1:12 p.m.
I'm trying to add a new server, and will need to use SSL, of course.
But all the instructions tell how to generate a self-signed CA, but
we've got real signed certs on the other servers, and so I'm trying to
generate a CSR for the new one.
Generating one from the 389-console is only giving me a 1024-bit key,
and 2048 is required.
I see that running the cert request from the command line is not the
preferred option, but how else can I change the parameters for the cert
request?
Thanks,
Addison
1:15 p.m.
[root@ds4 admin-serv]# rpm -qa |grep 389
389-ds-console-1.2.6-1.el6.noarch
389-adminutil-1.1.15-1.el6.x86_64
389-console-1.1.7-1.el6.noarch
389-dsgw-1.1.9-1.el6.x86_64
389-admin-1.1.29-1.el6.x86_64
389-admin-console-doc-1.1.8-1.el6.noarch
389-ds-base-1.2.10.7-1.el6.x86_64
389-ds-console-doc-1.2.6-1.el6.noarch
389-ds-base-libs-1.2.10.7-1.el6.x86_64
389-ds-1.2.2-1.el6.noarch
389-admin-console-1.1.8-1.el6.noarch
Running on RH 6.2.
On Mon, 2012-05-07 at 14:12 -0400, Addison Laurent wrote:
I'm trying to add a new server, and will need to use SSL, of
course.
But all the instructions tell how to generate a self-signed CA, but
we've got real signed certs on the other servers, and so I'm trying to
generate a CSR for the new one.
Generating one from the 389-console is only giving me a 1024-bit key,
and 2048 is required.
I see that running the cert request from the command line is not the
preferred option, but how else can I change the parameters for the cert
request?
Thanks,
Addison
--
389 users mailing list
389-users(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
1:26 p.m.
Never knew command line is frowned upon. I used command line to generate my cert requests
as well since the gui can't do things like SAN. Haven't had any issues generating
my certreqs that way. Once the certificate comes back I use the gui to import.
-----Original Message-----
From: 389-users-bounces(a)lists.fedoraproject.org
[mailto:389-users-bounces@lists.fedoraproject.org] On Behalf Of Addison Laurent
Sent: Monday, May 07, 2012 12:13 PM
To: 389-users(a)lists.fedoraproject.org
Subject: [389-users] How to change certificate options using 389-console ?
I'm trying to add a new server, and will need to use SSL, of course.
But all the instructions tell how to generate a self-signed CA, but we've got real
signed certs on the other servers, and so I'm trying to generate a CSR for the new
one.
Generating one from the 389-console is only giving me a 1024-bit key, and 2048 is
required.
I see that running the cert request from the command line is not the preferred option, but
how else can I change the parameters for the cert request?
Thanks,
Addison
--
389 users mailing list
389-users(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
This communication, including any attached documentation, is intended only for the person
or entity to which it is addressed, and may contain confidential, personal and/or
privileged information. Any unauthorized disclosure, copying, or taking action on the
contents is strictly prohibited. If you have received this message in error, please
contact us immediately so we may correct our records. Please then delete or destroy the
original transmission and any subsequent reply.
5:02 p.m.
Now I can't find the old posting from 389-users from 2009, IIRC, where
Rich said "Don't do that".
But I'm trying it command line now - thanks a bunch, Ryan - and we'll
see.
But as far as I can tell, the 389-console is only going to try and
generate a 1024 bit key, and that's no longer acceptable to Verisign and
others - we can't get a key with less than 2048 bits now.
Is this configurable? It seems it should be?
Thanks,
Addison
On Mon, 2012-05-07 at 12:26 -0600, Groten, Ryan wrote:
Never knew command line is frowned upon. I used command line to
generate my cert requests as well since the gui can't do things like SAN. Haven't
had any issues generating my certreqs that way. Once the certificate comes back I use the
gui to import.
-----Original Message-----
From: 389-users-bounces(a)lists.fedoraproject.org
[mailto:389-users-bounces@lists.fedoraproject.org] On Behalf Of Addison Laurent
Sent: Monday, May 07, 2012 12:13 PM
To: 389-users(a)lists.fedoraproject.org
Subject: [389-users] How to change certificate options using 389-console ?
I'm trying to add a new server, and will need to use SSL, of course.
But all the instructions tell how to generate a self-signed CA, but we've got real
signed certs on the other servers, and so I'm trying to generate a CSR for the new
one.
Generating one from the 389-console is only giving me a 1024-bit key, and 2048 is
required.
I see that running the cert request from the command line is not the preferred option,
but how else can I change the parameters for the cert request?
Thanks,
Addison
--
389 users mailing list
389-users(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
This communication, including any attached documentation, is intended only for the person
or entity to which it is addressed, and may contain confidential, personal and/or
privileged information. Any unauthorized disclosure, copying, or taking action on the
contents is strictly prohibited. If you have received this message in error, please
contact us immediately so we may correct our records. Please then delete or destroy the
original transmission and any subsequent reply.
--
389 users mailing list
389-users(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
7:56 p.m.
Hie
On Mon, May 7, 2012 at 11:42 PM, Addison Laurent <alaurent(a)cise.ufl.edu>wrote:
I'm trying to add a new server, and will need to use SSL, of
course.
But all the instructions tell how to generate a self-signed CA, but
we've got real signed certs on the other servers, and so I'm trying to
generate a CSR for the new one.
Generating one from the 389-console is only giving me a 1024-bit key,
and 2048 is required.
I see that running the cert request from the command line is not the
preferred option, but how else can I change the parameters for the cert
request?
In order to generate a 2048-bit ASCII certificate request, certain
options must be
specified as seen in the example below:
# certutil -R -d /database/directory/ -s
"cn=myhost.example.com,dc=myorg,dc=com" -a -g 2048
Where:
-R - Specifies that a certificate request file be generated
-d - Specifies the database directory
-s - Specifies the subject
-a - Specifies the use of ASCII format
-g - Specifies the keysize
After successful creation, the request can be sent to the certificate
authority for signing.
Arpit Tolani
10:50 p.m.
Hie
On Mon, May 7, 2012 at 11:42 PM, Addison Laurent
<alaurent(a)cise.ufl.edu>wrote:
> Generating one from the 389-console is only giving me a 1024-bit key,
> and 2048 is required.
>
> In order to generate a 2048-bit ASCII certificate request, certain
options must be specified as seen in the example below:
# certutil -R -d /database/directory/ -s
"cn=myhost.example.com,dc=myorg,dc=com" -a -g 2048
Right. So 389-console cannot generate the keys that are required today
for non-self-signed?
In researching this, I found where Rich had replied to a prior poster a
year or so ago not to use the command line (but I might have been missing
some required context.)
If the case is that 389-console cannot be used to get CSRs that are
non-self-signable, then I think that's problematic.
Thanks,
Addison
5:16 a.m.
Hie
On Tue, May 8, 2012 at 9:20 AM, <alaurent(a)cise.ufl.edu> wrote:
> Hie
>
> On Mon, May 7, 2012 at 11:42 PM, Addison Laurent
> <alaurent(a)cise.ufl.edu>wrote:
>> Generating one from the 389-console is only giving me a 1024-bit key,
>> and 2048 is required.
>>
>> In order to generate a 2048-bit ASCII certificate request, certain
> options must be specified as seen in the example below:
>
> # certutil -R -d /database/directory/ -s
> "cn=myhost.example.com,dc=myorg,dc=com" -a -g 2048
Right. So 389-console cannot generate the keys that are required today
for non-self-signed?
It can, but you cant give the key size in console, It will stick to default
1024.
In researching this, I found where Rich had replied to a prior poster
a
year or so ago not to use the command line (but I might have been missing
some required context.)
If the case is that 389-console cannot be used to get CSRs that are
non-self-signable, then I think that's problematic.
Thanks,
Addison
--
389 users mailing list
389-users(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
Regards
Arpit Tolani
6:50 a.m.
On Tue, May 8, 2012 at 9:20 AM, <alaurent(a)cise.ufl.edu> wrote:
> > On Mon, May 7, 2012 at 11:42 PM, Addison Laurent
> > <alaurent(a)cise.ufl.edu>wrote:
> >> Generating one from the 389-console is only giving me a 1024-bit key,
> >> and 2048 is required.
> >>
> >> In order to generate a 2048-bit ASCII certificate request, certain
> > options must be specified as seen in the example below:
> >
> > # certutil -R -d /database/directory/ -s
> > "cn=myhost.example.com,dc=myorg,dc=com" -a -g 2048
>
> Right. So 389-console cannot generate the keys that are required today
> for non-self-signed?
>
>
It can, but you cant give the key size in console, It will stick to
default
1024.
Then it cannot.
Or is there a way to change that? Is that a default (implying there are
other values), or hard-coded?
If it's hard-coded, I think we need to call that a "bug" in today's
world,
if we can't use 389 Console as per the documentation to generate the CSR.
Or at least change the hard-coding to a worldy-usable number.
Thanks,
Addison
8:06 a.m.
On 05/08/2012 05:50 AM, alaurent(a)cise.ufl.edu wrote:
> On Tue, May 8, 2012 at 9:20 AM,<alaurent(a)cise.ufl.edu>
wrote:
>>> On Mon, May 7, 2012 at 11:42 PM, Addison Laurent
>>> <alaurent(a)cise.ufl.edu>wrote:
>>>> Generating one from the 389-console is only giving me a 1024-bit key,
>>>> and 2048 is required.
>>>>
>>>> In order to generate a 2048-bit ASCII certificate request, certain
>>> options must be specified as seen in the example below:
>>>
>>> # certutil -R -d /database/directory/ -s
>>> "cn=myhost.example.com,dc=myorg,dc=com" -a -g 2048
>> Right. So 389-console cannot generate the keys that are required today
>> for non-self-signed?
>>
>>
> It can, but you cant give the key size in console, It will stick to
> default
> 1024.
Then it cannot.
Or is there a way to change that? Is that a default (implying there are
other values), or hard-coded?
If it's hard-coded, I think we need to call that a "bug" in today's
world,
if we can't use 389 Console as per the documentation to generate the CSR.
Sure.
Please file a ticket at https://fedorahosted.org/389
Or at least change the hard-coding to a worldy-usable number.
Thanks,
Addison
--
389 users mailing list
389-users(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
4364
days inactive
4365
days old
389-users@lists.fedoraproject.org
8 comments
4 participants
participants (4)
-
Addison Laurent -
Arpit Tolani -
Groten, Ryan -
Rich Megginson