James Chavez wrote:
Thank you for the reply. OK, so the Root CA is self-signed on the Directory server box.
The setupSSL script already exported the cacert.asc file, I believe.
So my next step is to import it on each client that I want to use
TLS:simple on, if I am understanding.
Yes.

So I believe on each client I need to use certutil to create a cert
database with ...
certutil -N -d <directory> -f /passfile

Does it matter where I create this?
Yes.
The details are specific to the client OS and its bundled SSL and LDAP libraries.
For Solaris, you're on the right track with certutil.
This Sun forum thread may be helpful:
http://forums.sun.com/thread.jspa?threadID=5330016

For Linux, check your distribution's documentation.

If you're using a RedHat variant, tls_cacertfile in /etc/ldap.conf is probably 
what you'll be most interested in.


After this I just import the cacert.asc, is that accurate?

Thank you
James

On Thu, 2008-12-04 at 11:49 -0800, George Holbert wrote:
But what about creating a client certificate for each of my
Linux and Solaris clients?
If all you want is TLS with simple auth, you don't need these.
Each client just needs to trust the CA which signed your directory server's certificate; sounds like you're already on top of this part.


James Chavez wrote:
Hello,

I am having a bit of difficulty creating SSL client certificates for my
Solaris boxes or client boxes in general.

What I am trying to accomplish is to use TLS with simple authentication,
I believe. I want to log into my Solaris boxes authenticating to FDS but
have it done over a secure TLS/SSL connection so the passwords cannot be
intercepted. I successfully created the root CA certificate and Server
cert on the FDS box using the beautiful setupSSL script.

However I am new to SSL and I am having a difficult time understanding
what needs to be done on the client side machines to get SSL working
correctly. I know I need to import and trust the Root CA certificate on
each client. But what about creating a client certificate for each of my
Linux and Solaris clients? Can the client certificates be created and
exported on the server that I created the Root CA cert on? And from
there can I just import them into the clients? I have read the NSS tools
links regarding PKI and SSL but I am still having a bit of difficulty.

On the FDS wiki documentation site there are some good links but I am
not sure how to go about this to use TLS:simple authentication.

Thank you
James
CONFIDENTIALITY
This e-mail message and any attachments thereto, is intended only for use by 
the addressee(s) named herein and may contain legally privileged and/or 
confidential information. If you are not the intended recipient of this e-mail 
message, you are hereby notified that any dissemination, distribution or 
copying of this e-mail message, and any attachments thereto, is strictly 
prohibited.  If you have received this e-mail message in error, please 
immediately notify the sender and permanently delete the original and any 
copies of this email and any prints thereof.
ABSENT AN EXPRESS STATEMENT TO THE CONTRARY HEREINABOVE, THIS E-MAIL IS NOT 
INTENDED AS A SUBSTITUTE FOR A WRITING.  Notwithstanding the Uniform Electronic 
Transactions Act or the applicability of any other law of similar substance and 
effect, absent an express statement to the contrary hereinabove, this e-mail 
message its contents, and any attachments hereto are not intended to represent 
an offer or acceptance to enter into a contract and are not otherwise intended 
to bind the sender, Sanmina-SCI Corporation (or any of its subsidiaries), or 
any other person or entity.

--
Fedora-directory-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/fedora-directory-users





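As an added check (example code, not from this thread or from the FDS project), the script below does by hand what the client's LDAP library does once tls_cacertfile or the NSS database is set up: it sends the LDAP StartTLS extended operation and then completes a TLS handshake that trusts only the CA exported by setupSSL, so a successful run proves the server's certificate chains to cacert.asc (assumed to be PEM) and a CertificateError reproduces what a misconfigured client would see. The host name is a placeholder.

```python
import socket
import ssl

# Added example, not from the thread: hand-rolled LDAP StartTLS (RFC 4511) followed
# by a certificate check against the directory server's CA. cacert.asc is assumed PEM.
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # StartTLS extended operation OID

def ber_tlv(tag, payload):
    """Encode one BER TLV; payloads here are < 128 bytes, so short-form length suffices."""
    assert len(payload) < 128, "short-form length only"
    return bytes([tag, len(payload)]) + payload

def read_tlv(buf, pos=0):
    """Decode one BER TLV at buf[pos]; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def build_starttls_request(message_id=1):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }."""
    ext_req = ber_tlv(0x77, ber_tlv(0x80, STARTTLS_OID))   # 0x77 = APPLICATION 23, constructed
    return ber_tlv(0x30, ber_tlv(0x02, bytes([message_id])) + ext_req)

def parse_result_code(response):
    """Return resultCode from an ExtendedResponse ([APPLICATION 24], tag 0x78); 0 is success."""
    tag, msg, _ = read_tlv(response)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = read_tlv(msg)                           # skip messageID
    tag, ext, _ = read_tlv(msg, pos)
    if tag != 0x78:
        raise ValueError("not an ExtendedResponse")
    tag, code, _ = read_tlv(ext)                        # resultCode ENUMERATED comes first
    if tag != 0x0A:
        raise ValueError("missing resultCode")
    return int.from_bytes(code, "big")

def starttls_check(host, cafile="cacert.asc", port=389, timeout=10):
    """Negotiate StartTLS, then verify the server chains to the CA in cafile and matches host."""
    ctx = ssl.create_default_context(cafile=cafile)     # trust only the directory server's CA
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_starttls_request())
        code = parse_result_code(sock.recv(4096))
        if code != 0:
            raise RuntimeError(f"server refused StartTLS, resultCode={code}")
        with ctx.wrap_socket(sock, server_hostname=host) as tls:   # raises on bad chain or name
            return tls.version(), tls.getpeercert()["subject"]
```

Run it as `starttls_check("fds.example.com", "/path/to/cacert.asc")` (placeholder host); a clean return means TLS:simple will work with that CA file, while an ssl.SSLError or CertificateError points at the trust store, not the LDAP configuration.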