[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Enabling TLS problem on openldap2-2.3.39

To: "Keagle, Chuck" <chuck.keagle@boeing.com>
Subject: Re: Enabling TLS problem on openldap2-2.3.39
From: Howard Chu <hyc@symas.com>
Date: Tue, 20 Nov 2007 06:21:43 -0800
Cc: openldap-software@openldap.org
In-reply-to: <0E9A8FE5719275499AA143D64E0C0FF604990A00@XCH-NW-1V2.nw.nos.boeing.com>
References: <0E9A8FE5719275499AA143D64E0C0FF6049909FE@XCH-NW-1V2.nw.nos.boeing.com><090BE73AF1A87957DAF7DCF3@[192.168.0.198]> <0E9A8FE5719275499AA143D64E0C0FF6049909FF@XCH-NW-1V2.nw.nos.boeing.com> <0E9A8FE5719275499AA143D64E0C0FF604990A00@XCH-NW-1V2.nw.nos.boeing.com>
User-agent: Mozilla/5.0 (X11; U; Linux i686; rv:1.9b2pre) Gecko/2007111122 SeaMonkey/2.0a1pre

Keagle, Chuck wrote:

The 2.3 Admin Guide indicates in Section 12.2.1.2 that the
TLSCACertificateFile directive can be used instead of the hash links.


Yes, and that is the preferred usage.

(In fact you can use both at once, but there's no reason to.)

If I switch to using hash links, is it OK to just cat the crt and key
file together to create a pem file?

Your CA's key should pretty much never be accessible anywhere except on the machine that's used to sign certificates. Certificate files are meant to be publicly readable, while secret keys are (duh) meant to be kept secret.

----
Not all who wander are lost.

                          |     ----  ___o  |  chuck.keagle@boeing.com
Chuck Keagle              |  -------  \ <,  |  Work:  (425) 865-1488
Enterprise Servers:  HPC  |  ----- ( )/ ( ) |  Cell:  (425) 417-3434

-----Original Message-----
From: Keagle, Chuck
Sent: Monday, November 19, 2007 10:37 AM
To: Quanah Gibson-Mount; openldap-software@openldap.org
Subject: RE: Enabling TLS problem on openldap2-2.3.39

Be default, the SLES 9.3 slapd.conf defines the CA Cert like this:

    TLSCACertificatePath /etc/ssl/certs

That directory has lots of pem files in it with x509 symbolic links:

ls -C /etc/ssl/certs
Password:
052eae11.0  6f5d9899.0   d4e39186.0         ICE-root.pem    timCA.pem
18d46017.0  73912336.0   ddc328ff.0         ICE-user.pem    tjhCA.pem
1e49180d.0  7651b327.0   dsa-ca.pem         ICP-Brasil.pem  vsign1.pem
1ef89214.0  8c401b31.0   dsa-pca.pem        nortelCA.pem    vsign2.pem
1f6c59cd.0  8caad35e.0   Equifax-root1.pem  pca-cert.pem    vsign3.pem
24867d38.0  91b8190d.0   expired            RegTP-4R.pem
vsignss.pem
2edf7016.0  a99c5886.0   f3e90025.0         RegTP-5R.pem
vsigntca.pem
3ecf89a3.0  adbec561.0   f73e89fd.0         RegTP-6R.pem
YaST-CA.pem
594f1775.0  b5f329fa.0   factory.pem        rsa-cca.pem
69ea794f.0  c33a80d4.0   ICE-CA.pem         thawteCb.pem
6bee6be3.0  ca-cert.pem  ICE.crl            thawteCp.pem

I think CA certs is set up correctly.  Am I wrong about that?

    Do I have to move /etc/openldap/server.{crt,key} to
/etc/ssl/certs?

    Do I have to create turn /etc/openldap/server.{crt,key}
into a .pem file?

    Do I have to create x509 symbolic links from
/etc/openldap/server.{crt,key} to /etc/ssl/certs?

--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP     http://www.openldap.org/project/

Follow-Ups:
- RE: Enabling TLS problem on openldap2-2.3.39
  - From: "Keagle, Chuck" <chuck.keagle@boeing.com>

References:
- Enabling TLS problem on openldap2-2.3.39
  - From: "Keagle, Chuck" <chuck.keagle@boeing.com>
- Re: Enabling TLS problem on openldap2-2.3.39
  - From: Quanah Gibson-Mount <quanah@zimbra.com>
- RE: Enabling TLS problem on openldap2-2.3.39
  - From: "Keagle, Chuck" <chuck.keagle@boeing.com>
- RE: Enabling TLS problem on openldap2-2.3.39
  - From: "Keagle, Chuck" <chuck.keagle@boeing.com>

Prev by Date: Re: syncrepl LDIF kickstart file
Next by Date: Re: pcache configuration
Index(es):
- Chronological
- Thread