[Fedora-directory-users] Generating and installing certificates for Fedora-ds 1.1.0 usig Openssl base CA
Rich Megginson
rmeggins at redhat.com
Wed Feb 6 15:45:40 UTC 2008
Howard Wilkinson wrote:
> We have a CA using our corporate certificate which we want to sign our
> certificates for the fedora-ds and clients.
>
> I am trying to work out how to do this. The setupssl2 script works
> fine in generating and installing a self-signed certifictae on the
> server(s) but we now want to generate and sign using our CA.
>
> Does anybody have a set of instructions that would cover this case?
Do you have any instructions in general about generating cert requests
and signing them with your CA? If so, then they would mostly apply.
You would use certutil to generate your CSR (certutil -R) for your
server, then create the server cert on your CA from the server CSR, then
install the new server cert in your server's key/cert db using certutil
(certutil -A for an ascii/pem cert).
>
> In particular I would like to understand when the use of certutil is
> mandatory and when it can be replaced with one or more openssl commands.
Anything which touches the key/cert databases (generate server cert
request, add a cert) must use certutil. The other operations can be
done with openssl.
>
> Eventually I would like to be able to configure the server using the
> setup-ds-admin script with a certificate already pre-generated by
> openssl quoted as the CACertificate parameter.
That will work fine for the SSL client side of things. But
setup-ds-admin cannot generate a server cert request, wait for the new
cert to be issued, and install the new server cert.
>
> One complication to all of this is that we need to assign a number of
> SubjectAltNames to the certificates so that a server may have multiple
> identities!
Sure. When you generate your cert request using certutil -R, use the -8
argument to specify the subject alt names. See also
http://directory.fedoraproject.org/wiki/Howto:SSL#Using_Subject_Alt_Name
>
> Regards, Howard
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.fedoraproject.org/pipermail/389-users/attachments/20080206/0c9b9ed3/attachment.bin>
More information about the 389-users
mailing list