On Thu, 2005-12-08 at 13:27 -0700, Richard Megginson wrote:
Craig White wrote:
>On Thu, 2005-12-08 at 13:00 -0700, Richard Megginson wrote:
>
>>Craig White wrote:
>>
>>>Trying to follow instructions at
>>>http://www.redhat.com/docs/manuals/dir-server/ag/7.1/ssl.html#1087158
>>>
>>>Step #8
>>>Copy the key3.db and cert8.db you created to the default databases
>>>created at Directory Server installation:
>>>
>>>where is this 'default databases'?
>>>
>>>/opt/fedora-ds/slapd-srv1/ ? # srv1 is the name of my server
>>>
>>/opt/fedora-ds/alias/slapd-srv1-key3.db
>>/opt/fedora-ds/alias/slapd-srv1-cert8.db
>>
>----
>OK - well that was where I created them...
>
># ls -l /opt/fedora-ds/alias/
>total 520
>-rw------- 1 nobody nobody 65536 Dec 8 12:55 admin-serv-srv1-cert8.db
>-rw------- 1 nobody nobody 16384 Dec 8 12:55 admin-serv-srv1-key3.db
>-rw------- 1 root root 65536 Dec 8 11:18 cert8.db
>-rw------- 1 root root 2644 Dec 8 11:18 cert.pk12
>-rw------- 1 root root 16384 Dec 8 11:18 key3.db
>-rwxr-xr-x 1 root nobody 194880 Nov 29 15:06 libnssckbi.so
>-rw-r--r-- 1 root root 55 Dec 8 11:09 noise.txt
>-rw------- 1 root root 9 Dec 8 11:09 pwdfile.txt
>-rw------- 1 nobody nobody 16384 Dec 6 08:46 secmod.db
>-rw------- 1 nobody nobody 65536 Dec 8 10:55 slapd-srv1-cert8.db
>-rw------- 1 nobody nobody 16384 Dec 8 10:55 slapd-srv1-key3.db
>
>I didn't see them listed anywhere in the console.
>
Didn't see what listed anywhere in the console?
----
The certificates that I generated using certutil. I never could find
evidence of them in any console. The files listed above I am certain
were generated by openssl creation of the CA certificate and using that
to sign the requests from the Server Certs portions of the
Administration and Directory Consoles - and 'installing' them in the
console... because of the time signatures.
----
I think the directions mean "copy your new key3.db over
slapd-srv1-key3.db and copy your new cert8.db over
slapd-srv1-cert8.db". When you do this, make sure slapd isn't running,
and make sure you retain the old ownership and permissions of those
files (e.g. nobody:nobody and 0600). Slapd (uid nobody) has to open
those files in read-write mode.
----
It would appear that, having the above contents of /opt/fedora-ds/alias
and the db files chmod 600 nobody:nobody as per above, even though
I generated them ultimately with openssl and not certutil and they are
listed in both Administration and Directory consoles in both CA Certs
and Server Certs, I am good to go to the next step.
Thanks
Craig
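The swap Richard describes (slapd stopped, new key3.db/cert8.db copied over the instance's slapd-srv1-*.db files, ownership and mode kept at nobody:nobody 0600), as an added example script that is not part of this thread or of Fedora Directory Server. The instance paths, the stop-slapd script location and the certutil -P prefix usage are assumptions based on the 7.1 layout discussed above.

```shell
#!/bin/sh
# Added example (not from the thread): install freshly built NSS databases
# over the Directory Server instance's own key3.db/cert8.db, keeping the
# ownership and mode the server expects (nobody:nobody, 0600 in the thread).
set -eu

# install_nss_db SRC_DIR ALIAS_DIR INSTANCE OWNER GROUP
# Backs up the instance's current databases, then copies SRC_DIR/key3.db
# and SRC_DIR/cert8.db over ALIAS_DIR/INSTANCE-key3.db and INSTANCE-cert8.db
# with mode 0600 owned by OWNER:GROUP.
install_nss_db() {
    src=$1; alias_dir=$2; inst=$3; owner=$4; group=$5
    stamp=$(date +%Y%m%d%H%M%S)
    for db in key3.db cert8.db; do
        [ -f "$src/$db" ] || { echo "missing $src/$db" >&2; return 1; }
        dest="$alias_dir/$inst-$db"
        # keep what the server was using, so SSL can be rolled back if the
        # new database turns out not to hold the expected server cert
        if [ -f "$dest" ]; then
            cp -p "$dest" "$dest.bak.$stamp"
        fi
        # install(1) sets owner, group and mode in one step; setting a
        # different owner (nobody) requires running this as root
        install -o "$owner" -g "$group" -m 0600 "$src/$db" "$dest"
    done
}

# db_mode_ok FILE OWNER GROUP: succeeds only if FILE is OWNER:GROUP, mode 600
db_mode_ok() {
    find "$1" -user "$2" -group "$3" -perm 600 | grep -q .
}

if [ "${1-}" = "--run" ]; then
    # Assumed 7.1 layout: new dbs built in /opt/fedora-ds/alias, instance
    # slapd-srv1. Stop the server first (assumed path of the stop script).
    /opt/fedora-ds/slapd-srv1/stop-slapd
    install_nss_db /opt/fedora-ds/alias /opt/fedora-ds/alias slapd-srv1 nobody nobody
    for f in key3.db cert8.db; do
        db_mode_ok /opt/fedora-ds/alias/slapd-srv1-$f nobody nobody
    done
    # list the certs now in the instance database; -P selects the file prefix
    certutil -L -d /opt/fedora-ds/alias -P slapd-srv1-
fi
```

Run with `--run` as root on the server; without arguments the script only defines the functions.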