A follow up question: why does pk12util need to be run against the
certificate db at all? Doesn't RedHat/Fedora DS read certificate and
key information directly from the cert8.db and key3.db files?
In the RedHat SSL setup docs at:
http://www.redhat.com/docs/manuals/dir-server/ag/7.1/ssl.html#1087158
... it says:
Run pk12util to convert the certificate database to pkcs12 format, so
it is accessbile by the Directory Server:
As Adam Stokes mentioned, the incantation for this should be:
Again another typo the line should read
pk12util -d . -P slapd-serverID- -o servercert.pk12 -n Server-Cert
But what does it buy you to have the "servercert.pk12" file sitting in
the alias directory with the cert and key db files? How does this make
the certificate database "accessible by the Directory Server"?
In previous versions of Netscape DS, I don't recall the need for a pk12
file in the alias directory. Is this a new requirement for version 7.1 ?
Thanks,
-- George
Adam Stokes wrote:
>On Wed, 3 Aug 2005 15:48:42 -0400
>Kevin Kovach <kovach(a)gmail.com> wrote:
>
>Kevin,
>
Again another typo the line should read
pk12util -d . -P slapd-serverID- -o servercert.pk12 -n Server-Cert
>and the -P option is the dbprefix in which case slapd-serverID- should
>be replaced with whatever you have setup as your slapd-<instance>-
>
>Hope this helps
>
>
>
>>Adam,
>>
>>My entry looks the same. I'm pretty certain I have the ciphers
>>correct now.
>>
>>I am curious about one thing though. In following the wiki, I did as
>>suggested and converted the cert db to pkcs12 with the following
>>command ...
>>
>>pk12util -d . -P slapd-serverID- -o servercert.pfx -n Server-Cert
>>
>>However, I don't see anywhere where we make FDS aware of
>>servercert.pfx? I'd assume that we need to configure FDS for this
>>pkcs12 db somewhere?
>>
>>Also, the wiki mentions the trailing - on the -P option but does not
>>go into depth on it. I'm pretty sure I executed this command
>>correctly but am unsure how to double check it?
>>
>>Thanks again.
>>
>>- Kevin
>>
>>On 8/3/05, Adam Stokes <astokes(a)redhat.com> wrote:
>>
>>
>>>dn: cn=encryption,cn=config
>>>objectClass: top
>>>objectClass: nsEncryptionConfig
>>>cn: encryption
>>>nsSSLSessionTimeout: 0
>>>nsSSLClientAuth: allowed
>>>nsSSL2: off
>>>nsSSL3: on
>>>creatorsName: cn=server,cn=plugins,cn=config
>>>modifiersName: cn=directory manager
>>>createTimestamp: 20050701182744Z
>>>modifyTimestamp: 20050720192820Z
>>>nsSSL3Ciphers:
>>>-
>>>rsa_null_md5,rsa_rc4_128_md5,rsa_rc4_40_md5,rsa_rc2_40_md5,rsa_des_sha,rsa_fips_des_sha,rsa_3des_sha,rsa_fips_3des_sha,fortezza,fortezza_rc4_128_sha,fortezza_null,tls_rsa_export1024_with_rc4_56_sha,tls_rsa_export1024_with_des_cbc_sha
>>>nsKeyfile: alias/slapd-directory-key3.db nsCertfile: alias/slapd-
>>>directory-cert8.db numSubordinates: 1
>>>
>>>Above is my entry for reference
>>>
>>>On Wed, 2005-08-03 at 13:57 -0400, Kevin Kovach wrote:
>>>
>>>
>>>>Thanks Nathan. I've made this change and again got farther than
>>>>I have before.
>>>>
>>>>FYI, I got that cipher list from the Wiki. That will need to be
>>>>updated to contain the complete list.
>>>>
>>>>Although I got farther the server is still not starting up. Now
>>>>it's complaining that none of the ciphers are valid? How to I
>>>>ensure that I'm using a valid cypher? Here's the error I'm
>>>>seeing in the error log ...
>>>>
>>>>[03/Aug/2005:13:56:23 -0400] - Fedora-Directory/7.1
>>>>B2005.201.2115 starting up [03/Aug/2005:13:56:23 -0400] - SSL
>>>>failure: None of the cipher are valid
>>>>
>>>>Thanks again for the help.
>>>>
>>>>- Kevin
>>>>
>>>>And again have a different issue now. Now it's complaining that
>>>>there are no
>>>>
>>>>
>>>--
>>>Fedora-directory-users mailing list
>>>Fedora-directory-users(a)redhat.com
>>>https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>
>>>
>>>
>>--
>>Take back the web,
http://www.switch2firefox.com/
>>
>>--
>>Fedora-directory-users mailing list
>>Fedora-directory-users(a)redhat.com
>>https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>
>>
>
>
>
>