Went back to the docs again and this resolved that issue:

certutil -A -i /var/tmp/wrlc.org.crt -t "u,u,u" -d /etc/dirsrv/slapd-ldap -n "server-cert"

However, I now get this error:

[19/Oct/2011:10:34:36 -0400] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert server-cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8179 - Peer's Certificate issuer is not recognized.)

I am guessing that there are other certutil commands? BTW, this all came about because the GUI does not support 2048-bit CSRs.

- Thanks

From: 389-users-boun...@lists.fedoraproject.org [mailto:389-users-boun...@lists.fedoraproject.org] On Behalf Of Chris Cawley
Sent: Wednesday, October 19, 2011 10:24 AM
To: Rich Megginson; General discussion list for the 389 Directory server project.
Subject: Re: [389-users] SSL Question

Thanks, I am now getting the same error as one of the earlier posts:

http://osdir.com/ml/linux.redhat.fedora.directory.user/2006-08/msg00161.html

[19/Oct/2011:10:23:44 -0400] - SSL alert: Security Initialization: Can't find certificate (server-cert) for family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)
[19/Oct/2011:10:23:44 -0400] - SSL alert: Security Initialization: Unable to retrieve private key for cert server-cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)
[19/Oct/2011:10:23:44 -0400] - SSL failure: None of the cipher are valid
[19/Oct/2011:10:23:44 -0400] - ERROR: SSL Initialization phase 2 Failed.

I am trying to use a wildcard for the cert. However, I did not see the answer.

- Thanks

- Chris

From: Rich Megginson [mailto:rmegg...@redhat.com]
Sent: Wednesday, October 19, 2011 9:09 AM
To: General discussion list for the 389 Directory server project.
Cc: Chris Cawley
Subject: Re: [389-users] SSL Question

On 10/19/2011 06:59 AM, Chris Cawley wrote:
When I look in the console/manage cert/etc.
See http://directory.fedoraproject.org/wiki/Howto:SSL#Viewing_the_list_of_built-in_CA_certs

Chris

From: 389-users-boun...@lists.fedoraproject.org [mailto:389-users-boun...@lists.fedoraproject.org] On Behalf Of Gerhardus Geldenhuis
Sent: Wednesday, October 19, 2011 8:58 AM
To: General discussion list for the 389 Directory server project.
Subject: Re: [389-users] SSL Question

When do you get that? When you start 389ds or when you run certutil scripts?

Regards

2011/10/19 Chris Cawley <caw...@wrlc.org>

Sorry, the error that I get is "Broken Certificate Chain"

- Chris

From: 389-users-boun...@lists.fedoraproject.org [mailto:389-users-boun...@lists.fedoraproject.org] On Behalf Of Gerhardus Geldenhuis
Sent: Wednesday, October 19, 2011 8:49 AM
To: General discussion list for the 389 Directory server project.
Subject: Re: [389-users] SSL Question

Hi Chris,

Not seen that before. Could you detail the steps you have taken thus far to get to the point you are at now?

Regards

2011/10/19 Chris Cawley <caw...@wrlc.org>

Hello -

We are in the process of setting up SSL on 389 ds; however, it appears that the CA cert db is empty. The builtin tokens are not even loaded. Any ideas why?
- Thanks

Chris Cawley
System Administrator
Washington Research Library Consortium
301-390-2049
caw...@wrlc.org

--
389 users mailing list
389-us...@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

--
Gerhardus Geldenhuis