Difference between revisions of "SUSE/SLES/Yast Common Server Cert"

From MicroFocusInternationalWiki

Revision as of 20:09, 11 January 2009

In case you want to change the Yast Common Server Certificate to a Novell eDirectory signed one, follow these steps:

1. On the SLES server create the signing request without setting a password on it:

   # openssl rand -out /tmp/random.txt 1024
   # openssl genrsa -out server.key -rand /tmp/random.txt 1024
   # openssl req -new -key server.key -out server.csr

2. Next use iManager to issue a certificate using the signing request server.csr and export the certificate in base64 encoding.

3. Now export the public key of the eDirectory CA in base64 format.

4. Next create a new cert.pem file containing the following:

   -----BEGIN CERTIFICATE-----
   ... this is the block from the eDirectory CA public key ...
   -----END CERTIFICATE-----

   -----BEGIN CERTIFICATE-----
   ... this is the server certificate signed by the eDirectory ...
   -----END CERTIFICATE-----

   -----BEGIN RSA PRIVATE KEY-----
   ... this is the content of the server.key ...
   -----END RSA PRIVATE KEY-----

5. Now use openssl to create the pkcs12 file:

   # openssl pkcs12 -export -in cert.pem -out cert.p12

6. Now start yast / security and users / common server certificate and import that new pkcs12 file cert.p12 and everything is done.
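Before importing, it is worth confirming that the bundle assembled in step 4 actually hangs together: the server certificate chains to the bundled CA certificate, the private key belongs to that certificate, the serial number fits the 20-octet limit of RFC 5280 (the side note below reports an "invalid serial number" rejection), and the PKCS#12 file from step 5 parses back. The script below is an added example, not part of the wiki page or of YaST, and assumes only that openssl is on PATH. Because the real CA key stays inside eDirectory, it builds a constructed throwaway CA and server certificate (CN "Demo CA", "sles.example.test", serial 4711, the "demo" export password, all made up for the demo) with 2048-bit keys, since 1024-bit RSA is no longer adequate, and also a deliberately mismatched bundle to show the check failing.

```shell
#!/bin/sh
# Added example, not from the wiki page: sanity-check a cert.pem bundle
# (CA cert, server cert, server key, in the page's order) and the resulting
# .p12 before handing it to YaST. Only openssl is required. The CA and
# server certificate below are constructed stand-ins for eDirectory output.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal config so the demo CA gets explicit CA extensions regardless of
# the system openssl.cnf (the [dn] section is empty because -subj is used).
cat > "$WORK/demo.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = ca_ext
[ dn ]
[ ca_ext ]
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Build demo material: throwaway CA, server key + CSR, server cert issued by
# that CA, a good bundle, and a bad bundle whose key belongs to nobody.
make_demo_material() {
  openssl req -x509 -config "$WORK/demo.cnf" -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Demo CA" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  openssl req -new -config "$WORK/demo.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=sles.example.test" -keyout "$WORK/server.key" \
    -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -set_serial 4711 -days 1 \
    -out "$WORK/server.crt" 2>/dev/null
  openssl genrsa -out "$WORK/other.key" 2048 2>/dev/null
  cat "$WORK/ca.crt" "$WORK/server.crt" "$WORK/server.key" > "$WORK/cert.pem"
  cat "$WORK/ca.crt" "$WORK/server.crt" "$WORK/other.key"  > "$WORK/bad.pem"
}

# nth_cert FILE N: print the N-th PEM certificate block in FILE.
nth_cert() {
  awk -v n="$2" '
    /-----BEGIN CERTIFICATE-----/ { c++ }
    c == n { print }
    /-----END CERTIFICATE-----/ && c == n { exit }' "$1"
}

# check_bundle BUNDLE: return 0 only if every check passes.
check_bundle() {
  bundle=$1
  nth_cert "$bundle" 1 > "$WORK/ca_part.pem"
  nth_cert "$bundle" 2 > "$WORK/srv_part.pem"
  awk '/-----BEGIN .*PRIVATE KEY-----/,/-----END .*PRIVATE KEY-----/' \
    "$bundle" > "$WORK/key_part.pem"

  # 1. The server certificate must chain to the CA certificate in the bundle.
  openssl verify -CAfile "$WORK/ca_part.pem" "$WORK/srv_part.pem" >/dev/null 2>&1 \
    || { echo "FAIL: server cert does not verify against bundled CA" >&2; return 1; }

  # 2. The key must belong to the server cert: compare derived public keys.
  cert_pub=$(openssl x509 -noout -pubkey -in "$WORK/srv_part.pem" 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$WORK/key_part.pem" -pubout 2>/dev/null) || return 1
  [ "$cert_pub" = "$key_pub" ] \
    || { echo "FAIL: private key does not match server certificate" >&2; return 1; }

  # 3. RFC 5280 caps serial numbers at 20 octets (40 hex digits).
  serial=$(openssl x509 -noout -serial -in "$WORK/srv_part.pem" | sed 's/^serial=//')
  [ "${#serial}" -le 40 ] \
    || { echo "FAIL: serial number longer than 20 octets: $serial" >&2; return 1; }

  # 4. The PKCS#12 file must build from the bundle and parse back cleanly.
  openssl pkcs12 -export -in "$bundle" -out "$WORK/cert.p12" -passout pass:demo 2>/dev/null \
    || { echo "FAIL: could not build PKCS#12 from bundle" >&2; return 1; }
  openssl pkcs12 -in "$WORK/cert.p12" -passin pass:demo -noout 2>/dev/null \
    || { echo "FAIL: PKCS#12 does not parse" >&2; return 1; }
  return 0
}

make_demo_material
check_bundle "$WORK/cert.pem" && echo "cert.pem: all checks passed"
if check_bundle "$WORK/bad.pem" 2>/dev/null; then
  echo "bad.pem unexpectedly passed"; exit 1
else
  echo "bad.pem: rejected as expected (key mismatch)"
fi
```

To check a real bundle, run `check_bundle /path/to/cert.pem` from a shell that has sourced the script (or drop the demo block at the end). The key-match check is the one that most often saves an import: a bundle that concatenates the wrong server.key passes a quick visual inspection but will be rejected by pkcs12 -export, and the serial-length check separates a malformed certificate from a YaST-side problem before the y2log has to be read.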


One side note: After the first tests I always got the message in yast that the certificate was imported, but the screen didn't show it. In the /var/log/YaST2/y2log I found the error "... invalid serial number ...". That serial number is from the eDirectory CA and I found no way to change it there. I think it was simply too long. I used a different eDirectory to sign it and then it worked.