Red Hat Directory Server 8.0 Administrator's Guide

tar -cf /tmp/db-backup.tar *
3. Create a password file for the security token password.
vi /tmp/pwdfile
secretpw
This password locks the server's private key in the key database and is used when the keys
and certificates are first created. The password in this file is also the default password to
encrypt PK12 files used by pk12util. Because this password is stored in plaintext, the
password file should be owned by the user as which Directory Server runs, by default
nobody, and it must be set as read-only for the Directory Server user and allow no access to
anyone else (mode 0400). It's a good idea to have a secure backup of this file.
4. Set the environment variable for the shell to include the certutil directory path. For
example:
export PATH=/usr/bin/:$PATH
The command varies depending on the shell.
5. Create the key and certificate databases.
certutil -N -d . -f /tmp/pwdfile
6. Generate the self-signed CA certificate. certutil creates the required key pair and the
certificate. This certificate is used to sign the other server certificates and can be
exported for use with other servers and clients.
certutil -S -n "CA certificate" -s "cn=My Org CA cert, dc=example,dc=com" -x -t "CT,," \
    -m 1000 -v 120 -d . -k ec -q c2pnb163v2 -f /tmp/pwdfile
Here -x makes the certificate self-signed, -t "CT,," marks it as a CA trusted to issue
both server and client certificates, -m sets the serial number, and -v 120 sets the validity
period in months (ten years).
7. Generate the Directory Server's own certificate, Server-Cert, signed by the CA
certificate created in the previous step.
certutil -S -n "Server-Cert" -s "cn=FQDN,cn=Directory Server" -c "CA certificate" \
    -t "u,u,u" -m 1001 -v 120 -d . -k ec -q c2pnb163v2 -f /tmp/pwdfile
The value of the -s argument is very important. The leftmost RDN must be cn=FQDN (where
FQDN is the fully qualified host and domain name of the Directory Server). For example, to
issue a certificate for a server with the name ldap.example.com, specify at least -s
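Steps 3 through 7 as a single script, added here as an example that is not part of the Red Hat guide. It writes the password file under a restrictive umask and refuses to run certutil unless the file is mode 0400 and owned by the invoking user, builds the server certificate subject from the host's FQDN so that the leftmost RDN is cn=FQDN, and hands certutil a bounded noise file with -z so it does not stop to ask for keyboard entropy. Assumptions not in the guide: the certificate directory defaults to the current directory (matching the guide's -d .), the FQDN is taken from hostname -f, GNU stat(1) is used for the permission check, and the noise-file handling of certutil. The c2pnb163v2 curve is kept to match the guide; a 163-bit binary curve is below current strength recommendations, and a new deployment would choose, for example, -q nistp256 or an RSA key.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide: steps 3-7 above as one script.
# Assumptions (not in the original): CERTDIR defaults to "." to match the
# guide's "-d ."; the FQDN comes from `hostname -f`; GNU stat(1) is used for
# the permission check; certutil is given a bounded noise file with -z so it
# does not wait for keyboard entropy.
set -eu

CERTDIR="${CERTDIR:-.}"
PWDFILE="${PWDFILE:-/tmp/pwdfile}"
FQDN="${FQDN:-$(hostname -f 2>/dev/null || hostname 2>/dev/null || echo localhost.localdomain)}"

# Step 3: write the token password so it is never world-readable, even
# briefly. The subshell keeps the umask change from leaking into the caller.
create_pwdfile() {
    ( umask 077; printf '%s\n' "$2" > "$1" )
    chmod 0400 "$1"
}

# Refuse to proceed unless the file is mode 0400 and owned by the expected
# user (default: the invoking user; for a running server this is the
# Directory Server user, nobody by default in this release).
check_pwdfile() {
    owner="${2:-$(id -un)}"
    [ -f "$1" ] || return 1
    [ "$(stat -c '%a' "$1")" = "400" ] || return 1
    [ "$(stat -c '%U' "$1")" = "$owner" ] || return 1
}

# Step 7: the subject's leftmost RDN must be cn=FQDN. Build it rather than
# typing it, and check any subject before handing it to certutil.
server_subject() {
    printf 'cn=%s,cn=Directory Server' "$1"
}

subject_matches_host() {
    case "$1" in
        "cn=$2"|"cn=$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Steps 5-7: databases, self-signed CA, and Server-Cert signed by that CA.
create_certs() {
    dir="$1"; pwfile="$2"; host="$3"
    subj="$(server_subject "$host")"
    subject_matches_host "$subj" "$host" || return 1
    head -c 1024 /dev/urandom > "$dir/noise"        # bounded seed for -z
    certutil -N -d "$dir" -f "$pwfile"
    certutil -S -n "CA certificate" -s "cn=My Org CA cert,dc=example,dc=com" \
        -x -t "CT,," -m 1000 -v 120 -d "$dir" -k ec -q c2pnb163v2 \
        -z "$dir/noise" -f "$pwfile"
    certutil -S -n "Server-Cert" -s "$subj" -c "CA certificate" \
        -t "u,u,u" -m 1001 -v 120 -d "$dir" -k ec -q c2pnb163v2 \
        -z "$dir/noise" -f "$pwfile"
    rm -f "$dir/noise"
    certutil -L -d "$dir"                            # show both certificates
}

main() {
    # "secretpw" is the guide's sample password; replace it in real use.
    [ -f "$PWDFILE" ] || create_pwdfile "$PWDFILE" "secretpw"
    if ! check_pwdfile "$PWDFILE"; then
        echo "$PWDFILE must be mode 0400 and owned by $(id -un); not continuing" >&2
        return 1
    fi
    if command -v certutil >/dev/null 2>&1; then
        create_certs "$CERTDIR" "$PWDFILE" "$FQDN"
    else
        echo "certutil not found; only the password file was prepared at $PWDFILE" >&2
    fi
}

main "$@"
```

When certutil is not installed the script still prepares and verifies the password file and then stops, so the permission check can be run on any host; check_pwdfile is also suitable as a pre-start check for the Directory Server user, since a password file that has drifted to 0644 is exactly the failure the guide's mode-0400 rule is meant to prevent.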