Fedora Info: [389-users] Re: dsconf-adding pkcs12 cert to 398ds/1.4.3.12 fails : "could not decode certificate: SEC_ERROR_INPUT_LEN: security library has experienced an input length error." ?

Thursday, August 27, 2020

[389-users] Re: dsconf-adding pkcs12 cert to 398ds/1.4.3.12 fails : "could not decode certificate: SEC_ERROR_INPUT_LEN: security library has experienced an input length error." ?

On 8/27/20 2:18 PM, PGNet Dev wrote:
>> I'm no expert but it looks to me like it is expecting a certificate, not
>> a PKCS#12 file. The man page isn't exactly clear on what types are
>> acceptable but based on the certutil error it looks like it only accepts
>> PEM files. It isn't at all clear to me how one passes in the private key
>> or a chain of trust.
> this
>
> https://directory.fedoraproject.org/docs/389ds/howto/howto-ssl-archive.html#importing-an-existing-self-sign-keycert-or-3rd-party-cacert

This is the old "archived" link - it is definitely outdated. Here's a
newer one:

https://www.port389.org/docs/389ds/howto/howto-ssl.html

Or better yet check out the official docs which tells you how to use
dsconf and set all of this up:

https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/administration_guide/managing_the_nss_database_used_by_directory_server

HTH,
Mark

>
> flops back-n-forth 'tween 'pk12util' & 'certutil usage, and manages to completely avoid any mention of dsconf (which appears to use certutil), so ...
>
> ... i'll join the confusion!
>
> that said, it _seems_ clear that the .p12 _is_ needed, since there's no other key input mechanism.
>
> it'd certainly be easier it dsconf simply allowed spec'n of
>
> ca_cert
> cert
> key
>
> in pem formats without the p12 'hoops' ...
>
> _______________________________________________
> 389-users mailing list -- 389-users@lists.fedoraproject.org
> To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org

--

389 Directory Server Development Team
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)