
Re: tls problem.



Hmm. OK. It seems that certificates do not load as expected.

What are the changes from .13 to .14 in regard to how certs must be produced?

If someone knows the differences I'd be very happy to be told them.

Tarjei



Today I use the following commands to create the .pem and .key files:
#! /bin/sh
#
# mkopenldapcert -- hacked together by Joe Little <jlittle@open-it.org>
#
# This script generates a self-signed X.509 certificate and key for SSL use
# with OpenLDAP. It should be called by a package installation subroutine and
# provides a cert w/o a valid Certificate Authority.
#
# Output: $CERTDIR/openldap.pem  certificate (followed by DH parameters)
#         $CERTDIR/openldap.key  private key, mode 0600
# These are the files TLSCertificateFile / TLSCertificateKeyFile point at.

set -e
CERTDIR=/etc/ldap/certs
RANDFILE=/etc/ldap/openldap.rand

mkdir -p "$CERTDIR"
dd if=/dev/urandom of="$RANDFILE" count=1 2>/dev/null

# -out is the certificate, -keyout the private key. Writing them to separate
# files guarantees the cert file starts with a CERTIFICATE block, so no
# later "openssl rsa" extraction step is needed.
/usr/bin/openssl req -new -x509 -days 365 -nodes -config /etc/ldap/openldap.cnf \
    -out "$CERTDIR/openldap.pem" -keyout "$CERTDIR/openldap.key"
chmod 600 "$CERTDIR/openldap.key"

# DH parameters appended after the certificate (a PEM certificate loader stops
# at the first block, so the extra block is harmless). "openssl gendh" no
# longer exists and 512-bit DH is far too small; dhparam with 2048 bits replaces it.
/usr/bin/openssl dhparam -rand "$RANDFILE" 2048 >>"$CERTDIR/openldap.pem"
rm -f "$RANDFILE"

/usr/bin/openssl x509 -subject -dates -fingerprint -noout -in "$CERTDIR/openldap.pem"




The corresponding entries in slapd.conf are:
TLSCipherSuite HIGH:MEDIUM:+SSLv3
TLSCertificateFile     /usr/local/openldap/etc/openldap/certs/openldap.pem
TLSCertificateKeyFile  /usr/local/openldap/etc/openldap/certs/openldap.key
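When slapd reports that its certificates do not load, the quickest check is whether the two files named in slapd.conf really contain what their directives expect: TLSCertificateFile must start with an X.509 certificate (not a private key or DH parameters, which is what you get when -out and -keyout end up swapped or pointed at the same file), and TLSCertificateKeyFile must hold the private key that matches that certificate. The function below runs that check with plain openssl commands. It is an added example, not part of the original mail or of OpenLDAP; the file paths are whatever you pass as arguments.

```shell
#!/bin/sh
# check_tls_pair CERT KEY
# Returns 0 when CERT parses as an X.509 certificate, KEY parses as a private
# key, the two belong together and the certificate has not expired.
# Added example for verifying slapd TLS files; not code from the original post.
check_tls_pair() {
    cert=$1
    key=$2

    # 1. The "certificate" file must actually parse as a certificate. A key
    #    file or a DH-parameters block here is the classic -out/-keyout mix-up.
    if ! openssl x509 -noout -in "$cert" 2>/dev/null; then
        echo "$cert: no X.509 certificate found (private key or DH params instead?)" >&2
        return 1
    fi

    # 2. The key file must parse as a private key.
    if ! openssl pkey -noout -in "$key" 2>/dev/null; then
        echo "$key: no private key found" >&2
        return 1
    fi

    # 3. The public key embedded in the certificate must equal the public half
    #    of the private key; comparing the PEM SubjectPublicKeyInfo works for
    #    RSA and EC keys alike.
    cert_pub=$(openssl x509 -noout -pubkey -in "$cert" 2>/dev/null)
    key_pub=$(openssl pkey -pubout -in "$key" 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "$cert and $key do not belong together" >&2
        return 1
    fi

    # 4. An expired certificate loads but every client will reject it.
    if ! openssl x509 -noout -checkend 0 -in "$cert" 2>/dev/null; then
        echo "$cert: certificate has expired" >&2
        return 1
    fi

    openssl x509 -noout -subject -dates -fingerprint -in "$cert"
}

# Stand-alone usage: check_tls_pair /path/to/openldap.pem /path/to/openldap.key
if [ "$#" -eq 2 ]; then
    check_tls_pair "$1" "$2"
fi
```

Run it against the exact paths from slapd.conf (not the paths the generation script wrote to, if those differ) and as the user slapd runs as, so a permission problem on the key file shows up as well.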