Hi,
I'm trying to renew a certificate in 389 server.
https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/ht...
I've created a new private key and CSR with
certutil -d /etc/dirsrv/slapd-instance/ -R -g 4096 -a \ -o /root/slapd-name.csr -8 name.fqdn \ -s "CN=name.fqdn,O=org,ST=State,C=CH"
I try to import it with
certutil -d /etc/dirsrv/slapd-instance/ -A \ -n "Server Cert" -t ",," -a -i /root/slapd-name.crt
But this results in "certutil: could not add certificate to token or database: SEC_ERROR_ADDING_CERT: Error adding certificate to database."
If I try this using the GUI, I also get the NSS error code 8168
What exactly is the problem? It seems there is no "verbose" switch for certutil - or at least it's not documented.
389-admin-1.1.46-1.el7.x86_64 389-admin-console-1.1.12-1.el7.noarch 389-admin-console-doc-1.1.12-1.el7.noarch 389-adminutil-1.1.22-2.el7.x86_64 389-console-1.1.19-6.el7.noarch 389-ds-base-1.3.10.1-9.el7_8.x86_64 389-ds-base-libs-1.3.10.1-9.el7_8.x86_64 389-ds-base-snmp-1.3.10.1-9.el7_8.x86_64 389-ds-console-1.2.16-1.el7.noarch 389-ds-console-doc-1.2.16-1.el7.noarch
CentOS 7, 64bit.
Now, I tried to list the private keys with -K, I get
certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.
Is there documentation on how to upgrade the database?
Rainer
Am 2020-08-24 09:24, schrieb rainer@ultra-secure.de:
Hi,
[...]
Now, I tried to list the private keys with -K, I get
certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.
Ah, forget the "-d" switch.
I can list the private key(s), so it's not that problem.
Not sure what the problem is, but if you create a second test DS instance, can you import it there?
Maybe remove the old cert first? If you try that though please make a backup of these files under /etc/dirsrv/slapd-INST: cert8.db, key3.db, and secmod.db in case it doesn't work.
HTH,
Mark
On 8/24/20 3:24 AM, rainer@ultra-secure.de wrote:
Hi,
I'm trying to renew a certificate in 389 server.
https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/ht...
I've created a new private key and CSR with
certutil -d /etc/dirsrv/slapd-instance/ -R -g 4096 -a \ -o /root/slapd-name.csr -8 name.fqdn \ -s "CN=name.fqdn,O=org,ST=State,C=CH"
I try to import it with
certutil -d /etc/dirsrv/slapd-instance/ -A \ -n "Server Cert" -t ",," -a -i /root/slapd-name.crt
But this results in "certutil: could not add certificate to token or database: SEC_ERROR_ADDING_CERT: Error adding certificate to database."
If I try this using the GUI, I also get the NSS error code 8168
What exactly is the problem? It seems there is no "verbose" switch for certutil - or at least it's not documented.
389-admin-1.1.46-1.el7.x86_64 389-admin-console-1.1.12-1.el7.noarch 389-admin-console-doc-1.1.12-1.el7.noarch 389-adminutil-1.1.22-2.el7.x86_64 389-console-1.1.19-6.el7.noarch 389-ds-base-1.3.10.1-9.el7_8.x86_64 389-ds-base-libs-1.3.10.1-9.el7_8.x86_64 389-ds-base-snmp-1.3.10.1-9.el7_8.x86_64 389-ds-console-1.2.16-1.el7.noarch 389-ds-console-doc-1.2.16-1.el7.noarch
CentOS 7, 64bit.
Now, I tried to list the private keys with -K, I get
certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.
Is there documentation on how to upgrade the database?
Rainer _______________________________________________ 389-users mailing list -- 389-users@lists.fedoraproject.org To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject....
Am 2020-08-24 15:18, schrieb Mark Reynolds:
Not sure what the problem is, but if you create a second test DS instance, can you import it there?
Maybe remove the old cert first? If you try that though please make a backup of these files under /etc/dirsrv/slapd-INST: cert8.db, key3.db, and secmod.db in case it doesn't work.
Hi Mark,
it seems that, yes indeed, you have to delete the old certificate first (and then also re-import the intermediate certificate).
Thanks a lot for the hint!
Best Regards Rainer
I think the issue was that the new certificate "might" have had the same name as the old one?
On 8/24/20 9:28 AM, rainer@ultra-secure.de wrote:
Am 2020-08-24 15:18, schrieb Mark Reynolds:
Not sure what the problem is, but if you create a second test DS instance, can you import it there?
Maybe remove the old cert first? If you try that though please make a backup of these files under /etc/dirsrv/slapd-INST: cert8.db, key3.db, and secmod.db in case it doesn't work.
Hi Mark,
it seems that, yes indeed, you have to delete the old certificate first (and then also re-import the intermediate certificate).
Thanks a lot for the hint!
Best Regards Rainer _______________________________________________ 389-users mailing list -- 389-users@lists.fedoraproject.org To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject....
Mark Reynolds wrote:
I think the issue was that the new certificate "might" have had the same name as the old one?
I suspect it's because a new private key was generated there are two certs with the same name but different keys.
To re-use the existing private key the easiest way is to simply retain the original CSR and resubmit it when you need renewal. Or you can regenerate it and specify -k <key_id> when you do so to re-use the key rather than generating a new one.
certutil -K -d /path/to/db to get list of keys.
rob
On 8/24/20 9:28 AM, rainer@ultra-secure.de wrote:
Am 2020-08-24 15:18, schrieb Mark Reynolds:
Not sure what the problem is, but if you create a second test DS instance, can you import it there?
Maybe remove the old cert first? If you try that though please make a backup of these files under /etc/dirsrv/slapd-INST: cert8.db, key3.db, and secmod.db in case it doesn't work.
Hi Mark,
it seems that, yes indeed, you have to delete the old certificate first (and then also re-import the intermediate certificate).
Thanks a lot for the hint!
Best Regards Rainer _______________________________________________ 389-users mailing list -- 389-users@lists.fedoraproject.org To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject....
Am 2020-08-24 16:13, schrieb Rob Crittenden:
Mark Reynolds wrote:
I think the issue was that the new certificate "might" have had the same name as the old one?
I suspect it's because a new private key was generated there are two certs with the same name but different keys.
To re-use the existing private key the easiest way is to simply retain the original CSR and resubmit it when you need renewal. Or you can regenerate it and specify -k <key_id> when you do so to re-use the key rather than generating a new one.
certutil -K -d /path/to/db to get list of keys.
Ah, OK - thank you.
I really just followed the documentation here - but I'll try that next time.
Best Regards Rainer
I had a similar experience. Any modification to the database with certutil suddenly made the legacy database error pop up. I assumed it was some change in the underlying system or certutil utility. The cleanest way I was able to get it to resolve it was to create a new, empty database in another location and then use the --merge option to merge the original db into the empty one. Then I could delete the old cert and add the new one without issue.
389-users@lists.fedoraproject.org