Howard Wilkinson wrote:
We have a CA using our corporate certificate which we want to sign
our
certificates for the fedora-ds and clients.
I am trying to work out how to do this. The setupssl2 script works
fine in generating and installing a self-signed certifictae on the
server(s) but we now want to generate and sign using our CA.
Does anybody have a set of instructions that would cover this case?
Do you have any
instructions in general about generating cert requests
and signing them with your CA? If so, then they would mostly apply.
You would use certutil to generate your CSR (certutil -R) for your
server, then create the server cert on your CA from the server CSR, then
install the new server cert in your server's key/cert db using certutil
(certutil -A for an ascii/pem cert).
In particular I would like to understand when the use of certutil is
mandatory and when it can be replaced with one or more openssl commands.
Anything
which touches the key/cert databases (generate server cert
request, add a cert) must use certutil. The other operations can be
done with openssl.
Eventually I would like to be able to configure the server using the
setup-ds-admin script with a certificate already pre-generated by
openssl quoted as the CACertificate parameter.
That will work fine for the SSL
client side of things. But
setup-ds-admin cannot generate a server cert request, wait for the new
cert to be issued, and install the new server cert.
One complication to all of this is that we need to assign a number of
SubjectAltNames to the certificates so that a server may have multiple
identities!
Sure. When you generate your cert request using certutil -R, use the
-8
argument to specify the subject alt names. See also
http://directory.fedoraproject.org/wiki/Howto:SSL#Using_Subject_Alt_Name
Regards, Howard
--
Fedora-directory-users mailing list
Fedora-directory-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users