Hi,
I am trying to integrate RHDS 8.0 with windows 2003 ads on centos 5.1 as per the centos documentation for user/group and password sync from windows ADS.
I am using windows sync and Passsync . But i am facing problem with the certificate creation.
*########################################################################## Followed the below step in centos box runing rhds to setup ssl.* ###########################################################################
- vi pin.txt
secretpw
- Create a noise file for the encryption
vi noise.txt dsadasdasdasdadasdasdasdasdsadfwerwerjfdksdjfksdlfhjsdk
- Create the key and certificate databases database
certutil -N -d . -f pin.txt (results, makes 3 files with db extension)
- Generate the encryption key
certutil -G -d . -z noise.txt -f pin.txt
- Generate the self-signed CA certificate
certutil -S -n "CA Certificate" -s "cn=CAcert" -x -t "CT,," -m 1000 -v 9999 -d . -z noise.txt -f pin.txt
(generates CA certificate and puts into db stores, can be verified with:
certutil –L –d . –n "Certificate Name", where Certificate Name is CA Certificate)
- Generate the Directory Server Client Certificate
certutil -S -n "server-cert" -s "cn=FQDN,cn=Directory Server" -c "CA Certificate" -t "u,u,u" -m 1001 -v 9999 -d . -z noise.txt -f pin.txt
- Convert to pkcs12 format (note these files will be used within the AD system, and the prompted password for the commands below will need to match password in pin.txt file)
pk12util -d . -o cacert.pk12 -n "CA Certificate" pk12util -d . -o dscert.pk12 -n "server-cert"
###############################################################################################################################
*After that when i executed ldapsearch -x -ZZ it showing all the entries properly on rhds centos box, so its indicates ssl was perfectly configured on RHDS* ##################################################################################################################################
*STEPS FOLLOWED ON WINDOWS 2003 ADS BOX to **Set up SSL on the Active Directory Server* * *
- Install a certificate authority in the Windows Components section in Add/Remove Programs . - Select the Enterprise Root CA option. - Make sure to use the hostname as the DN serverX and then for the domain dc=example,dc=com (note, this should resemble your FQDN) - Reboot Windows Machine - Log back in to the box...give it a little while, it's windows :-) - Got to Start>>Run>>mmc - Under File>>Add/Remove Snap-in - Click Add, Click Certificates, Click Add, Click Computer Account, Click Next and finish - Go to Trusted Root Certificates>>Certificates>>Right Click>>All Tasks>>Import - Go to where you copied the pk12 files from earlier and import the cacert.pk12 [CREATED IN RHDS RUNNING ON CENTOS ]
*Create DB Stores For PassSync in windows 2003 ads server*
- Copy .pk12 files that were put on Windows system to C:\Program Files\Red Hat Directory Password Synchronization\ - In this directory run certutil -d . -N (from dos command) - This creates empty db stores, next run the following to import your dscert.pk12 into the key store
pk12util -d . -i dscert.pk12
- Then give trusted peer status to the server
certutil -d . -M -n server-cert -t "P,P,P"
*ERROR
When i executed the above command on windows 2003 ads box it giving me following error
certutil.exe unable to decode trust strings error 0
Also the certificate created from centos box using certutil is showing validation date and expiration date as current date and time in both CA Cert and Server-cert
i checked the certificate content by using certutil –L –d . –n "Certificate Name" certutil –L –d . –n "Server-cert"
Plz help me how to troubleshoot this error.
Regards lingu
*