03-02-2011, 03:00 AM
Christopher Wood

advice on ssl cert rotation

You can use certutil to manually modify the cert stores. If you installed via rpm this will already be on your systems.

Not at my work systems so I don't recall which package it's in.

On Tue, Mar 01, 2011 at 07:27:53PM -0800, jon heise wrote:
> Recently I had SSL certs expire on my directory servers. Currently I have
> one running without using an SSL cert; the secondary server is still set
> to use the old cert and as such it is not functioning. On the primary
> server the admin server has been set to use a new self-signed cert but we
> are locked out of that. Is there a way to change what cert the LDAP
> server will load without the use of the admin server?

> --
> 389 users mailing list
> 389-users@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
 
03-02-2011, 03:47 AM
Rob Crittenden

advice on ssl cert rotation

Christopher Wood wrote:
> You can use certutil to manually modify the cert stores. If you installed via rpm this will already be on your systems.
>
> Not at my work systems so I don't recall which package it's in.

nss-tools.

Do you already have the new certificate? If you have it in PKCS#12
format then you can use pk12util to load it into the appropriate NSS
database (I'm not sure where the admin server db is, you should be able
to find it in the admin server configuration).

If you have an updated certificate in the 389-ds NSS database under a
different nickname and you just need to tell it to use the new one you
can edit /etc/dirsrv/slapd-INSTANCE/dse.ldif and tell it the nickname to
use. Look for nsSSLPersonalitySSL

rob

 
03-02-2011, 08:10 AM
Gerrard Geldenhuis

advice on ssl cert rotation

I use the following command.

certutil -A -n 'certname' -t 'u,,' -d . -i certfile.pem

If you change the cert database it has been my experience that you need to restart the admin or dir server, depending on which db you changed, as the changes don't get re-read after startup.

Regards


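The procedure Rob and Gerrard describe, as one added shell script that is not from this thread or from the 389 project: import the new certificate into the instance's NSS database (pk12util for a PKCS#12 bundle; certutil -A for a PEM cert whose private key is already in key3.db, which is the only case certutil -A covers, since it never imports a key), check that the nickname is valid for SSL server use, switch nsSSLPersonalitySSL in dse.ldif while the instance is stopped, and start it again. The instance name, the NSS database under /etc/dirsrv/slapd-INSTANCE, the new nickname, the .p12 path and the 2011-era "service dirsrv" init script are assumptions. dse.ldif is edited only with ns-slapd stopped because the server writes that file back on shutdown, which would undo a live edit; the rewrite keeps the file's owner and mode so the dirsrv user can still read it.

```shell
#!/bin/sh
# Added example, not code from the thread or the 389 project.
# Assumptions: instance "example", NSS db in /etc/dirsrv/slapd-example,
# the new cert+key delivered as a .p12 file, new nickname "Server-Cert-2011",
# and the 2011-era 'service dirsrv' init script.
set -eu

INSTANCE="${INSTANCE:-example}"                    # assumed instance name
DBDIR="${DBDIR:-/etc/dirsrv/slapd-$INSTANCE}"      # holds cert8.db, key3.db, pin.txt
DSE="${DSE:-$DBDIR/dse.ldif}"
NICK="${NICK:-Server-Cert-2011}"                   # assumed new nickname

# Import a PKCS#12 bundle (certificate plus private key) into the NSS db.
# $1 = .p12 file. Add '-k keydb-password-file' if key3.db is password-protected.
import_p12() {
    pk12util -i "$1" -d "$DBDIR"
}

# Import a PEM certificate whose private key is already in key3.db (e.g. the
# CSR was generated in this db with 'certutil -R'). 'u,,' marks it as a
# user/server cert. certutil -A never imports a key; without a matching key
# the cert cannot serve TLS, so use import_p12 for a cert+key pair.
import_pem() {   # $1 = nickname, $2 = PEM file
    certutil -A -n "$1" -t 'u,,' -d "$DBDIR" -i "$2"
}

# Fail before touching the server config if the nickname is expired,
# untrusted or key-less: -u V checks validity for SSL server use.
verify_nick() {  # $1 = nickname
    certutil -V -u V -n "$1" -d "$DBDIR"
}

# Point dse.ldif at a new nickname. $1 = dse.ldif path, $2 = nickname.
# Keeps a .bak copy and prints the resulting line; returns 1 if the
# attribute is absent. Run only with the instance stopped: ns-slapd writes
# dse.ldif back on shutdown and would overwrite a live edit. The edited
# content is copied back into the original file so owner and mode survive.
set_personality() {
    if ! grep -q '^nsSSLPersonalitySSL:' "$1"; then
        echo "nsSSLPersonalitySSL not found in $1" >&2
        return 1
    fi
    cp -p "$1" "$1.bak"
    awk -v nick="$2" \
        '/^nsSSLPersonalitySSL:/ { $0 = "nsSSLPersonalitySSL: " nick } { print }' \
        "$1" > "$1.tmp"
    cat "$1.tmp" > "$1" && rm -f "$1.tmp"
    grep '^nsSSLPersonalitySSL:' "$1"
}

# Full rotation on one directory server. $1 = .p12 file.
rotate_cert() {
    import_p12 "$1"
    verify_nick "$NICK"
    service dirsrv stop "$INSTANCE"
    set_personality "$DSE" "$NICK"
    service dirsrv start "$INSTANCE"
    # Confirm what the listener now presents (assumes LDAPS on 636 and openssl).
    openssl s_client -connect localhost:636 </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -enddate
}

if [ "${1:-}" = "--run" ]; then
    rotate_cert "${2:?usage: $0 --run new-server.p12}"
fi
```

Run it as "sh rotate-cert.sh --run /path/to/new-server.p12" on each directory server, the non-functioning secondary included; nothing here goes through the admin server. The admin server has its own NSS database (assumed to be /etc/dirsrv/admin-serv/) and its own config for the nickname, so only the import functions carry over to it, and, as Gerrard notes, it has to be restarted after its database changes.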
 