richm/scripts

389ds with external ca_cert.pem

Opened this issue · 4 comments

Hi,

Thanks for the script. Saves a hell of a lot of time. I'm having trouble configuring with an external CA certificate ca_crt.pem. I've tried adding this certificate to cert8.db using certutil but somehow the script still does not like it.

Command:
certutil -A -n "CA certificate" -t "Tcu,Cu,Tu" -d "/etc/dirsrv/${hostname}" -a -i "/etc/dirsrv/${hostname}/ca_crt.pem"

...
Valid CA
Trusted Client CA
Email Flags:
Valid CA
Trusted CA
Object Signing Flags:
Valid CA

Using existing CA certificate
No Server Cert found - will create new one
No Admin Server Cert found - will create new one
Creating password file for security token
Creating noise file
Creating new key and cert db
Notice: Trust flag u is set automatically if the private key is present.
Generating server certificate for 389 Directory Server on host cbg-corp-dir-04.cambridge.netbanx.com
Using fully qualified hostname cbg-corp-dir-04.cambridge.netbanx.com for the server name in the server cert subject DN
Note: If you do not want to use this hostname, export MYHOST=host1 host2 ... script.sh ...

Generating key. This may take a few moments...

certutil: could not find certificate named "CA certificate": SEC_ERROR_BAD_DATABASE: security library: bad database.
certutil: unable to create cert (security library: bad database.)
Creating the admin server certificate

Generating key. This may take a few moments...

certutil: could not find certificate named "CA certificate": SEC_ERROR_BAD_DATABASE: security library: bad database.
certutil: unable to create cert (security library: bad database.)
Exporting the admin server certificate pk12 file
pk12util: find user certs from nickname failed: SEC_ERROR_BAD_DATABASE: security library: bad database.
chown: cannot access `/etc/dirsrv/slapd-cbg-corp-dir-04/adminserver.p12': No such file or directory
chmod: cannot access `/etc/dirsrv/slapd-cbg-corp-dir-04/adminserver.p12': No such file or directory
Creating pin file for directory server
Importing the admin server key and cert (created above)
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.
.......................................

Has anyone got an updated script/method that is compatible with an external CA cert?

richm commented

You need the CA key as well if you are going to use it to create/sign server certs. Create a pkcs12 file containing the key and cert, and use pk12util to import.

Thanks.
Which file would be the CA key amongst these:
ca_crl.pem ca_crt.pem ca_key.pem ca_pub.pem inventory.txt private requests serial signed
Guess - ca_key.pem

If using pk12util, would it still import it into the same cert8.db as certutil? Any command syntax reference much appreciated!

richm commented

I am assuming the file is ca_key.pem. pk12util will import into both cert8.db and key3.db.
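The import richm describes, written out as an added example (this is not code from richm/scripts): bundle the CA cert and key into a PKCS#12 file with openssl, import it with pk12util so the cert goes into the cert db and the key into the key db, set the trust flags, and then check that both the cert and its private key are present before running the script. The file names ca_crt.pem and ca_key.pem and the nickname "CA certificate" come from the issue; the db directory, password file and export password are assumed to be supplied by the caller.

```shell
# Added example, not from richm/scripts. Assumed inputs: ca_crt.pem and
# ca_key.pem (named in the issue), nickname "CA certificate" (from the
# issue), an NSS db dir, a db password file and a PKCS#12 export password.

NICK="CA certificate"

# Bundle cert + key into one PKCS#12 file.
#   $1 cert PEM   $2 key PEM   $3 output .p12   $4 export password
make_ca_p12() {
    openssl pkcs12 -export -in "$1" -inkey "$2" -name "$NICK" \
        -out "$3" -passout "pass:$4"
}

# Import the .p12 into the NSS db (creating the db if needed) and mark the
# cert as a trusted CA. pk12util writes the cert to cert8.db (or cert9.db on
# newer NSS) and the private key to key3.db (or key4.db) in one step.
#   $1 db dir   $2 .p12 path   $3 export password   $4 db password file
import_ca_p12() {
    db="$1"; p12="$2"; p12pw="$3"; pwfile="$4"
    # Pass "dbm:$db" instead of "$db" if you specifically need the legacy
    # cert8.db/key3.db pair; a bare path uses your NSS version's default.
    if [ ! -f "$db/cert8.db" ] && [ ! -f "$db/cert9.db" ]; then
        certutil -N -d "$db" -f "$pwfile"
    fi
    pk12util -i "$p12" -d "$db" -W "$p12pw" -K "$(cat "$pwfile")"
    # pk12util sets no trust flags; mark the cert as a CA so certutil -S -c
    # can sign with it.
    certutil -M -n "$NICK" -t "CT,C,C" -d "$db" -f "$pwfile"
}

# Check: the cert must be listed AND a private key must exist under the same
# nickname. Returns 0 only when both are present, which is what the
# script's -c "$NICK" step needs (a cert without its key fails as in the issue).
#   $1 db dir   $2 db password file
ca_key_present() {
    certutil -L -d "$1" -f "$2" -n "$NICK" >/dev/null 2>&1 || return 1
    certutil -K -d "$1" -f "$2" 2>/dev/null | grep -q "$NICK"
}
```

Usage: `make_ca_p12 ca_crt.pem ca_key.pem ca.p12 exportpw`, then `import_ca_p12 /etc/dirsrv/slapd-HOST ca.p12 exportpw /path/to/pwdfile.txt`, and run `ca_key_present` before the script. Adding the cert with `certutil -A` alone, as in the original command, populates cert8.db but never key3.db, so the signing step cannot find a usable CA.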

Thanks! This has been driving me crazy for days. I will report back once I have success!