[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Replica (ldap slave server) certificates (SSL/TLS). Are clients certificates needed?

----- "Alberto GD" <darkxer0x@esdebian.org> wrote:

> Hi!
> I've followed openldap.org 's guide and ldap works great with TLS/SSL
> with authentication in server and clients. Now I have added a LDAP
> replica (ldap slave server), and I have some questions:
> - In the clients I had to make the certs with the server certificate
> (cacer.pem) of the master, because I check the server certificate, and
> also check the clients in the server. Now that I have a replica, I
> have to make others certs with the server certificate of the slave
> server (and how can I show two certificates to ldap.conf)?? (I
> followed this (
> http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html#4.3 ) Or with the
> certificates made from server certificates its sufficient??
> >Step 1 and 2: Do nothing ... the CA does not need to be created
> again. The plan is to use the same CA certificate to sign the client
> certificate.

For all server and clients certs you have created or will create, just sign them
all with the CA cert you created and make sure all servers and clients get a copy
of the CA cert. That's all you need to do.


Kind Regards,

Gavin Henry.
OpenLDAP Engineering Team.

E ghenry@OpenLDAP.org

Community developed LDAP software.