
Re: Enabling TLS problem on openldap2-2.3.39

Keagle, Chuck wrote:
The 2.3 Admin Guide indicates in Section that the
TLSCACertificateFile directive can be used instead of the hash links.

Yes, and that is the preferred usage.

(In fact you can use both at once, but there's no reason to.)

If I switch to using hash links, is it OK to just cat the crt and key
file together to create a pem file?

Your CA's key should pretty much never be accessible anywhere except on the machine that's used to sign certificates. Certificate files are meant to be publicly readable, while secret keys are (duh) meant to be kept secret.

Not all who wander are lost.

                          |     ----  ___o  |  chuck.keagle@boeing.com
Chuck Keagle              |  -------  \ <,  |  Work:  (425) 865-1488
Enterprise Servers:  HPC  |  ----- ( )/ ( ) |  Cell:  (425) 417-3434

-----Original Message-----
From: Keagle, Chuck
Sent: Monday, November 19, 2007 10:37 AM
To: Quanah Gibson-Mount; openldap-software@openldap.org
Subject: RE: Enabling TLS problem on openldap2-2.3.39

By default, the SLES 9.3 slapd.conf defines the CA Cert like this:

    TLSCACertificatePath /etc/ssl/certs

That directory has lots of pem files in it with x509 symbolic links:

ls -C /etc/ssl/certs
052eae11.0  6f5d9899.0   d4e39186.0         ICE-root.pem    timCA.pem
18d46017.0  73912336.0   ddc328ff.0         ICE-user.pem    tjhCA.pem
1e49180d.0  7651b327.0   dsa-ca.pem         ICP-Brasil.pem  vsign1.pem
1ef89214.0  8c401b31.0   dsa-pca.pem        nortelCA.pem    vsign2.pem
1f6c59cd.0  8caad35e.0   Equifax-root1.pem  pca-cert.pem    vsign3.pem
24867d38.0  91b8190d.0   expired            RegTP-4R.pem
2edf7016.0  a99c5886.0   f3e90025.0         RegTP-5R.pem
3ecf89a3.0  adbec561.0   f73e89fd.0         RegTP-6R.pem
594f1775.0  b5f329fa.0   factory.pem        rsa-cca.pem
69ea794f.0  c33a80d4.0   ICE-CA.pem         thawteCb.pem
6bee6be3.0  ca-cert.pem  ICE.crl            thawteCp.pem

I think CA certs are set up correctly.  Am I wrong about that?

    Do I have to move /etc/openldap/server.{crt,key} to

    Do I have to turn /etc/openldap/server.{crt,key}
into a .pem file?

    Do I have to create x509 symbolic links from
/etc/openldap/server.{crt,key} to /etc/ssl/certs?

  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP     http://www.openldap.org/project/
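The point of the exchange above (a CA bundle holds certificates only, the server key stays in its own unreadable file) as an added shell check. This is example code, not from the thread or from OpenLDAP; the directive names are the real slapd.conf ones, the file paths and the placeholder PEM bodies are constructed for the demo.

```shell
#!/bin/sh
# Audit the files a slapd.conf TLS block points at (added example).
# Assumed layout: TLSCACertificateFile -> ca.pem, TLSCertificateKeyFile -> server.key

# Number of PEM blocks in file $1 whose header matches $2 (e.g. CERTIFICATE,
# 'PRIVATE KEY'). grep -c prints 0 on no match but exits 1, hence "|| true".
pem_blocks() { grep -c -- "^-----BEGIN .*$2-----" "$1" || true; }

# TLSCACertificateFile must contain certificates only: at least one, and no
# private key of any kind. "cat server.crt server.key > ca.pem" fails this.
check_ca_bundle() {
    [ "$(pem_blocks "$1" CERTIFICATE)" -ge 1 ] &&
    [ "$(pem_blocks "$1" 'PRIVATE KEY')" -eq 0 ]
}

# TLSCertificateKeyFile must hold exactly one private key and must not be
# world-readable (find prints the path only if the o+r bit is set).
check_server_key() {
    [ "$(pem_blocks "$1" 'PRIVATE KEY')" -eq 1 ] &&
    [ -z "$(find "$1" -perm -004)" ]
}

# Rebuild the <hash>.0 links a TLSCACertificatePath directory needs (what
# c_rehash does). Only relevant if you prefer the directory form over
# TLSCACertificateFile; needs openssl, so it is not run in the demo below.
make_hash_links() {
    for crt in "$1"/*.pem; do
        h=$(openssl x509 -noout -hash -in "$crt") &&
            ln -sf "$(basename "$crt")" "$1/$h.0"
    done
}

# --- constructed sample files (placeholder PEM bodies, not real key material) ---
demo=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB...placeholder...' \
    '-----END CERTIFICATE-----' > "$demo/ca.pem"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'MIIE...placeholder...' \
    '-----END RSA PRIVATE KEY-----' > "$demo/server.key"
chmod 600 "$demo/server.key"
cat "$demo/ca.pem" "$demo/server.key" > "$demo/mixed.pem"  # the "cat crt and key" case

check_ca_bundle  "$demo/ca.pem"      && echo "ca.pem: OK, certificates only"
check_ca_bundle  "$demo/mixed.pem"   || echo "mixed.pem: REJECT, private key in CA bundle"
check_server_key "$demo/server.key"  && echo "server.key: OK, one key, not world-readable"
```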