hi,
some time ago I asked for a scriptable way of creating a certificate request, here's the thread:
https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject....
I didn't have the time to write anything and I would like to invest some time now.
the goal is to create an unattended script for node creation INCLUDING certification with an external CA.
I'm thinking about having several precreated certificate databases and download them to nodes. something like:
openssl rand -base64 16 > pwfile.txt && certutil -N -d . -f pwfile.txt
in several nodes and then scp/wget them to each node. also, do all CSR beforehand and already signed with our CA so I will have a repo of cert databases like:
nss/ca_root.crt nss/ldap10 nss/ldap10/cert9.db nss/ldap10/key4.db nss/ldap10/ldap10.example.com.crt nss/ldap10/pkcs11.txt nss/ldap10/pwfile.txt nss/ldap11 nss/ldap11/cert9.db nss/ldap11/key4.db nss/ldap11/ldap11.example.com.crt nss/ldap11/pkcs11.txt nss/ldap11/pwfile.txt nss/ldap12 nss/ldap12/cert9.db nss/ldap12/key4.db nss/ldap12/ldap12.example.com.crt nss/ldap12/pkcs11.txt nss/ldap12/pwfile.txt nss/ldap13 nss/ldap13/cert9.db nss/ldap13/key4.db nss/ldap13/ldap13.example.com.crt nss/ldap13/pkcs11.txt nss/ldap13/pwfile.txt nss/ldap14 nss/ldap14/cert9.db nss/ldap14/key4.db nss/ldap14/ldap14.example.com.crt nss/ldap14/pkcs11.txt nss/ldap14/pwfile.txt nss/ldap15 nss/ldap15/cert9.db nss/ldap15/key4.db nss/ldap15/ldap15.example.com.crt nss/ldap15/pkcs11.txt nss/ldap15/pwfile.txt
this step is the only one remaining on my recipe of unattended container creation, so any help will be really appreciated.
best regards,
abosch
-- Institut Mallorqui d'Afers Socials. Aquest missatge, i si escau, qualsevol fitxer annex, es dirigeix exclusivament a la persona que n'es destinataria i pot contenir informacio confidencial. En cap cas no heu de copiar aquest missatge ni lliurar-lo a terceres persones sense permis expres de l'IMAS. Si no sou la persona destinataria que s'hi indica (o la responsable de lliurar-l'hi) us demanam que ho notifiqueu immediatament a l'adreca electronica de la persona remitent. Abans d'imprimir aquest missatge, pensau si es realment necessari.
depending on your version of 389, look at "dsctl <instance name> tls import-ca"
{william@ldapkdc 9:12} ~/development $ dsctl localhost tls import-ca --help usage: dsctl [instance] tls import-ca [-h] cert_path nickname
positional arguments: cert_path The path to the x509 cert to import as a server CA nickname The name of the certificate once imported
optional arguments: -h, --help show this help message and exit
This allows you to import a PEM CA file. There are a number of other helpers under the tls subcommand to make cert management easier.
On 1 Dec 2020, at 18:55, Angel Bosch Mora abosch@imasmallorca.net wrote:
hi,
some time ago I asked for a scriptable way of creating a certificate request, here's the thread:
https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject....
I didn't have the time to write anything and I would like to invest some time now.
the goal is to create an unattended script for node creation INCLUDING certification with an external CA.
I'm thinking about having several precreated certificate databases and download them to nodes. something like:
openssl rand -base64 16 > pwfile.txt && certutil -N -d . -f pwfile.txt
in several nodes and then scp/wget them to each node. also, do all CSR beforehand and already signed with our CA so I will have a repo of cert databases like:
nss/ca_root.crt nss/ldap10 nss/ldap10/cert9.db nss/ldap10/key4.db nss/ldap10/ldap10.example.com.crt nss/ldap10/pkcs11.txt nss/ldap10/pwfile.txt nss/ldap11 nss/ldap11/cert9.db nss/ldap11/key4.db nss/ldap11/ldap11.example.com.crt nss/ldap11/pkcs11.txt nss/ldap11/pwfile.txt nss/ldap12 nss/ldap12/cert9.db nss/ldap12/key4.db nss/ldap12/ldap12.example.com.crt nss/ldap12/pkcs11.txt nss/ldap12/pwfile.txt nss/ldap13 nss/ldap13/cert9.db nss/ldap13/key4.db nss/ldap13/ldap13.example.com.crt nss/ldap13/pkcs11.txt nss/ldap13/pwfile.txt nss/ldap14 nss/ldap14/cert9.db nss/ldap14/key4.db nss/ldap14/ldap14.example.com.crt nss/ldap14/pkcs11.txt nss/ldap14/pwfile.txt nss/ldap15 nss/ldap15/cert9.db nss/ldap15/key4.db nss/ldap15/ldap15.example.com.crt nss/ldap15/pkcs11.txt nss/ldap15/pwfile.txt
this step is the only one remaining on my recipe of unattended container creation, so any help will be really appreciated.
best regards,
abosch
-- Institut Mallorqui d'Afers Socials. Aquest missatge, i si escau, qualsevol fitxer annex, es dirigeix exclusivament a la persona que n'es destinataria i pot contenir informacio confidencial. En cap cas no heu de copiar aquest missatge ni lliurar-lo a terceres persones sense permis expres de l'IMAS. Si no sou la persona destinataria que s'hi indica (o la responsable de lliurar-l'hi) us demanam que ho notifiqueu immediatament a l'adreca electronica de la persona remitent. Abans d'imprimir aquest missatge, pensau si es realment necessari. _______________________________________________ 389-users mailing list -- 389-users@lists.fedoraproject.org To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject....
— Sincerely,
William Brown
Senior Software Engineer, 389 Directory Server SUSE Labs, Australia
depending on your version of 389, look at "dsctl <instance name> tls import-ca"
{william@ldapkdc 9:12} ~/development $ dsctl localhost tls import-ca --help usage: dsctl [instance] tls import-ca [-h] cert_path nickname
positional arguments: cert_path The path to the x509 cert to import as a server CA nickname The name of the certificate once imported
optional arguments: -h, --help show this help message and exit
This allows you to import a PEM CA file. There are a number of other helpers under the tls subcommand to make cert management easier.
all this is pretty new, right?
I can't recall reading this last time I checked docs.
anyway, my main problem is that to deploy a node in a truly unattended mode It shouldn't pause at CSR request and continue when CA sign certificates, so I'm trying to have some preconfigured cert databases and signed certs.
If there's no way to do that, I can't dynamically create and destroy nodes.
the other option is letting the loadbalancer handle encryption, but official docs are very aggressive against that option, but I wonder if I should ignore that recommendation and encrypt at LB level. any hints?
abosch -- Institut Mallorqui d'Afers Socials. Aquest missatge, i si escau, qualsevol fitxer annex, es dirigeix exclusivament a la persona que n'es destinataria i pot contenir informacio confidencial. En cap cas no heu de copiar aquest missatge ni lliurar-lo a terceres persones sense permis expres de l'IMAS. Si no sou la persona destinataria que s'hi indica (o la responsable de lliurar-l'hi) us demanam que ho notifiqueu immediatament a l'adreca electronica de la persona remitent. Abans d'imprimir aquest missatge, pensau si es realment necessari.
On 2 Dec 2020, at 19:04, Angel Bosch Mora abosch@imasmallorca.net wrote:
depending on your version of 389, look at "dsctl <instance name> tls import-ca"
{william@ldapkdc 9:12} ~/development $ dsctl localhost tls import-ca --help usage: dsctl [instance] tls import-ca [-h] cert_path nickname
positional arguments: cert_path The path to the x509 cert to import as a server CA nickname The name of the certificate once imported
optional arguments: -h, --help show this help message and exit
This allows you to import a PEM CA file. There are a number of other helpers under the tls subcommand to make cert management easier.
all this is pretty new, right?
I can't recall reading this last time I checked docs.
I don't remember what version it was landed in, but certainly one 1.4.x somewhere.
anyway, my main problem is that to deploy a node in a truly unattended mode It shouldn't pause at CSR request and continue when CA sign certificates, so I'm trying to have some preconfigured cert databases and signed certs.
If there's no way to do that, I can't dynamically create and destroy nodes.
the other option is letting the loadbalancer handle encryption, but official docs are very aggressive against that option, but I wonder if I should ignore that recommendation and encrypt at LB level. any hints?
You can setup an instance with *no* TLS setup with self_signed = false in the setup.inf, then you can later add the nssdb + enable encryption. That's probably what you want here.
abosch -- Institut Mallorqui d'Afers Socials. Aquest missatge, i si escau, qualsevol fitxer annex, es dirigeix exclusivament a la persona que n'es destinataria i pot contenir informacio confidencial. En cap cas no heu de copiar aquest missatge ni lliurar-lo a terceres persones sense permis expres de l'IMAS. Si no sou la persona destinataria que s'hi indica (o la responsable de lliurar-l'hi) us demanam que ho notifiqueu immediatament a l'adreca electronica de la persona remitent. Abans d'imprimir aquest missatge, pensau si es realment necessari. _______________________________________________ 389-users mailing list -- 389-users@lists.fedoraproject.org To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject....
— Sincerely,
William Brown
Senior Software Engineer, 389 Directory Server SUSE Labs, Australia
389-users@lists.fedoraproject.org