
Re: LDAP + RADIUS + SSL



Anderson Alves de Albuquerque <anderson@belem.voip.nce.ufrj.br> writes:

>   I am listing my steps....
>
> - I am doing these steps:
> % openssl req -newkey rsa:1024 -x509 -nodes -out server.pem -keyout server.pem -days 365 
>
> % mkdir /var/myca
> % cd /var/myca/ 
> % /usr/share/ssl/misc/CA.sh -newca
>
> % openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem 
>
> % /usr/share/ssl/misc/CA.sh -sign 
>
> % cp demoCA/cacert.pem /usr/var/openldap-data/cacert.pem 
> % mv newcert.pem /usr/var/openldap-data/servercrt.pem 
> % mv newreq.pem /usr/var/openldap-data/serverkey.pem 
> % chmod 400 /usr/var/openldap-data/serverkey.pem 

[...]

It seems that you have not signed your request with the CA cert but
created a self-signed server cert. Test with
openssl x509 -in servercrt.pem -text

As a test, run slapd -h ldaps:///
and connect with openssl:
openssl s_client -connect your.server:636 -showcerts

I would recommend the following procedure to create certificates:
- edit openssl.cnf to your requirements
- ./CA.pl -newca
- ./CA.pl -newreq
- ./CA.pl -signreq (which is different from -sign)
- openssl rsa -in  newcert.pem -out newkey.pem
- mv newcert.pem servercert.pem
- mv newkey.pem serverkey.pem

-Dieter

-- 
Dieter Klünter | Systemberatung
http://www.dkluenter.de
GPG Key ID:01443B53
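The procedure above, and the check that distinguishes a CA-signed server certificate from the self-signed one the original steps produced, as an added example written for this page (not code from either poster or from the OpenLDAP project). It uses plain openssl commands in place of the CA.pl/CA.sh wrappers; the CA name "Demo LDAP CA", the host name ldap.example.com and the file names are assumptions for the demo. It needs only the openssl command-line tool and no running slapd.

```shell
#!/bin/sh
# Added example: build a small CA, sign a server request with it, and then
# run the checks that show whether a server certificate is CA-signed or
# self-signed. Names, paths and the demo CA are assumptions, not anything
# from the original thread.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Returns 0 when issuer == subject, i.e. the certificate is self-signed.
# This is the condition "openssl x509 -text" lets you read off by eye.
is_self_signed() {
    issuer=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
    subject=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')
    [ "$issuer" = "$subject" ]
}

# Returns 0 when the CA file given as $1 actually verifies certificate $2.
verifies_against_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Returns 0 when private key $2 belongs to certificate $1 (same RSA modulus);
# a wrong "-in" file in the key-extraction step would fail this check.
key_matches_cert() {
    cert_mod=$(openssl x509 -in "$1" -noout -modulus)
    key_mod=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null)
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# Creates in $1: cacert.pem/cakey.pem, a CA-signed servercert.pem with its
# serverkey.pem, and, for contrast, a self-signed selfcert.pem/selfkey.pem.
make_certs() {
    dir="$1"
    mkdir -p "$dir"
    # 1. the CA: a self-signed root (what CA.pl -newca does)
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Demo LDAP CA" \
        -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null
    # 2. the server request (CA.pl -newreq); -nodes leaves the key
    #    unencrypted so slapd can read it without a passphrase, which makes
    #    a separate "openssl rsa" key-decryption step unnecessary
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=ldap.example.com" \
        -keyout "$dir/serverkey.pem" -out "$dir/newreq.pem" 2>/dev/null
    # 3. sign the request with the CA key (CA.pl -signreq): the resulting
    #    certificate's issuer is the CA, not the server itself
    openssl x509 -req -in "$dir/newreq.pem" -days 365 \
        -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" -CAcreateserial \
        -out "$dir/servercert.pem" 2>/dev/null
    # 4. for contrast: a self-signed certificate with the same name, which
    #    is what "openssl req -x509" alone produces
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=ldap.example.com" \
        -keyout "$dir/selfkey.pem" -out "$dir/selfcert.pem" 2>/dev/null
    chmod 400 "$dir/serverkey.pem" "$dir/cakey.pem" "$dir/selfkey.pem"
}

make_certs "$WORK"

for c in servercert.pem selfcert.pem; do
    if is_self_signed "$WORK/$c"; then
        echo "$c: self-signed (issuer == subject)"
    else
        echo "$c: signed by $(openssl x509 -in "$WORK/$c" -noout -issuer)"
    fi
    if verifies_against_ca "$WORK/cacert.pem" "$WORK/$c"; then
        echo "$c: verifies against cacert.pem"
    else
        echo "$c: does NOT verify against cacert.pem"
    fi
done
```

Once the files are in place, point slapd at cacert.pem, servercert.pem and serverkey.pem and repeat the live check from the reply: `openssl s_client -connect your.server:636 -CAfile cacert.pem -showcerts` should print the server certificate with the CA as issuer and "Verify return code: 0 (ok)"; a self-signed server certificate shows up there as the server being its own issuer and a verification error.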