Hi Ray,
Ys, those are strings you choose to name the certificates. I should have
written "CA_cert_label" instead of "AC_cert_label", sorry about that...
All those lables are chosen by you when generating each certificate. If
you followed the setupssl2.sh script, it should be "CA certificate" for
the CA (see line 114 in
https://github.com/richm/scripts/blob/master/setupssl2.sh). If you
generated with certutil yourself, it should be the string used after
"-n". If you are generating new certs for DS and Admin server you could
use the string you wish (in the script "Server-Cert" is used for DS, see
line 131, and "server-cert" for Admin server, see line 137).
Alberto
Ray wrote:
Hi Alberto,
thanks for the instructions. I have two more questions:
1) The labels DS_Server_cert_label and Admin_Server_cert_label are
completely my choice, right?
2) How about the AC_cert_label though? Where does that come from?
Cheers,
Ray
Am 18.09.2012 11:56, schrieb Alberto Suárez:
If you have toruble with the script, try this:
1. Produce the new DS server certificate:
certutil -S -n "DS_Server_cert_label"
-s "cn=myhost.myorg.example.com” -c “AC_cert_label”
-t “u,u,u” -m 1001 -v 120 -d . -k rsa -f
/etc/dirsrv/slapd-myhost/pwdfile.txt
2. Export it to p12 format:
pk12util -d . -o directoryserver.p12 -n “DS_Server_cert_label"
-w /etc/dirsrv/slapd-myhost/pwdfile.txt -k
/etc/dirsrv/slapd-myhost/pwdfile.txt
3. Produce the new Admin server certificate:
certutil -S -n "Admin_Server_cert_label"
-s "cn=myhost.myorg.example.com,ou=389 Administration Server” -c
“AC_cert_label” -t “u,u,u” -m 1002 -v 120 -d /etc/dirsrv/slapd-myhost
-k rsa -f /etc/dirsrv/slapd-myhost/pwdfile.txt
4. Export it to p12 format:
pk12util -d . -o adminserver.p12 -n “Admin_Server_cert_label"
-w /etc/dirsrv/slapd-myhost/pwdfile.txt -k
/etc/dirsrv/slapd-myhost/pwdfile.txt
5. Import into Admin server database:
pk12util -d . -i /etc/dirsrv/admin-serv/adminserver.p12 -n
“Admin_Server_cert_label" -w /etc/dirsrv/slapd-myhost/pwdfile.txt -k
/etc/dirsrv/slapd-myhost/pwdfile.txt
6. Now import DS cert into Admin server's database
pk12util -d . -i /etc/dirsrv/admin-serv/adminserver.p12 -n
“Admin_Server_cert_label" -w /etc/dirsrv/slapd-myhost/pwdfile.txt -k
/etc/dirsrv/slapd-myhost/pwdfile.txt
7. In "Manage certificates" window, replace the old DS cert by the new
one.
Hope this helps,
Alberto
Ray wrote:
Hi,
I am running a 389 box with TLS enabled. Now I would like to change the
hostname, which would render the current certificate invalid. Is there
an easy way to create a new certificate with the new hostname?
Cheers,
Ray
--
389 users mailing list
[email protected]
https://admin.fedoraproject.org/mailman/listinfo/389-users
.
--
389 users mailing list
[email protected]
https://admin.fedoraproject.org/mailman/listinfo/389-users
