Monday, August 24, 2020

[389-users] Re: Trying to renew a certificate - nss error 8168

Not sure what the problem is, but if you create a second test DS
instance, can you import it there?

Maybe remove the old cert first?  If you try that though please make a
backup of these files under /etc/dirsrv/slapd-INST: cert8.db, key3.db,
and secmod.db in case it doesn't work.

HTH,

Mark

On 8/24/20 3:24 AM, rainer@ultra-secure.de wrote:
> Hi,
>
> I'm trying to renew a certificate in 389 server.
>
> https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html-single/administration_guide/index#renewing_a_certificate
>
>
> I've created a new private key and CSR with
>
> certutil -d /etc/dirsrv/slapd-instance/ -R -g 4096 -a \
>      -o /root/slapd-name.csr -8 name.fqdn \
>      -s "CN=name.fqdn,O=org,ST=State,C=CH"
>
>
> I try to import it with
>
> certutil -d /etc/dirsrv/slapd-instance/ -A \
>      -n "Server Cert" -t ",," -a -i /root/slapd-name.crt
>
> But this results in
> "certutil: could not add certificate to token or database:
> SEC_ERROR_ADDING_CERT: Error adding certificate to database."
>
> If I try this using the GUI, I also get the NSS error code 8168
>
>
>
> What exactly is the problem?
> It seems there is no "verbose" switch for certutil - or at least it's
> not documented.
>
>
> 389-admin-1.1.46-1.el7.x86_64
> 389-admin-console-1.1.12-1.el7.noarch
> 389-admin-console-doc-1.1.12-1.el7.noarch
> 389-adminutil-1.1.22-2.el7.x86_64
> 389-console-1.1.19-6.el7.noarch
> 389-ds-base-1.3.10.1-9.el7_8.x86_64
> 389-ds-base-libs-1.3.10.1-9.el7_8.x86_64
> 389-ds-base-snmp-1.3.10.1-9.el7_8.x86_64
> 389-ds-console-1.2.16-1.el7.noarch
> 389-ds-console-doc-1.2.16-1.el7.noarch
>
> CentOS 7, 64bit.
>
>
> Now, I tried to list the private keys with -K, I get
>
> certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The
> certificate/key database is in an old, unsupported format.
>
>
> Is there documentation on how to upgrade the database?
>
>
>
>
> Rainer
> _______________________________________________
> 389-users mailing list -- 389-users@lists.fedoraproject.org
> To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org

--

389 Directory Server Development Team
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)