Re: [Fedora-directory-users] cert signing

Jeff Falgout wrote: > Brian K. Jones said: > >> Hi, >> >> Anyone have a procedure for self signing a certificate request from FDS >> using >> an existing CA cert with openssl? Also - anyone know why I can't just >> use >> an >> existing cert/key pair with FDS that was created and self-signed >> already - >> or >> if I can, how? >> >> brian. > > > > > openssl x509 -req -in /path/to/csr \ > -CA /path/to/cacert \ > -CAkey /path/to/cakey -CAcreateserial \ > -out /path/to/signed.crt > > I just use this command to sign the csr generated from the console. I > haven't figured out how to use an existing cert/key - I'd very much like > to see how to do that. > This was just discussed on IRC, may as well document it here as well. First, head into console and initialize your certificate database and assign a password. To do this, log into the console, select your directory instance and under Tasks select Manage Certificates. If you don't already have a certificate database created, it will prompt you for a password. Now, at a unix prompt, change to your server root as a user that can write to the files in alias (probably root). This assumes that the existing cert is in the file ssl-cert.pem and the existing key is in ssl-key.pem and your instance is named "myinstance": # cd /opt/redhat-ds # openssl pkcs12 -export -in ssl-cert.pem -inkey ssl-key.pem -out ssl-cert.p12 -name "Server-Cert" You now have the openssl cert in a pkcs#12 file (cert and key together) Now import it into your DS database: # shared/bin/pk12util -i ssl-cert.p12 -d alias -P slapd-myinstance- This will work for both Fedora and Red Hat DS. rob ------------------------------------------------------------------------ -- Fedora-directory-users mailing list Fedora-directory-users(a)redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users