Old 05-07-2012, 06:12 PM
Addison Laurent
 
Default How to change certificate options using 389-console ?

I'm trying to add a new server, and will need to use SSL, of course.
But all the instructions tell how to generate a self-signed CA, but
we've got real signed certs on the other servers, and so I'm trying to
generate a CSR for the new one.


Generating one from the 389-console is only giving me a 1024-bit key,
and 2048 is required.


I see that running the cert request from the command line is not the
preferred option, but how else can I change the parameters for the cert
request?


Thanks,
Addison


--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
 
Old 05-07-2012, 06:15 PM
Addison Laurent
 
Default How to change certificate options using 389-console ?

[root@ds4 admin-serv]# rpm -qa |grep 389
389-ds-console-1.2.6-1.el6.noarch
389-adminutil-1.1.15-1.el6.x86_64
389-console-1.1.7-1.el6.noarch
389-dsgw-1.1.9-1.el6.x86_64
389-admin-1.1.29-1.el6.x86_64
389-admin-console-doc-1.1.8-1.el6.noarch
389-ds-base-1.2.10.7-1.el6.x86_64
389-ds-console-doc-1.2.6-1.el6.noarch
389-ds-base-libs-1.2.10.7-1.el6.x86_64
389-ds-1.2.2-1.el6.noarch
389-admin-console-1.1.8-1.el6.noarch

Running on RH 6.2.

On Mon, 2012-05-07 at 14:12 -0400, Addison Laurent wrote:
> I'm trying to add a new server, and will need to use SSL, of course.
> But all the instructions tell how to generate a self-signed CA, but
> we've got real signed certs on the other servers, and so I'm trying to
> generate a CSR for the new one.
>
>
> Generating one from the 389-console is only giving me a 1024-bit key,
> and 2048 is required.
>
>
> I see that running the cert request from the command line is not the
> preferred option, but how else can I change the parameters for the cert
> request?
>
>
> Thanks,
> Addison
>
>
> --
> 389 users mailing list
> 389-users@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users


--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
 
Old 05-07-2012, 06:26 PM
"Groten, Ryan"
 
Default How to change certificate options using 389-console ?

Never knew command line is frowned upon. I used command line to generate my cert requests as well since the gui can't do things like SAN. Haven't had any issues generating my certreqs that way. Once the certificate comes back I use the gui to import.

-----Original Message-----
From: 389-users-bounces@lists.fedoraproject.org [mailto:389-users-bounces@lists.fedoraproject.org] On Behalf Of Addison Laurent
Sent: Monday, May 07, 2012 12:13 PM
To: 389-users@lists.fedoraproject.org
Subject: [389-users] How to change certificate options using 389-console ?

I'm trying to add a new server, and will need to use SSL, of course.
But all the instructions tell how to generate a self-signed CA, but we've got real signed certs on the other servers, and so I'm trying to generate a CSR for the new one.


Generating one from the 389-console is only giving me a 1024-bit key, and 2048 is required.


I see that running the cert request from the command line is not the preferred option, but how else can I change the parameters for the cert request?


Thanks,
Addison


--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

This communication, including any attached documentation, is intended only for the person or entity to which it is addressed, and may contain confidential, personal and/or privileged information. Any unauthorized disclosure, copying, or taking action on the contents is strictly prohibited. If you have received this message in error, please contact us immediately so we may correct our records. Please then delete or destroy the original transmission and any subsequent reply.
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
 
Old 05-07-2012, 10:02 PM
Addison Laurent
 
Default How to change certificate options using 389-console ?

Now I can't find the old posting from 389-users from 2009, IIRC, where
Rich said "Don't do that".

But I'm trying it command line now - thanks a bunch, Ryan - and we'll
see.

But as far as I can tell, the 389-console is only going to try and
generate a 1024 bit key, and that's no longer acceptable to Verisign and
others - we can't get a key with less than 2048 bits now.

Is this configurable? It seems it should be?

Thanks,
Addison


On Mon, 2012-05-07 at 12:26 -0600, Groten, Ryan wrote:
> Never knew command line is frowned upon. I used command line to generate my cert requests as well since the gui can't do things like SAN. Haven't had any issues generating my certreqs that way. Once the certificate comes back I use the gui to import.
>
> -----Original Message-----
> From: 389-users-bounces@lists.fedoraproject.org [mailto:389-users-bounces@lists.fedoraproject.org] On Behalf Of Addison Laurent
> Sent: Monday, May 07, 2012 12:13 PM
> To: 389-users@lists.fedoraproject.org
> Subject: [389-users] How to change certificate options using 389-console ?
>
> I'm trying to add a new server, and will need to use SSL, of course.
> But all the instructions tell how to generate a self-signed CA, but we've got real signed certs on the other servers, and so I'm trying to generate a CSR for the new one.
>
>
> Generating one from the 389-console is only giving me a 1024-bit key, and 2048 is required.
>
>
> I see that running the cert request from the command line is not the preferred option, but how else can I change the parameters for the cert request?
>
>
> Thanks,
> Addison
>
>
> --
> 389 users mailing list
> 389-users@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
>
> This communication, including any attached documentation, is intended only for the person or entity to which it is addressed, and may contain confidential, personal and/or privileged information. Any unauthorized disclosure, copying, or taking action on the contents is strictly prohibited. If you have received this message in error, please contact us immediately so we may correct our records. Please then delete or destroy the original transmission and any subsequent reply.
> --
> 389 users mailing list
> 389-users@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users


--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
 
Old 05-08-2012, 03:50 AM
 
Default How to change certificate options using 389-console ?

> Hie
>
> On Mon, May 7, 2012 at 11:42 PM, Addison Laurent
> <alaurent@cise.ufl.edu>wrote:
>> Generating one from the 389-console is only giving me a 1024-bit key,
>> and 2048 is required.
>>
>> In order to generate a 2048-bit ASCII certificate request, certain
> options must be specified as seen in the example below:
>
> # certutil -R -d /database/directory/ -s
> "cn=myhost.example.com,dc=myorg,dc=com" -a -g 2048

Right. So 389-console cannot generate the keys that are required today
for non-self-signed?

In researching this, I found where Rich had replied to a prior poster a
year or so ago not to use the command line (but I might have been missing
some required context.)

If the case is that 389-console cannot be used to get CSRs that are
non-self-signable, then I think that's problematic.

Thanks,
Addison


--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
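The thread's fix is to request the key from the command line (`certutil -R -d /database/directory/ -s "cn=myhost.example.com,dc=myorg,dc=com" -a -g 2048`) because the console silently produces a 1024-bit key the CA will refuse. As an added example (not from the thread, 389 DS or NSS), here is a small offline check that reads the ASCII (`-a`) CSR `certutil` writes and reports the RSA modulus length, so a 1024-bit request is caught before it is submitted. The parser walks the PKCS#10 DER by hand and needs no third-party modules; `csr_rsa_key_bits`, `csr_meets_minimum` and the `build_unsigned_csr_pem` fixture are names of my own, and the fixture is a constructed CSR-shaped blob with a dummy modulus and empty signature used only to exercise the parser, not a valid request.

```python
"""Check the RSA key size carried in a PKCS#10 CSR before it goes to the CA.
Hypothetical helper written for this thread; not part of 389 DS or NSS."""
import base64
import re

RSA_ENCRYPTION_OID = "1.2.840.113549.1.1.1"


def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Split the body of a constructed element into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        out.append((tag, val))
    return out


def _decode_oid(raw):
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def pem_to_der(pem):
    body = re.sub(r"-----(BEGIN|END)[^-]*-----", "", pem)
    return base64.b64decode("".join(body.split()))


def csr_rsa_key_bits(pem):
    """Return the RSA modulus length in bits of a PEM CSR; ValueError if not RSA."""
    tag, cert_req, _ = _read_tlv(pem_to_der(pem), 0)        # CertificationRequest
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    cri = _children(cert_req)[0][1]                           # CertificationRequestInfo
    _version, _subject, spki = _children(cri)[:3]             # ..., SubjectPublicKeyInfo
    alg, pubkey = _children(spki[1])
    oid = _decode_oid(_children(alg[1])[0][1])
    if oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an RSA key: " + oid)
    rsa_pub = pubkey[1][1:]                   # BIT STRING: skip the unused-bits byte
    modulus = _children(_read_tlv(rsa_pub, 0)[1])[0][1]       # RSAPublicKey.modulus
    return int.from_bytes(modulus, "big").bit_length()


def csr_meets_minimum(pem, minimum=2048):
    """True when the request carries at least `minimum` RSA bits (the CA's floor)."""
    return csr_rsa_key_bits(pem) >= minimum


# --- constructed fixture for offline testing: NOT a valid CSR ---------------

def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _der_int(value):
    raw = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    return _tlv(0x02, b"\x00" + raw if raw[0] & 0x80 else raw)


def _der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        body += bytes(chunk)
    return _tlv(0x06, body)


def build_unsigned_csr_pem(modulus_bits):
    """CSR-shaped DER with a dummy modulus and an empty signature, shaped like
    `certutil -R -a` output. No real key material; a CA would reject it."""
    modulus = (1 << (modulus_bits - 1)) | 1             # exactly modulus_bits long
    rsa_pub = _tlv(0x30, _der_int(modulus) + _der_int(65537))
    alg_rsa = _tlv(0x30, _der_oid(RSA_ENCRYPTION_OID) + b"\x05\x00")
    spki = _tlv(0x30, alg_rsa + _tlv(0x03, b"\x00" + rsa_pub))
    cn = _tlv(0x31, _tlv(0x30, _der_oid("2.5.4.3") + _tlv(0x0C, b"myhost.example.com")))
    cri = _tlv(0x30, _der_int(0) + _tlv(0x30, cn) + spki + _tlv(0xA0, b""))
    sig_alg = _tlv(0x30, _der_oid("1.2.840.113549.1.1.11") + b"\x05\x00")
    b64 = base64.b64encode(_tlv(0x30, cri + sig_alg + _tlv(0x03, b"\x00"))).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN NEW CERTIFICATE REQUEST-----\n%s\n-----END NEW CERTIFICATE REQUEST-----\n" % body
```

In practice you would pass the contents of the `-o` file (or the ASCII block `certutil -R -a` prints) to `csr_rsa_key_bits` and refuse to submit anything under the CA's floor; the fixture exists only so the parser can be exercised without a key database.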
 
Old 05-08-2012, 11:50 AM
 
Default How to change certificate options using 389-console ?

> On Tue, May 8, 2012 at 9:20 AM, <alaurent@cise.ufl.edu> wrote:
>> > On Mon, May 7, 2012 at 11:42 PM, Addison Laurent
>> > <alaurent@cise.ufl.edu>wrote:
>> >> Generating one from the 389-console is only giving me a 1024-bit key,
>> >> and 2048 is required.
>> >>
>> >> In order to generate a 2048-bit ASCII certificate request, certain
>> > options must be specified as seen in the example below:
>> >
>> > # certutil -R -d /database/directory/ -s
>> > "cn=myhost.example.com,dc=myorg,dc=com" -a -g 2048
>>
>> Right. So 389-console cannot generate the keys that are required today
>> for non-self-signed?
>>
>>
> It can, but you can't give the key size in console; it will stick to the
> default 1024.

Then it cannot.
Or is there a way to change that? Is that a default (implying there are
other values), or hard-coded?

If it's hard-coded, I think we need to call that a "bug" in today's world,
if we can't use 389 Console as per the documentation to generate the CSR.

Or at least change the hard-coding to a worldly-usable number.

Thanks,
Addison


--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
 
Old 05-08-2012, 01:06 PM
Rich Megginson
 
Default How to change certificate options using 389-console ?

On 05/08/2012 05:50 AM, alaurent@cise.ufl.edu wrote:
>> On Tue, May 8, 2012 at 9:20 AM,<alaurent@cise.ufl.edu> wrote:
>>>> On Mon, May 7, 2012 at 11:42 PM, Addison Laurent
>>>> <alaurent@cise.ufl.edu>wrote:
>>>>> Generating one from the 389-console is only giving me a 1024-bit key,
>>>>> and 2048 is required.
>>>>>
>>>> In order to generate a 2048-bit ASCII certificate request, certain
>>>> options must be specified as seen in the example below:
>>>>
>>>> # certutil -R -d /database/directory/ -s
>>>> "cn=myhost.example.com,dc=myorg,dc=com" -a -g 2048
>>>
>>> Right. So 389-console cannot generate the keys that are required today
>>> for non-self-signed?
>>>
>> It can, but you can't give the key size in console; it will stick to the
>> default 1024.
>
> Then it cannot.
> Or is there a way to change that? Is that a default (implying there are
> other values), or hard-coded?
>
> If it's hard-coded, I think we need to call that a "bug" in today's world,
> if we can't use 389 Console as per the documentation to generate the CSR.

Sure. Please file a ticket at https://fedorahosted.org/389

> Or at least change the hard-coding to a worldly-usable number.
>
> Thanks,
> Addison
>
> --
> 389 users mailing list
> 389-users@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users


--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
 
