
Re: SSL configuration steps required



I'd seriously think about installing a

TLS_CACERT      /usr/local/ssl/private/cacert.pem

in your ldap.conf ON THE CLIENT if you are using a 2.1.x version of
openldap...  (there is also a different way, to name a DIRECTORY of certs)

=====

In step 1 a root certificate is produced, for 2.1.x versions this needs
to be available to the client, via the above.

In step 1 a root key is produced, this needs to be available for
the certificate signing in step 3.  It looks like step 1 is producing
this in  /usr/local/ssl/private/cakey.pem  but since you didn't send
your version of  /opt/symas/ssl/openssl.cnf  and you didn't explicitly
mention a key on the  openssl ca  line it is difficult to see where it
might be trying to find the signing key.  Have you customized the
openssl.cnf file at all from the distributed version?

=====

I don't personally have a great deal of experience with  openssl ca  since
I'm basically doing my stuff one level deeper using  openssl x509  instead.

=====

Yes, you are correct, the CN needs to be the full Internet domain name
of the server (in most cases).  For special cases like a certificate that
covers multiple servers there are certificate extension fields, but this
is getting pretty arcane for a beginner...

For more information on certificate stuff I'd read the Internet RFC
documents on PKIX (I think the number is 2459) and take a look at the
stuff the HEPKI group is doing in higher education, for example.

For more information on openldap SSL stuff I'd check the FAQ-o-matic
section of the openldap web site -- there is, in particular, one very
good document on this stuff.

http://www.openldap.org/faq/data/cache/185.html

=====

Pravin Joshi wrote:
> 
> Dear All,
> 
> I took the following steps for enabling SSL. It didn't work. Please guide.
> Note: I'm using CDS Symas binaries. Do I require special settings considering
> this?
> 
> Steps:
> 1) create a self-signed CA certificate:
> /opt/symas/bin/openssl req -new -x509 -nodes -keyout /usr/local/ssl/private/cakey.pem -out /usr/local/ssl/private/cacert.pem
> Note: when it asks for Common name I supply my server name as:
> Common Name (e.g., YOUR name) []:test3.test2.mydomain.com
> Is this proper?
> 
> Also, for attributes country, state, city and email I give actual values
> within given length limit (like country two chars).
> 
> 2) create a certificate request:
> /opt/symas/bin/openssl req -new -nodes -keyout newkey.pem -out newreq.pem -days 360
> Note: when it asks for Common name I supply my server name as:
> Common Name (e.g., YOUR name) []:test3.test2.mydomain.com
> Is this proper?
> 
> Also, for attributes country, state, city and email I give actual values
> within given length limit (like country two chars).
> 
> 3) sign certificate request
> Operation fails here.
> # /opt/symas/bin/openssl ca -policy policy_anything -out newcert.pem -infiles newreq.pem
> Using configuration from /opt/symas/ssl/openssl.cnf
> CA certificate and CA private key do not match
> 18322:error:0B080074:x509 certificate routines:X509_check_private_key:key
> values
>  mismatch:x509_cmp.c:279:
> 
> I'm stuck here. Please guide.
> 
> I plan the following steps, once the steps above start working.
> 4) update TLS options in slapd.conf:
> TLSCertificateFile      /usr/local/ssl/certs/newcert.pem
> TLSCertificateKeyFile   /usr/local/ssl/certs/newcertkey.pem
> TLSCACertificateFile    /usr/local/ssl/private/cacert.pem
> Note: I will ensure to keep the files in above said path.
> 
> 5) startup slapd
> 5.1 configure slapd.args as:
> /opt/symas/lib/slapd -h "ldap:/// ldaps:///" -d -1
> 
> 6) execute ldapsearch with -Z option:
> /opt/symas/bin/ldapsearch -b 'dc=test3,dc=test2,dc=mydomain,dc=com' -Z uid=myuid
> 
> 7) Besides this I have updated the BASE option in ldap.conf file. Anything
> else needs to be updated in this file?
> 
> 8) What are Netscape compliant certificates and otherwise? Any good link for
> this information?
> 
> Please guide. Thanks.
> 
> Regards
> Pravin Joshi

-- 

Charles B. (Ben) Cranston
mailto:zben@umd.edu
http://www.wam.umd.edu/~zben
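
The three openssl steps from the quoted message, redone below with openssl x509
(the route the reply mentions) and followed by the checks the reported
"CA certificate and CA private key do not match" error calls for: that the CA
key really belongs to the CA certificate, that the issued server certificate
chains to the CA a client would list under TLS_CACERT, and that its CN is the
server's full DNS name. This is an added example, not code from either message
or from the OpenLDAP or Symas distributions; the hostname, the subject fields and
the temporary working directory are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original thread): CA, CSR and signing with
# openssl x509, plus the cert/key sanity checks worth running before the
# files go into slapd.conf. Hostname and paths are constructed for the demo.
set -eu

WORKDIR=$(mktemp -d)                 # stands in for /usr/local/ssl/private etc.
trap 'rm -rf "$WORKDIR"' EXIT
FQDN="test3.test2.example.com"       # constructed; CN must be the server's full DNS name

# Step 1: self-signed CA certificate and CA private key (cacert.pem / cakey.pem)
make_ca() {
    openssl req -new -x509 -nodes -newkey rsa:2048 -days 365 \
        -subj "/C=US/O=Demo CA/CN=Demo Root CA" \
        -keyout "$WORKDIR/cakey.pem" -out "$WORKDIR/cacert.pem" 2>/dev/null
}

# Step 2: server private key and certificate signing request (newkey.pem / newreq.pem)
make_csr() {
    openssl req -new -nodes -newkey rsa:2048 \
        -subj "/C=US/O=Demo/CN=$FQDN" \
        -keyout "$WORKDIR/newkey.pem" -out "$WORKDIR/newreq.pem" 2>/dev/null
}

# Step 3: sign the request with the CA key, one level below "openssl ca"
sign_csr() {
    openssl x509 -req -days 365 -in "$WORKDIR/newreq.pem" \
        -CA "$WORKDIR/cacert.pem" -CAkey "$WORKDIR/cakey.pem" -CAcreateserial \
        -out "$WORKDIR/newcert.pem" 2>/dev/null
}

# "CA certificate and CA private key do not match" means the key handed to the
# signer is not the one behind cacert.pem. Compare the public key embedded in
# the certificate with the public key derived from the private key file.
key_matches_cert() {                 # $1 = certificate, $2 = private key
    cert_pub=$(openssl x509 -noout -pubkey -in "$1")
    key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null)
    [ "$cert_pub" = "$key_pub" ]
}

# Does the server certificate chain to the CA? This is what a 2.1.x client
# with TLS_CACERT pointing at cacert.pem will check during the handshake.
chain_verifies() {                   # $1 = CA certificate, $2 = server certificate
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Pull the subject CN out so it can be compared with the name clients connect to
cert_cn() {                          # $1 = certificate
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

make_ca
make_csr
sign_csr
# An unrelated key stands in for a wrong cakey.pem, to show the check catching it
openssl genrsa -out "$WORKDIR/otherkey.pem" 2048 2>/dev/null

key_matches_cert "$WORKDIR/cacert.pem" "$WORKDIR/cakey.pem" && echo "CA cert / CA key: match"
key_matches_cert "$WORKDIR/cacert.pem" "$WORKDIR/otherkey.pem" || echo "CA cert / other key: mismatch (this is the openssl ca failure)"
key_matches_cert "$WORKDIR/newcert.pem" "$WORKDIR/newkey.pem" && echo "server cert / server key: match"
chain_verifies "$WORKDIR/cacert.pem" "$WORKDIR/newcert.pem" && echo "newcert.pem verifies against cacert.pem"
echo "server cert CN: $(cert_cn "$WORKDIR/newcert.pem") (expected $FQDN)"
```

The key_matches_cert check is the one to run first when openssl ca reports the
mismatch: point it at the cacert.pem and whatever key the openssl.cnf
private_key setting names, and it tells you immediately whether they belong
together. The same check, applied to newcert.pem and newkey.pem, catches the
equivalent mistake on the slapd side before TLSCertificateFile and
TLSCertificateKeyFile are set.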