Howard Chu wrote:
Furthermore it is also *not* recommended to have the certificate and private key stored in a single file. The certificate still needs to be distributed to client machines that need to make secure connections to the OpenLDAP server. Keeping the two separate allows you to distribute the server certificate while still keeping the server key secret.

Peter Marschall wrote:
On Saturday 02 July 2005 01:41, Alvaro Poole wrote:
Hi, I'm having problems configuring Openldap with TLS/SSL. First of all, I'm trying to put a server certificate, so I create a certificate with OpenSSL with the next line:
openssl req -newkey rsa:1024 -x509 -nodes -out ldapcert.pem -keyout ldapcert.pem -days 365
After this, I configured my slapd.conf with the next lines (but before, I copied ldapcert.pem to slapd.conf directory):
Apart from the typo that Samuel Tra already reported, it may be a problem that you use the CA certificate as the server certificate.
IIRC OpenLDAP requires the server certificate to be different from the CA certificate.
We *recommend* it, as that is how X.509 is intended to be used. But it is not a *requirement* - there's nothing preventing you from using the CA cert as the server cert, as long as you create the certificate correctly and configure the server and clients correctly. However, in most cases doing so is foolish; it also makes certificate management much harder as soon as you have more than one server.
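The layout Howard and Peter describe (a CA certificate that is not the server certificate, and a server certificate kept in a different file from its private key), as an added example that is not part of the original thread; the directory, file names, subjects and slapd.conf paths are assumptions:

```shell
#!/bin/sh
# Added example: build a separate CA certificate, server certificate and
# server key with OpenSSL, then check that the distributable certificate
# files carry no private key. All names and paths below are assumptions.
set -e

make_ldap_certs() {
    dir="${1:-ldap-tls}"
    mkdir -p "$dir"
    # 1. Self-signed CA: this is the file clients get as TLSCACertificateFile.
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Example LDAP CA" \
        -keyout "$dir/ca-key.pem" -out "$dir/ca-cert.pem" 2>/dev/null
    # 2. Server key and CSR; the CN must match the hostname clients connect to.
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=ldap.example.com" \
        -keyout "$dir/server-key.pem" -out "$dir/server.csr" 2>/dev/null
    # 3. Sign the CSR with the CA, so the server cert is distinct from the CA cert.
    openssl x509 -req -days 365 -in "$dir/server.csr" \
        -CA "$dir/ca-cert.pem" -CAkey "$dir/ca-key.pem" -CAcreateserial \
        -out "$dir/server-cert.pem" 2>/dev/null
    # Only slapd needs to read the private keys; the certs can be world-readable.
    chmod 600 "$dir/ca-key.pem" "$dir/server-key.pem"
    rm -f "$dir/server.csr"
}

# Returns 0 when the server cert chains to the CA and neither certificate
# file contains a PRIVATE KEY block (so they are safe to copy to clients).
check_ldap_certs() {
    dir="${1:-ldap-tls}"
    openssl verify -CAfile "$dir/ca-cert.pem" "$dir/server-cert.pem" >/dev/null 2>&1 || return 1
    grep -q "PRIVATE KEY" "$dir/server-cert.pem" && return 1
    grep -q "PRIVATE KEY" "$dir/ca-cert.pem" && return 1
    return 0
}

# Matching slapd.conf directives (paths are assumptions):
#   TLSCACertificateFile  /etc/openldap/ldap-tls/ca-cert.pem
#   TLSCertificateFile    /etc/openldap/ldap-tls/server-cert.pem
#   TLSCertificateKeyFile /etc/openldap/ldap-tls/server-key.pem
```

Clients then need only ca-cert.pem to verify the server; server-key.pem never leaves the server host.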