> and make sure you retain the old ownership and permissions of those 
> files (e.g. nobody:nobody and 0600).  Slapd (uid nobody) has to open 
> those files in read-write mode.
> 
----
It would appear that, having the above contents of /opt/fedora-ds/alias
and the db files chmod 600 nobody:nobody as per above, even though I
generated them ultimately with openssl and not certutil, and they are
listed in both the Administration and Directory consoles under both CA
Certs and Server Certs, I am good to go to the next step.

Thanks

Craig
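The copy that Richard describes above (new key3.db/cert8.db over slapd-srv1-key3.db/slapd-srv1-cert8.db, with slapd stopped and nobody:nobody 0600 retained), as an added shell example that is not from the thread or the Fedora DS distribution. The pidfile location and the owner/user arguments are assumptions so that the functions can be tried as a non-root user; the paths and instance name follow the thread.

```shell
# Added example (not from the thread): install freshly generated NSS database
# files over the slapd ones. The pidfile path and the owner are assumed
# arguments; defaults match what the reply above says slapd expects.

install_nss_db() {
    alias_dir="$1"                     # e.g. /opt/fedora-ds/alias
    instance="$2"                      # e.g. srv1
    owner="${3:-nobody:nobody}"        # ownership slapd expects
    pidfile="${4:-}"                   # assumed slapd pidfile location (optional)

    # slapd opens these files read-write; refuse to swap them under a live process
    if [ -n "$pidfile" ] && [ -f "$pidfile" ] \
       && kill -0 "$(cat "$pidfile")" 2>/dev/null; then
        echo "slapd appears to be running (pid $(cat "$pidfile")); stop it first" >&2
        return 1
    fi

    for db in key3.db cert8.db; do
        src="$alias_dir/$db"
        dst="$alias_dir/slapd-$instance-$db"
        if [ ! -f "$src" ]; then
            echo "missing $src" >&2
            return 1
        fi
        # keep the old database so a bad certificate can be rolled back
        if [ -f "$dst" ]; then
            cp -p "$dst" "$dst.bak" || return 1
        fi
        # stage the copy, fix ownership and mode, then rename into place
        cp "$src" "$dst.tmp" && chown "$owner" "$dst.tmp" \
            && chmod 0600 "$dst.tmp" && mv "$dst.tmp" "$dst" || return 1
    done
}

# Verify the installed files are owned by the slapd user and are mode 0600
# (the state the ls -l output in the thread shows for slapd-srv1-*.db).
check_nss_db_perms() {
    alias_dir="$1"; instance="$2"; user="${3:-nobody}"; rc=0
    for db in key3.db cert8.db; do
        f="$alias_dir/slapd-$instance-$db"
        if [ -z "$(find "$f" -user "$user" -perm 0600 -print 2>/dev/null)" ]; then
            echo "$f is not $user-owned mode 0600" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage: install_nss_db /opt/fedora-ds/alias srv1 && check_nss_db_perms /opt/fedora-ds/alias srv1
```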
