Re: question about TLS
jacob walcik wrote:
I'm trying to enable support for TLS by following the instructions
listed in the OpenLDAP FAQ, located here:
It took a few minutes to find the CA shell script (/usr/share/ssl/misc
on Red Hat), and now that I've found it, I'm having some trouble with it.
I created /etc/ssl/certs to store my certificates in, cd'd into it,
and ran "CA -newca". It prompts me for a filename to create as
the certificate, and then tells me it can't stat the file, and creates
a directory called demoCA with a bunch of empty files and directories in
it. However, if I just hit enter when prompted, it asks me for the
certificate information, and then creates the demoCA directory with
populated files (the certificate and private key).
You got ./demoCA/cacert.pem, which is the Certificate Authority
certificate, and the matching key in ./demoCA/private/cakey.pem.
This is used to sign the other certificates that you will generate.
Now you use cacert.pem in the slapd.conf directive TLSCACertificateFile on
the server side and in the TLS_CACERT directive in ldap.conf for the clients.
The next step is to generate a request (CA.pl -newreq) for a new certificate for
the server machine, sign it (CA.pl -sign) with the above cacert.pem and
add the new certificate and key to your server's TLSCertificateFile and
TLSCertificateKeyFile in slapd.conf. Clients don't need their own
certificates in a minimum TLS configuration. Remember to remove the pass
phrase from the server key or you will have to type the password on every start.
Okay, so I have the cert and the private key. My question is, what do
I do next? When I run the openssl command listed in the doc to create
the certificate request:
openssl req -new -nodes -keyout newreq.pem -out newreq.pem
am I supposed to be pointing it at the public certificate created
above? Or at a new, empty file?
Peter Ziobrzynski, mailto:firstname.lastname@example.org
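The steps Peter lists (create the CA, make a request for the server, sign it, strip the pass phrase, point slapd.conf at the files) as one added, non-interactive script. This is editor-supplied example code, not code from the thread or from the OpenLDAP FAQ: it calls openssl directly instead of the CA / CA.pl wrapper so it runs without prompts, and it adds the checks a practitioner wants before restarting slapd (certificate verifies against the CA file, the name is in the certificate, the key loads without a pass phrase). The hostname ldap.example.com, the subjects, the pass phrases and the file names are all assumptions; the subjectAltName extension goes beyond what the thread discusses, since current TLS clients match the hostname against it rather than the CN. On the question quoted above: "openssl req -new" takes no existing certificate as input at all, so the request step writes brand-new files (here a separate key and request rather than both into newreq.pem).

```shell
#!/bin/sh
# Added example, not code from the thread or the OpenLDAP FAQ: the CA and
# server-certificate steps with plain openssl commands, plus the checks worth
# running before editing slapd.conf. Hostname, subjects, pass phrases and
# file names below are made up for the demonstration.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }

WORK="${WORK:-$(mktemp -d)}"
CA_DIR="$WORK/demoCA"
SERVER_CN="ldap.example.com"   # assumed; must be the name clients connect to
CA_PASS="capassword"           # assumed; a real CA key stays pass-phrased
SERVER_PASS="serverpass"       # assumed; removed again by strip_passphrase

make_ca() {
    # What "CA -newca" / "CA.pl -newca" leaves behind: a self-signed CA
    # certificate (cacert.pem, the file for TLSCACertificateFile and
    # TLS_CACERT) and its encrypted private key (private/cakey.pem).
    mkdir -p "$CA_DIR/private"
    chmod 700 "$CA_DIR/private"
    openssl req -x509 -new -newkey rsa:2048 -days 365 \
        -subj "/C=US/O=Example Corp/CN=Example LDAP CA" \
        -passout "pass:$CA_PASS" \
        -keyout "$CA_DIR/private/cakey.pem" -out "$CA_DIR/cacert.pem" 2>/dev/null
}

make_server_request() {
    # What "CA.pl -newreq" does: generate a brand-new key and a signing
    # request. The CA certificate is not an input; the outputs are new files
    # (kept separate here instead of both going into newreq.pem). Adding
    # -nodes would skip the pass phrase and make strip_passphrase unnecessary.
    openssl req -new -newkey rsa:2048 \
        -subj "/C=US/O=Example Corp/CN=$SERVER_CN" \
        -passout "pass:$SERVER_PASS" \
        -keyout "$WORK/newkey.pem" -out "$WORK/newreq.pem" 2>/dev/null
}

sign_server_request() {
    # What "CA.pl -sign" does: the CA key signs the request, producing the
    # server certificate for TLSCertificateFile. The subjectAltName extension
    # is an addition to the thread: current clients match the hostname
    # against it rather than against the CN.
    printf 'subjectAltName=DNS:%s\n' "$SERVER_CN" > "$WORK/server.ext"
    openssl x509 -req -days 365 -in "$WORK/newreq.pem" \
        -CA "$CA_DIR/cacert.pem" -CAkey "$CA_DIR/private/cakey.pem" \
        -passin "pass:$CA_PASS" -CAcreateserial \
        -extfile "$WORK/server.ext" -out "$WORK/newcert.pem" 2>/dev/null
}

strip_passphrase() {
    # "Remove the pass phrase from the server key": rewrite it unencrypted so
    # slapd can start unattended, and protect it with file permissions instead.
    #   $1 = encrypted key, $2 = its pass phrase, $3 = output file
    ( umask 077; openssl rsa -in "$1" -passin "pass:$2" -out "$3" 2>/dev/null )
}

cert_chains_to_ca() {
    # The certificate in $1 must verify against the CA file clients will trust.
    openssl verify -CAfile "$CA_DIR/cacert.pem" "$1" >/dev/null 2>&1
}

cert_cn() {
    # Subject CN of the certificate in $1 (handles old and new subject formats).
    openssl x509 -in "$1" -noout -subject | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'
}

cert_has_san_for() {
    # True when the certificate in $2 carries DNS:$1 in subjectAltName.
    openssl x509 -in "$2" -noout -text | grep -q "DNS:$1"
}

key_has_no_passphrase() {
    # True when the key in $1 loads with an empty pass phrase, i.e. it is
    # unencrypted, which is what slapd needs for TLSCertificateKeyFile.
    openssl rsa -in "$1" -noout -passin pass: >/dev/null 2>&1
}

run_demo() {
    make_ca
    make_server_request
    sign_server_request
    strip_passphrase "$WORK/newkey.pem" "$SERVER_PASS" "$WORK/serverkey.pem"

    # Checks before touching slapd.conf; any failure aborts under set -e.
    cert_chains_to_ca "$WORK/newcert.pem"
    cert_has_san_for "$SERVER_CN" "$WORK/newcert.pem"
    key_has_no_passphrase "$WORK/serverkey.pem"

    # The slapd.conf directives pointing at what was just produced.
    cat <<EOF
TLSCACertificateFile  $CA_DIR/cacert.pem
TLSCertificateFile    $WORK/newcert.pem
TLSCertificateKeyFile $WORK/serverkey.pem
EOF
}

run_demo
```

The CA key is deliberately left encrypted and only the server key is rewritten in the clear: the server key is protected by the 0600 permissions strip_passphrase sets, and slapd reads it at startup without prompting. The same key_has_no_passphrase check returns false for newkey.pem and for the CA key, so it also serves as a guard against accidentally pointing TLSCertificateKeyFile at the still-encrypted copy.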