[389-users] HOW TO INSTALL NEW INTERMEDIATE CA CERTIFICATES ON 389 DS
Rich Megginson
rmeggins at redhat.com
Wed Jan 26 01:10:02 UTC 2011
On 01/25/2011 06:08 PM, Tim Weichel wrote:
>
> All,
>
> I have installed 389 servers and in the process of requesting new 4
> year SSL certificates for my servers. To do so Verisign is only
> accepting 2048-bit and higher CSR's only for 3 year certificates.
>
> No problem I manually created a new CSR with 2048 bits using openssl,
> received my new cert from verisign and have installed it successfully.
>
> Now that I have the new cert installed and SSL configured and my
> pin.txt file in place I find that upon start-up of the directory
> service the certificate will not properly verify and the startup fails.
>
> Based on the VeriSign advisory AD220
> (https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AD220
> <https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AD220>)
>
>
> It appears that I need to update the directory servers VeriSign
> intermediate certificates in order to properly validate my new 2048
> cert upon startup.
>
> My new certificate came with the notice also as follows: In order for
> your VeriSign SSL Certificate to function properly, NEW Primary and
> Secondary VeriSign Intermediate CA Certificates must be installed.
>
> So has anyone actually updated or installed the new primary and
> secondary intermediate CA certificates.
>
> The usual methods of certutil command and the Management Console
> wizard have all failed to install the provided intermediate CA bundle
> provided by VeriSign.
>
What exactly did you try and how exactly did it fail? Please provide
the exact certutil command line arguments.
>
> Also I am not running Apache, I only have the 389 Management Console
> serving web for the servers.
>
> Thanks appreciate your assistance. Love the list server you guys
> ROCK!.........................Tim
>
>
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.fedoraproject.org/pipermail/389-users/attachments/20110125/39783f6d/attachment.html>
More information about the 389-users
mailing list