List: fedora-directory-users
Subject: Re: [389-users] HOW TO INSTALL NEW INTERMEDIATE CA CERTIFICATES ON
From: Rich Megginson <rmeggins () redhat ! com>
Date: 2011-01-26 19:26:39
Message-ID: 4D40756F.2010604 () redhat ! com
On 01/26/2011 10:50 AM, Tim Weichel wrote:
>
> I have successfully installed the intermediate CA certificates into
> the cert database and am no longer having an issue.
>
> The ldap server is up and running with SSL now.
>
> To summarize my issues and resolution:
>
> The First issue I found was that I was not utilizing the proper
> intermediate certificates from VeriSign, this is based on the flavor
> of certificates you own.
>
> Please be sure you are utilizing the correct intermediate certs from
> your CA; this can be confusing, since LDAP servers are not the main
> consumers of certificates, they are not really listed. Mostly guidance
> for WWW servers is provided. Here are the certs I had to utilize.
>
> http://www.verisign.com/support/verisign-intermediate-ca/secure-site-intermediate/index.html
>
> I was using the bundled certificates and not the individual Primary
> and Secondary certs.
>
> But even after that change I was still having issues installing the
> certificates, here is an example error:
>
> [root@ldap1 slapd-ldap1]# certutil -A -n VeriSign_Intermediate -t
> "CT,," -i /etc/dirsrv/slapd-ldap1/intermediate.crt -d
> /etc/dirsrv/slapd-ldap1
>
> certutil: could not obtain certificate from file: security library:
> improperly formatted DER-encoded message.
>
Give the -a flag - -a means the cert is ascii, not binary DER. Looking
at the web site above, the certificates encoded with -----BEGIN
CERTIFICATE----- are ascii encoded DER. The ascii format is the same as
PEM.
>
> The Second issue is that I suspected that I needed to recreate the
> database (cert8.db), I assumed it must have been corrupted in some manner.
>
This is a different issue than the issue above?
>
> [root@ldap1 slapd-ldap1]# certutil -N -d /etc/dirsrv/slapd-ldap1
>
> Once I recreated the database I was able to successfully reinstall all
> of the certs with no issues using the following commands:
>
> [root@ldap1 slapd-ldap1]# pk12util -i
> /etc/dirsrv/slapd-ldap1/ldap1cert.p12 -d .
>
> [root@ldap1 slapd-ldap1]# certutil -A -n VeriSign_Intermediate -t
> "CT,," -i /etc/dirsrv/slapd-ldap1/intermediate.crt -d
> /etc/dirsrv/slapd-ldap1
>
> [root@ldap1 slapd-ldap1]# certutil -A -n VeriSign_Secondary -t "CT,,"
> -i /etc/dirsrv/slapd-ldap1/secondary.crt -d /etc/dirsrv/slapd-ldap1
>
Very strange. I would not expect it to work if the .crt files are ascii
encoded, without using the -a flag, unless the certutil has some sort of
automatic detection.
>
> The ldap server now starts with no certificate issues and binds over
> port 636. Hooray!!
>
> Appreciate the response and anyone else who was contemplating my issue.
>
> I hope this helps someone else from making the same mistake I
> did.................Tim
>
> *From:*Tim Weichel
> *Sent:* Tuesday, January 25, 2011 5:08 PM
> *To:* '389-users@lists.fedoraproject.org'
> *Cc:* Identitysupport
> *Subject:* HOW TO INSTALL NEW INTERMEDIATE CA CERTIFICATES ON 389 DS
>
> All,
>
> I have installed 389 servers and am in the process of requesting new 4
> year SSL certificates for my servers. To do so, Verisign is only
> accepting 2048-bit and higher CSR's for 3 year certificates.
>
> No problem, I manually created a new CSR with 2048 bits using openssl,
> received my new cert from verisign and have installed it successfully.
>
> Now that I have the new cert installed and SSL configured and my
> pin.txt file in place I find that upon start-up of the directory
> service the certificate will not properly verify and the startup fails.
>
> Based on the VeriSign advisory AD220
> (https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AD220
> <https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AD220>)
>
>
> It appears that I need to update the directory servers' VeriSign
> intermediate certificates in order to properly validate my new 2048
> cert upon startup.
>
> My new certificate came with the notice also as follows: In order for
> your VeriSign SSL Certificate to function properly, NEW Primary and
> Secondary VeriSign Intermediate CA Certificates must be installed.
>
> So has anyone actually updated or installed the new primary and
> secondary intermediate CA certificates?
>
> The usual methods of the certutil command and the Management Console
> wizard have all failed to install the intermediate CA bundle provided
> by VeriSign.
>
> Also I am not running Apache, I only have the 389 Management Console
> serving web for the servers.
>
> Thanks appreciate your assistance. Love the list server you guys
> ROCK!.........................Tim
>
>
> --
> 389 users mailing list
> 389-users@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
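Two things in this thread can be checked before certutil is ever run: Rich's point that a .crt starting with -----BEGIN CERTIFICATE----- is PEM ("ascii encoded DER") and needs -a while raw binary DER must not get it, and Tim's finding that the VeriSign bundle had to be split into the individual Primary and Secondary certs. The helper below is an added example, not code from the thread or from 389 DS; it only builds the certutil -A command line (reusing Tim's "CT,," trust flags) and does not execute it, and the file and database paths are placeholders.

```shell
#!/bin/sh
# Added example: classify a certificate file and build the matching
# certutil -A command. Nothing here calls certutil; paths are placeholders.

# Print "pem", "der" or "unknown" for the file given as $1.
cert_format() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        echo pem
    # A DER-encoded certificate is an ASN.1 SEQUENCE, so its first byte is 0x30.
    elif [ "$(od -An -tx1 -N1 "$1" 2>/dev/null | tr -d ' ')" = "30" ]; then
        echo der
    else
        echo unknown
    fi
}

# Number of certificates in a PEM file (one BEGIN line per certificate).
pem_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Build the certutil -A command line for file $1, nickname $2, NSS db dir $3.
# PEM input gets -a, binary DER does not. A PEM file holding more than one
# certificate (a CA bundle) is refused with status 2, because in the thread
# the bundle had to be split into the individual Primary and Secondary
# certs before the import succeeded; unreadable input returns status 1.
certutil_add_cmd() {
    file=$1 nick=$2 dbdir=$3
    case $(cert_format "$file") in
        pem)
            [ "$(pem_cert_count "$file")" -eq 1 ] || return 2
            echo "certutil -A -a -n $nick -t \"CT,,\" -i $file -d $dbdir" ;;
        der)
            echo "certutil -A -n $nick -t \"CT,,\" -i $file -d $dbdir" ;;
        *)
            return 1 ;;
    esac
}

# Usage (placeholder paths): print the command, then paste or eval it.
# certutil_add_cmd /path/to/intermediate.crt VeriSign_Intermediate /etc/dirsrv/slapd-INSTANCE
```

Run it on each intermediate file before importing; a status of 2 means split the bundle first, and the printed command can be reviewed before it is executed against the server's cert database.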