Jeff Falgout wrote:
> Brian K. Jones said:
>
>> Hi,
>>
>> Anyone have a procedure for self signing a certificate request from FDS
>> using an existing CA cert with openssl? Also - anyone know why I can't
>> just use an existing cert/key pair with FDS that was created and
>> self-signed already - or if I can, how?
>>
>> brian.
>
> openssl x509 -req -in /path/to/csr \
> -CA /path/to/cacert \
> -CAkey /path/to/cakey -CAcreateserial \
> -out /path/to/signed.crt
>
> I just use this command to sign the csr generated from the console. I
> haven't figured out how to use an existing cert/key - I'd very much like
> to see how to do that.
>
This was just discussed on IRC, may as well document it here as well.
First, head into console and initialize your certificate database and
assign a password. To do this, log into the console, select your
directory instance and under Tasks select Manage Certificates. If you
don't already have a certificate database created, it will prompt you
for a password.
Now, at a unix prompt, change to your server root as a user that can
write to the files in alias (probably root).
This assumes that the existing cert is in the file ssl-cert.pem and the
existing key is in ssl-key.pem and your instance is named "myinstance":
# cd /opt/redhat-ds
# openssl pkcs12 -export -in ssl-cert.pem -inkey ssl-key.pem \
    -out ssl-cert.p12 -name "Server-Cert"
You now have the openssl cert in a pkcs#12 file (cert and key together).
Now import it into your DS database:
# shared/bin/pk12util -i ssl-cert.p12 -d alias -P slapd-myinstance-
This will work for both Fedora and Red Hat DS.
rob
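The following is an added example, not part of this thread, that runs both halves of the discussion end to end: signing a CSR with an existing CA the way Jeff's openssl x509 -req command does, checking that the result chains to the CA, and then packaging the cert and key into a PKCS#12 file under the "Server-Cert" nickname as in Rob's steps. It assumes openssl is on PATH; the CA, key, subject names, password and all paths are constructed in a temporary directory, and pk12util itself is not run because that needs the DS alias database.

```shell
#!/bin/sh
# Added example (not from the thread). Builds a throwaway CA, signs a CSR with it
# as in Jeff's command, then bundles cert+key into PKCS#12 as in Rob's steps.
# Assumptions: openssl on PATH; every path, name and password below is constructed.
set -eu

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# 1. Throwaway CA key + self-signed CA cert (stands in for the "existing CA cert").
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Example Test CA" \
    -keyout "$work/cakey.pem" -out "$work/cacert.pem" 2>/dev/null
}

# 2. Server key + CSR (stands in for the CSR exported from the FDS console).
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=ldap.example.test" \
    -keyout "$work/ssl-key.pem" -out "$work/server.csr" 2>/dev/null
}

# 3. Sign the CSR with the CA: the same openssl x509 -req invocation Jeff posted.
sign_csr() {
  openssl x509 -req -in "$work/server.csr" -CA "$work/cacert.pem" \
    -CAkey "$work/cakey.pem" -CAcreateserial -days 365 \
    -out "$work/ssl-cert.pem" 2>/dev/null
}

# 4. Check that the signed cert really chains to the CA before importing anything.
verify_chain() {
  openssl verify -CAfile "$work/cacert.pem" "$work/ssl-cert.pem" >/dev/null 2>&1
}

# 5. Bundle cert + key into PKCS#12 under the nickname FDS expects (Rob's step).
make_p12() {
  openssl pkcs12 -export -in "$work/ssl-cert.pem" -inkey "$work/ssl-key.pem" \
    -name "Server-Cert" -passout pass:changeit -out "$work/ssl-cert.p12" 2>/dev/null
}

# 6. Read back the friendly name; this is the nickname pk12util would import.
p12_friendly_name() {
  openssl pkcs12 -in "$work/ssl-cert.p12" -passin pass:changeit -nokeys 2>/dev/null \
    | sed -n 's/^ *friendlyName: //p' | head -n 1
}

# Run the whole pipeline; returns non-zero if any step (including the chain check) fails.
run_all() { make_ca && make_csr && sign_csr && verify_chain && make_p12; }
```

After `run_all` succeeds, `$work/ssl-cert.p12` is the file you would hand to pk12util exactly as in Rob's import command.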
------------------------------------------------------------------------
--
Fedora-directory-users mailing list
Fedora-directory-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users