[Fedora-directory-users] SSL failure
Marc Sauton
msauton at redhat.com
Fri Feb 27 17:53:44 UTC 2009
Emmanuel BILLOT wrote:
> Hi,
>
> I want to import a personal cert generated lik this :
> * /usr/bin/openssl x509 -extfile .cfg -days 365 -CAserial ca.ser -CA
> ca.crt -CAkey ca.key -in toutou.csr -req -out toutou.crt
> I make a PKCS12 export :
> * /usr/bin/openssl pkcs12 -export -in toutou.crt -inkey toutou.key
> -certfile ca.crt -name "toutou" -caname "toutou" -out toutou.p12
> I introduce it in FDS db :
> * pk12util -d /etc/dirsrv/slapd-ldapnew -n "toutou" -i toutou.p12
> I check import :
> * certutil -L -d /etc/dirsrv/slapd-ldapnew
>
> I configure FDS ti user SSL encryption with management console, and
> restart it.
> It fails with error :
>
> [27/Feb/2009:13:59:17 +0100] - SSL alert: CERT_VerifyCertificateNow:
> verify certificate failed for cert toutou of family
> cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8101
> - Certificate type not approved for application.)
> [27/Feb/2009:13:59:17 +0100] - SSL failure: None of the cipher are valid
Hints should be in "verify certificate failed" and "Certificate type not
approved for application"
From a certutil -L verify your have the correct CA chain, and the
correct trusted flags for both CA chain certs and server cert.
See:
http://directory.fedoraproject.org/wiki/Howto:SSL
http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_SSL-Using_certutil.html
M.
>
> What's wrong ?
> Is there any special option to give to openssl for generating cert ?
>
> BR,
>
More information about the 389-users
mailing list