[deployment-guide: 54/185] updated SSSD chapter, regarding 653881
Jaromir Hradilek
jhradile at fedoraproject.org
Sun May 15 21:14:37 UTC 2011
commit 8ec67d24d7cc25e29db464300469f4123f70aff5
Author: Martin Prpic <mprpic at redhat.com>
Date: Fri Jan 28 15:02:44 2011 +0100
updated SSSD chapter, regarding 653881
en-US/SSSD.xml | 37 +++++++++++++++++++++++++++++++------
1 files changed, 31 insertions(+), 6 deletions(-)
---
diff --git a/en-US/SSSD.xml b/en-US/SSSD.xml
index 92c37b8..92e22ae 100644
--- a/en-US/SSSD.xml
+++ b/en-US/SSSD.xml
@@ -930,14 +930,29 @@ ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
<itemizedlist>
<listitem>
<para>
- Using your command line, execute the following command to create a file (called, for example, <filename>extfile</filename>) that specifies your desired IP address (in this case <systemitem class="ipaddress">10.0.0.10</systemitem>):</para>
- <screen>echo "subjectAltName=IP:10.0.0.10" > extfile</screen>
+ Using your command line, execute the following command to convert an existing certificate (previously signed by the <parameter>key.pem</parameter> key) into a certificate request:
+ </para>
+ <screen>openssl x509 -x509toreq -in old_cert.pem -out req.pem -signkey key.pem</screen>
+ <para>
+ Alternatively, if you are using a self-signed certificate(for example, one created by the Fedora OpenLDAP package in <filename>/etc/pki/tls/certs/slapd.pem</filename>), execute the following command:
+ </para>
+ <screen>openssl x509 -x509toreq -in old_cert.pem -out req.pem -signkey old_cert.pem</screen>
+ </listitem>
+ <listitem>
+ <para>
+ Edit your <filename>/etc/pki/tls/openssl.cnf</filename> configuration file to include the following line under the
+ <parameter>[ v3_ca ]</parameter> section:
+ </para>
+ <screen>subjectAltName = IP:10.0.0.10</screen>
+ <para>
+ Replace the IP address with one of your choice.
+ </para>
</listitem>
<listitem>
<para>
- While in the same directory, execute the following command:
+ By executing the following command, use the previously generated certificate request to generate a new self-signed certificate that will contain your desired IP address:
</para>
- <screen>openssl x509 -req -in "req.pem" -out "cert.pem" -extfile "extfile" -CA "cacert.pem" -CAkey "cakey.pem" -CAserial "ca.srl" -CAcreateserial</screen>
+ <screen>openssl x509 -req -in req.pem -out new_cert.pem -extfile ./openssl.cnf -extensions v3_ca -signkey old_cert.pem</screen>
<para>
where:
</para>
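Review bot: the `-extfile` path in the signing command does not match the file the reader was just told to edit: the previous step edits `/etc/pki/tls/openssl.cnf`, but `openssl x509 -req ... -extfile ./openssl.cnf -extensions v3_ca` reads a copy in the current working directory, so the `subjectAltName` line will not be picked up unless the reader happens to have copied the file there; use one consistent path (for example `-extfile /etc/pki/tls/openssl.cnf`) or add an explicit copy step. Separately, both `-x509toreq ... -signkey old_cert.pem` and the later `-signkey old_cert.pem` only work when `old_cert.pem` carries the private key block alongside the certificate (as the bundled slapd.pem case implies); with a certificate-only file the command fails to load a private key, so that prerequisite belongs in the text next to the first command rather than being left implicit until the final "copy the private key block" step.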
@@ -949,7 +964,7 @@ ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
</listitem>
<listitem>
<para>
- The <option>-req</option> option tells the command to expect a certificate as an input.
+ The <option>-req</option> option tells the command to expect a certificate request as an input.
</para>
</listitem>
<listitem>
@@ -964,7 +979,12 @@ ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
</listitem>
<listitem>
<para>
- The <option>-CA</option>, <option>-CAkey</option>, <option>-CAserial</option>, and <option>-CAcreateserial</option> options specify different attributes of the CA certificate signing process.
+ The <option>-extensions</option> option specifies the section of the <filename>openssl.cnf</filename> file to add certificate extensions from (in this case, the <parameter>[ v3_ca ]</parameter> section).
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ The <option>-signkey</option> option tells the command to self-sign the input file using the supplied private key.
</para>
</listitem>
</itemizedlist>
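Review bot: the new `-extensions` bullet should warn that `[ v3_ca ]` is the section the stock `openssl.cnf` reserves for CA certificates, so adding `subjectAltName` there and signing with `-extensions v3_ca` changes the system-wide CA profile and produces an LDAP server certificate that also carries whatever CA extensions that section defines; a dedicated section holding only the `subjectAltName` line (for example `[ ldap_san ]`, selected with `-extensions ldap_san`) keeps the server certificate and the CA configuration separate. The `-signkey` bullet should also say where the "supplied private key" comes from, i.e. that `old_cert.pem` must contain the key block in addition to the certificate.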
@@ -972,6 +992,11 @@ ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
For more information on the <application>x509</application> utility and it's parameters, refer to <command>man x509</command>.
</para>
</listitem>
+ <listitem>
+ <para>
+ Lastly, copy the private key block from the <filename>old_cert.pem</filename> file into the new_<filename>cert.pem</filename> file to keep all relevant information in one file.
+ </para>
+ </listitem>
</itemizedlist>
</note>
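Review bot: markup error in the new list item: `new_<filename>cert.pem</filename>` leaves the `new_` prefix outside the element and will render as "new_cert.pem" split across two styles; it should be `<filename>new_cert.pem</filename>`. While touching this region, the context line "the <application>x509</application> utility and it's parameters" should read "its parameters". Since the combined file now holds a private key, the step should also tell the reader to keep the resulting file readable only by the account that runs the LDAP server.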