[Fedora-directory-users] SSL problem on replication!

Rob Crittenden rcritten at redhat.com
Tue Mar 28 20:33:16 UTC 2006


Richard Megginson wrote:
> Alex wrote:
> 
>>
>>> yea, that's what I was saying earlier.  I think the problem is that 
>>> identical scripts/noise/password files produce identical certs, I 
>>> think.  I had to change both noise & password on the 2nd server to 
>>> produce a 2nd server cert which I could then import into the server A 
>>> DB.
>>
>> Uff...it's a soap-opera :-)...so:
>>
>> For SUSAN:
>>
>> I tried to make a certificate from nodo2 changing both pwdfile.txt and
>> noise.txt...importing CA certificate in nodo1 it return the same
>> error...(same issuer/serial)...have you change only that?
>>
>> For RICHARD:
>>
>> I tried also to make a certificate for nodo2 from nodo1, but when I 
>> try to
>> run Step 7 command, it return an error (same issuer/serial )
>>   
> 
> Ah yes - you must use a unique number for the -m argument.
> 

Ok, a few things. I don't know a lot about the script(s) being used to 
generate the certificates, but the noise file affects only the quality 
of the key generated, not the certificate itself. The idea of using 
noise is to seed the random number generator within NSS so you get a 
good key. The password file also is just a nice thing to have. You can 
have the same password anywhere you want, as long as your policy allows 
it. It also ultimately allows for unattended startup.

If I understand it, you want to issue 2 server certs using the same CA. 
Here is what you need to do. You can do this all on one machine if you 
want, then move the database.

I'm going to skip the -P argument for brevity, you can rename the 
database later.

I'm also skipping the password and noise files. The difference is that 
you'll be prompted a few times for your PIN and to enter a bunch of 
keystrokes to seed the random number generator, no big deal.

Note that I tend to use a lot of certificate extensions, so this may 
differ from the setupssl script.

The serial number I'm using starts at 1. It doesn't really matter, as 
long as they are all unique.

1. Create a certificate database.

# cd /opt/fedora-ds/alias
# ../shared/bin/certutil -N -d .

2. Generate your self-signed CA

# ../shared/bin/certutil -S -d . -n 'CA Certificate' -s 'cn=CAcert' -x -t CTu,CTu,CTu -g 1024 -m 1 -v 120 -2 -1 -5

(type in a bunch of characters)

You will answer:

5 - Cert signing key
9 - finish
n - not a critical extension
y - yes CA cert
10 - path length
y - critical extension
5 - SSL CA
6 - SSL S/MIME CA
7 - Object Signing CA
9 - finish
n - not a critical extension

3. Generate server key and certificate for server #1

# ../shared/bin/certutil -R -d . -s 'CN=hostname.example.com,ou=Fedora Directory Server' -o tmpcertreq -g 1024
# ../shared/bin/certutil -C -d . -c "CA Certificate" -i tmpcertreq -o tmpcert.der -m 3 -v 120 -1 -5

You will answer:

2 - Key encipherment
9 - finish
n - not a critical extension
1 - SSL server
9 - finish
n - not a critical extension

4. Import the server certificate

# ../shared/bin/certutil -A -d . -n "host.example.com" -t u,u,u -i tmpcert.der
# rm tmpcert.der
# rm tmpcertreq

5. Generate server key and certificate for server #2

# ../shared/bin/certutil -R -d . -s 'CN=hostname2.example.com,ou=Fedora Directory Server' -o tmpcertreq -g 1024
# ../shared/bin/certutil -C -d . -c "CA Certificate" -i tmpcertreq -o tmpcert.der -m 4 -v 120 -1 -5

You will answer:

2 - Key encipherment
9 - finish
n - not a critical extension
1 - SSL server
9 - finish
n - not a critical extension

6. Import the server certificate

# ../shared/bin/certutil -A -d . -n "host2.example.com" -t u,u,u -i tmpcert.der
# rm tmpcert.der
# rm tmpcertreq

7. List your certs:
# ../shared/bin/certutil -L -d .
CA certificate                                               CTu,Cu,Cu
host.example.com                                             u,u,u
host2.example.com                                            u,u,u

8. Verify your certificates just to be sure:

# ../shared/bin/certutil -V -u V -d . -n host.example.com
certutil-bin: certificate is valid
# ../shared/bin/certutil -V -u V -d . -n host2.example.com
certutil-bin: certificate is valid

Now you have one certificate database with a self-signed CA and 2 server 
certificates. Now just copy this database to server #2.

If you want you can remove the extra server cert from each of the 
databases, so on server #1 you would do:

# ../shared/bin/certutil -D -d . -n "host2.example.com"

And on server #2 you would do:

# ../shared/bin/certutil -D -d . -n "host.example.com"

Now you can rename the database with your prefix and away you go.

Create a pin file if you want.

And finally, double check the file permissions! The database(s) need to 
be owned by the user that the server runs as and permissions should be 600.
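The same issuance flow as steps 3 through 6 above, wrapped in a script that hands out a fresh -m serial number from a counter file so that two certs signed by the same CA can never collide on issuer/serial (the error in the thread). This is an added example, not Rob's or the setupssl script's code; the certutil path, database directory, CA nickname and counter-file name are assumptions, and the extension answers are the ones listed in the steps above.

```shell
#!/bin/sh
# Added example: script the certutil steps from the post with a persistent
# serial counter. Paths and names below are assumptions (override via env).
CERTUTIL=${CERTUTIL:-/opt/fedora-ds/shared/bin/certutil}
DB=${DB:-/opt/fedora-ds/alias}
CA_NICK=${CA_NICK:-CA Certificate}
SERIAL_FILE=${SERIAL_FILE:-$DB/serial.txt}   # assumed counter file, holds next -m value

# Print the next serial number and persist the incremented counter.
# Every cert issued by this CA must get a different value, otherwise
# importing the second one fails with "same issuer/serial".
next_serial() {
    n=$(cat "$SERIAL_FILE" 2>/dev/null)
    [ -n "$n" ] || n=1
    echo "$n"
    echo $((n + 1)) > "$SERIAL_FILE"
}

# Request, sign and import a server cert for the FQDN in $1 (steps 3/4 of the post).
# Key size 1024 is the post's value; pick a larger key for current deployments.
issue_server_cert() {
    host=$1
    serial=$(next_serial)
    req=$(mktemp) || return 1
    der=$(mktemp) || return 1
    noise=$(mktemp) || return 1
    head -c 1024 /dev/urandom > "$noise"          # seed NSS key generation (-z)
    "$CERTUTIL" -R -d "$DB" -z "$noise" -g 1024 \
        -s "CN=$host,ou=Fedora Directory Server" -o "$req" || return 1
    # Extension answers from the post, fed on stdin:
    # 2 key encipherment, 9 finish, n non-critical, 1 SSL server, 9 finish, n non-critical
    printf '2\n9\nn\n1\n9\nn\n' | "$CERTUTIL" -C -d "$DB" -c "$CA_NICK" \
        -i "$req" -o "$der" -m "$serial" -v 120 -1 -5 || return 1
    "$CERTUTIL" -A -d "$DB" -n "$host" -t u,u,u -i "$der" || return 1
    rm -f "$req" "$der" "$noise"
    echo "$host issued with serial $serial"
}

# Final check from the post: the server's DB files must not be world/group readable.
lock_down_db() {
    chmod 600 "$DB"/*.db
}
```

Run `issue_server_cert hostname.example.com` and `issue_server_cert hostname2.example.com` against the same database and both certs import cleanly because each call consumed a distinct serial.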

Hope this helps.

rob