05-08-2012, 12:56 AM
Arpit Tolani
 
How to change certificate options using 389-console?

Hie

On Mon, May 7, 2012 at 11:42 PM, Addison Laurent <alaurent@cise.ufl.edu> wrote:

> I'm trying to add a new server, and will need to use SSL, of course.
> But all the instructions tell how to generate a self-signed CA, but
> we've got real signed certs on the other servers, and so I'm trying to
> generate a CSR for the new one.
>
> Generating one from the 389-console is only giving me a 1024-bit key,
> and 2048 is required.
>
> I see that running the cert request from the command line is not the
> preferred option, but how else can I change the parameters for the cert
> request?


In order to generate a 2048-bit ASCII certificate request, certain options must be specified as seen in the example below:

# certutil -R -d /database/directory/ -s "cn=myhost.example.com,dc=myorg,dc=com" -a -g 2048

Where:

-R - Specifies that a certificate request file be generated
-d - Specifies the database directory
-s - Specifies the subject
-a - Specifies the use of ASCII format
-g - Specifies the key size


After successful creation, the request can be sent to the certificate authority for signing.

Arpit Tolani


--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
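
Added example, not part of the original posts: a wrapper around the certutil command from the reply above that writes the request to a file and confirms the key size before the request goes to the certificate authority. The function names, `MIN_BITS`, the `-o` output file and the `openssl req` check are assumptions added here; the other certutil options are the ones shown in the post.

```shell
#!/bin/sh
# Generate a CSR from an NSS database with an explicit key size, then confirm
# the size from the request itself before it is submitted to the CA.
# Usage (script name and output file are hypothetical):
#   sh make_csr.sh /database/directory/ "cn=myhost.example.com,dc=myorg,dc=com" myhost.csr

MIN_BITS=2048   # key size required in this thread

# Read `openssl req -noout -text` output on stdin and print the key size in bits.
# Matches "Public-Key: (2048 bit)" as well as the older "RSA Public Key: (...)" form.
csr_key_bits() {
    sed -n 's/.*Public[- ]Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Succeed only when a key size was found and it meets the minimum.
key_size_ok() {
    [ -n "$1" ] && [ "$1" -ge "$MIN_BITS" ]
}

# $1 = NSS database directory, $2 = subject DN, $3 = output file.
# certutil may prompt for the database password and for key seed input.
make_csr() {
    db=$1
    subject=$2
    out=$3
    certutil -R -d "$db" -s "$subject" -a -g "$MIN_BITS" -o "$out" || return 1
    bits=$(openssl req -in "$out" -noout -text | csr_key_bits)
    if key_size_ok "$bits"; then
        echo "OK: $out carries a $bits-bit key"
    else
        echo "REJECT: $out carries a ${bits:-unknown}-bit key, need $MIN_BITS" >&2
        return 1
    fi
}

# Run only when called with the three arguments described above.
if [ "$#" -eq 3 ]; then
    make_csr "$1" "$2" "$3"
fi
```

The same `csr_key_bits` check can be pointed at a request exported from 389-console to confirm what key size it actually produced.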
 
05-08-2012, 10:16 AM
Arpit Tolani
 
How to change certificate options using 389-console?

Hie

On Tue, May 8, 2012 at 9:20 AM, <alaurent@cise.ufl.edu> wrote:

> > Hie
> >
> > On Mon, May 7, 2012 at 11:42 PM, Addison Laurent <alaurent@cise.ufl.edu> wrote:
> >> Generating one from the 389-console is only giving me a 1024-bit key,
> >> and 2048 is required.
> >
> > In order to generate a 2048-bit ASCII certificate request, certain
> > options must be specified as seen in the example below:
> >
> > # certutil -R -d /database/directory/ -s "cn=myhost.example.com,dc=myorg,dc=com" -a -g 2048
>
> Right. So 389-console cannot generate the keys that are required today
> for non-self-signed?

It can, but you can't give the key size in console. It will stick to default 1024.

> In researching this, I found where Rich had replied to a prior poster a
> year or so ago not to use the command line (but I might have been missing
> some required context.)
>
> If the case is that 389-console cannot be used to get CSRs that are
> non-self-signable, then I think that's problematic.
>
> Thanks,
> Addison





Regards
Arpit Tolani

 
