[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: question about TLS

jacob walcik wrote:

i'm trying to enable support for TLS by following the instructions listed in the openldap faq, located here:

it took a few minutes to find the CA shell script (/usr/share/ssl/misc on redhat), and now that i've found it, i'm having some trouble with it.

i created /etc/ssl/certs to store my certificates in. cd'd into it, and i've run "CA -newca". it prompts me for a filename to create as the certificate, and then tells me it can't stat the file, and creates a directory called demoCA w/ a bunch of empty files and directories in it. however, if i just hit enter when prompted, it asks me for the certificate information, and then creates the demoCA directory with populated files (the certificate and private key).

You got ./demoCA/cacert.pem which is the Certificate authority certificate and matching key in ./demoCA/private/cakey.pem.
This is used to sign other certificates that you will generate.
Now you use cacert.pem in slapd.conf directive TLSCACertificateFile on the server side and TLS_CACERT directive in ldap.conf for the clients.
Next step is to generate request (CA.pl -newreq) for new certificate for the server machine, sign it (CA.pl -sign) with the above cacert.pem and add new certificate and key to your server TLSCertificateFile and TLSCertificateKeyFile in slapd.conf. Clients don't need their own certificates in minimum TLS configuration. Remember to remove the pass phrase from the server key or you will have to type password on every start.

okay, so i have the cert and the private key, my question is, what do i do next? when i run the openssl command listed in the doc to create the certificate request:
openssl req -new -nodes -keyout newreq.pem -out newreq.pem

am i supposed to be pointing it at the public certificate created above? or at a new, empty file?

jacob walcik

Peter Ziobrzynski, mailto:pzi@pzi.net