[389-users] advice on ssl cert rotation

Gerrard Geldenhuis Gerrard.Geldenhuis at betfair.com
Wed Mar 2 09:10:44 UTC 2011


I use the following command.

certutil -A -n 'certname' -t 'u,,' -d . -i certfile.pem

If you change the cert database it has been my experience that you need to restart the admin or dir server depending on which db you changed as the changes don't get re-read after startup.

Regards


> -----Original Message-----
> From: 389-users-bounces at lists.fedoraproject.org [mailto:389-users-
> bounces at lists.fedoraproject.org] On Behalf Of Rob Crittenden
> Sent: 02 March 2011 04:48
> To: General discussion list for the 389 Directory server project.
> Subject: Re: [389-users] advice on ssl cert rotation
> 
> Christopher Wood wrote:
> > You can use certutil to manually modify the cert stores. If you installed via
> rpm this will already be on your systems.
> >
> > Not at my work systems so I don't recall which package it's in.
> 
> nss-tools.
> 
> Do you already have the new certificate? If you have it in PKCS#12 format
> then you can use pk12util to load it into the appropriate NSS database (I'm
> not sure where the admin server db is, you should be able to find it in the
> admin server configuration).
> 
> If you have an updated certificate in the 389-ds NSS database under a
> different nickname and you just need to tell it to use the new one you can
> edit /etc/dirsrv/slapd-INSTANCE/dse.ldif and tell it the nickname to use.
> Look for nsSSLPersonalitySSL
> 
> rob
> 
> > On Tue, Mar 01, 2011 at 07:27:53PM -0800, jon heise wrote:
> >>     Recently i had ssl certs expire on my directory servers, currently i have
> >>     one running without using an ssl cert, the secondary server is still set
> >>     to use the old cert and as such it is not functioning.  On the primary
> >>     server the admin server has been set to use a new self signed cert but
> we
> >>     are locked out of that.  Is there a way to change what cert the ldap
> >>     server will load without the use of the admin server ?
> >
> >> --
> >> 389 users mailing list
> >> 389-users at lists.fedoraproject.org
> >> https://admin.fedoraproject.org/mailman/listinfo/389-users

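The three replies above together sketch one procedure: get the new certificate into the instance's NSS database (certutil -A for a cert whose key is already there, pk12util for a PKCS#12 bundle with cert and key), point nsSSLPersonalitySSL in dse.ldif at the new nickname, and restart so the database is re-read. The script below is an added example written for this page; it is not from the thread or from the 389 project. It assumes an instance directory of /etc/dirsrv/slapd-INSTANCE, a PKCS#12 file holding the new cert and private key, a password file containing only the NSS DB password (389-ds's own pin.txt is "token:password" and is not in certutil's format), a file holding the PKCS#12 password, and an init-script system where "service dirsrv stop|start INSTANCE" works. The dse.ldif sample at the bottom is constructed test data. Stand-alone it only demonstrates the dse.ldif edit; the real rotation runs only when invoked with the "rotate" argument.

```shell
#!/bin/sh
# Added example (not from the thread): rotate the 389-ds server certificate
# from the shell, without the admin server.
#
# Assumptions (hypothetical, not taken from the original messages):
#   $2  instance name; NSS DB and dse.ldif live in /etc/dirsrv/slapd-$2
#   $3  PKCS#12 file holding the new cert AND its private key
#   $4  nickname to import it under (e.g. Server-Cert-2011)
#   $5  file containing only the NSS DB password (not 389-ds's pin.txt)
#   $6  file containing the PKCS#12 password
set -eu

# Print the nickname currently configured under cn=RSA,cn=encryption,cn=config.
current_ssl_nickname() {
    sed -n 's/^nsSSLPersonalitySSL: //p' "$1"
}

# Replace the nsSSLPersonalitySSL value in a dse.ldif. 389-ds rewrites
# dse.ldif on shutdown, so run this only while the instance is stopped or
# the edit is lost. Returns 1 and leaves the file untouched if the
# attribute is missing, instead of silently doing nothing.
set_ssl_nickname() {
    ldif=$1 nick=$2
    tmp=$(mktemp)
    if awk -v nick="$nick" '
            /^nsSSLPersonalitySSL: / { print "nsSSLPersonalitySSL: " nick; n++; next }
            { print }
            END { exit n ? 0 : 1 }' "$ldif" > "$tmp"; then
        cat "$tmp" > "$ldif"      # overwrite in place, keep owner and mode
        rm -f "$tmp"
    else
        rm -f "$tmp"
        echo "no nsSSLPersonalitySSL attribute in $ldif" >&2
        return 1
    fi
}

# Import, verify, activate. The verification is the part that gets skipped:
# certutil -V -u V fails if the cert is expired, not yet valid, lacks a
# trusted issuer in this DB, or is not usable as an SSL server cert, and
# certutil -K confirms the private key really landed in the key DB. Both
# run before the server is pointed at the new nickname.
rotate_server_cert() {
    inst=$1 p12=$2 nick=$3 dbpw=$4 p12pw=$5
    dir=/etc/dirsrv/slapd-$inst

    service dirsrv stop "$inst"
    cp -p "$dir/dse.ldif" "$dir/dse.ldif.pre-rotate"

    pk12util -i "$p12" -d "$dir" -k "$dbpw" -w "$p12pw"
    certutil -V -n "$nick" -d "$dir" -u V
    certutil -K -d "$dir" -f "$dbpw" | grep -F -- "$nick" >/dev/null

    set_ssl_nickname "$dir/dse.ldif" "$nick"
    service dirsrv start "$inst"      # cert DB is only read at startup
}

# What a client actually sees on the LDAPS listener after the restart.
check_listener() {
    openssl s_client -connect "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -subject -enddate
}

# Offline demonstration on a constructed dse.ldif fragment (sample data,
# not a real instance).
sample=$(mktemp)
cat > "$sample" <<'EOF'
dn: cn=RSA,cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionModule
cn: RSA
nsSSLPersonalitySSL: Server-Cert
nsSSLToken: internal (software)
nsSSLActivation: on
EOF
echo "before: $(current_ssl_nickname "$sample")"
set_ssl_nickname "$sample" Server-Cert-2011
echo "after:  $(current_ssl_nickname "$sample")"
rm -f "$sample"

# Real run: ./rotate-cert.sh rotate INSTANCE new.p12 Server-Cert-2011 dbpw.txt p12pw.txt
if [ "${1:-}" = rotate ]; then
    shift
    rotate_server_cert "$@"
    check_listener localhost:636
fi
```

The backup copy of dse.ldif is what lets you roll back if the server refuses to start with the new nickname; the same stop, edit, start sequence with the old nickname restores service. If the secondary server in the original question still references an expired nickname, set_ssl_nickname on its dse.ldif while it is stopped is enough to switch it, once a valid cert and key are present in its own NSS database.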