[389-users] Want to change the hostname of my 389-box. Is there an easy way to fix the cert?

Alberto Suárez asuapaz at gobiernodecanarias.org
Wed Sep 19 08:34:43 UTC 2012


Hi Ray,

Yes, those are strings you choose to name the certificates. I should have
written "CA_cert_label" instead of "AC_cert_label", sorry about that...

All those labels are chosen by you when generating each certificate. If
you followed the setupssl2.sh script, it should be "CA certificate" for 
the CA (see line 114 in 
https://github.com/richm/scripts/blob/master/setupssl2.sh). If you 
generated with certutil yourself, it should be the string used after 
"-n". If you are generating new certs for DS and Admin server you could 
use the string you wish (in the script "Server-Cert" is used for DS, see 
line 131, and "server-cert" for Admin server, see line 137).

Alberto

Ray wrote:
> Hi Alberto,
>
> thanks for the instructions. I have two more questions:
>
> 1) The labels DS_Server_cert_label and Admin_Server_cert_label are
> completely my choice, right?
>
> 2) How about the AC_cert_label though? Where does that come from?
>
> Cheers,
> Ray
>
> On 18.09.2012 11:56, Alberto Suárez wrote:
>> If you have trouble with the script, try this:
>>
>> 1. Produce the new DS server certificate:
>>
>> certutil -S -n "DS_Server_cert_label" \
>> -s "cn=myhost.myorg.example.com" -c "AC_cert_label" \
>> -t "u,u,u" -m 1001 -v 120 -d . -k rsa -f \
>> /etc/dirsrv/slapd-myhost/pwdfile.txt
>>
>> 2. Export it to p12 format:
>>
>> pk12util -d . -o directoryserver.p12 -n "DS_Server_cert_label" \
>> -w /etc/dirsrv/slapd-myhost/pwdfile.txt -k \
>> /etc/dirsrv/slapd-myhost/pwdfile.txt
>>
>> 3. Produce the new Admin server certificate:
>>
>> certutil -S -n "Admin_Server_cert_label" \
>> -s "cn=myhost.myorg.example.com,ou=389 Administration Server" -c \
>> "AC_cert_label" -t "u,u,u" -m 1002 -v 120 -d /etc/dirsrv/slapd-myhost \
>> -k rsa -f /etc/dirsrv/slapd-myhost/pwdfile.txt
>>
>> 4. Export it to p12 format:
>>
>> pk12util -d . -o adminserver.p12 -n "Admin_Server_cert_label" \
>> -w /etc/dirsrv/slapd-myhost/pwdfile.txt -k \
>> /etc/dirsrv/slapd-myhost/pwdfile.txt
>>
>> 5. Import into Admin server database:
>>
>> pk12util -d . -i /etc/dirsrv/admin-serv/adminserver.p12 -n \
>> "Admin_Server_cert_label" -w /etc/dirsrv/slapd-myhost/pwdfile.txt -k \
>> /etc/dirsrv/slapd-myhost/pwdfile.txt
>>
>> 6. Now import DS cert into Admin server's database
>>
>> pk12util -d . -i /etc/dirsrv/admin-serv/adminserver.p12 -n \
>> "Admin_Server_cert_label" -w /etc/dirsrv/slapd-myhost/pwdfile.txt -k \
>> /etc/dirsrv/slapd-myhost/pwdfile.txt
>>
>> 7. In "Manage certificates" window, replace the old DS cert by the new
>> one.
>>
>> Hope this helps,
>>
>> Alberto
>>
>> Ray wrote:
>>> Hi,
>>>
>>> I am running a 389 box with TLS enabled. Now I would like to change the
>>> hostname, which would render the current certificate invalid. Is there
>>> an easy way to create a new certificate with the new hostname?
>>>
>>> Cheers,
>>> Ray
>>>
>>>
>>> --
>>> 389 users mailing list
>>> 389-users at lists.fedoraproject.org
>>> https://admin.fedoraproject.org/mailman/listinfo/389-users
>
> .
>
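
Added example, not part of the thread: before passing a label to -n or -c, confirm it exists in the NSS database exactly as typed, by parsing a `certutil -L -d <dir>` listing. The function names and the sample listing are constructed for illustration; the labels are the ones the reply quotes from setupssl2.sh.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# Constructed sample of `certutil -L -d <dir>` output for offline use.
SAMPLE_LISTING='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CA certificate                                               CTu,u,u
Server-Cert                                                  u,u,u
server-cert                                                  u,u,u
'

# trust_flags_for LABEL: read a listing on stdin and print the trust
# attributes of the certificate whose nickname equals LABEL exactly.
# Nicknames may contain spaces and are case-sensitive, so the last
# column is split off and the remainder is compared as a whole.
# Exit status is 1 when the label is not in the listing.
trust_flags_for() {
    awk -v want="$1" '
        NF >= 2 && $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
            flags = $NF
            line = $0
            sub(/[ \t]+$/, "", line)          # trailing blanks
            sub(/[ \t]+[^ \t]+$/, "", line)   # trust attributes column
            sub(/^[ \t]+/, "", line)          # leading blanks
            if (line == want) { print flags; found = 1; exit }
        }
        END { exit found ? 0 : 1 }
    '
}

# can_sign_with LABEL: succeed only if LABEL exists and its first trust
# field shows "u", which certutil displays when the matching private key
# is in this database (required to issue with `certutil -S -c LABEL`).
can_sign_with() {
    flags=$(trust_flags_for "$1") || return 1
    case "${flags%%,*}" in
        *u*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Demo on the constructed listing; on a real host pipe in
# `certutil -L -d <dir>` instead.
printf '%s\n' "$SAMPLE_LISTING" | trust_flags_for "CA certificate"
```
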


