
SSL configuration steps required



Dear All,

I took the following steps for enabling SSL. It didn't work. Please guide.
Note: I'm using CDS Symas binaries. Do I require special settings considering
this?

Steps:
1) create a self-signed CA certificate:
/opt/symas/bin/openssl req -new -x509 -nodes -keyout /usr/local/ssl/private/cakey.pem -out /usr/local/ssl/private/cacert.pem
Note: when it asks for Common name I supply my server name as:
Common Name (e.g., YOUR name) []:test3.test2.mydomain.com
Is this proper?

Also, for attributes country, state, city and email I give actual values
within given length limit (like country two chars).

2) create a certificate request:
/opt/symas/bin/openssl req -new -nodes -keyout newkey.pem -out newreq.pem -days 360
Note: when it asks for Common name I supply my server name as:
Common Name (e.g., YOUR name) []:test3.test2.mydomain.com
Is this proper?

Also, for attributes country, state, city and email I give actual values
within given length limit (like country two chars).

3) sign certificate request
Operation fails here.
# /opt/symas/bin/openssl ca -policy policy_anything -out newcert.pem -infiles newreq.pem
Using configuration from /opt/symas/ssl/openssl.cnf
CA certificate and CA private key do not match
18322:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:x509_cmp.c:279:

I'm stuck here. Please guide.

I plan the following steps, once the steps above start working.
4) update TLS options in slapd.conf:
TLSCertificateFile      /usr/local/ssl/certs/newcert.pem
TLSCertificateKeyFile   /usr/local/ssl/certs/newcertkey.pem
TLSCACertificateFile    /usr/local/ssl/private/cacert.pem
Note: I will ensure to keep the files in above said path.

5) startup slapd
5.1 configure slapd.args as:
/opt/symas/lib/slapd -h "ldap:/// ldaps:///" -d -1

6) execute ldapsearch with -Z option:
/opt/symas/bin/ldapsearch -b 'dc=test3,dc=test2,dc=mydomain,dc=com' -Z uid=myuid

7) Besides this I have updated the BASE option in ldap.conf file. Anything
else needs to be updated in this file?

8) What are Netscape-compliant certificates and otherwise? Any good link for
this information?


Please guide. Thanks.

Regards
Pravin Joshi
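The error in step 3 ("CA certificate and CA private key do not match") is OpenSSL reporting that the certificate and private key it was handed do not belong to the same key pair. The script below is an added example, not part of the post above and not Symas or OpenLDAP code: it builds a throw-away CA, signs a server CSR with it while naming the CA certificate and key explicitly on the command line, and then checks whether a given certificate and key match by comparing their public keys. The work directory (a `mktemp -d` temp dir), the CA name and the server CN `test3.test2.mydomain.com` are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): create a test CA, sign a
# server CSR with it, and verify that a cert and key belong together.
# All file names, the CN and the temp directory are assumptions.
set -eu

# Build CA + server key/CSR/cert in a fresh temp dir and print its path.
make_ca_and_sign() {
    dir=$(mktemp -d)
    # 1) self-signed CA: key and certificate produced in one step
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Example Test CA" \
        -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null
    # 2) server key + CSR; the CN is the host name clients will connect to
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=test3.test2.mydomain.com" \
        -keyout "$dir/newkey.pem" -out "$dir/newreq.pem" 2>/dev/null
    # 3) sign the CSR, naming the CA cert and key explicitly so that no
    #    openssl.cnf default decides which pair is used
    openssl x509 -req -days 365 -in "$dir/newreq.pem" \
        -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" -CAcreateserial \
        -out "$dir/newcert.pem" 2>/dev/null
    echo "$dir"
}

# Exit status 0 when the public key embedded in the certificate equals the
# public key derived from the private key, 1 otherwise. This is the same
# relationship X509_check_private_key tests when it reports "key values
# mismatch", and it works for RSA and EC keys alike.
key_matches_cert() {
    cert=$1
    key=$2
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# Exit status 0 when the server certificate chains to the given CA cert.
cert_chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Demonstration when run directly (skipped if openssl is not installed).
if command -v openssl >/dev/null 2>&1; then
    work=$(make_ca_and_sign)
    key_matches_cert "$work/cacert.pem" "$work/cakey.pem" && echo "CA cert/key: match"
    key_matches_cert "$work/newcert.pem" "$work/newkey.pem" && echo "server cert/key: match"
    cert_chains_to_ca "$work/cacert.pem" "$work/newcert.pem" && echo "server cert chains to CA: ok"
    # A key generated elsewhere must be reported as a mismatch.
    openssl genrsa -out "$work/other.pem" 2048 2>/dev/null
    key_matches_cert "$work/newcert.pem" "$work/other.pem" \
        || echo "server cert vs. unrelated key: mismatch (as expected)"
    rm -rf "$work"
fi
```

Running `key_matches_cert` against the CA certificate and CA key that `openssl ca` is actually loading is the quickest way to localise the step 3 failure. Note that `openssl ca` takes those two files from the `certificate` and `private_key` entries of the `[ CA_default ]` section in the openssl.cnf it announces ("Using configuration from ..."), not from wherever `openssl req -x509` wrote them, unless they are overridden with `-cert` and `-keyfile`; the `openssl x509 -req -CA ... -CAkey ...` route used above avoids that indirection entirely.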