Went back to the docs again and this resolved that issue:

certutil -A -i /var/tmp/wrlc.org.crt -t "u,u,u" -d /etc/dirsrv/slapd-ldap -n "server-cert"

However, I now get this error:

[19/Oct/2011:10:34:36 -0400] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert server-cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8179 - Peer's Certificate issuer is not recognized.)

I am guessing that there are other certutil commands?

BTW, this all came about because the GUI does not support 2048-bit CSRs.

- Thanks

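The step missing at this point is getting the issuing CA into the same NSS database as server-cert. Error -8179 (SEC_ERROR_UNKNOWN_ISSUER) means NSS found the server cert and its key but cannot chain it to a CA it trusts in /etc/dirsrv/slapd-ldap; the CA certificate, and every intermediate between it and the server cert, has to be imported with CA trust flags ("CT,,"), not the "u,u,u" used for the server's own cert. The script below is an added example written for this thread, not code from the list or from the 389 project. It assumes the database directory from the command above, the nickname server-cert, and a hypothetical CA bundle path /var/tmp/wrlc-ca-chain.pem; the nicknames ca-1, ca-2, ... are also my choice.

```shell
#!/bin/sh
# Added example (not from the thread): import a CA chain into the 389 DS NSS
# database so server-cert validates, then verify it the way the server will.
# Assumed (hypothetical) values: DB dir /etc/dirsrv/slapd-ldap, CA bundle
# /var/tmp/wrlc-ca-chain.pem, server cert nickname "server-cert".

DB="${DB:-/etc/dirsrv/slapd-ldap}"
NICK="${NICK:-server-cert}"

# certutil -t takes three comma-separated fields: SSL, S/MIME, object signing.
# A CA that should vouch for SSL server certs needs "C" (trusted CA for SSL)
# and "T" (trusted to issue client certs) in the first field: "CT,,".
# The server's own cert is marked "u,u,u" (a user cert with a private key).
trust_flags() {
  case "$1" in
    ca)     printf '%s' 'CT,,' ;;
    server) printf '%s' 'u,u,u' ;;
    *)      return 1 ;;
  esac
}

# Split a PEM bundle (root + intermediates) into one file per certificate,
# written as $2/cert-N.pem, and print the count. certutil -A imports a single
# certificate per -i file, so handing it a bundle in one go leaves the
# intermediates out and the "issuer is not recognized" (-8179) error stays.
split_pem_bundle() {
  bundle="$1"; outdir="$2"
  mkdir -p "$outdir"
  awk -v dir="$outdir" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%d.pem", dir, n) }
    f { print > f }
    /-----END CERTIFICATE-----/   { close(f); f = "" }
    END { print n + 0 }
  ' "$bundle"
}

# Import every certificate in the bundle as a trusted CA (nicknames ca-N).
import_ca_chain() {
  bundle="$1"; tmp="${TMPDIR:-/tmp}/ca-split.$$"
  n=$(split_pem_bundle "$bundle" "$tmp")
  i=1
  while [ "$i" -le "$n" ]; do
    certutil -A -d "$DB" -n "ca-$i" -t "$(trust_flags ca)" -i "$tmp/cert-$i.pem"
    i=$((i + 1))
  done
  rm -rf "$tmp"
}

# Verify the server cert as NSS does at startup: -u V selects "SSL server"
# usage, which walks the chain to a trusted CA in this DB and checks validity.
verify_server_cert() {
  certutil -V -d "$DB" -n "$NICK" -u V
}

# Confirm a private key exists for the nickname (the -8174 "bad database" case
# above was the key and cert not being under the expected nickname).
check_private_key() {
  certutil -K -d "$DB" | grep -F -- "$NICK"
}

# Usage: sh import-ca.sh run [/path/to/ca-bundle.pem]
if [ "${1:-}" = "run" ]; then
  import_ca_chain "${2:-/var/tmp/wrlc-ca-chain.pem}"
  check_private_key
  verify_server_cert
  certutil -L -d "$DB"   # review the nicknames and trust flags that resulted
fi
```

After `certutil -V ... -u V` reports the certificate as valid, restart the instance and the -8179 alert should be gone; `certutil -L -d /etc/dirsrv/slapd-ldap` should then list the CA entries with "CT,," and server-cert with "u,u,u". `certutil -K` asks for the token password unless one is supplied with `-f`. The wildcard CN has no bearing on this error: the issuer check is done by the server against its own database, and hostname matching is only done by clients.
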
From: 389-users-bounces@lists.fedoraproject.org [mailto:389-users-bounces@lists.fedoraproject.org] On Behalf Of Chris Cawley
Sent: Wednesday, October 19, 2011 10:24 AM
To: Rich Megginson; General discussion list for the 389 Directory server project.
Subject: Re: [389-users] SSL Question

Thanks, I am now getting the same error as one of the earlier posts:

http://osdir.com/ml/linux.redhat.fedora.directory.user/2006-08/msg00161.html

[19/Oct/2011:10:23:44 -0400] - SSL alert: Security Initialization: Can't find certificate (server-cert) for family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)

[19/Oct/2011:10:23:44 -0400] - SSL alert: Security Initialization: Unable to retrieve private key for cert server-cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)

[19/Oct/2011:10:23:44 -0400] - SSL failure: None of the cipher are valid

[19/Oct/2011:10:23:44 -0400] - ERROR: SSL Initialization phase 2 Failed.

I am trying to use a wildcard for the cert.

However, I did not see the answer.

- Thanks

- Chris

From: Rich Megginson [mailto:rmeggins@redhat.com]
Sent: Wednesday, October 19, 2011 9:09 AM
To: General discussion list for the 389 Directory server project.
Cc: Chris Cawley
Subject: Re: [389-users] SSL Question

On 10/19/2011 06:59 AM, Chris Cawley wrote:

When I look in the console/manage cert/etc.

See http://directory.fedoraproject.org/wiki/Howto:SSL#Viewing_the_list_of_built-in_CA_certs

Chris

From: 389-users-bounces@lists.fedoraproject.org [mailto:389-users-bounces@lists.fedoraproject.org] On Behalf Of Gerhardus Geldenhuis
Sent: Wednesday, October 19, 2011 8:58 AM
To: General discussion list for the 389 Directory server project.
Subject: Re: [389-users] SSL Question

When do you get that? When you start 389ds or when you run certutil scripts?

Regards

2011/10/19 Chris Cawley <cawley@wrlc.org>

Sorry, the error that I get is

“Broken Certificate Chain”

- Chris

From: 389-users-bounces@lists.fedoraproject.org [mailto:389-users-bounces@lists.fedoraproject.org] On Behalf Of Gerhardus Geldenhuis
Sent: Wednesday, October 19, 2011 8:49 AM
To: General discussion list for the 389 Directory server project.
Subject: Re: [389-users] SSL Question

Hi Chris,

Not seen that before; could you detail the steps you have taken thus far to get to the point you are at now.

Regards

2011/10/19 Chris Cawley <cawley@wrlc.org>

Hello –

We are in the process of setting up SSL on 389 DS; however, it appears that the CA cert db is empty. The builtin tokens are not even loaded. Any ideas why?

- Thanks

Chris Cawley

System Administrator

Washington Research Library Consortium

301-390-2049

cawley@wrlc.org


--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users


--
Gerhardus Geldenhuis



--
Gerhardus Geldenhuis