[Fedora-directory-users] question about SSL configuration with IP takeover HA setup

Richard Megginson rmeggins at redhat.com
Fri Sep 21 18:27:56 UTC 2007


Ryan Braun wrote:
> On Friday 21 September 2007 16:37, Richard Megginson wrote:
>   
>> Ryan Braun wrote:
>>     
>>> On Thursday 20 September 2007 21:36, George Holbert wrote:
>>>
>>> Ok so I managed to create a new certificate using subjectAltName
>>> extensions, and it works as advertised.  I can run ldapsearches on
>>> eastldap on both eastldap0.
>>>
>>> Now my question is for generating certs for the other servers.  Now that
>>> I have the CA cert on eastldap0,  I would assume I need to install the CA
>>> on each additional server.  Can I just copy and paste the cacert.asc into
>>> the manage certificate wizard?
>>>       
>> You cannot use the CA cert to generate server certs.  You need the CA
>> cert and key.  This CA key was created when you created your initial CA
>> cert.  The CA key is stored in the key3.db which you initially
>> created in steps 5 and 6 here -
>> http://directory.fedoraproject.org/wiki/Howto:SSL#Basic_Steps
>>
>> I would suggest you create all of your server certs using this initial
>> CA cert and key.
>> cd /opt/fedora-ds/alias
>> serialnumber=1002
>> for server in serverFQDN ; do
>>   ../shared/bin/certutil -d . -S -n "Server-Cert-$server" -s "cn=$server,ou=Fedora Directory Server" -c "CA certificate" -t "u,u,u" -m $serialnumber -v 120 -z noise.txt -f pwdfile.txt
>>   # each cert must have a unique serial number
>>   serialnumber=`expr $serialnumber + 1`
>>   # export the new server cert+key
>>   ../shared/bin/pk12util -d . -o $server.p12 -n "Server-Cert-$server" -k pwdfile.txt -w pwdfile.txt
>> done
>>     
> Rather than run the script,  I tried to run it for one example first
>
> eastldap0:/opt/fedora-ds/alias#../shared/bin/certutil -d . -S -n "Server-Cert-eastldap1" -s "cn=eastldap1.test.com" -c "CA certificate" -t "u,u,u" -m 2000 -v 120 -8 eastldap.test.com,eastldap,eastldap1 -d . -z noise.txt -f pwdfile.txt
> Generating key.  This may take a few moments...
> eastldap0:/opt/fedora-ds/alias#../shared/bin/pk12util -d . -o ywgldap1.isb.ec.gc.ca.p12 -n "Server-Cert-ywgldap1" -k pwdfile.txt -w pwdfile.txt
> pk12util-bin: PKCS12 EXPORT SUCCESSFUL
>
> So at this point I had the .p12 file and the existing cacert.asc created,  and sent them over to eastldap1.
>
>   
>> For all of the commands listed above, you may have to specify -P
>> slapd-instance- if you are not using cert8.db and key3.db.
>>
>> Then, copy each file $server.p12 to that $server, along with the
>> cacert.asc file
>> Then, on each server:
>> cd /opt/fedora-ds/alias
>> ../shared/bin/pk12util -d . -P slapd-instance- -i $server.p12 -w pwdfile.txt -k pwdfile.txt
>> # the -w argument is the file containing the password used to encrypt the .p12 file
>> # the -k argument is the file containing the password for the new key database
>> # you may use a different password for -k here - this is the same password used
>> # in your slapd-instance-pin.txt file
>>
>> ../shared/bin/certutil -A -d . -P slapd-instance- -n "CA certificate" -t "CT,," -a -i cacert.asc
>>
>> # this imports your CA cert
>>     
>
> Now the importing, 
>
> eastldap1:/opt/fedora-ds/alias# ../shared/bin/pk12util -d . -P slapd-eastldap1- -i eastldap1.test.com.p12 -w pwdfile-0.txt -k pwdfile.txt
> pk12util-bin: PKCS12 IMPORT SUCCESSFUL
> ywgldap1:/opt/fedora-ds/alias# ../shared/bin/certutil -A -d . -P slapd-eastldap1- -n "CA certificate" -t "CT,," -a -i cacert.asc
>
>
> Send over enable ssl ldif
>
> ryan at infinity:~/fds-tools$ ldapmodify -x -h eastldap1 -D "cn=directory manager" -W -f ssl_enable.ldif
> Enter LDAP Password:
> modifying entry "cn=encryption,cn=config"
>
> modifying entry "cn=config"
> ryan at infinity:~/fds-tools$ ldapmodify -x -h eastldap1 -D "cn=directory manager" -W -f addrsa.ldif
> Enter LDAP Password:
> adding new entry "cn=RSA,cn=encryption,cn=config"
>
> But when I restart slapd on eastldap1
>
> Enter PIN for Internal (Software) Token:
> [21/Sep/2007:17:52:33 +0000] - SSL alert: Security Initialization: Can't find certificate (Server-Cert) for family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)
> [21/Sep/2007:17:52:33 +0000] - SSL alert: Security Initialization: Unable to retrieve private key for cert Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)
> [21/Sep/2007:17:52:33 +0000] - SSL failure: None of the cipher are valid
>
> Did I miss importing a private key from somewhere?  Do I need to use the cacert.pfx I created in the basic steps?
>   
No.  I think the problem is that the name of the server cert in the cert 
db is Server-Cert-$server not Server-Cert.  I thought there was an 
option to pk12util to import it and rename it, but apparently not.  To 
find out what the server cert name is:
cd /opt/fedora-ds/alias
../shared/bin/certutil -L -d . -P slapd-eastldap1-
I'm assuming it will be Server-Cert-$server
Unless someone knows an easy way to rename it, you can just tell slapd 
to use the new name.
stop-slapd
edit dse.ldif - look for Server-Cert and change it to whatever the 
actual name of your server cert is (Server-Cert-$server)
save and start-slapd
> Thanks 
>
> Ryan
>
>
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>   
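The failure at restart comes from a nickname mismatch: the cert was imported as Server-Cert-eastldap1 while dse.ldif still tells slapd to use Server-Cert. The following is an added example, not code from this thread or from Fedora Directory Server; it checks, before a restart, that the nickname configured in the cn=RSA,cn=encryption,cn=config entry (the nsSSLPersonalitySSL attribute, which is the real attribute slapd reads) exists in the NSS database listing, and rewrites the entry to the single u,u,u server cert when it does not. The certutil -L listing and the dse.ldif fragment are constructed sample text so the script runs offline; on a real server you would feed it the output of `../shared/bin/certutil -L -d . -P slapd-instance-` and the stopped instance's dse.ldif.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Pure POSIX sh + sed/grep,
# so it can be run offline against captured certutil output and dse.ldif text.

# Constructed stand-in for `certutil -L -d . -P slapd-eastldap1-` output.
SAMPLE_CERT_LIST='Certificate Nickname                        Trust Attributes
                                            SSL,S/MIME,JAR/XPI

CA certificate                              CT,,
Server-Cert-eastldap1                       u,u,u'

# Constructed stand-in for the RSA family entry in dse.ldif.
SAMPLE_DSE='dn: cn=RSA,cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionModule
cn: RSA
nsSSLPersonalitySSL: Server-Cert
nsSSLToken: internal (software)
nsSSLActivation: on'

# All nicknames in a certutil -L listing, trust-flag column stripped.
all_nicknames() {
    printf '%s\n' "$1" | sed -n 's/[[:space:]]\{2,\}[CTPcpu,]*[[:space:]]*$//p'
}

# Only the nicknames carrying the "u,u,u" flags, i.e. certs with a private key
# usable as a server cert (one per line).
server_cert_nicknames() {
    printf '%s\n' "$1" | sed -n 's/[[:space:]]\{2,\}u,u,u[[:space:]]*$//p'
}

# The nickname slapd is configured to use (first nsSSLPersonalitySSL value).
configured_nickname() {
    printf '%s\n' "$1" | sed -n 's/^nsSSLPersonalitySSL: //p' | head -n 1
}

# Exit 0 when the configured nickname is present in the cert DB listing.
# Running this before start-slapd catches the -8174 "Can't find certificate"
# failure without having to restart and read the error log.
nickname_matches() {
    want=$(configured_nickname "$2")
    [ -n "$want" ] || return 1
    all_nicknames "$1" | grep -qxF -- "$want"
}

# Rewrite nsSSLPersonalitySSL in the dse.ldif text to the given nickname.
# (Nicknames here contain no sed metacharacters; quote them if yours do.)
set_nickname() {
    printf '%s\n' "$1" | sed "s/^nsSSLPersonalitySSL: .*/nsSSLPersonalitySSL: $2/"
}

# The fix from the thread: point dse.ldif at the cert that is actually in the
# database. Refuses to guess when there is not exactly one u,u,u cert.
fix_dse() {
    nicks=$(server_cert_nicknames "$1")
    [ "$(printf '%s\n' "$nicks" | grep -c .)" -eq 1 ] || return 1
    set_nickname "$2" "$nicks"
}

# Stand-alone run on the constructed samples.
if nickname_matches "$SAMPLE_CERT_LIST" "$SAMPLE_DSE"; then
    echo "nickname OK: $(configured_nickname "$SAMPLE_DSE")"
else
    echo "nickname $(configured_nickname "$SAMPLE_DSE") not in cert DB; rewriting"
    fix_dse "$SAMPLE_CERT_LIST" "$SAMPLE_DSE"
fi
```

The stand-alone run prints the rewritten entry with `nsSSLPersonalitySSL: Server-Cert-eastldap1`. To apply it on a server, stop slapd first, run `fix_dse` over the real listing and the real dse.ldif, write the result back, then start-slapd; the same trust-flag parsing also doubles as a check that the CA cert was imported with `CT,,`.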
