Re: tls problem.
Yes, this works fine ...
Maybe it helps if I put a sample conffile as well.
------------------------------
Nipsi# cat openldap.cnf
[ req ]
default_bits = 1024
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no
[ req_dn ]
C=DE
ST=Hamburg
L=Hamburg
O=Nipsi
OU=Nipsi
CN=ldap.nipsi.de
emailAddress=postmaster@nipsi.de
[ cert_type ]
nsCertType = server
---------------------------------------
Tarjei Huse wrote:
> Hmm. Ok. it seems that certificates do not load as expected.
>
> What are the changes from .13 to .14 in regard of how certs must be
> produced?
>
> If someone knows the differences I'd be very happy to be told them.
>
> Tarjei
>
> Today I use the following commands to create the .pem and .key files:
> #! /bin/sh
> #
> # mkopenldapcert -- hacked together by Joe Little <jlittle@open-it.org>
>
> # This script generates a self-signed X.509 key for SSL use with OpenLDAP.
> # It should be called by a package installation subroutine and provides
> # a cert w/o a valid Certificate Authority
>
> dd if=/dev/urandom of=/etc/ldap/openldap.rand count=1 2>/dev/null
> /usr/bin/openssl req -new -x509 -days 365 -nodes \
>   -config /etc/ldap/openldap.cnf -out /etc/ldap/certs/ldap.pem \
>   -keyout /etc/ldap/certs/openldap.pem
> /usr/bin/openssl gendh -rand /etc/ldap/openldap.rand 512 \
>   >>/etc/ldap/certs/openldap.pem
> /usr/bin/openssl x509 -subject -dates -trustout -fingerprint -noout \
>   -in /etc/ldap/certs/openldap.pem
> rm -f /etc/ldap/openldap.rand
> /usr/bin/openssl rsa -in /etc/ldap/certs/openldap.pem \
>   -out /etc/ldap/certs/openldap.key
>
> The corresponding entries in slapd.conf are:
> TLSCipherSuite HIGH:MEDIUM:+SSLv3
> TLSCertificateFile /usr/local/openldap/etc/openldap/certs/openldap.pem
> TLSCertificateKeyFile /usr/local/openldap/etc/openldap/certs/openldap.key
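One check for the "certificates do not load" symptom in the quoted message, added here as an example and not code from this thread or from OpenLDAP: slapd needs a CERTIFICATE block in TLSCertificateFile and a private key in TLSCertificateKeyFile, and as the quoted lines read, the script writes the certificate to ldap.pem while openldap.pem receives the key plus the appended DH parameters. The file contents below are constructed dummies, not real keys or certificates.

```python
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END ([A-Z0-9 ]+)-----", re.DOTALL
)

def pem_blocks(text):
    """Return [(label, der_bytes)] for each PEM block in text.

    A BEGIN/END mismatch or a non-base64 body is reported, not skipped: it is
    exactly what makes a TLS loader reject the file.
    """
    blocks = []
    for begin, body, end in PEM_RE.findall(text):
        if begin != end:
            raise ValueError(f"BEGIN {begin} closed by END {end}")
        raw = "".join(body.split())  # strip the 64-column line breaks
        blocks.append((begin, base64.b64decode(raw, validate=True)))
    return blocks

def check_slapd_tls_files(cert_text, key_text):
    """List why slapd could not use these TLSCertificateFile / TLSCertificateKeyFile contents."""
    problems = []
    cert_labels = [label for label, _ in pem_blocks(cert_text)]
    key_labels = [label for label, _ in pem_blocks(key_text)]
    if "CERTIFICATE" not in cert_labels:
        problems.append(f"TLSCertificateFile has no CERTIFICATE block, only {cert_labels}")
    if not any(label.endswith("PRIVATE KEY") for label in key_labels):
        problems.append(f"TLSCertificateKeyFile has no PRIVATE KEY block, only {key_labels}")
    return problems

def _pem(label, payload):
    """Wrap constructed dummy bytes in a syntactically valid PEM block."""
    b64 = base64.b64encode(payload).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

# Constructed stand-ins (dummy bytes, not real keys) for what the quoted script
# leaves behind: key plus appended DH parameters in openldap.pem, the
# certificate in ldap.pem, and the key extracted into openldap.key.
OPENLDAP_PEM = _pem("RSA PRIVATE KEY", b"dummy-key") + _pem("DH PARAMETERS", b"dummy-dh")
LDAP_PEM = _pem("CERTIFICATE", b"dummy-cert")
OPENLDAP_KEY = _pem("RSA PRIVATE KEY", b"dummy-key")

if __name__ == "__main__":
    # slapd.conf in the quoted message points TLSCertificateFile at openldap.pem
    for problem in check_slapd_tls_files(OPENLDAP_PEM, OPENLDAP_KEY):
        print("problem:", problem)
    print("ldap.pem + openldap.key:", check_slapd_tls_files(LDAP_PEM, OPENLDAP_KEY) or "ok")
```

Running it against the real files (read them with open() and pass the text) shows at a glance whether TLSCertificateFile actually names the file that holds the certificate.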