[389-users] SSL certificate issue

Rich Megginson rmeggins at redhat.com
Thu Jul 14 14:57:07 UTC 2011


On 07/14/2011 01:29 AM, s.varadha rajan wrote:
> Hi,
>
> Thanks for the reply, but I have a problem with my system for enabling 
> SSL; only then do I go for the consumer and then replication, etc.
>
> My system name is varad.india.xxx.com <http://varad.india.xxx.com> and 
> I have to use the "star_dot_india_xxx_cert.crt" certificate, which is used 
> for Apache and other web-related applications. So first I need to 
> install the certificate and enable secure 389-ds, that is LDAPS. Only then 
> can I go to the other system and proceed with the replication process.
>
> In such a case, what is the solution?
You need the CA cert - do you have the CA cert in a PEM file?  If so, 
you can add it using certutil -A
http://directory.fedoraproject.org/wiki/Howto:SSL#Import_the_CA_cert_into_another_389_DS
>
> Regards,
> Varad
>
> 2011/7/13 solarflow99 <solarflow99 at gmail.com 
> <mailto:solarflow99 at gmail.com>>
>
>     I had this error, and it was the CA not being imported correctly
>     as you mentioned.  I used the certutil and pk12util commands to
>     import and export all the certs:
>     http://directory.fedoraproject.org/wiki/Howto:SSL#Create_and_Export_a_Replication_Consumer_cert
>
>
>
>     2011/7/13 s.varadha rajan <rajanvaradhu at gmail.com
>     <mailto:rajanvaradhu at gmail.com>>
>
>         Hi,
>
>         I am trying to implement two 389-ds with SSL
>         replication. Replication is working without SSL. When I try to
>         configure SSL-enabled 389-ds, I am getting the error:
>
>         "[13/Jul/2011:17:38:37 +051800] - SSL alert:
>         CERT_VerifyCertificateNow: verify certificate failed for cert
>         Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape
>         Portable Runtime error -8179 - Peer's Certificate issuer is
>         not recognized.)
>         [13/Jul/2011:17:38:37 +051800] - SSL failure: None of the
>         cipher are valid"
>
>         I did the following as per my environment:
>
>         1. My system name is varad.india.xxx.com
>         <http://varad.india.xxx.com>. We have a certificate
>         star.india.xxx.com <http://star.india.xxx.com> and .pem
>         files, which are used commonly for Apache and other related
>         services. So I am planning to import that certificate to my
>         fedora-ds system.
>
>         A).openssl pkcs12 -export -inkey star_dot_india_xxx_key.pem
>         -in star_dot_india_xxx_cert.crt -out crt.p12 -nodes -name
>         'Server-Cert' ==> command went fine
>
>         B).pk12util -i <location>/crt.p12 -d . ==> command went fine
>
>         C). As per the Fedora doc, they specified "certutil -d
>         /etc/dirsrv/slapd-INSTANCE -A -n "My Local CA" -t CT,, -a -i
>         /path/to/ca.pem", so I tried this option as:
>
>
>          #root at varad:/home/sslforldap# certutil -d
>         /etc/dirsrv/slapd-varad -A -n "Server-Cert" -t u,u,u -a -i
>         star_dot_india_xxx_cert.crt
>         got an error ==>certutil: function failed: security library:
>         bad database.
>
>
>
>         and then tried as
>
>
>         #certutil -d /etc/dirsrv/slapd-varad -A -n "Server-Cert" -t
>         u,u,u -a -i star_dot_india_xxx_cert.crt ==> went fine
>
>         D). Added the relevant details in the dse.ldif and restarted
>         the dirsrv, but I got the above error.
>
>         E). For your information:
>
>
>         root at varad:/home/sslforldap# certutil -L -d .
>
>         Certificate Nickname                                         Trust Attributes
>                                                                      SSL,S/MIME,JAR/XPI
>
>         XXX XXX CA                                                   u,u,u
>
>         How can I proceed further?
>
>         Regards,
>         Varad
>
>         --
>         389 users mailing list
>         389-users at lists.fedoraproject.org
>         <mailto:389-users at lists.fedoraproject.org>
>         https://admin.fedoraproject.org/mailman/listinfo/389-users
>
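As an added example (not from the thread or the 389-DS project), this Python snippet parses `certutil -L` output like the listing Varad posted and checks whether the CA that issued Server-Cert carries the C flag in the SSL trust column, which is what the Howto's `certutil -A -t CT,,` import sets; a CA imported with `-t u,u,u` shows up as a user cert and cannot satisfy issuer verification. The nickname "XXX XXX CA" and both listings are constructed sample data.

```python
import re

# Constructed sample: mirrors the listing from the thread, where the CA was
# imported with -t u,u,u (user cert) instead of -t CT,, (trusted CA).
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

XXX XXX CA                                                   u,u,u
Server-Cert                                                  u,u,u
"""

# Constructed sample: how the same database looks after importing the CA
# with `certutil -A -t CT,,` as the Howto describes.
FIXED_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

XXX XXX CA                                                   CT,,
Server-Cert                                                  u,u,u
"""

# Nickname, two or more spaces, then three comma-separated NSS trust fields
# (SSL, S/MIME, JAR/XPI). Header lines have no "x,y,z" field and never match.
TRUST_RE = re.compile(
    r"^(?P<nick>.+?)\s{2,}(?P<trust>[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*)\s*$"
)


def parse_certutil_listing(text):
    """Return {nickname: (ssl_flags, smime_flags, jar_flags)} from certutil -L output."""
    entries = {}
    for line in text.splitlines():
        m = TRUST_RE.match(line)
        if m:
            entries[m.group("nick").strip()] = tuple(m.group("trust").split(","))
    return entries


def issuer_trust_problem(entries, ca_nick):
    """Return None when ca_nick can vouch for a server cert, else a short diagnosis.

    NSS only accepts an issuer for SSL server certs when its SSL trust field
    carries C (trusted CA). A 'u' there means the cert was stored as a user
    cert; the Howto's -t CT,, sets C and T."""
    if ca_nick not in entries:
        return f"{ca_nick!r} not in database: import it with certutil -A -t CT,,"
    ssl_flags = entries[ca_nick][0]
    if "C" in ssl_flags:
        return None
    if "u" in ssl_flags:
        return f"{ca_nick!r} was imported as a user cert ({ssl_flags}), not as a trusted CA"
    return f"{ca_nick!r} SSL trust {ssl_flags!r} lacks C; fix with certutil -M -t CT,, -n {ca_nick!r}"
```

Running `issuer_trust_problem` over the first listing reports the CA as a user cert, which matches the "Peer's Certificate issuer is not recognized" failure; over the second it returns None.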
