On Friday 21 September 2007 16:37, Richard Megginson wrote:
Ryan Braun wrote:
On Thursday 20 September 2007 21:36, George Holbert wrote:
Ok so I managed to create a new certificate using subjectAltName extensions, and it works as advertised. I can run ldapsearches on eastldap on both eastldap0.
Now my question is for generating certs for the other servers. Now that I have the CA cert on eastldap0, I would assume I need to install the CA on each additional server. Can I just copy and paste the cacert.asc into the manage certificate wizard?
You cannot use the CA cert to generate server certs. You need the CA cert and key. This CA key was created when you created your initial CA cert. The CA key is stored in the key3.db which you initially created in steps 5 and 6 here - http://directory.fedoraproject.org/wiki/Howto:SSL#Basic_Steps
I would suggest you create all of your server certs using this initial CA cert and key.

cd /opt/fedora-ds/alias
serialnumber=1002
for server in serverFQDN ; do
    ../shared/bin/certutil -d . -S -n "Server-Cert-$server" -s "cn=$server,ou=Fedora Directory Server" -c "CA certificate" -t "u,u,u" -m $serialnumber -v 120 -d . -z noise.txt -f pwdfile.txt
    # each cert must have a unique serial number
    serialnumber=`expr $serialnumber + 1`
    # export the new server cert+key
    ../shared/bin/pk12util -d . -o $server.p12 -n "Server-Cert-$server" -k pwdfile.txt -w pwdfile.txt
done
Rather than run the script, I tried to run it for one example first
eastldap0:/opt/fedora-ds/alias# ../shared/bin/certutil -d . -S -n "Server-Cert-eastldap1" -s "cn=eastldap1.test.com" -c "CA certificate" -t "u,u,u" -m 2000 -v 120 -8 eastldap.test.com,eastldap,eastldap1 -d . -z noise.txt -f pwdfile.txt
Generating key.  This may take a few moments...
eastldap0:/opt/fedora-ds/alias# ../shared/bin/pk12util -d . -o ywgldap1.isb.ec.gc.ca.p12 -n "Server-Cert-ywgldap1" -k pwdfile.txt -w pwdfile.txt
pk12util-bin: PKCS12 EXPORT SUCCESSFUL
So at this point I had the .p12 file and the existing cacert.asc created, and sent them over to eastldap1.
For all of the commands listed above, you may have to specify -P slapd-instance- if you are not using cert8.db and key3.db.
Then, copy each file $server.p12 to that $server, along with the cacert.asc file

Then, on each server:
cd /opt/fedora-ds/alias
../shared/bin/pk12util -d . -P slapd-instance- -i $server.p12 -w pwdfile.txt -k pwdfile.txt
# the -w argument is the file containing the password used to encrypt the .p12 file
# the -k argument is the file containing the password for the new key database
# you may use a different password for -k here - this is the same password used
# in your slapd-instance-pin.txt file
../shared/bin/certutil -A -d . -P slapd-instance- -n "CA certificate" -t "CT,," -a -i cacert.asc
# this imports your CA cert
Now the importing,
eastldap1:/opt/fedora-ds/alias# ../shared/bin/pk12util -d . -P slapd-eastldap1- -i eastldap1.test.com.p12 -w pwdfile-0.txt -k pwdfile.txt
pk12util-bin: PKCS12 IMPORT SUCCESSFUL
ywgldap1:/opt/fedora-ds/alias# ../shared/bin/certutil -A -d . -P slapd-eastldap1- -n "CA certificate" -t "CT,," -a -i cacert.asc
Send over the enable-SSL ldif
ryan@infinity:~/fds-tools$ ldapmodify -x -h eastldap1 -D "cn=directory manager" -W -f ssl_enable.ldif
Enter LDAP Password:
modifying entry "cn=encryption,cn=config"

modifying entry "cn=config"

ryan@infinity:~/fds-tools$ ldapmodify -x -h eastldap1 -D "cn=directory manager" -W -f addrsa.ldif
Enter LDAP Password:
adding new entry "cn=RSA,cn=encryption,cn=config"
But when I restart slapd on eastldap1
Enter PIN for Internal (Software) Token:
[21/Sep/2007:17:52:33 +0000] - SSL alert: Security Initialization: Can't find certificate (Server-Cert) for family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)
[21/Sep/2007:17:52:33 +0000] - SSL alert: Security Initialization: Unable to retrieve private key for cert Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)
[21/Sep/2007:17:52:33 +0000] - SSL failure: None of the cipher are valid
Did I miss importing a private key from somewhere? Do I need to use the cacert.pfx I created in the basic steps?
Thanks
Ryan
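Added here as a worked example; it is not part of this thread and not Fedora Directory Server's own code. The startup errors quoted in the message name the certificate slapd went looking for: the nickname comes from the nsSSLPersonalitySSL attribute of the cn=RSA,cn=encryption,cn=config entry ("Server-Cert" in the Howto's addrsa.ldif), and it must match a nickname present in the instance's NSS database that also carries a private key (the "u" SSL trust flag, which pk12util -i sets when it imports a cert+key pair). The Python below cross-checks a `certutil -L` listing against an RSA family entry and reports either finding. The listing and the LDIF are constructed samples modelled on the nicknames used in the thread, not captured from a real server; the function and variable names are this example's own.

```python
import re

# Constructed sample of `certutil -L -d . -P slapd-eastldap1-` output, modelled on the
# nicknames used in the thread (not captured from a real server).
SAMPLE_CERT_LIST = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CA certificate                                               CT,,
Server-Cert-eastldap1                                        u,u,u
"""

# Constructed RSA family entry in the shape of the Howto's addrsa.ldif.
SAMPLE_RSA_FAMILY_LDIF = """\
dn: cn=RSA,cn=encryption,cn=config
objectclass: top
objectclass: nsEncryptionModule
cn: RSA
nsSSLPersonalitySSL: Server-Cert
nsSSLToken: internal (software)
nsSSLActivation: on
"""

# A certutil -L data row: nickname (may contain single spaces), two or more spaces,
# then the three comma-separated trust columns (SSL, S/MIME, JAR/XPI), any of which may be empty.
_ROW = re.compile(r"^(?P<nick>\S.*?)\s{2,}(?P<trust>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)$")


def parse_certutil_list(text):
    """Map certificate nickname -> trust string from `certutil -L` output."""
    certs = {}
    for line in text.splitlines():
        m = _ROW.match(line.rstrip())
        if m and m.group("nick") != "Certificate Nickname":
            certs[m.group("nick")] = m.group("trust")
    return certs


def rsa_family_nickname(ldif_text):
    """Return the nsSSLPersonalitySSL value (the nickname slapd will look up), or None."""
    for line in ldif_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "nssslpersonalityssl":
            return value.strip()
    return None


def check_ssl_config(cert_list_text, ldif_text):
    """Cross-check the nickname the RSA family expects against the NSS database listing.

    Returns a dict with the expected nickname, whether it is present, whether that
    entry carries a private key ('u' in the SSL trust column), the nicknames actually
    available, and a list of human-readable problems (empty when slapd should be happy).
    """
    certs = parse_certutil_list(cert_list_text)
    nickname = rsa_family_nickname(ldif_text)
    result = {
        "nickname": nickname,
        "present": False,
        "has_private_key": False,
        "available": sorted(certs),
        "problems": [],
    }
    if nickname is None:
        result["problems"].append("RSA family entry has no nsSSLPersonalitySSL attribute")
        return result
    trust = certs.get(nickname)
    if trust is None:
        # This is the mismatch behind "Can't find certificate (<nickname>) for family ..."
        result["problems"].append(
            "nickname %r from nsSSLPersonalitySSL is not in the database "
            "(available: %s)" % (nickname, ", ".join(result["available"]) or "none")
        )
        return result
    result["present"] = True
    ssl_flags = trust.split(",")[0]
    result["has_private_key"] = "u" in ssl_flags
    if not result["has_private_key"]:
        # Cert imported without its key; slapd reports "Unable to retrieve private key"
        result["problems"].append(
            "certificate %r is present but has no private key (no 'u' flag); "
            "the cert+key must come in via pk12util -i, not certutil -A" % nickname
        )
    return result


if __name__ == "__main__":
    for problem in check_ssl_config(SAMPLE_CERT_LIST, SAMPLE_RSA_FAMILY_LDIF)["problems"]:
        print("problem:", problem)
```

On a real instance the listing comes from `certutil -L -d /opt/fedora-ds/alias -P slapd-<instance>-` and the entry from the instance's dse.ldif (or an ldapsearch on cn=RSA,cn=encryption,cn=config). Whichever side is changed, the two must agree: either export and import the server cert under the nickname the entry names, or set nsSSLPersonalitySSL to the nickname that was actually imported.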