I followed the OpenLDAP guide below to create a CA-issued certificate using OpenSSL and was able to enable SSL on the LDAP server; applications can connect via ldaps:// on port 636.
Now I have some questions from management about whether this certificate is as safe as the commercial certificates out there. Can someone clarify this? I would appreciate it.
I followed the same procedure as described in the guide.
If you have access to a trusted Certificate Authority (CA), then step through the CA process to get a CA certificate, server certificate and server private key. See section 5.0 for info on how to configure your server with these items. However, if a trusted CA is not available, OpenSSL makes the same process quick and easy.
The steps:
1. Create any directory for creating and signing your certificates.
For example, /var/myca.
2. Change to /var/myca and run the OpenSSL CA script (in /usr/share/ssl/misc/ on my box):
   % cd /var/myca/
   % /usr/share/ssl/misc/CA.sh -newca
   CA certificate filename (or enter to create)
   <enter>

   Making CA certificate ...
   Using configuration from /etc/ssl/openssl.cnf
   Generating a 1024 bit RSA private key
   ..........................++++++
   .........................++++++
   writing new private key to './demoCA/private/./cakey.pem'
   Enter PEM pass phrase: <ca pass>
   Verifying password - Enter PEM pass phrase: <ca pass again>
   -----
   You are about to be asked to enter information that will be incorporated
   into your certificate request.
   What you are about to enter is what is called a Distinguished Name or a DN.
   There are quite a few fields but you can leave some blank
   For some fields there will be a default value,
   If you enter '.', the field will be left blank.
   -----
   Country Name (2 letter code) [AU]:US
   State or Province Name (full name) [Some-State]:Texas
   Locality Name (eg, city) []:Austin
   Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example Org
   Organizational Unit Name (eg, section) []:Example Unit
   Common Name (eg, YOUR name) []:example.com
   Email Address []:.
   %
This creates demoCA/cacert.pem and demoCA/private/cakey.pem (CA cert and private key).
3. Make your server certificate signing request (CSR):
   % openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem
   Using configuration from /etc/ssl/openssl.cnf
   Generating a 1024 bit RSA private key
   ..............++++++
   ..........................++++++
   writing new private key to 'newreq.pem'
   -----
   You are about to be asked to enter information that will be incorporated
   into your certificate request.
   What you are about to enter is what is called a Distinguished Name or a DN.
   There are quite a few fields but you can leave some blank
   For some fields there will be a default value,
   If you enter '.', the field will be left blank.
   -----
   Country Name (2 letter code) [AU]:US
   State or Province Name (full name) [Some-State]:Texas
   Locality Name (eg, city) []:Austin
   Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example Org
   Organizational Unit Name (eg, section) []:Example Org Unit
   Common Name (eg, YOUR name) []:myserver.com
   Email Address []:ldap@myserver.com

   Please enter the following 'extra' attributes
   to be sent with your certificate request
   A challenge password []: <pass>
   An optional company name []:.
   %
The result is newreq.pem.
4. Have the CA sign the CSR:
   % /usr/share/ssl/misc/CA.sh -sign
   Using configuration from /etc/ssl/openssl.cnf
   Enter PEM pass phrase: <ca pass>
   Check that the request matches the signature
   Signature ok
   The Subjects Distinguished Name is as follows
   countryName           :PRINTABLE:'US'
   stateOrProvinceName   :PRINTABLE:'Texas'
   localityName          :PRINTABLE:'Austin'
   organizationName      :PRINTABLE:'Example Org'
   organizationalUnitName:PRINTABLE:'Example Org Unit'
   commonName            :PRINTABLE:'myserver.com'
   emailAddress          :IA5STRING:'ldap@myserver.com'
   Certificate is to be certified until Apr 10 18:58:58 2004 GMT (365 days)
   Sign the certificate? [y/n]:y

   1 out of 1 certificate requests certified, commit? [y/n]y
   Write out database with 1 new entries
   Data Base Updated
   Certificate:
       Data:
           Version: 3 (0x2)
           Serial Number: 1 (0x1)
           Signature Algorithm: md5WithRSAEncryption
           Issuer: C=US, ST=Texas, L=Austin, O=Example Org, OU=Example Unit, CN=example.com
           Validity
               Not Before: Apr 11 18:58:58 2003 GMT
               Not After : Apr 10 18:58:58 2004 GMT
           Subject: C=US, ST=Texas, L=Austin, O=Example Org, OU=Example Org Unit, CN=myserver.com/Email=ldap@myserver.com
           Subject Public Key Info:
               Public Key Algorithm: rsaEncryption
               RSA Public Key: (1024 bit)
                   Modulus (1024 bit):
                       < ... >
                   Exponent: 65537 (0x10001)
           X509v3 extensions:
               X509v3 Basic Constraints:
                   CA:FALSE
               Netscape Comment:
                   OpenSSL Generated Certificate
               X509v3 Subject Key Identifier:
                   D0:C0:9D:46:30:65:2A:9C:63:63:6A:E6:FE:E4:AC:F7:21:F8:33:61
               X509v3 Authority Key Identifier:
                   keyid:31:2E:0D:FB:A0:74:5A:0B:4B:C5:C4:E0:69:7F:32:6D:AF:46:82:F1
                   DirName:/C=US/ST=Texas/L=Austin/O=Example Org/OU=Example Unit/CN=example.com
                   serial:00
       Signature Algorithm: md5WithRSAEncryption
           < ... >
   -----BEGIN CERTIFICATE-----
   < ... >
   -----END CERTIFICATE-----
   Signed certificate is in newcert.pem
   %
This creates newcert.pem (the server certificate signed by the CA). The server private key is still in newreq.pem, where step 3 wrote it.
5. Now the certificates can be moved to the desired certificate repository and renamed.
I prefer /usr/var/openldap-data as my certificate directory.
   % cp demoCA/cacert.pem /usr/var/openldap-data/cacert.pem
   % mv newcert.pem /usr/var/openldap-data/servercrt.pem
   % mv newreq.pem /usr/var/openldap-data/serverkey.pem
   % chmod 400 /usr/var/openldap-data/serverkey.pem
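The same five steps as one script, added here as an example and not taken from the OpenLDAP guide or the original post. It keeps the guide's structure (private CA, server CSR, CA signs, files for slapd) but with parameters that hold up today: the guide's 1024-bit RSA keys and md5WithRSAEncryption signatures are no longer considered safe, and current clients match the hostname against subjectAltName rather than the CN. It assumes openssl 1.1.1 or later on PATH; the working directory, the hostname ldap.example.com, the passphrase taken from CA_PASS and all file names are assumptions that can be overridden from the environment. The final function is the check a practitioner should run before copying anything into the slapd directory.

```shell
#!/bin/sh
# Added example (not from the OpenLDAP guide): private CA plus ldaps server cert.
# Assumptions: openssl 1.1.1+ on PATH; WORK, SERVER_FQDN and CA_PASS are
# placeholders that may be overridden from the environment.
set -eu
WORK="${WORK:-$(mktemp -d)}"
SERVER_FQDN="${SERVER_FQDN:-ldap.example.com}"
export CA_PASS="${CA_PASS:-change-this-passphrase}"   # read via env:, never passed on the command line

# Steps 1+2: the CA. 4096-bit RSA, SHA-256, CA:TRUE restricted to issuing leaves
# (the guide's demoCA used 1024-bit RSA and md5WithRSAEncryption).
make_ca() {
  cat > "$WORK/ca.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[ dn ]
C = US
ST = Texas
L = Austin
O = Example Org
CN = Example Org Private CA
[ ca_ext ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -new -newkey rsa:4096 -sha256 -days 3650 \
    -config "$WORK/ca.cnf" -passout env:CA_PASS \
    -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" 2>/dev/null
  chmod 400 "$WORK/cakey.pem"
}

# Step 3: server key and CSR. The hostname goes into subjectAltName; the CN alone
# is not enough for modern clients.
make_server_csr() {
  cat > "$WORK/server.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[ dn ]
C = US
ST = Texas
L = Austin
O = Example Org
CN = $SERVER_FQDN
[ v3_req ]
subjectAltName = DNS:$SERVER_FQDN
EOF
  openssl req -new -newkey rsa:2048 -sha256 -nodes \
    -config "$WORK/server.cnf" \
    -keyout "$WORK/serverkey.pem" -out "$WORK/server.csr" 2>/dev/null
  chmod 400 "$WORK/serverkey.pem"
}

# Step 4: the CA signs the CSR. Extensions come from -extfile, not from the CSR,
# so a requester cannot smuggle CA:TRUE into its own certificate.
sign_server_cert() {
  cat > "$WORK/server_ext.cnf" <<EOF
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$SERVER_FQDN
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF
  openssl x509 -req -sha256 -days 398 \
    -in "$WORK/server.csr" -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" \
    -CAcreateserial -passin env:CA_PASS \
    -extfile "$WORK/server_ext.cnf" -out "$WORK/servercrt.pem" 2>/dev/null
}

# Step 5 check: 0 only if the cert chains to our CA, names the right host, is
# SHA-256 signed, is not itself a CA, and matches the key slapd will load.
verify_chain() {
  openssl verify -CAfile "$WORK/cacert.pem" "$WORK/servercrt.pem" >/dev/null 2>&1 || return 1
  txt=$(openssl x509 -in "$WORK/servercrt.pem" -noout -text)
  echo "$txt" | grep -q "DNS:$SERVER_FQDN"       || return 1
  echo "$txt" | grep -q "sha256WithRSAEncryption" || return 1
  echo "$txt" | grep -q "CA:FALSE"                || return 1
  cert_pub=$(openssl x509 -in "$WORK/servercrt.pem" -noout -pubkey)
  key_pub=$(openssl pkey -in "$WORK/serverkey.pem" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

main() {
  make_ca
  make_server_csr
  sign_server_cert
  verify_chain && echo "OK: $WORK/servercrt.pem chains to $WORK/cacert.pem"
  # Hand cacert.pem / servercrt.pem / serverkey.pem to slapd (TLSCACertificateFile,
  # TLSCertificateFile, TLSCertificateKeyFile). From a client, once slapd is up:
  #   openssl s_client -connect $SERVER_FQDN:636 -CAfile cacert.pem -verify_return_error </dev/null
}
main
```

On the question asked above: the TLS protection itself is no weaker with a private CA than with a commercial one; what differs is who is trusted. A commercial CA is already in every client's trust store, whereas this cacert.pem must be distributed to every LDAP client yourself (for OpenLDAP clients, TLS_CACERT in ldap.conf together with TLS_REQCERT demand), and cakey.pem becomes the secret that, if stolen, lets an attacker mint a certificate for any host your clients trust. Guarding that file, and not reusing the guide's 1024-bit/MD5 parameters, is what the answer to management hinges on.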