Difference between revisions of "SUSE/SLES/Yast Common Server Cert"
Revision as of 20:05, 11 January 2009
In case you want to change the YaST Common Server Certificate to one signed by a Novell eDirectory CA, follow these steps:
1. On the SLES server, create the signing request without setting a password on the key:
- openssl rand -out /tmp/random.txt 1024
- openssl genrsa -out server.key -rand /tmp/random.txt 1024
- openssl req -new -key server.key -out server.csr
2. Next use iManager to issue a certificate from the signing request server.csr and export the certificate in base64 encoding.
3. Now export the public key of the eDirectory CA in base64 format.
4. Next create a new cert.pem file containing the following:
-----BEGIN CERTIFICATE-----
... this is the block from the eDirectory CA public key ...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
... this is the server certificate signed by the eDirectory CA ...
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
... this is the content of the server.key ...
-----END RSA PRIVATE KEY-----
5. Now use openssl to create the PKCS#12 file (it will prompt for an export password):
- openssl pkcs12 -export -in cert.pem -out cert.p12
6. Now start YaST, go to Security and Users / Common Server Certificate, import the new PKCS#12 file cert.p12, and everything is done.
One side note: After the first tests I always got the message in YaST that the certificate was imported, but the screen did not show it. In /var/log/YaST2/y2log I found the error "... invalid serial number ...". That serial number is from the eDirectory CA and I found no way to change it there. I think it was simply too long. I used a different eDirectory to sign it and then it worked.