[389-users] configuring SSL for windows replication

David Baird dbaird at waikato.ac.nz
Wed Jun 8 21:45:18 UTC 2011


On 4/06/2011 8:00 a.m., Rich Megginson wrote:
> On 06/03/2011 01:38 PM, solarflow99 wrote:
>> For self signed certs, as I understand it, the 389 supplier that has the CA
>> must create a server cert for the windows host? How can this cert be
>> exported/imported since windows doesn't use pk12util? Has anyone set this up,
>> and can say the steps on windows 2008? I see there are many options for
>> installing IIS and Microsoft CA.
> That's the easiest way to generate an SSL server cert for MS AD - Install MS CA
> as an Enterprise Root CA - it will automatically issue the AD server cert.
>
> Otherwise, look here http://directory.fedoraproject.org/wiki/Howto:WindowsSync -
> you can use mmc with the Certificates snap-in to import/export certs and pkcs12
> files.

The procedure to generate the certificate request is outlined here 
http://support.microsoft.com/default.aspx?scid=kb;en-us;321051 which is 
referenced from the howto Rich mentions.

Here's something that may catch you out.  When you use certreq on the Windows 
server to generate a certificate request, it generates a corresponding key for 
that request (storing it in the Documents and Settings hierarchy).  If, for any 
reason, you need to generate another certificate, do NOT re-use the request file 
(the .req file) you already have; you have to generate a new request.

If, and only if, your Windows domain is running at 2008 Functional level, the 
best place to put the CA certificate is in the NTDS service's certificate store 
(as outlined at the bottom of the Knowledge Base article above). Otherwise 
import it into the local computer account's personal store.

David.
>>
>> Thanks,
>>
>>
>> --
>> 389 users mailing list
>> 389-users at lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/389-users
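As an added illustration of the two points above (a fresh certreq request every time, and then checking what the DC actually serves), here is a PowerShell sketch that is not from the thread or the KB article: it writes a new .inf/.req pair per request and then connects to port 636 to report the presented certificate and whether it chains to a CA the machine trusts. The DC name, the C:\certs paths and the 2048-bit key length are assumptions.

```powershell
# Added example, not part of the original thread. Assumed values below.
$Dc      = "dc1.example.internal"                      # assumption: the DC's FQDN
$Stamp   = Get-Date -Format "yyyyMMddHHmmss"
$InfPath = "C:\certs\ldaps-$Stamp.inf"                 # assumption: working directory
$ReqPath = "C:\certs\ldaps-$Stamp.req"                 # a NEW .req each time: certreq binds a fresh key to it

# UseExistingKeySet = FALSE is what ties a brand-new key to this request,
# which is why an old .req file must not be resubmitted.
@"
[Version]
Signature="`$Windows NT`$"
[NewRequest]
Subject = "CN=$Dc"
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
"@ | Set-Content -Path $InfPath -Encoding ASCII

certreq -new $InfPath $ReqPath
# Submit $ReqPath to the CA (389 supplier or MS CA); when issued.cer comes back, bind it to the key:
#   certreq -accept "C:\certs\issued-$Stamp.cer"

function Test-LdapsCert {
    param([string]$HostName, [int]$Port = 636)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    # Accept anything in the handshake so the cert can be inspected; trust is evaluated via X509Chain below.
    $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
    $ssl.AuthenticateAsClient($HostName)
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $ok    = $chain.Build($cert)          # $false => the issuing CA is not in a trusted store on this machine
    $ssl.Dispose(); $tcp.Close()
    [pscustomobject]@{
        Subject     = $cert.Subject       # should match CN=<DC FQDN>
        Issuer      = $cert.Issuer
        NotAfter    = $cert.NotAfter
        ChainOk     = $ok
        ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ","
    }
}
Test-LdapsCert -HostName $Dc
```

If ChainOk is false after the import, the CA certificate landed in a store the DC's SChannel stack does not consult, which is exactly the NTDS-store versus computer-store distinction David describes.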