Hi,<br><br> I am trying to integrate RHDS 8.0 with windows 2003 ads on centos 5.1 as per the centos documentation for user/group and password sync from windows ADS.<br><br> I am using windows sync and Passsync . But i am facing problem with the certificate creation.<br>
<br><b>##########################################################################<br>Followed the below step in centos box runing rhds to setup ssl.</b><br>###########################################################################<br>
<ul><li>vi pin.txt
</li></ul>
<pre> secretpw <br></pre>
<ul><li>Create a noise file for the encryption
</li></ul>
<pre> vi noise.txt<br> dsadasdasdasdadasdasdasdasdsadfwerwerjfdksdjfksdlfhjsdk<br></pre>
<ul><li>Create the key and certificate databases database
</li></ul>
<pre> certutil -N -d . -f pin.txt (results, makes 3 files with db extension)<br></pre>
<ul><li>Generate the encryption key
</li></ul>
<pre> certutil -G -d . -z noise.txt -f pin.txt<br></pre>
<ul><li>Generate the self-signed CA certificate
</li></ul>
<pre> certutil -S -n "CA Certificate" -s "cn=CAcert" -x -t "CT,,"<br> -m 1000 -v 9999 -d . -z noise.txt -f pin.txt<br> <br>(generates CA certificate and puts into db stores, can be verified with: <br>
certutil –L –d . –n "Certificate Name", where Certificate Name is CA Certificate)<br></pre>
<ul><li>Generate the Directory Server Client Certificate
</li></ul>
<pre> certutil -S -n "server-cert" -s "cn=FQDN,cn=Directory Server" -c "CA Certificate" -t "u,u,u" -m 1001 -v 9999 -d . <br> -z noise.txt -f pin.txt <br> </pre><ul><li>Convert to pkcs12 format (note these files will be used within
the AD system, and the prompted password for the commands below will
need to match password in pin.txt file)
</li></ul>
<pre> pk12util -d . -o cacert.pk12 -n "CA Certificate"<br> pk12util -d . -o dscert.pk12 -n "server-cert"<br><br>###############################################################################################################################<br>
<br> <b>After that when i executed ldapsearch -x -ZZ it showing all the entries properly on rhds centos box,<br> so its indicates ssl was perfectly configured on RHDS</b><br>##################################################################################################################################<br>
<br><b>STEPS FOLLOWED ON WINDOWS 2003 ADS BOX to </b><b><b>Set up SSL on the Active Directory Server</b></b><br><b><br></b></pre><ul><li>Install a certificate authority in the Windows Components section in Add/Remove Programs .
</li><li>Select the Enterprise Root CA option.
</li><li>Make sure to use the hostname as the DN serverX and then for
the domain dc=example,dc=com (note, this should resemble your FQDN)
</li><li>Reboot Windows Machine
</li><li>Log back in to the box...give it a little while, it's windows :-)
</li><li>Got to Start>>Run>>mmc
</li><li>Under File>>Add/Remove Snap-in
</li><li>Click Add, Click Certificates, Click Add, Click Computer Account, Click Next and finish
</li><li>Go to Trusted Root Certificates>>Certificates>>Right Click>>All Tasks>>Import
</li><li>Go to where you copied the pk12 files from earlier and import the cacert.pk12 [CREATED IN RHDS RUNNING ON CENTOS ]<br>
</li></ul><b>Create DB Stores For PassSync in windows 2003 ads server</b><br><br>
<h3>
</h3><ul><li>Copy .pk12 files that were put on Windows system to C:\Program Files\Red Hat Directory Password Synchronization\
</li><li>In this directory run certutil -d . -N (from dos command)
</li><li>This creates empty db stores, next run the following to import your dscert.pk12 into the key store
</li></ul>
<pre> pk12util -d . -i dscert.pk12 <br></pre>
<ul><li>Then give trusted peer status to the server
</li></ul>
<pre> certutil -d . -M -n server-cert -t "P,P,P"<br><br><br style="color: rgb(255, 255, 255);"><b><span style="background-color: rgb(153, 0, 0); color: rgb(255, 255, 255);">ERROR</span><br style="background-color: rgb(153, 0, 0); color: rgb(255, 255, 255);">
<br style="background-color: rgb(153, 0, 0); color: rgb(255, 255, 255);"><br style="background-color: rgb(153, 0, 0); color: rgb(255, 255, 255);"><span style="background-color: rgb(153, 0, 0); color: rgb(255, 255, 255);">When i executed the above command on windows 2003 ads box it giving me following error</span><br style="background-color: rgb(153, 0, 0); color: rgb(255, 255, 255);">
<br style="background-color: rgb(153, 0, 0); color: rgb(255, 255, 255);"><span style="background-color: rgb(153, 0, 0); color: rgb(255, 255, 255);">certutil.exe unable to decode trust strings error 0</span><br style="background-color: rgb(153, 0, 0); color: rgb(255, 255, 255);">
<br style="background-color: rgb(153, 0, 0); color: rgb(255, 255, 255);"><br style="background-color: rgb(153, 0, 0); color: rgb(255, 255, 255);"><br style="background-color: rgb(153, 0, 0); color: rgb(255, 255, 255);"><span style="background-color: rgb(153, 0, 0); color: rgb(255, 255, 255);">Also the certificate created from centos box using certutil </span><br style="background-color: rgb(153, 0, 0); color: rgb(255, 255, 255);">
<span style="background-color: rgb(153, 0, 0); color: rgb(255, 255, 255);">is showing validation date and expiration date as current date and time in both CA Cert and Server-cert </span><br style="background-color: rgb(153, 0, 0); color: rgb(255, 255, 255);">
<br style="background-color: rgb(153, 0, 0); color: rgb(255, 255, 255);"><span style="background-color: rgb(153, 0, 0); color: rgb(255, 255, 255);">i checked the certificate content by using </span><br style="background-color: rgb(153, 0, 0); color: rgb(255, 255, 255);">
<span style="background-color: rgb(153, 0, 0); color: rgb(255, 255, 255);">certutil –L –d . –n "Certificate Name"</span><br style="background-color: rgb(153, 0, 0); color: rgb(255, 255, 255);"><span style="background-color: rgb(153, 0, 0); color: rgb(255, 255, 255);">certutil –L –d . –n "Server-cert"</span><br style="background-color: rgb(153, 0, 0); color: rgb(255, 255, 255);">
<br style="color: rgb(255, 255, 255);"><br style="color: rgb(255, 255, 255);"><br> Plz help me how to troubleshoot this error.<br><br>Regards<br>lingu<br><br><br></b></pre><br><br>