xinhuan zheng wrote:
> Hello,
> I need to create a certificate signing request file that can be sent to certificate
> authority vendors, like GoDaddy, etc. I have two questions:
> 1) The certutil command line outputs a CSR file which has a different format than the CSR
> file generated using 389-console, the GUI. The main difference is that the certutil command
> line generates something like:
> Certificate request generated by Netscape certutil
> Phone: xxx-xxx-xxxx
> Common Name: ....
> Email: (not specified)
> Organization: my organization
> State: ...
> Country: US
> Following the above is the "BEGIN NEW CERTIFICATE" section.
> However, with the GUI, only the "BEGIN NEW CERTIFICATE" section is there.
> Why do the two methods generate different output files? Will it be OK to just use the certutil
> command output with the "BEGIN NEW CERTIFICATE" section to send to the vendor?

The other bits are just a comment. You can strip them out if you want. As
for why they are different I don't know, that is probably lost to time
but it's been doing that since the late 90's in the Netscape products.

> 2) Do I also need to create a certificate signing request file for each
> admin server? Will that be the same procedure for the directory server instance?

Yes, you need a CSR for each server. The issued certificate will have
the hostname for that server baked into it and it needs to match the
server name.
I believe the procedure is very similar for the directory server cert
though it's been quite a long time since I've done this.
rob
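
Stripping the comment header as described in the reply above, shown as an added example that is not part of the original thread: it keeps only the request block and checks that the base64 payload is one complete DER SEQUENCE, so a request truncated during copy and paste is caught before it goes to the vendor. The function names, the subject values and the stand-in payload are constructed for illustration; the sample is shaped like the certutil output quoted in the question.

```python
import base64
import re

# certutil writes "NEW CERTIFICATE REQUEST"; the plain label is matched too.
_BLOCK = re.compile(
    r"-----BEGIN ((?:NEW )?)CERTIFICATE REQUEST-----\r?\n(.*?)"
    r"-----END \1CERTIFICATE REQUEST-----", re.DOTALL)

def _check_outer_sequence(der):
    """Confirm the payload is one DER SEQUENCE whose length covers every byte."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("payload is not a DER SEQUENCE")
    length, header = der[1], 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        count = length & 0x7F
        if count == 0 or len(der) < 2 + count:
            raise ValueError("malformed DER length")
        length, header = int.from_bytes(der[2:2 + count], "big"), 2 + count
    if header + length != len(der):
        raise ValueError("DER length mismatch: request truncated or padded")

def strip_csr_comments(text):
    """Return only the PEM request block, without the comment header."""
    blocks = list(_BLOCK.finditer(text))
    if len(blocks) != 1:
        raise ValueError(f"expected one request block, found {len(blocks)}")
    label, body = blocks[0].group(1), "".join(blocks[0].group(2).split())
    _check_outer_sequence(base64.b64decode(body, validate=True))
    wrapped = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\n".join([f"-----BEGIN {label}CERTIFICATE REQUEST-----", *wrapped,
                      f"-----END {label}CERTIFICATE REQUEST-----"]) + "\n"

def make_sample(der):
    """Constructed input shaped like the output quoted in the thread."""
    return ("Certificate request generated by Netscape certutil\n"
            "Phone: (not specified)\n"
            "Common Name: ldap.example.test\n"
            "Email: (not specified)\n"
            "Organization: Example Org\n"
            "State: (not specified)\n"
            "Country: US\n\n"
            "-----BEGIN NEW CERTIFICATE REQUEST-----\n"
            + base64.b64encode(der).decode() + "\n"
            "-----END NEW CERTIFICATE REQUEST-----\n")

# Constructed stand-in payload: a well-formed DER SEQUENCE, not a real CSR.
FAKE_DER = bytes.fromhex("300902010030003000a000")

if __name__ == "__main__":
    print(strip_csr_comments(make_sample(FAKE_DER)), end="")
```

The check covers only the outer DER framing; it does not verify the request's signature or subject.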