[Fedora-directory-users] Proper way to generate a server certificate.

James Chavez james.chavez at sanmina-sci.com
Wed Jan 28 00:37:48 UTC 2009 

Hello List,

I am trying to setup SSL between an AD or edir box and my FDS box. 
I want to generate a server cert for the AD or edir box and import it
into edir/AD and import the CA cert into AD/edir as well.

What commands do i use to accomplish this.
Also what format does the cert need to be to successfully import into AD
or edir. 

I have generated a self signed CA cert named "FDS CA"
exported with 
certutil -L -d . -n "FDS CA" -a > ca.asc   and
certutil -L -d . -n "FDS CA" -r > ca.der



I have generated a server cert for the AD/edir box with 

 certutil -S -n "server-Cert" -s "cn=host.example.com" -c "FDS CA" -t
"u,u,u" -m 3002 -v 120 -d . -z ./noise.txt -f ./pwdfile.txt

And exported it with..
pk12util -d . -o /tmp/server-cert.p12 -n "server-Cert"

I then send the CA cert in ascii and .der format along with the
server-cert.p12 to the admin but he gets errors below trying to import
into edir.
Need help on this one please. 
..

-1240 FFFFFB28 PKI E PARSE CERTIFICATE

Source

Novell(r) Certificate Server

Explanation

Novell Certificate Server was unable to parse a certificate that has
been stored or is being stored.

Possible Cause

The user attempted to store a certificate or a certificate chain with an
invalid encoding into a Server Certificate object. The certificate or
certificate chain obtained from the Certificate Authority is invalid.

Action

Perform the following operations:

    * Contact the Certificate Authority that issued the server
certificate to obtain the Certificate Authority's certificate.
    * Using ConsoleOne(r), view the Server Certificate object. Click
Import.
    * Import the Certificate Authority's certificate as the trusted
root.
    * Import the server's certificate as the object certificate.

If the problem persists, contact the Certificate Authority.


Any body out there can help out please.

Thanks 
James

CONFIDENTIALITY
This e-mail message and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain legally privileged and/or confidential information. If you are not the intended recipient of this e-mail message, you are hereby notified that any dissemination, distribution or copying of this e-mail message, and any attachments thereto, is strictly prohibited.  If you have received this e-mail message in error, please immediately notify the sender and permanently delete the original and any copies of this email and any prints thereof.
ABSENT AN EXPRESS STATEMENT TO THE CONTRARY HEREINABOVE, THIS E-MAIL IS NOT INTENDED AS A SUBSTITUTE FOR A WRITING.  Notwithstanding the Uniform Electronic Transactions Act or the applicability of any other law of similar substance and effect, absent an express statement to the contrary hereinabove, this e-mail message its contents, and any attachments hereto are not intended to represent an offer or acceptance to enter into a contract and are not otherwise intended to bind the sender, Sanmina-SCI Corporation (or any of its subsidiaries), or any other person or entity.

More information about the 389-users mailing list