[Fedora-directory-users] Converting a 4-way replication setup to SSL

Rob Crittenden rcritten at redhat.com
Tue Jul 11 12:52:44 UTC 2006 

Philip Kime wrote:
> What a nightmare.
>  
> I tried to use the script on the Wiki but this isn't really set up to do
> this. I would like one CA and then to generate all of the DS and AS
> certificates from this. I can't work out if I need to copy the CA db or
> just the .asc file to the other servers to generate the certs - it seems
> to need the key for the CA cert and also the noise and pwd files? I
> finally got two servers on SSL but they won't replicate as they don't
> like each other's certificates even though I had the CA certs on both
> servers.
>  
> I have spent eight hours getting nowhere and will have to start again
> from scratch. If there are any clues on how to:
>  
> Have one CA for all server certs
> How to install this CA cert on all servers
> What is needed for replication over SSL to work
>  
>

It sounds like you're trying to use the setupssl.sh script from the How 
to at http://directory.fedora.redhat.com/wiki/Howto:SSL. It isn't really 
designed to be a poor-man's CA, as you're seeing.

I can't help with the replication but I can help getting SSL set up.

It should be possible to use this setupssl.sh script, here is one way. 
Just know that setting up a PKI infrastructure is hard (and harder to do 
properly). If this CA is going to be only used for the replication 
agreements it's probably fine. If you want to use it for web servers, 
client certificates, LDAP-based login, you may want to spend some time 
planning.

In any case, let's jump right in.

Normally when one has a CA you keep the key material locked away and 
just pulled it out when you want to issue a new certificate. If you 
really are going to use this just for replication agreements this is 
less a problem.

I'm assuming you have 4 servers, A-D, and each server only 1 instance 
installed.

So, start with server A, and blow away 
/opt/fedora-ds/alias/slapd-<instance>-*.db (or better, make a copy 
somewhere in case you ever want it).

This is going to be our "master" server. Run setupssl.sh.

You now have a self-signed CA that has issued a server certificate for 
server A. The nickname is Server-Cert.

Now you could just copy this whole certificate database to the other 
machines, tweak setupssl.sh a bit, and re-run it and get your 
certificates that way, but you'd really be spreading your CA keys all 
over the place, so I'm not going to do that.

Instead we're going to use the server A certificate database to generate 
the 3 remaining certificates we need.

You'll do this 3 times:

1. edit setupssl.sh and find step 7
2. replace myhost=`hostname --fqdn` with myhost="foo.domain.com" where 
foo.domain.com is the output of hostname -fqdn on the target server (B, 
C or D).
3. Find the certutil line 2 lines below this myhost statement you'll see 
something like "-m 1001". Increment this starting from 1003. This is the 
certificate serial number and it needs to be unique. 1002 is the server 
A admin server certificate.
4. in the same line you'll see -n "Server-Cert". This nickname needs to 
be unique, pick another one. It could be Server-CertB, a name, it isn't 
important as long as it is unique.
5. run setupssl.sh

Now that you've done this 3 times, you now have in server A a 
certificate database with a CA certificate and 4 server certificates (5 
if you count the admin one)

IMPORTANT: there is a trailing dash (-) at the end of each -P argument. 
If you do not have this dash things will not work.

Now we need to export the 3 other server certificates, we do this with:

# cd /opt/fedora-ds/alias
# ../shared/bin/pk12util -o serverb.p12 -P slapd-<instance>- -d . -n 
"Server-CertB"

Do this for each of the 3 nicknames you created.

Do the following on servers B - D. Note that the prefix for 
slapd-<instance> will likely be different for each server.

1. Copy the appropriate server?.p12 and the file cacert.asc to 
/opt/fedora-ds/alias on the target server (B,C,D)
2. Remove/archive *.db
3. Generate a new database with:
   # ../shared/bin/certutil -N -P slapd-<instance>- -d .
4. Import the CA certificate with:
   # ../shared/bin/certutil -A -d . -P slapd-<instance>- -n "CA 
certificate" -t "CT,," -a -i cacert.asc
5. Import your server certificate with:
   # ../shared/bin/pk12util -i serverb.p12 -P slapd-<instance>- -d . -n 
"Server-CertB"
6. Check ownership/permissions of the database(s). They should be owned 
by nobody by default.

I think it would probably best to do this just on Server A and B and 
give it a quick test. You can always go back and add in C and D later.

This would be infinitely easier if you had a real CA.

There are also easier ways to do this using a combination of the java 
console and the command-line, but I've stuck with the command-line here.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3178 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/fedora-directory-users/attachments/20060711/6f97722a/attachment.bin>

More information about the Fedora-directory-users mailing list