[389-users] Re: SSL on console

Thu, 22 Aug 2019 10:14:27 -0700 

So I finally got it to take by doing the following:
[root@hypersouth ~]# openssl pkcs12 -export -out hypersouth-net.p12 -inkey /etc/pki/tls/private/hypersouth_auth-2019.key -in /etc/pki/tls/certs/hypersouth.aasteel.net.pem -certfile /etc/pki/ca-trust/source/anchors/RapidSSLCA.crt 
Enter pass phrase for /etc/pki/tls/private/hypersouth_auth-2019.key:
Enter Export Password:
Verifying - Enter Export Password:

[root@hypersouth ~]# ls
anaconda-ks.cfg  hypersouth-net.p12 SSL
[root@hypersouth ~]# certutil -A -n hypersouthCert -i /etc/pki/tls/certs/hypersouth.aasteel.net.pem -t "TCu,Cu,Tuw" -d /etc/dirsrv/slapd-hypersouth/ 
Notice: Trust flag u is set automatically if the private key is present.
[root@hypersouth ~]# certutil -A -n RapidSSLCA -i /etc/pki/ca-trust/source/anchors/RapidSSLCA.crt -t "TCu,Cu,Tuw" -d /etc/dirsrv/slapd-hypersouth/ 
Notice: Trust flag u is set automatically if the private key is present.
[root@hypersouth ~]# pk12util -i hypersouth-net.p12 -d /etc/dirsrv/slapd-hypersouth/ 
Enter Password or Pin for "NSS Certificate DB":
Enter password for PKCS12 file:
pk12util: PKCS12 IMPORT SUCCESSFUL


Fernando Fuentes
Supervisor & Senior Systems Administrator
Email: ffuen...@aasteel.com
American Alloy Steel, Inc. 
Houston, Texas
Website: http://www.aasteel.com
Phone: 713-744-4222 
Fax:   713-300-5688

On 8/22/19 11:25 AM, Fernando Fuentes wrote:

I caught my mistake and corrected but now I get:
[root@hypersouth SSL]# pk12util -i hypersouth-net.p12 -d /etc/dirsrv/slapd-hypersouth/ -W password 
Enter Password or Pin for "NSS Certificate DB":
pk12util: PKCS12 decode not verified: SEC_ERROR_BAD_PASSWORD: The security password entered is incorrect. pk12util: PKCS12 decode validate bags failed: SEC_ERROR_INVALID_ARGS: security library: invalid arguments. 
[root@hypersouth SSL]#

Fernando Fuentes
Supervisor & Senior Systems Administrator
Email: ffuen...@aasteel.com

American Alloy Steel, Inc.
Houston, Texas
Website: http://www.aasteel.com

Phone: 713-744-4222
Fax:   713-300-5688

On 8/22/19 11:13 AM, Fernando Fuentes wrote:

Marc,

Here is what I get:
[root@hypersouth SSL]# pk12util -i hypersouth-net.p12 /etc/dirsrv/slapd-hypersouth/ -W password pk12util: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format. 
[root@hypersouth SSL]#

Regards,

Fernando Fuentes
Supervisor & Senior Systems Administrator
Email: ffuen...@aasteel.com

American Alloy Steel, Inc.
Houston, Texas
Website: http://www.aasteel.com

Phone: 713-744-4222
Fax:   713-300-5688

On 8/22/19 2:31 AM, Marc Muehlfeld wrote:

Hi Fernando,

On 8/22/19 5:21 AM, Fernando Fuentes wrote:

Is there a how to for this procedure?


## Convert to PKCS#12:
# openssl pkcs12 -export -out demo.p12 -inkey pki/private/demo.example.com.key -in pki/issued/demo.example.com.crt 
Enter pass phrase for pki/private/demo.example.com.key:
Enter Export Password:
Verifying - Enter Export Password:

# Import to DS NSS DB:
# pk12util -i demo.p12 -d /etc/dirsrv/slapd-instance_name/ -W password
Enter Password or Pin for "NSS Certificate DB":
pk12util: no nickname for cert in PKCS12 file.
pk12util: using nickname: demo.example.com
pk12util: PKCS12 IMPORT SUCCESSFUL


## Display the imported cert:
# certutil -d /etc/dirsrv/slapd-instance_name/ -L

Certificate Nickname Trust Attributes

SSL,S/MIME,JAR/XPI

demo.example.com u,u,u


## Display the imported private key:
# certutil -d /etc/dirsrv/slapd-instance_name/ -K
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services" 
Enter Password or Pin for "NSS Certificate DB":
< 0> rsa      ec30598b2107c71dd69494d51d7de6ef0e57ffbe demo.example.com
Please let me know if it works, and DS does not complain about it when you use the key/cert. 


Regards,
Marc




_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ 
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org 
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ 
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org 
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org

Reply via email to