On 03/27/2013 08:46 AM, Grzegorz Dwornicki wrote:

I had misunderstood you in this case. No, you don't need to create a second CA. But you must generate a cert for DS on the AD CA. Then you need to import this cert with the AD CA cert on DS.


You don't have to use AD CA to generate the 389DS server cert. You can, and it may be the best way to do it.

Greg.

27 Mar 2013 15:41, "alexandre" <axel0fe...@gmail.com> wrote:

    I'm really impressed by the reactivity of this list !!!

    Sorry, my understanding is not perfect because I'm French, so I
    don't have any CA in my DS, I have one CA (installed on my domain
    controller).

    Do I need to install a CA in my DS? (When I write CA, for me it
    means an Authority.)


    Alex


    2013/3/27 Grzegorz Dwornicki <gd1...@gmail.com>

        If you have a different CA in AD vs DS then you need to do this
        import.

        AD by default doesn't use LDAPS or STARTSSL so you need to
        install MS cert CA stuff.

        Greg.

        27 Mar 2013 15:07, "alexandre" <axel0fe...@gmail.com> wrote:

            Hello,

            I try to follow this procedure :

            https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Windows_Sync-Configuring_Windows_Sync.html

            Everything works fine, except I don't understand this
            line correctly:

            "Import the CA certificate from Directory Server into
            Active Directory. Click *Trusted Root CA*, then *Import*,
            and browse for the Directory Server CA certificate."

            For me, a CA certificate is a certificate from the
            Authority, so in my Active Directory the certificate from
            the authority is already known in the Trusted Root CA.

            So, do I need to import the 389DS server certificate in my
            Active Directory?

            And finally, there is no indication to do that; can someone
            help me get through this?

            Thanks in advance.

            Best regards,
            Alex

            --
            389 users mailing list
            389-us...@lists.fedoraproject.org
            <mailto:389-us...@lists.fedoraproject.org>
            https://admin.fedoraproject.org/mailman/listinfo/389-users

