[Fedora-directory-users] self signed certificates

Richard Megginson rmeggins at redhat.com
Thu Dec 8 23:29:58 UTC 2005


Craig White wrote:

>On Thu, 2005-12-08 at 13:27 -0700, Richard Megginson wrote:
>
>>Craig White wrote:
>>
>>>On Thu, 2005-12-08 at 13:00 -0700, Richard Megginson wrote:
>>>
>>>>Craig White wrote:
>>>>
>>>>>Trying to follow instructions at 
>>>>>http://www.redhat.com/docs/manuals/dir-server/ag/7.1/ssl.html#1087158
>>>>>
>>>>>Step #8
>>>>>Copy the key3.db and cert8.db you created to the default databases
>>>>>created at Directory Server installation:
>>>>>
>>>>>where is this 'default databases'?
>>>>>
>>>>>/opt/fedora-ds/slapd-srv1/ ? # srv1 is name of my server
>>>>>
>>>>/opt/fedora-ds/alias/slapd-srv1-key3.db
>>>>/opt/fedora-ds/alias/slapd-srv1-cert8.db
>>>>
>>>----
>>>OK - well that was where I created them...
>>>
>>># ls -l /opt/fedora-ds/alias/
>>>total 520
>>>-rw-------  1 nobody nobody  65536 Dec  8 12:55 admin-serv-srv1-cert8.db
>>>-rw-------  1 nobody nobody  16384 Dec  8 12:55 admin-serv-srv1-key3.db
>>>-rw-------  1 root   root    65536 Dec  8 11:18 cert8.db
>>>-rw-------  1 root   root     2644 Dec  8 11:18 cert.pk12
>>>-rw-------  1 root   root    16384 Dec  8 11:18 key3.db
>>>-rwxr-xr-x  1 root   nobody 194880 Nov 29 15:06 libnssckbi.so
>>>-rw-r--r--  1 root   root       55 Dec  8 11:09 noise.txt
>>>-rw-------  1 root   root        9 Dec  8 11:09 pwdfile.txt
>>>-rw-------  1 nobody nobody  16384 Dec  6 08:46 secmod.db
>>>-rw-------  1 nobody nobody  65536 Dec  8 10:55 slapd-srv1-cert8.db
>>>-rw-------  1 nobody nobody  16384 Dec  8 10:55 slapd-srv1-key3.db
>>>
>>>I didn't see them listed anywhere in the console.
>>>
>>Didn't see what listed anywhere in the console?
>>
>----
>the certificates that I generated using certutil. I never could find
>evidence of them in any console.
>
They have to be in the file called slapd-name-cert8.db - it won't find 
them if they are in cert8.db.

>The files listed above I am certain
>were generated by openssl creation of the CA certificate and using that
>to sign the requests from the Server Certs portions of the
>Administration and Directory Consoles - and 'installing' them in the
>console...because of the time signatures.
>----
>
>>I think the directions mean "copy your new key3.db over 
>>slapd-srv1-key3.db and copy your new cert8.db over 
>>slapd-srv1-cert8.db".  When you do this, make sure slapd isn't running, 
>>and make sure you retain the old ownership and permissions of those 
>>files (e.g. nobody:nobody and 0600).  Slapd (uid nobody) has to open 
>>those files in read-write mode.
>>
>>
>----
>it would appear that having the above contents of /opt/fedora-ds/alias
>and the db files chmod 600 nobody:nobody as per above - that even though
>I generated them ultimately with openssl and not certutil and they are
>listed in both Administration and Directory consoles in both CA Certs
>and Server Certs that I am good to go to next step.
>
Ok.

>Thanks
>
>Craig
>
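
The copy step discussed in this message (new key3.db and cert8.db over the instance's slapd-srv1-key3.db and slapd-srv1-cert8.db, with slapd stopped and the old ownership and 0600 mode retained), as an added shell example that is not part of the original thread. The function names and the `.orig` backup suffix are this example's own choices, and it assumes Linux /proc plus GNU stat and cp:

```shell
#!/bin/sh
# Added example, not from the thread. Assumes Linux /proc and GNU stat/cp.

# True if any process named ns-slapd exists (looked up via /proc).
slapd_running() {
    for comm in /proc/[0-9]*/comm; do
        [ -r "$comm" ] && [ "$(cat "$comm" 2>/dev/null)" = "ns-slapd" ] && return 0
    done
    return 1
}

# Print "mode uid:gid" for a file, e.g. "600 99:99".
perms_of() { stat -c '%a %u:%g' "$1"; }

# install_nss_dbs SRC_DIR ALIAS_DIR INSTANCE
# Copies SRC_DIR/{key3,cert8}.db over ALIAS_DIR/INSTANCE-{key3,cert8}.db.
install_nss_dbs() {
    src=$1; alias_dir=$2; inst=$3
    if slapd_running; then
        echo "ns-slapd is running; stop it first" >&2; return 1
    fi
    # Check everything is present before touching any file.
    for db in key3.db cert8.db; do
        new="$src/$db"; target="$alias_dir/$inst-$db"
        [ -f "$new" ] && [ -f "$target" ] || { echo "missing $new or $target" >&2; return 1; }
    done
    for db in key3.db cert8.db; do
        new="$src/$db"; target="$alias_dir/$inst-$db"
        before=$(perms_of "$target")
        # Backup keeps the mode (and the owner when run as root).
        cp -p "$target" "$target.orig" || return 1
        # Plain cp onto an existing file rewrites its contents in place,
        # so the target keeps its own owner, group and mode.
        cp "$new" "$target" || return 1
        after=$(perms_of "$target")
        [ "$before" = "$after" ] || { echo "$target: $before -> $after" >&2; return 1; }
        case $after in
            600\ *) ;;   # private to the slapd user, as the thread requires
            *) echo "$target: mode is ${after%% *}, expected 600" >&2; return 1 ;;
        esac
    done
}
```

With the layout shown in the thread this would be called as `install_nss_dbs /opt/fedora-ds/alias /opt/fedora-ds/alias slapd-srv1`.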