Linux Archive - Want to change the hostname of my 389-box. Is there an easy way to fix the cert?

Linux Archive (http://www.linux-archive.org/)

- Fedora Directory (http://www.linux-archive.org/fedora-directory/)

- - Want to change the hostname of my 389-box. Is there an easy way to fix the cert? (http://www.linux-archive.org/fedora-directory/705014-want-change-hostname-my-389-box-there-easy-way-fix-cert.html)

Want to change the hostname of my 389-box. Is there an easy way to fix the cert?

Hi,

I am running a 389 box with TLS enabled. Now I would like to change the
hostname, which would render the current certificate invalid. Is there
an easy way to create a new certificate with the new hostname?

Cheers,
Ray

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

Want to change the hostname of my 389-box. Is there an easy way to fix the cert?

I guess you used script on fedora site to create certs? I am not sure about CA cert. This may require changing too becuse it may have your old fqdn in cn field. Base on this it seems that easiest way may be using th script again.

Greg.

18 wrz 2012 11:09, "Ray" <ray@renegade.zapto.org> napisał(a):
Hi,

I am running a 389 box with TLS enabled. Now I would like to change the hostname, which would render the current certificate invalid. Is there an easy way to create a new certificate with the new hostname?

Cheers,

Ray

--

389 users mailing list

389-users@lists.fedoraproject.org

https://admin.fedoraproject.org/mailman/listinfo/389-users
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

Want to change the hostname of my 389-box. Is there an easy way to fix the cert?

If you have toruble with the script, try this:

1. Produce the new DS server certificate:

certutil -S -n "DS_Server_cert_label"
-s "cn=myhost.myorg.example.com” -c “AC_cert_label”
-t “u,u,u” -m 1001 -v 120 -d . -k rsa -f
/etc/dirsrv/slapd-myhost/pwdfile.txt

2. Export it to p12 format:

pk12util -d . -o directoryserver.p12 -n “DS_Server_cert_label"
-w /etc/dirsrv/slapd-myhost/pwdfile.txt -k
/etc/dirsrv/slapd-myhost/pwdfile.txt

3. Produce the new Admin server certificate:

certutil -S -n "Admin_Server_cert_label"
-s "cn=myhost.myorg.example.com,ou=389 Administration Server” -c
“AC_cert_label” -t “u,u,u” -m 1002 -v 120 -d /etc/dirsrv/slapd-myhost -k
rsa -f /etc/dirsrv/slapd-myhost/pwdfile.txt

4. Export it to p12 format:

pk12util -d . -o adminserver.p12 -n “Admin_Server_cert_label"
-w /etc/dirsrv/slapd-myhost/pwdfile.txt -k
/etc/dirsrv/slapd-myhost/pwdfile.txt

5. Import into Admin server database:

pk12util -d . -i /etc/dirsrv/admin-serv/adminserver.p12 -n
“Admin_Server_cert_label" -w /etc/dirsrv/slapd-myhost/pwdfile.txt -k
/etc/dirsrv/slapd-myhost/pwdfile.txt

6. Now import DS cert into Admin server's database

pk12util -d . -i /etc/dirsrv/admin-serv/adminserver.p12 -n
“Admin_Server_cert_label" -w /etc/dirsrv/slapd-myhost/pwdfile.txt -k
/etc/dirsrv/slapd-myhost/pwdfile.txt

7. In "Manage certificates" window, replace the old DS cert by the new one.

Hope this helps,

Alberto

Ray wrote:

Hi,

I am running a 389 box with TLS enabled. Now I would like to change the
hostname, which would render the current certificate invalid. Is there
an easy way to create a new certificate with the new hostname?

Cheers,
Ray

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

Want to change the hostname of my 389-box. Is there an easy way to fix the cert?

Hi Alberto,

thanks for the instructions. I have two more questions:

1) The labels DS_Server_cert_label and Admin_Server_cert_label are
completely my choice, right?

2) How about the AC_cert_label though? Where does that come from?

Cheers,
Ray

Am 18.09.2012 11:56, schrieb Alberto Suárez:

If you have toruble with the script, try this:

1. Produce the new DS server certificate:

certutil -S -n "DS_Server_cert_label"
-s "cn=myhost.myorg.example.com” -c “AC_cert_label”
-t “u,u,u” -m 1001 -v 120 -d . -k rsa -f
/etc/dirsrv/slapd-myhost/pwdfile.txt

2. Export it to p12 format:

pk12util -d . -o directoryserver.p12 -n “DS_Server_cert_label"
-w /etc/dirsrv/slapd-myhost/pwdfile.txt -k
/etc/dirsrv/slapd-myhost/pwdfile.txt

3. Produce the new Admin server certificate:

certutil -S -n "Admin_Server_cert_label"
-s "cn=myhost.myorg.example.com,ou=389 Administration Server” -c
“AC_cert_label” -t “u,u,u” -m 1002 -v 120 -d /etc/dirsrv/slapd-myhost
-k rsa -f /etc/dirsrv/slapd-myhost/pwdfile.txt

4. Export it to p12 format:

pk12util -d . -o adminserver.p12 -n “Admin_Server_cert_label"
-w /etc/dirsrv/slapd-myhost/pwdfile.txt -k
/etc/dirsrv/slapd-myhost/pwdfile.txt

5. Import into Admin server database:

pk12util -d . -i /etc/dirsrv/admin-serv/adminserver.p12 -n
“Admin_Server_cert_label" -w /etc/dirsrv/slapd-myhost/pwdfile.txt -k
/etc/dirsrv/slapd-myhost/pwdfile.txt

6. Now import DS cert into Admin server's database

pk12util -d . -i /etc/dirsrv/admin-serv/adminserver.p12 -n
“Admin_Server_cert_label" -w /etc/dirsrv/slapd-myhost/pwdfile.txt -k
/etc/dirsrv/slapd-myhost/pwdfile.txt

7. In "Manage certificates" window, replace the old DS cert by the
new one.

Hope this helps,

Alberto

Ray wrote:

Hi,

I am running a 389 box with TLS enabled. Now I would like to change
the
hostname, which would render the current certificate invalid. Is
there

an easy way to create a new certificate with the new hostname?

Cheers,
Ray

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

Want to change the hostname of my 389-box. Is there an easy way to fix the cert?

Hi Ray,

Ys, those are strings you choose to name the certificates. I should have
written "CA_cert_label" instead of "AC_cert_label", sorry about that...

All those lables are chosen by you when generating each certificate. If
you followed the setupssl2.sh script, it should be "CA certificate" for
the CA (see line 114 in
https://github.com/richm/scripts/blob/master/setupssl2.sh). If you
generated with certutil yourself, it should be the string used after
"-n". If you are generating new certs for DS and Admin server you could
use the string you wish (in the script "Server-Cert" is used for DS, see
line 131, and "server-cert" for Admin server, see line 137).

Alberto

Ray wrote:

Hi Alberto,

thanks for the instructions. I have two more questions:

1) The labels DS_Server_cert_label and Admin_Server_cert_label are
completely my choice, right?

2) How about the AC_cert_label though? Where does that come from?

Cheers,
Ray

Am 18.09.2012 11:56, schrieb Alberto Suárez:

If you have toruble with the script, try this:

1. Produce the new DS server certificate:

certutil -S -n "DS_Server_cert_label"
-s "cn=myhost.myorg.example.com” -c “AC_cert_label”
-t “u,u,u” -m 1001 -v 120 -d . -k rsa -f
/etc/dirsrv/slapd-myhost/pwdfile.txt

2. Export it to p12 format:

pk12util -d . -o directoryserver.p12 -n “DS_Server_cert_label"
-w /etc/dirsrv/slapd-myhost/pwdfile.txt -k
/etc/dirsrv/slapd-myhost/pwdfile.txt

3. Produce the new Admin server certificate:

certutil -S -n "Admin_Server_cert_label"
-s "cn=myhost.myorg.example.com,ou=389 Administration Server” -c
“AC_cert_label” -t “u,u,u” -m 1002 -v 120 -d /etc/dirsrv/slapd-myhost
-k rsa -f /etc/dirsrv/slapd-myhost/pwdfile.txt

4. Export it to p12 format:

pk12util -d . -o adminserver.p12 -n “Admin_Server_cert_label"
-w /etc/dirsrv/slapd-myhost/pwdfile.txt -k
/etc/dirsrv/slapd-myhost/pwdfile.txt

5. Import into Admin server database:

pk12util -d . -i /etc/dirsrv/admin-serv/adminserver.p12 -n
“Admin_Server_cert_label" -w /etc/dirsrv/slapd-myhost/pwdfile.txt -k
/etc/dirsrv/slapd-myhost/pwdfile.txt

6. Now import DS cert into Admin server's database

pk12util -d . -i /etc/dirsrv/admin-serv/adminserver.p12 -n
“Admin_Server_cert_label" -w /etc/dirsrv/slapd-myhost/pwdfile.txt -k
/etc/dirsrv/slapd-myhost/pwdfile.txt

7. In "Manage certificates" window, replace the old DS cert by the new
one.

Hope this helps,

Alberto

Ray wrote:

Hi,

I am running a 389 box with TLS enabled. Now I would like to change the
hostname, which would render the current certificate invalid. Is there
an easy way to create a new certificate with the new hostname?

Cheers,
Ray

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

.

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

Want to change the hostname of my 389-box. Is there an easy way to fix the cert?

Hi Alberto & 389ers,

I've put this issue on the side for three weeks, now I have holidays
and want to get to it…

There are still dome open questions:

1) The -d . option: Where is "."? I ran the commands below with
.=/etc/dirsrv/slapd-<mydirsrvname>

When I do that, steps 5 and 6 fail, because
/etc/dirsrv/admin-serv/adminserver.p12 does not exist. So I simply left
the P12 files in /etc/dirsrv/slapd-<mydirsrvname> and switched
directories with "cd ../admin-serv" and imported there like this:

pk12util -d . -i /etc/dirsrv/slapd-<mydirsrvname>/Admin_Server.p12 -n
"Admin_Server_cert_label" -w
/etc/dirsrv/slapd-<mydirsrvname>/pwdfile.txt -k
/etc/dirsrv/slapd-<mydirsrvname>/pwdfile.txt (Admin server)

and

pk12util -d . -i /etc/dirsrv/slapd-<mydirsrvname>/DS_Server.p12 -n
"DS_Server_cert_label" -w /etc/dirsrv/slapd-<mydirsrvname>/pwdfile.txt
-k /etc/dirsrv/slapd-<mydirsrvname>/pwdfile.txt

(Could it be that Step 6 below is wrong?: You're simply importing the
admin cert again instead of the DS cert)

That appears to have worked. But: were my assumptions with switching
"." correct?

2) Where do I find the certificate that I need to distribute to all my
client machines? Or do I first need to generate it resp. extract it? If
so: how would I do that?

Sorry if I'm appear a bit picky here but dealing with certificates is
like open heart surgery for me. I'm far away from being as relaxed as
you certificate expert superheros ;)

Cheers,
Ray

Am 19.09.2012 10:34, schrieb Alberto Suárez:

Hi Ray,

Ys, those are strings you choose to name the certificates. I should
have written "CA_cert_label" instead of "AC_cert_label", sorry about
that...

All those lables are chosen by you when generating each certificate.
If you followed the setupssl2.sh script, it should be "CA
certificate"

for the CA (see line 114 in
https://github.com/richm/scripts/blob/master/setupssl2.sh). If you
generated with certutil yourself, it should be the string used after
"-n". If you are generating new certs for DS and Admin server you
could use the string you wish (in the script "Server-Cert" is used
for

DS, see line 131, and "server-cert" for Admin server, see line 137).

Alberto

Ray wrote:

Hi Alberto,

thanks for the instructions. I have two more questions:

1) The labels DS_Server_cert_label and Admin_Server_cert_label are
completely my choice, right?

2) How about the AC_cert_label though? Where does that come from?

Cheers,
Ray

Am 18.09.2012 11:56, schrieb Alberto Suárez:

If you have toruble with the script, try this:

1. Produce the new DS server certificate:

certutil -S -n "DS_Server_cert_label"
-s "cn=myhost.myorg.example.com” -c “AC_cert_label”
-t “u,u,u” -m 1001 -v 120 -d . -k rsa -f
/etc/dirsrv/slapd-myhost/pwdfile.txt

2. Export it to p12 format:

pk12util -d . -o directoryserver.p12 -n “DS_Server_cert_label"
-w /etc/dirsrv/slapd-myhost/pwdfile.txt -k
/etc/dirsrv/slapd-myhost/pwdfile.txt

3. Produce the new Admin server certificate:

certutil -S -n "Admin_Server_cert_label"
-s "cn=myhost.myorg.example.com,ou=389 Administration Server” -c
“AC_cert_label” -t “u,u,u” -m 1002 -v 120 -d
/etc/dirsrv/slapd-myhost

-k rsa -f /etc/dirsrv/slapd-myhost/pwdfile.txt

4. Export it to p12 format:

pk12util -d . -o adminserver.p12 -n “Admin_Server_cert_label"
-w /etc/dirsrv/slapd-myhost/pwdfile.txt -k
/etc/dirsrv/slapd-myhost/pwdfile.txt

5. Import into Admin server database:

pk12util -d . -i /etc/dirsrv/admin-serv/adminserver.p12 -n
“Admin_Server_cert_label" -w /etc/dirsrv/slapd-myhost/pwdfile.txt
-k

/etc/dirsrv/slapd-myhost/pwdfile.txt

6. Now import DS cert into Admin server's database

pk12util -d . -i /etc/dirsrv/admin-serv/adminserver.p12 -n
“Admin_Server_cert_label" -w /etc/dirsrv/slapd-myhost/pwdfile.txt
-k

/etc/dirsrv/slapd-myhost/pwdfile.txt

7. In "Manage certificates" window, replace the old DS cert by the
new

one.

Hope this helps,

Alberto

Ray wrote:

Hi,

I am running a 389 box with TLS enabled. Now I would like to
change the
hostname, which would render the current certificate invalid. Is
there

an easy way to create a new certificate with the new hostname?

Cheers,
Ray

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

.

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

Want to change the hostname of my 389-box. Is there an easy way to fix the cert?

Hi! Please, excuse me for confusing you. I'll try to give you the right
instructions now.

For details about using certutil, please see
http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html.
For details about using pk12util, please see
http://www.mozilla.org/projects/security/pki/nss/tools/pk12util.html

These should be the right steps:

1.Produce the new DS server certificate:

certutil -S -n "DS_Server_cert_label" -s "cn=myhost.myorg.example.com”
-c “CA_cert_label” -t “u,u,u” -m 1001 -v 120

-d /etc/dirsrv/slapd-myhost -k rsa
-f /etc/dirsrv/slapd-myhost/pwdfile.txt

2. Export it to p12 format:

pk12util -d /etc/dirsrv/slapd-myhost
-o /etc/dirsrv/slapd-myhost/directoryserver.p12
-n “DS_Server_cert_label"
-w /etc/dirsrv/slapd-myhost/pwdfile.txt
-k /etc/dirsrv/slapd-myhost/pwdfile.txt

3. Produce the new Admin server certificate:

certutil -S -n "Admin_Server_cert_label"
-s "cn=myhost.myorg.example.com,ou=389 Administration Server”
-c “CA_cert_label” -t “u,u,u” -m 1002 -v 120 -d /etc/dirsrv/slapd-myhost
-k rsa -f /etc/dirsrv/slapd-myhost/pwdfile.txt

Note that the Admin Server's certificate is stored in the Directory
Server's certs database (/etc/dirsrv/slapd-myhost/cert8.db)

4. Export it to p12 format:

pk12util -d /etc/dirsrv/slapd-myhost
-o /etc/dirsrv/admin-serv/adminserver.p12 -n “Admin_Server_cert_label"
-w /etc/dirsrv/slapd-myhost/pwdfile.txt
-k /etc/dirsrv/slapd-myhost/pwdfile.txt

5. Import into Admin server database:

pk12util -d /etc/dirsrv/admin-serv
-i /etc/dirsrv/admin-serv/adminserver.p12 -n “Admin_Server_cert_label"
-w /etc/dirsrv/slapd-myhost/pwdfile.txt
-k /etc/dirsrv/slapd-myhost/pwdfile.txt

6. Now import DS cert into Admin server's database:

pk12util -d /etc/dirsrv/admin-serv -i
/etc/dirsrv/slapd-myhost/directoryserver.p12 -n “DS_Server_cert_label"

-w /etc/dirsrv/slapd-myhost/pwdfile.txt
-k /etc/dirsrv/slapd-myhost/pwdfile.txt

I did not need to distribute any cert (in my case i am using 389 as a
backend to samba, both sitting on the same machine). I think that the
protocol takes care of whatever is needed. If using start_tls, the
connection is first established over a non secured channel and then
negotiations start in order to change to a secured one.

Cheers,

Alberto

Ray wrote:

Hi Alberto & 389ers,

I've put this issue on the side for three weeks, now I have holidays and
want to get to it…

There are still dome open questions:

1) The -d . option: Where is "."? I ran the commands below with
.=/etc/dirsrv/slapd-<mydirsrvname>

"-d" stands for the path to the directory containing the certificate and
key database files (cert8.db and key3.db). You should replace "." for
whatever that path is in your environment. The substitution you have
done seems correct.

When I do that, steps 5 and 6 fail, because
/etc/dirsrv/admin-serv/adminserver.p12 does not exist. So I simply left
the P12 files in /etc/dirsrv/slapd-<mydirsrvname> and switched
directories with "cd ../admin-serv" and imported there like this:

pk12util -d . -i /etc/dirsrv/slapd-<mydirsrvname>/Admin_Server.p12 -n
"Admin_Server_cert_label" -w
/etc/dirsrv/slapd-<mydirsrvname>/pwdfile.txt -k
/etc/dirsrv/slapd-<mydirsrvname>/pwdfile.txt (Admin server)

and

pk12util -d . -i /etc/dirsrv/slapd-<mydirsrvname>/DS_Server.p12 -n
"DS_Server_cert_label" -w /etc/dirsrv/slapd-<mydirsrvname>/pwdfile.txt
-k /etc/dirsrv/slapd-<mydirsrvname>/pwdfile.txt

(Could it be that Step 6 below is wrong?: You're simply importing the
admin cert again instead of the DS cert)

Adminserver.p12 and

That appears to have worked. But: were my assumptions with switching "."
correct?

2) Where do I find the certificate that I need to distribute to all my
client machines? Or do I first need to generate it resp. extract it? If
so: how would I do that?

Sorry if I'm appear a bit picky here but dealing with certificates is
like open heart surgery for me. I'm far away from being as relaxed as
you certificate expert superheros ;)

Cheers,
Ray

Am 19.09.2012 10:34, schrieb Alberto Suárez:

Hi Ray,

Ys, those are strings you choose to name the certificates. I should
have written "CA_cert_label" instead of "AC_cert_label", sorry about
that...

All those lables are chosen by you when generating each certificate.
If you followed the setupssl2.sh script, it should be "CA certificate"
for the CA (see line 114 in
https://github.com/richm/scripts/blob/master/setupssl2.sh). If you
generated with certutil yourself, it should be the string used after
"-n". If you are generating new certs for DS and Admin server you
could use the string you wish (in the script "Server-Cert" is used for
DS, see line 131, and "server-cert" for Admin server, see line 137).

Alberto

Ray wrote:

Hi Alberto,

thanks for the instructions. I have two more questions:

1) The labels DS_Server_cert_label and Admin_Server_cert_label are
completely my choice, right?

2) How about the AC_cert_label though? Where does that come from?

Cheers,
Ray

Am 18.09.2012 11:56, schrieb Alberto Suárez:

If you have toruble with the script, try this:

1. Produce the new DS server certificate:

certutil -S -n "DS_Server_cert_label"
-s "cn=myhost.myorg.example.com” -c “AC_cert_label”
-t “u,u,u” -m 1001 -v 120 -d . -k rsa -f
/etc/dirsrv/slapd-myhost/pwdfile.txt

2. Export it to p12 format:

pk12util -d . -o directoryserver.p12 -n “DS_Server_cert_label"
-w /etc/dirsrv/slapd-myhost/pwdfile.txt -k
/etc/dirsrv/slapd-myhost/pwdfile.txt

3. Produce the new Admin server certificate:

certutil -S -n "Admin_Server_cert_label"
-s "cn=myhost.myorg.example.com,ou=389 Administration Server” -c
“AC_cert_label” -t “u,u,u” -m 1002 -v 120 -d /etc/dirsrv/slapd-myhost
-k rsa -f /etc/dirsrv/slapd-myhost/pwdfile.txt

4. Export it to p12 format:

pk12util -d . -o adminserver.p12 -n “Admin_Server_cert_label"
-w /etc/dirsrv/slapd-myhost/pwdfile.txt -k
/etc/dirsrv/slapd-myhost/pwdfile.txt

5. Import into Admin server database:

pk12util -d . -i /etc/dirsrv/admin-serv/adminserver.p12 -n
“Admin_Server_cert_label" -w /etc/dirsrv/slapd-myhost/pwdfile.txt -k
/etc/dirsrv/slapd-myhost/pwdfile.txt

6. Now import DS cert into Admin server's database

pk12util -d . -i /etc/dirsrv/admin-serv/adminserver.p12 -n
“Admin_Server_cert_label" -w /etc/dirsrv/slapd-myhost/pwdfile.txt -k
/etc/dirsrv/slapd-myhost/pwdfile.txt

7. In "Manage certificates" window, replace the old DS cert by the new
one.

Hope this helps,

Alberto

Ray wrote:

Hi,

I am running a 389 box with TLS enabled. Now I would like to change
the
hostname, which would render the current certificate invalid. Is there
an easy way to create a new certificate with the new hostname?

Cheers,
Ray

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

.

.

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users