On 01/26/2011 10:50 AM, Tim Weichel wrote:
I have successfully installed the intermediate CA certificates into
the cert database and am no longer having an issue.
The ldap server is up and running with SSL now.
To summarize my issues and resolution:
The first issue I found was that I was not utilizing the proper
intermediate certificates from VeriSign; this is based on the flavor
of certificates you own.
Please be sure you are utilizing the correct intermediate certs from
your CA. This can be confusing, since LDAP servers are not the main
consumers of certificates and they are not really listed; mostly
guidance for WWW servers is provided. Here are the certs I had to utilize.
http://www.verisign.com/support/verisign-intermediate-ca/secure-site-inte...
I was using the bundled certificates and not the individual Primary
and Secondary certs.
But even after that change I was still having issues installing the
certificates; here is an example error:
[root@ldap1 slapd-ldap1]# certutil -A -n VeriSign_Intermediate -t "CT,," -i /etc/dirsrv/slapd-ldap1/intermediate.crt -d /etc/dirsrv/slapd-ldap1
certutil: could not obtain certificate from file: security library: improperly formatted DER-encoded message.
Give the -a flag - -a means the cert is ASCII, not binary DER. Looking
at the web site above, the certificates encoded with -----BEGIN
CERTIFICATE----- are ASCII-encoded DER. The ASCII format is the same as
PEM.
The second issue is that I suspected I needed to recreate the
database (cert8.db); I assumed it must have been corrupted in some manner.
This is a different issue than the issue above?
[root@ldap1 slapd-ldap1]# certutil -N -d /etc/dirsrv/slapd-ldap1
Once I recreated the database I was able to successfully reinstall all
of the certs with no issues using the following commands:
[root@ldap1 slapd-ldap1]# pk12util -i /etc/dirsrv/slapd-ldap1/ldap1cert.p12 -d .
[root@ldap1 slapd-ldap1]# certutil -A -n VeriSign_Intermediate -t "CT,," -i /etc/dirsrv/slapd-ldap1/intermediate.crt -d /etc/dirsrv/slapd-ldap1
[root@ldap1 slapd-ldap1]# certutil -A -n VeriSign_Secondary -t "CT,," -i /etc/dirsrv/slapd-ldap1/secondary.crt -d /etc/dirsrv/slapd-ldap1
Very strange. I would not expect it to work if the .crt files are ascii
encoded, without using the -a flag, unless the certutil has some sort of
automatic detection.
The ldap server now starts with no certificate issues and binds over
port 636. Hooray!!
Appreciate the response and anyone else who was contemplating my issue.
I hope this helps someone else avoid making the same mistake I
did.................Tim
*From:*Tim Weichel
*Sent:* Tuesday, January 25, 2011 5:08 PM
*To:* '389-users(a)lists.fedoraproject.org'
*Cc:* Identitysupport
*Subject:* HOW TO INSTALL NEW INTERMEDIATE CA CERTIFICATES ON 389 DS
All,
I have installed 389 servers and am in the process of requesting new 4
year SSL certificates for my servers. To do so, VeriSign is only
accepting 2048-bit and higher CSRs for 3 year certificates.
No problem; I manually created a new CSR with 2048 bits using openssl,
received my new cert from VeriSign and have installed it successfully.
Now that I have the new cert installed and SSL configured and my
pin.txt file in place I find that upon start-up of the directory
service the certificate will not properly verify and the startup fails.
Based on the VeriSign advisory AD220
(https://knowledge.verisign.com/support/ssl-certificates-support/index?pag...),
it appears that I need to update the directory server's VeriSign
intermediate certificates in order to properly validate my new 2048
cert upon startup.
My new certificate came with the notice also as follows: In order for
your VeriSign SSL Certificate to function properly, NEW Primary and
Secondary VeriSign Intermediate CA Certificates must be installed.
So has anyone actually updated or installed the new primary and
secondary intermediate CA certificates?
The usual methods, the certutil command and the Management Console
wizard, have all failed to install the intermediate CA bundle
provided by VeriSign.
Also I am not running Apache, I only have the 389 Management Console
serving web for the servers.
Thanks, appreciate your assistance. Love the list server, you guys
ROCK!.........................Tim
--
389 users mailing list
389-users(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
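The two mistakes worked out in the thread above (feeding a PEM file to `certutil -A` without `-a`, so NSS reports "improperly formatted DER-encoded message", and importing a concatenated intermediate bundle instead of each CA cert under its own nickname) both come down to looking at the bytes before running certutil. The Python helper below is an added example, not code from the thread or from the 389 DS project. It classifies a file as PEM or binary DER by checking for the `-----BEGIN CERTIFICATE-----` armor and, failing that, for a complete outer DER SEQUENCE (an X.509 Certificate is a SEQUENCE, so a binary .crt must start with tag 0x30 and a length that covers the whole file); it splits a PEM bundle into its individual blocks; and it builds the `certutil -A` command line for each one, adding `-a` only for PEM input. The trust flags `"CT,,"`, the nickname and the database directory are taken from the commands in the thread. `TOY_DER` and `TOY_DER_LONG` are constructed DER SEQUENCEs, not real certificates, so the example runs offline; `certutil_import_plan` only returns file names, contents and command lines and does not execute certutil or write anything.

```python
"""Classify certificate files as PEM or DER and plan certutil -A imports.

Added example (not from the 389-users thread or 389 DS). The DER samples
at the bottom are constructed toy SEQUENCEs, not real certificates.
"""
import base64
import re
import shlex

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def der_total_length(data: bytes):
    """Length (tag + length bytes + content) of the outermost DER SEQUENCE,
    or None if data does not begin with a well-formed SEQUENCE header.
    A binary X.509 certificate starts with tag 0x30; PEM text starts '-----'."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:                       # short form: one length byte
        return 2 + first
    nbytes = first & 0x7F                  # long form: 0x8N then N length bytes
    if nbytes == 0 or nbytes > 4 or len(data) < 2 + nbytes:
        return None
    return 2 + nbytes + int.from_bytes(data[2:2 + nbytes], "big")


def is_der_sequence(data: bytes) -> bool:
    """True if data is exactly one complete DER SEQUENCE. This proves the
    file is binary DER rather than PEM text, not that it is a certificate."""
    return der_total_length(data) == len(data)


def split_pem_bundle(data: bytes):
    """Return each PEM CERTIFICATE block of a bundle as its own PEM text,
    after checking that its base64 payload decodes to a DER SEQUENCE."""
    blocks = []
    for m in PEM_BLOCK.finditer(data):
        der = base64.b64decode(b"".join(m.group(1).split()), validate=True)
        if not is_der_sequence(der):
            raise ValueError("PEM block does not decode to a DER SEQUENCE")
        blocks.append(m.group(0) + b"\n")
    return blocks


def classify(data: bytes) -> str:
    """'pem' for ASCII-armored input, 'der' for binary DER, else 'unknown'
    (truncated download, HTML error page, wrong file, ...)."""
    if PEM_BLOCK.search(data):
        return "pem"
    if is_der_sequence(data):
        return "der"
    return "unknown"


def certutil_import_plan(data: bytes, nickname: str, dbdir: str):
    """Build (filename, file contents, certutil command) for each CA cert.

    PEM input gets -a; a bundle is split so every CA cert is imported under
    its own nickname (nickname-1, nickname-2, ...). Trust flags follow the
    thread ("CT,,"). Nothing is written or executed here."""
    kind = classify(data)
    base = ["certutil", "-A", "-t", "CT,,", "-d", dbdir]
    if kind == "der":
        fname = f"{nickname}.der"
        return [(fname, data, shlex.join(base + ["-n", nickname, "-i", fname]))]
    if kind == "pem":
        certs = split_pem_bundle(data)
        plan = []
        for i, pem in enumerate(certs, start=1):
            suffix = f"-{i}" if len(certs) > 1 else ""
            fname = f"{nickname}{suffix}.crt"
            cmd = shlex.join(base + ["-a", "-n", nickname + suffix, "-i", fname])
            plan.append((fname, pem, cmd))
        return plan
    raise ValueError("neither PEM nor DER: check for a truncated or wrong download")


# Constructed samples (toy DER, not real certificates).
TOY_DER = b"\x30\x03\x02\x01\x01"                    # SEQUENCE { INTEGER 1 }
TOY_DER_LONG = b"\x30\x82\x01\x00" + b"\x05\x00" * 128  # long-form length, 256 bytes
TOY_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(TOY_DER)
           + b"-----END CERTIFICATE-----\n")
TOY_PEM_LONG = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(TOY_DER_LONG)
                + b"-----END CERTIFICATE-----\n")
TOY_BUNDLE = TOY_PEM + TOY_PEM_LONG                  # two intermediates in one file

if __name__ == "__main__":
    for fname, _, cmd in certutil_import_plan(
            TOY_BUNDLE, "VeriSign_Intermediate", "/etc/dirsrv/slapd-ldap1"):
        print(f"write {fname}, then: {cmd}")
```

Run against a real download, the `unknown` branch is the one to watch: a CA portal that returns an HTML page or a truncated file produces neither PEM armor nor a consistent DER length, and certutil's "improperly formatted DER-encoded message" gives no hint which of the two happened.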