Old 01-26-2011, 12:08 AM
Tim Weichel
 
Default HOW TO INSTALL NEW INTERMEDIATE CA CERTIFICATES ON 389 DS

All,

I have installed 389 servers and am in the process of requesting new 4-year SSL certificates for my servers. To do so, VeriSign is only accepting 2048-bit and higher CSRs, and only for 3-year certificates.
No problem: I manually created a new CSR with 2048 bits using openssl, received my new cert from VeriSign and have installed it successfully.

Now that I have the new cert installed, SSL configured and my pin.txt file in place, I find that upon start-up of the directory service the certificate will not properly verify and the startup fails.

Based on the VeriSign advisory AD220 (https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AD220) it appears that I need to update the directory server's VeriSign intermediate certificates in order to properly validate my new 2048-bit cert upon startup.
My new certificate also came with the following notice: In order for your VeriSign SSL Certificate to function properly, NEW Primary and Secondary VeriSign Intermediate CA Certificates must be installed.

So has anyone actually updated or installed the new primary and secondary intermediate CA certificates?
The usual methods, the certutil command and the Management Console wizard, have both failed to install the intermediate CA bundle provided by VeriSign.
Also, I am not running Apache; I only have the 389 Management Console serving web for the servers.

Thanks, I appreciate your assistance. Love the list server, you guys ROCK! ... Tim

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
 
Old 01-26-2011, 12:10 AM
Rich Megginson
 
Default HOW TO INSTALL NEW INTERMEDIATE CA CERTIFICATES ON 389 DS

On 01/25/2011 06:08 PM, Tim Weichel wrote:

> So has anyone actually updated or installed the new primary and secondary intermediate CA certificates.
> The usual methods of certutil command and the Management Console wizard have all failed to install the provided intermediate CA bundle provided by VeriSign.

What exactly did you try and how exactly did it fail? Please provide the exact certutil command line arguments.

> Also I am not running Apache, I only have the 389 Management Console serving web for the servers.
 
Old 01-26-2011, 04:50 PM
Tim Weichel
 
Default HOW TO INSTALL NEW INTERMEDIATE CA CERTIFICATES ON 389 DS

I have successfully installed the intermediate CA certificates into the cert database and am no longer having an issue.
The ldap server is up and running with SSL now.

To summarize my issues and resolution:

The first issue I found was that I was not utilizing the proper intermediate certificates from VeriSign; this is based on the flavor of certificates you own.
Please be sure you are utilizing the correct intermediate certs from your CA. This can be confusing, and since LDAP servers are not the main consumers of certificates they are not really listed; mostly guidance for WWW servers is provided. Here are the certs I had to utilize:
http://www.verisign.com/support/verisign-intermediate-ca/secure-site-intermediate/index.html
I was using the bundled certificates and not the individual Primary and Secondary certs.
But even after that change I was still having issues installing the certificates; here is an example error:

[root@ldap1 slapd-ldap1]# certutil -A -n VeriSign_Intermediate -t "CT,," -i /etc/dirsrv/slapd-ldap1/intermediate.crt -d /etc/dirsrv/slapd-ldap1
certutil: could not obtain certificate from file: security library: improperly formatted DER-encoded message.

The second issue is that I suspected that I needed to recreate the database (cert8.db); I assumed it must have been corrupted in some manner.

[root@ldap1 slapd-ldap1]# certutil -N -d /etc/dirsrv/slapd-ldap1

Once I recreated the database I was able to successfully reinstall all of the certs with no issues using the following commands:

[root@ldap1 slapd-ldap1]# pk12util -i /etc/dirsrv/slapd-ldap1/ldap1cert.p12 -d .
[root@ldap1 slapd-ldap1]# certutil -A -n VeriSign_Intermediate -t "CT,," -i /etc/dirsrv/slapd-ldap1/intermediate.crt -d /etc/dirsrv/slapd-ldap1
[root@ldap1 slapd-ldap1]# certutil -A -n VeriSign_Secondary -t "CT,," -i /etc/dirsrv/slapd-ldap1/secondary.crt -d /etc/dirsrv/slapd-ldap1

The ldap server now starts with no certificate issues and binds over port 636. Hooray!!

Appreciate the response and anyone else who was contemplating my issue.
I hope this helps someone else avoid making the same mistake I did ... Tim
 
Old 01-26-2011, 06:26 PM
Rich Megginson
 
Default HOW TO INSTALL NEW INTERMEDIATE CA CERTIFICATES ON 389 DS

On 01/26/2011 10:50 AM, Tim Weichel wrote:

> Here is the certs I has to utilize.
> http://www.verisign.com/support/verisign-intermediate-ca/secure-site-intermediate/index.html
> I was using the bundled certificates and not the individual Primary and Secondary certs individually.
> But even after that change I was still having issues installing the certificates, here is an example error:
>
> [root@ldap1 slapd-ldap1]# certutil -A -n VeriSign_Intermediate -t "CT,," -i /etc/dirsrv/slapd-ldap1/intermediate.crt -d /etc/dirsrv/slapd-ldap1
> certutil: could not obtain certificate from file: security library: improperly formatted DER-encoded message.

Give the -a flag - -a means the cert is ascii, not binary DER. Looking at the web site above, the certificates encoded with -----BEGIN CERTIFICATE----- are ascii encoded DER. The ascii format is the same as PEM.

> The Second issue is that I suspected that I needed to recreate the database (cert8.db), I assumed it must have been corrupted in some manner.

This is a different issue than the issue above?

> [root@ldap1 slapd-ldap1]# certutil -N -d /etc/dirsrv/slapd-ldap1
>
> Once I recreated the database I was able to successfully reinstall all of the certs with no issues using the following commands:
>
> [root@ldap1 slapd-ldap1]# pk12util -i /etc/dirsrv/slapd-ldap1/ldap1cert.p12 -d .
> [root@ldap1 slapd-ldap1]# certutil -A -n VeriSign_Intermediate -t "CT,," -i /etc/dirsrv/slapd-ldap1/intermediate.crt -d /etc/dirsrv/slapd-ldap1
> [root@ldap1 slapd-ldap1]# certutil -A -n VeriSign_Secondary -t "CT,," -i /etc/dirsrv/slapd-ldap1/secondary.crt -d /etc/dirsrv/slapd-ldap1

Very strange. I would not expect it to work if the .crt files are ascii encoded, without using the -a flag, unless certutil has some sort of automatic detection.

> The ldap server now starts with no certificate issues and binds over port 636. Hooray!!
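The two pitfalls in this thread, feeding certutil a PEM ("-----BEGIN CERTIFICATE-----") file without -a and feeding it a whole CA bundle instead of the individual Primary and Secondary certs, worked through as an added shell example that is not code from the thread or from the 389 project. It checks a file's format, splits a bundle into single certs, and prints the certutil -A line that matches; the nicknames, the /etc/dirsrv/slapd-ldap1 path and the sample files are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: tell PEM ("-----BEGIN CERTIFICATE-----",
# which certutil needs -a for) from binary DER (first byte 0x30, an ASN.1 SEQUENCE),
# split a CA bundle into the single certs certutil -A imports one at a time, and
# print the matching import command. DB path and nicknames mirror the thread.

cert_format() {
    # Prints "pem", "der" or "unknown" for the file named in $1.
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        echo pem
    elif [ "$(head -c 1 "$1" | od -An -tx1 | tr -d ' \n')" = "30" ]; then
        echo der
    else
        echo unknown
    fi
}

split_pem_bundle() {
    # Writes each cert in bundle $1 to $2/cert-N.pem and prints the count.
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
        out != ""                     { print > (out) }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
        END                           { print n + 0 }' "$1"
}

certutil_add_cmd() {
    # $1 = cert file, $2 = nickname, $3 = NSS DB dir; prints the certutil -A line.
    case "$(cert_format "$1")" in
        pem) echo "certutil -A -a -n $2 -t \"CT,,\" -i $1 -d $3" ;;
        der) echo "certutil -A -n $2 -t \"CT,,\" -i $1 -d $3" ;;
        *)   echo "unknown certificate format: $1" >&2; return 1 ;;
    esac
}

# Constructed sample input (not real VeriSign certificates): a two-cert PEM
# bundle and a file that starts with a DER SEQUENCE tag.
work=$(mktemp -d)
printf -- '-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n' > "$work/bundle.crt"
printf -- '-----BEGIN CERTIFICATE-----\nBBBB\n-----END CERTIFICATE-----\n' >> "$work/bundle.crt"
printf '\060\202\001\004' > "$work/root.der"

count=$(split_pem_bundle "$work/bundle.crt" "$work")
echo "bundle split into $count certs"
certutil_add_cmd "$work/cert-1.pem" VeriSign_Intermediate /etc/dirsrv/slapd-ldap1
certutil_add_cmd "$work/cert-2.pem" VeriSign_Secondary /etc/dirsrv/slapd-ldap1
certutil_add_cmd "$work/root.der" VeriSign_Root /etc/dirsrv/slapd-ldap1
```

After importing, `certutil -V -n <server-cert-nickname> -u V -d /etc/dirsrv/slapd-ldap1` checks that the server cert now chains to a trusted root before you restart the directory server.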
 
