[deployment-guide: 127/185] rewrote olist to procedure ;)
Jaromir Hradilek
jhradile at fedoraproject.org
Sun May 15 21:21:52 UTC 2011
commit d52d9c9feb83e98e177ed550b380898beb635277
Author: Martin Prpic <mprpic at redhat.com>
Date: Wed Mar 16 18:41:34 2011 +0100
rewrote olist to procedure ;)
en-US/SSSD.xml | 20 ++++++++++----------
1 files changed, 10 insertions(+), 10 deletions(-)
---
diff --git a/en-US/SSSD.xml b/en-US/SSSD.xml
index 4b8345e..632d845 100644
--- a/en-US/SSSD.xml
+++ b/en-US/SSSD.xml
@@ -932,8 +932,8 @@ ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
<para>If you wish to use an IP address in the <option>ldap_uri</option> option instead of the server name, for example, if <systemitem class="protocol">GSSAPI</systemitem> is used to avoid time consuming <systemitem class="protocol">DNS</systemitem> lookups, the <systemitem class="protocol">TSL</systemitem>/<systemitem class="protocol">SSL</systemitem> setup might fail. This is due to the fact that <systemitem class="protocol">TSL</systemitem>/<systemitem class="protocol">SSL</systemitem> certificates contain the server name only. However, a special field in the certificate, called <emphasis>Subject Alternative Name</emphasis> (<option>subjectAltName</option>), can be used to additionally set the IP address of the server.</para>
<para>The following steps show how to create a certificate with a Subject Alternative Name being the IP address of your server:</para>
- <orderedlist>
- <listitem>
+ <procedure>
+ <step>
<para>
Using your command line, execute the following command to convert an existing certificate (previously signed by the <parameter>key.pem</parameter> key) into a certificate request:
</para>
@@ -942,8 +942,8 @@ ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
Alternatively, if you are using a self-signed certificate(for example, one created by the Fedora OpenLDAP package in <filename>/etc/pki/tls/certs/slapd.pem</filename>), execute the following command:
</para>
<screen>openssl x509 -x509toreq -in old_cert.pem -out req.pem -signkey old_cert.pem</screen>
- </listitem>
- <listitem>
+ </step>
+ <step>
<para>
Edit your <filename>/etc/pki/tls/openssl.cnf</filename> configuration file to include the following line under the
<parameter>[ v3_ca ]</parameter> section:
@@ -952,8 +952,8 @@ ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
<para>
Replace the IP address with one of your choice.
</para>
- </listitem>
- <listitem>
+ </step>
+ <step>
<para>
By executing the following command, use the previously generated certificate request to generate a new self-signed certificate that will contain your desired IP address:
</para>
@@ -996,13 +996,13 @@ ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
<para>
For more information on the <application>x509</application> utility and its parameters, refer to <command>man x509</command>.
</para>
- </listitem>
- <listitem>
+ </step>
+ <step>
<para>
Lastly, copy the private key block from the <filename>old_cert.pem</filename> file into the <filename>new_cert.pem</filename> file to keep all relevant information in one file.
</para>
- </listitem>
- </orderedlist>
+ </step>
+ </procedure>
<para>
When creating a certificate through the <application>certutil</application> utility provided by the <package>nss-utils</package> package, note that <application>certutil</application> supports <systemitem class="protocol">DNS</systemitem> subject alternative names for certificate creation only.
</para>
More information about the docs-commits
mailing list