
RE: SSL client certificate question and bdb_dn2id_matched question

Tue, 2003-01-14 at 00:19, Simon Liebold wrote:

> I've read the following advisory. You might tell if this is right. If it
> is, this is the answer for Bradley; if it is not, there might be an
> answer for me:
> I have created the key and the certificate (in one file) with:
> openssl req -new -x509 -nodes -days 730 -out ldap.pem -keyout ldap.pem
> And I am using this file in slapd.conf as "TLSCertificateFile",
> "TLSCertificateKeyFile" and "TLSCACertifikateFile".

Even if you spell "certificate" right, this won't work ;-) as Bradley

Depending on how you installed OpenSSL ('spose you are using OpenSSL; rpm
or source code), you'll have /usr/share/ssl or /usr/local/ssl.

Your openssl binary will know where to look for it.

In a misc subdirectory, you'll have a shell CA or CA.sh and a Perl
CA.pl. If you look at the code, you'll see what it can do.

The openssl binary uses the info in openssl.cnf in the respective ssl
directory. By editing this, you can change your certificate details
(also CA) and directory in which certs are put as standard. But you can
later put them wherever you like.

The procedure for making a certificate signed by your own CA is:

1: Make the CA cert. This you will use for signing;
2: Make a certificate private key and cert signing request;
3: Sign the signing request with the CA cert and obtain a public key and
a certificate revocation list (crl.pem/.der) by signing with your CA cert.
Make sure the subject of the cert ("your name" or whatever stupid
wording you have in openssl.cnf) agrees with what you have if you do
'hostname -f' (Linux!!!).
4: Use only the .pem certs, raw, do not make hashes for Openldap.
5: Make sure that the path to the CA cert is readable for all clients.

That's all there is to it. If you make a mistake and want to use the
same name for the certificate, you'll have to rm the contents of the
cert dir and start again (not the CA cert).

> And what's the problem:
> I can query the LDAP server (ldapsearch) from the same host slapd is
> running on. I also can reach it with the Java client "LDAP browser/editor"
> from another host. However, I cannot reach it from another host using
> "ldapsearch". The connection is being cancelled right after it is
> established.
> The command line I am using to query (on both hosts):
> ldapsearch -H ldaps://soma.loge-23.ilm/ -x -b "" -s base -d 255
> There is a more complete description of the problem in a message I
> posted earlier.
> Greetings,
> Simon

Tony Earnshaw

When all's said and done ...
there's nothing left to say or do.

e-post:		tonni@billy.demon.nl
www:		http://www.billy.demon.nl
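The five steps Tony lists, worked through as an added example that is not part of his mail and not OpenSSL's own CA.sh/CA.pl: a POSIX shell script that builds a private CA, issues a server certificate for the slapd host, sets the permissions, and then runs the checks that catch the usual mistakes (subject not matching the hostname, key and cert from different runs, CA cert that does not verify the server cert). It drives plain `openssl req` and `openssl x509 -req` with a generated minimal config instead of the CA.sh wrapper, so it keeps no index.txt and produces no CRL; the host name ldap.example.test, the organisation names and the scratch directory are assumptions.

```shell
#!/bin/sh
# Added example, not from Tony's mail or from OpenSSL's CA.sh/CA.pl.
# Hypothetical assumptions: the slapd host's FQDN is ldap.example.test and
# every file is written to a scratch directory.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
SLAPD_FQDN="${SLAPD_FQDN:-ldap.example.test}"   # on the real host: $(hostname -f)

# Minimal openssl config so the run does not depend on the system openssl.cnf.
# The v3_ca section is what marks the CA cert as a CA (step 1).
write_config() {
    cat > "$WORKDIR/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt             = no
x509_extensions    = v3_ca
[ dn ]
O  = Example Test
CN = Example Test Root CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF
}

# Step 1: CA key and self-signed CA cert, used only for signing.
make_ca() {
    openssl req -x509 -config "$WORKDIR/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
        -days 3650 -keyout "$WORKDIR/cakey.pem" -out "$WORKDIR/cacert.pem" 2>/dev/null
}

# Step 2: server key and CSR. The CN must agree with 'hostname -f' on the slapd box.
make_csr() {
    openssl req -new -config "$WORKDIR/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "/O=Example Test/CN=$SLAPD_FQDN" \
        -keyout "$WORKDIR/ldap.key" -out "$WORKDIR/ldap.csr" 2>/dev/null
}

# Step 3: sign the CSR with the CA. 'openssl x509 -req' keeps no index.txt, so
# unlike CA.sh it cannot produce a CRL (that needs 'openssl ca -gencrl').
# A subjectAltName is added because current clients ignore the CN for hostname matching.
sign_csr() {
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$SLAPD_FQDN" \
        > "$WORKDIR/ldap.ext"
    openssl x509 -req -in "$WORKDIR/ldap.csr" -sha256 -days 730 \
        -CA "$WORKDIR/cacert.pem" -CAkey "$WORKDIR/cakey.pem" -CAcreateserial \
        -extfile "$WORKDIR/ldap.ext" -out "$WORKDIR/ldap.crt" 2>/dev/null
}

# Steps 4 and 5: raw PEM files, no hash links; CA cert readable by every
# client, private keys readable only by their owner.
set_perms() {
    chmod 644 "$WORKDIR/cacert.pem" "$WORKDIR/ldap.crt"
    chmod 600 "$WORKDIR/cakey.pem" "$WORKDIR/ldap.key"
}

# Check: CN of the issued cert (RFC2253 output is stable across OpenSSL versions).
cert_cn() {
    openssl x509 -in "$WORKDIR/ldap.crt" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Check: does the subject agree with the name clients will connect to?
check_cn() {
    [ "$(cert_cn)" = "$SLAPD_FQDN" ] && echo ok || echo MISMATCH
}

# Check: does the server cert verify against the CA cert clients will be handed?
verify_chain() {
    openssl verify -CAfile "$WORKDIR/cacert.pem" "$WORKDIR/ldap.crt" >/dev/null 2>&1 \
        && echo ok || echo FAIL
}

# Check: do TLSCertificateFile and TLSCertificateKeyFile actually belong together?
key_matches_cert() {
    crt_mod=$(openssl x509 -in "$WORKDIR/ldap.crt" -noout -modulus)
    key_mod=$(openssl rsa -in "$WORKDIR/ldap.key" -noout -modulus 2>/dev/null)
    [ "$crt_mod" = "$key_mod" ] && echo match || echo mismatch
}

# slapd.conf directives: three separate files, not one file for all three.
slapd_conf() {
    printf 'TLSCACertificateFile  %s/cacert.pem\n' "$WORKDIR"
    printf 'TLSCertificateFile    %s/ldap.crt\n'   "$WORKDIR"
    printf 'TLSCertificateKeyFile %s/ldap.key\n'   "$WORKDIR"
}

build_all() {
    write_config; make_ca; make_csr; sign_csr; set_perms
}

build_all
echo "CN: $(check_cn)  chain: $(verify_chain)  key/cert: $(key_matches_cert)"
slapd_conf
```

Once all three checks pass, the printed directives go into slapd.conf. For the remote ldapsearch problem, the client side needs the CA cert too: copy cacert.pem to the client and point TLS_CACERT in its ldap.conf at it, and test the listener independently of ldapsearch with `openssl s_client -connect ldap.example.test:636 -CAfile cacert.pem`, which shows the chain and the verify result before any LDAP traffic is sent.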