[389-users] Re: dsconf-adding pkcs12 cert to 398ds/1.4.3.12 fails : "could not decode certificate: SEC_ERROR_INPUT_LEN: security library has experienced an input length error." ?

[Mark Reynolds]

On 8/27/20 2:18 PM, PGNet Dev wrote:
I'm no expert but it looks to me like it is expecting a certificate, not
a PKCS#12 file. The man page isn't exactly clear on what types are
acceptable but based on the certutil error it looks like it only accepts
PEM files. It isn't at all clear to me how one passes in the private key
or a chain of trust.
this
        
https://directory.fedoraproject.org/docs/389ds/howto/howto-ssl-archive.html#importing-an-existing-self-sign-keycert-or-3rd-party-cacert

This is the old "archived" link - it is definitely outdated. Here's a 
newer one:

https://www.port389.org/docs/389ds/howto/howto-ssl.html

Or better yet check out the official docs which tells you how to use 
dsconf and set all of this up:

https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/administration_guide/managing_the_nss_database_used_by_directory_server

HTH,
Mark



flops back-n-forth 'tween 'pk12util' & 'certutil usage, and manages to 
completely avoid any mention of dsconf (which appears to use certutil), so ...

... i'll join the confusion!

that said, it _seems_ clear that the .p12 _is_ needed, since there's no other 
key input mechanism.

it'd certainly be easier it dsconf simply allowed spec'n of

        ca_cert
        cert
        key

in pem formats without the p12 'hoops' ...

_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org

--

389 Directory Server Development Team
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org