
RE: SSL client certificate question and bdb_dn2id_matched question



> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Simon Liebold

> > The procedure for making a certificate signed by your own CA is:
> >
> > 1: Make the CA cert. This you will use for signing;
>
> I have found this
> http://www.linux-mag.com/2002-03/guru_02.html and this
> http://www.openldap.org/lists/openldap-software/200109/msg00745.html
> They are using self-signed certificates. I have created them
> this way.

The Linux-Mag article appears to be a direct copy of the message from the
OpenLDAP archive. Unfortunately the given procedure is wrong. You'd think a
responsible journalist would (a) check their information first and (b) credit
their sources.

> I
> also have chosen the right "cn" for the certificate. But nothing
> changed. :-(
> Do self-signed certificates just work on hosts they were issued for? I
> will try the CA-signature tomorrow. Where does the client (ldapsearch)
> expect the CA-Cert?

Self-signed certs can be made to work, but should not be used. They are a
security liability. Please read the admin guide:
http://www.openldap.org/doc/admin21/tls.html

The topic of how to actually create certificates has been discussed to death
on this mailing list, but it is not properly an OpenLDAP issue; it is
typically an OpenSSL issue and you should use the OpenSSL support channels to
get the answers. If you're using some other crypto library (e.g. Microsoft
SSI or Netscape) you should use the appropriate docs/support for that library
instead.

The FAQ-o-Matic has been updated with the correct steps for creating a server
certificate:  http://www.openldap.org/faq/index.cgi?file=185

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
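The quoted procedure's first step (make the CA cert, then sign the server cert with it) and Howard's point that self-signed certs are a liability, shown as an added shell example that is not from this thread, from OpenLDAP or from the FAQ it points to. It builds a private CA, issues a CA-signed server certificate, and then runs the same checks a TLS client given that CA (TLS_CACERT in ldap.conf for ldapsearch) performs, against both the CA-signed cert and a self-signed one. The hostname ldap.example.com, the scratch directory, key sizes and lifetimes are assumed values; the openssl command-line tool must be installed.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed: hostname ldap.example.com,
# a scratch directory, key sizes and lifetimes. Requires the openssl CLI.
WORK="${WORK:-$(mktemp -d)}"
LDAP_HOST="ldap.example.com"
# Private OpenSSL config so nothing depends on the system openssl.cnf.
cat > "$WORK/req.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_server]
basicConstraints = CA:FALSE
subjectAltName = DNS:$LDAP_HOST
EOF
# Step 1 of the quoted procedure: the CA cert, the one thing clients trust.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$WORK/req.cnf" \
        -extensions v3_ca -subj "/CN=Example Private CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}
# Server key and CSR with CN = the hostname clients use, then CA-sign the CSR.
make_server_cert() {
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
        -subj "/CN=$LDAP_HOST" -keyout "$WORK/server.key" \
        -out "$WORK/server.csr" 2>/dev/null &&
    openssl x509 -req -days 365 -in "$WORK/server.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -CAcreateserial -extfile "$WORK/req.cnf" \
        -extensions v3_server -out "$WORK/server.crt" 2>/dev/null
}
# For comparison: a self-signed server cert, which has no chain to the CA.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$WORK/req.cnf" \
        -extensions v3_server -subj "/CN=$LDAP_HOST" \
        -keyout "$WORK/self.key" -out "$WORK/self.crt" 2>/dev/null
}
# What a client with TLS_CACERT=ca.crt checks: chain to the CA and hostname
# against the CN/SAN. Prints ok or fail and returns openssl verify's status.
verify_as_client() {  # $1 = certificate file, $2 = hostname the client used
    if openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$2" "$1" >/dev/null 2>&1
    then echo ok; else echo fail; return 1; fi
}
make_ca && make_server_cert && make_self_signed
verify_as_client "$WORK/server.crt" "$LDAP_HOST"        # ok
verify_as_client "$WORK/server.crt" "other.example.com" # fail: name mismatch
verify_as_client "$WORK/self.crt" "$LDAP_HOST"          # fail: not CA-signed
```

The self-signed certificate fails for the same reason it is a liability in practice: a client can only accept it by trusting that one server cert directly, whereas with a private CA the client trusts ca.crt once and every certificate it signs for the right hostname verifies.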