[Fedora-directory-users] Proper way to generate a server certificate.

Wed Jan 28 21:24:16 UTC 2009

Mr. Rich, you responded!!
Thank you

Thing is I generate a certificate request but am having issues importing
it...
I generate a key and cert with.. 
"openssl genrsa -des3 -out server.key 2048" for the key
"openssl req -new -key server.key -out server.csr"
I send it to the Novell Admin and sends back a server.b64 file.
I try and import it through the gui as a server cert and it fails saying
that.

" Either the certificate is for another server or the certificate was
not requested using this server and the selected security device
"internal (software)""

I can import it as a CA cert but it shows as a broken chain and it is
supposed to be server cert anyway.

Any ideas on how to properly import this base 64 signed cert?
Perhaps certutil or openssl commands?

Thank You
James

Openssl 
-----Original Message-----
From: Rich Megginson [mailto:rmeggins at redhat.com] 
Sent: Wednesday, January 28, 2009 1:48 PM
To: Chavez, James R.; General discussion list for the Fedora Directory
server project.
Subject: Re: [Fedora-directory-users] Proper way to generate a server
certificate.

James Chavez wrote:
> Hello List,
>
> I am trying to setup SSL between an AD or edir box and my FDS box. 
> I want to generate a server cert for the AD or edir box and import it 
> into edir/AD and import the CA cert into AD/edir as well.
>
> What commands do i use to accomplish this.
> Also what format does the cert need to be to successfully import into 
> AD or edir.
>
> I have generated a self signed CA cert named "FDS CA"
> exported with 
> certutil -L -d . -n "FDS CA" -a > ca.asc   and
> certutil -L -d . -n "FDS CA" -r > ca.der
>
>
>
> I have generated a server cert for the AD/edir box with
>
>  certutil -S -n "server-Cert" -s "cn=host.example.com" -c "FDS CA" -t 
> "u,u,u" -m 3002 -v 120 -d . -z ./noise.txt -f ./pwdfile.txt
>
> And exported it with..
> pk12util -d . -o /tmp/server-cert.p12 -n "server-Cert"
>
> I then send the CA cert in ascii and .der format along with the
> server-cert.p12 to the admin but he gets errors below trying to import

> into edir.
> Need help on this one please. 
> ..
>
> -1240 FFFFFB28 PKI E PARSE CERTIFICATE
>   
I'm not sure, but why not just use Novell Certificate Server to generate
all of your server certs?
> Source
>
> Novell(r) Certificate Server
>
> Explanation
>
> Novell Certificate Server was unable to parse a certificate that has 
> been stored or is being stored.
>
> Possible Cause
>
> The user attempted to store a certificate or a certificate chain with 
> an invalid encoding into a Server Certificate object. The certificate 
> or certificate chain obtained from the Certificate Authority is
invalid.
>
> Action
>
> Perform the following operations:
>
>     * Contact the Certificate Authority that issued the server 
> certificate to obtain the Certificate Authority's certificate.
>     * Using ConsoleOne(r), view the Server Certificate object. Click 
> Import.
>     * Import the Certificate Authority's certificate as the trusted 
> root.
>     * Import the server's certificate as the object certificate.
>
> If the problem persists, contact the Certificate Authority.
>
>
> Any body out there can help out please.
>
> Thanks
> James
>
> CONFIDENTIALITY
> This e-mail message and any attachments thereto, is intended only for
use by the addressee(s) named herein and may contain legally privileged
and/or confidential information. If you are not the intended recipient
of this e-mail message, you are hereby notified that any dissemination,
distribution or copying of this e-mail message, and any attachments
thereto, is strictly prohibited.  If you have received this e-mail
message in error, please immediately notify the sender and permanently
delete the original and any copies of this email and any prints thereof.
> ABSENT AN EXPRESS STATEMENT TO THE CONTRARY HEREINABOVE, THIS E-MAIL
IS NOT INTENDED AS A SUBSTITUTE FOR A WRITING.  Notwithstanding the
Uniform Electronic Transactions Act or the applicability of any other
law of similar substance and effect, absent an express statement to the
contrary hereinabove, this e-mail message its contents, and any
attachments hereto are not intended to represent an offer or acceptance
to enter into a contract and are not otherwise intended to bind the
sender, Sanmina-SCI Corporation (or any of its subsidiaries), or any
other person or entity.
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>   

CONFIDENTIALITY
This e-mail message and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain legally privileged and/or confidential information. If you are not the intended recipient of this e-mail message, you are hereby notified that any dissemination, distribution or copying of this e-mail message, and any attachments thereto, is strictly prohibited.  If you have received this e-mail message in error, please immediately notify the sender and permanently delete the original and any copies of this email and any prints thereof.
ABSENT AN EXPRESS STATEMENT TO THE CONTRARY HEREINABOVE, THIS E-MAIL IS NOT INTENDED AS A SUBSTITUTE FOR A WRITING.  Notwithstanding the Uniform Electronic Transactions Act or the applicability of any other law of similar substance and effect, absent an express statement to the contrary hereinabove, this e-mail message its contents, and any attachments hereto are not intended to represent an offer or acceptance to enter into a contract and are not otherwise intended to bind the sender, Sanmina-SCI Corporation (or any of its subsidiaries), or any other person or entity.