[Fedora-directory-users] self signed certificates
Richard Megginson
rmeggins at redhat.com
Thu Dec 8 23:29:58 UTC 2005
Craig White wrote:
>On Thu, 2005-12-08 at 13:27 -0700, Richard Megginson wrote:
>
>>Craig White wrote:
>>
>>>On Thu, 2005-12-08 at 13:00 -0700, Richard Megginson wrote:
>>>
>>>>Craig White wrote:
>>>>
>>>>>Trying to follow instructions at
>>>>>http://www.redhat.com/docs/manuals/dir-server/ag/7.1/ssl.html#1087158
>>>>>
>>>>>Step #8
>>>>>Copy the key3.db and cert8.db you created to the default databases
>>>>>created at Directory Server installation:
>>>>>
>>>>>where is this 'default databases'?
>>>>>
>>>>>/opt/fedora-ds/slapd-srv1/ ? # srv1 is name of my server
>>>>>
>>>>/opt/fedora-ds/alias/slapd-srv1-key3.db
>>>>/opt/fedora-ds/alias/slapd-srv1-cert8.db
>>>>
>>>----
>>>OK - well that was where I created them...
>>>
>>># ls -l /opt/fedora-ds/alias/
>>>total 520
>>>-rw------- 1 nobody nobody 65536 Dec 8 12:55 admin-serv-srv1-cert8.db
>>>-rw------- 1 nobody nobody 16384 Dec 8 12:55 admin-serv-srv1-key3.db
>>>-rw------- 1 root root 65536 Dec 8 11:18 cert8.db
>>>-rw------- 1 root root 2644 Dec 8 11:18 cert.pk12
>>>-rw------- 1 root root 16384 Dec 8 11:18 key3.db
>>>-rwxr-xr-x 1 root nobody 194880 Nov 29 15:06 libnssckbi.so
>>>-rw-r--r-- 1 root root 55 Dec 8 11:09 noise.txt
>>>-rw------- 1 root root 9 Dec 8 11:09 pwdfile.txt
>>>-rw------- 1 nobody nobody 16384 Dec 6 08:46 secmod.db
>>>-rw------- 1 nobody nobody 65536 Dec 8 10:55 slapd-srv1-cert8.db
>>>-rw------- 1 nobody nobody 16384 Dec 8 10:55 slapd-srv1-key3.db
>>>
>>>I didn't see them listed anywhere in the console.
>>>
>>Didn't see what listed anywhere in the console?
>>
>----
>the certificates that I generated using certutil. I never could find
>evidence of them in any console.
>
They have to be in the file called slapd-name-cert8.db - it won't find
them if they are in cert8.db.
>The files listed above I am certain
>were generated by openssl creation of the CA certificate and using that
>to sign the requests from the Server Certs portions of the
>Administration and Directory Consoles - and 'installing' them in the
>console...because of the time signatures.
>----
>
>>I think the directions mean "copy your new key3.db over
>>slapd-srv1-key3.db and copy your new cert8.db over
>>slapd-srv1-cert8.db". When you do this, make sure slapd isn't running,
>>and make sure you retain the old ownership and permissions of those
>>files (e.g. nobody:nobody and 0600). Slapd (uid nobody) has to open
>>those files in read-write mode.
>>
>----
>it would appear that having the above contents of /opt/fedora-ds/alias
>and the db files chmod 600 nobody:nobody as per above - that even though
>I generated them ultimately with openssl and not certutil and they are
>listed in both Administration and Directory consoles in both CA Certs
>and Server Certs that I am good to go to next step.
>
Ok.
>Thanks
>
>Craig
>
>--
>Fedora-directory-users mailing list
>Fedora-directory-users at redhat.com
>https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
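The copy step discussed in this thread (new key3.db and cert8.db over the slapd-srv1-* files, with slapd stopped and the old ownership and permissions retained), as an added example that is not part of the original messages. It assumes GNU coreutils and that the server process is named ns-slapd; the function name and the `.bak` backup copy are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes GNU coreutils (--reference)
# and that the directory server process is named ns-slapd.

# install_nss_dbs ALIAS_DIR INSTANCE  (hypothetical helper name)
# Copies ALIAS_DIR/{key3,cert8}.db over ALIAS_DIR/slapd-INSTANCE-{key3,cert8}.db,
# keeping the owner, group and mode of the files being replaced.
install_nss_dbs() {
    alias_dir=$1
    instance=$2

    # slapd opens these files read-write; refuse to swap them under it.
    if pgrep -x ns-slapd >/dev/null 2>&1; then
        echo "ns-slapd is running; stop it first" >&2
        return 1
    fi

    # Check everything up front so a missing file leaves nothing half-replaced.
    for db in key3.db cert8.db; do
        [ -f "$alias_dir/$db" ] || { echo "missing $alias_dir/$db" >&2; return 1; }
        [ -f "$alias_dir/slapd-$instance-$db" ] ||
            { echo "missing slapd-$instance-$db" >&2; return 1; }
    done

    for db in key3.db cert8.db; do
        dst="$alias_dir/slapd-$instance-$db"
        tmp="$dst.new.$$"
        # Stage a private copy, then give it the old file's owner and mode.
        ( umask 077 && cp "$alias_dir/$db" "$tmp" ) || return 1
        chown --reference="$dst" "$tmp" || { rm -f "$tmp"; return 1; }
        chmod --reference="$dst" "$tmp" || { rm -f "$tmp"; return 1; }
        cp -p "$dst" "$dst.bak" || { rm -f "$tmp"; return 1; }   # keep the old db
        mv -f "$tmp" "$dst" || return 1
    done
}

# Run as: sh install-dbs.sh /opt/fedora-ds/alias srv1
if [ "$#" -eq 2 ]; then
    install_nss_dbs "$1" "$2"
fi
```

Because owner and mode are taken from the files being replaced, the result matches whatever the instance already used (nobody:nobody and 0600 in the listing above) without hard-coding either.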