[Fedora-directory-users] self signed certificates
Craig White
craigwhite at azapple.com
Thu Dec 8 21:53:36 UTC 2005
On Thu, 2005-12-08 at 13:27 -0700, Richard Megginson wrote:
> Craig White wrote:
>
> >On Thu, 2005-12-08 at 13:00 -0700, Richard Megginson wrote:
> >
> >
> >>Craig White wrote:
> >>
> >>>Trying to follow instructions at
> >>>http://www.redhat.com/docs/manuals/dir-server/ag/7.1/ssl.html#1087158
> >>>
> >>>Step #8
> >>>Copy the key3.db and cert8.db you created to the default databases
> >>>created at Directory Server installation:
> >>>
> >>>where is this 'default databases'?
> >>>
> >>>/opt/fedora-ds/slapd-srv1/ ? # srv1 is name of my server
> >>>
> >>/opt/fedora-ds/alias/slapd-srv1-key3.db
> >>/opt/fedora-ds/alias/slapd-srv1-cert8.db
> >>
> >----
> >OK - well that was where I created them...
> >
> ># ls -l /opt/fedora-ds/alias/
> >total 520
> >-rw------- 1 nobody nobody 65536 Dec 8 12:55 admin-serv-srv1-cert8.db
> >-rw------- 1 nobody nobody 16384 Dec 8 12:55 admin-serv-srv1-key3.db
> >-rw------- 1 root root 65536 Dec 8 11:18 cert8.db
> >-rw------- 1 root root 2644 Dec 8 11:18 cert.pk12
> >-rw------- 1 root root 16384 Dec 8 11:18 key3.db
> >-rwxr-xr-x 1 root nobody 194880 Nov 29 15:06 libnssckbi.so
> >-rw-r--r-- 1 root root 55 Dec 8 11:09 noise.txt
> >-rw------- 1 root root 9 Dec 8 11:09 pwdfile.txt
> >-rw------- 1 nobody nobody 16384 Dec 6 08:46 secmod.db
> >-rw------- 1 nobody nobody 65536 Dec 8 10:55 slapd-srv1-cert8.db
> >-rw------- 1 nobody nobody 16384 Dec 8 10:55 slapd-srv1-key3.db
> >
> >I didn't see them listed anywhere in the console.
> >
> Didn't see what listed anywhere in the console?
----
The certificates that I generated using certutil. I never could find
evidence of them in any console. The files listed above I am certain
were generated by openssl creation of the CA certificate and using that
to sign the requests from the Server Certs portions of the
Administration and Directory Consoles - and 'installing' them in the
console... because of the time signatures.
----
>
> I think the directions mean "copy your new key3.db over
> slapd-srv1-key3.db and copy your new cert8.db over
> slapd-srv1-cert8.db". When you do this, make sure slapd isn't running,
> and make sure you retain the old ownership and permissions of those
> files (e.g. nobody:nobody and 0600). Slapd (uid nobody) has to open
> those files in read-write mode.
>
----
It would appear that, having the above contents of /opt/fedora-ds/alias
and the db files chmod 600 nobody:nobody as per above, even though
I generated them ultimately with openssl and not certutil and they are
listed in both Administration and Directory consoles in both CA Certs
and Server Certs, I am good to go to the next step.
Thanks
Craig
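As an added example that is not part of the thread, the copy step Richard describes (new key3.db/cert8.db over the slapd-srv1-* files, server stopped, original nobody:nobody 0600 retained) as a small POSIX shell function. It assumes GNU coreutils (stat -c, install) and that the server process is named ns-slapd; both are assumptions, not from the thread.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.
# install_nss_db NEW_FILE TARGET
# Copies NEW_FILE over TARGET while keeping TARGET's existing owner, group
# and mode (e.g. nobody:nobody 0600, as in the directory listing above),
# saving the old database as TARGET.bak first. Returns non-zero on failure.
# Assumptions: GNU stat/install; server process name "ns-slapd".
install_nss_db() {
    new="$1"
    target="$2"
    [ -f "$new" ] || { echo "missing new file: $new" >&2; return 1; }
    [ -f "$target" ] || { echo "missing target, nothing to preserve: $target" >&2; return 1; }
    # Never swap the key/cert databases under a running server, which holds
    # them open read-write.
    if command -v pgrep >/dev/null 2>&1 && pgrep -x ns-slapd >/dev/null 2>&1; then
        echo "ns-slapd is running; stop it first" >&2
        return 1
    fi
    # Capture the target's current owner, group and octal mode so the new
    # copy ends up with exactly the same attributes.
    owner=$(stat -c '%U' "$target") || return 1
    group=$(stat -c '%G' "$target") || return 1
    mode=$(stat -c '%a' "$target") || return 1
    # Keep a copy of the old database (with its attributes) for rollback.
    cp -p "$target" "$target.bak" || return 1
    # install(1) writes the new file and applies owner/group/mode in one step.
    install -o "$owner" -g "$group" -m "$mode" "$new" "$target" || return 1
    return 0
}

# Usage for the layout in the thread (run as root, with the server stopped):
#   install_nss_db /opt/fedora-ds/alias/key3.db  /opt/fedora-ds/alias/slapd-srv1-key3.db
#   install_nss_db /opt/fedora-ds/alias/cert8.db /opt/fedora-ds/alias/slapd-srv1-cert8.db
```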