
[Fwd: tls problem.]



We recently discussed TLS ...
and there is a FAQ http://www.openldap.org/faq/data/cache/185.html
--- Begin Message ---
Yes, this works fine ...
Maybe it helps if I put a sample config file here as well.
------------------------------
Nipsi# cat openldap.cnf
[ req ]
default_bits = 1024
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no

[ req_dn ]
C=DE
ST=Hamburg
L=Hamburg
O=Nipsi
OU=Nipsi
CN=ldap.nipsi.de
emailAddress=postmaster@nipsi.de

[ cert_type ]
nsCertType = server
---------------------------------------
Tarjei Huse wrote:

> Hmm. OK. It seems that certificates do not load as expected.
>
> What are the changes from .13 to .14 in regard to how certs must be
> produced?
>
> If someone knows the differences I'd be very happy to be told them.
>
> Tarjei
>
> Today I use the following commands to create the .pem and .key files:
> #! /bin/sh
> #
> # mkopenldapcert -- hacked together by Joe Little <jlittle@open-it.org>
>
> # This script generates a self-signed X.509 key for SSL use with OpenLDAP.
> # It should be called by a package installation subroutine and provides
> # a cert w/o a valid Certificate Authority
>
> dd if=/dev/urandom of=/etc/ldap/openldap.rand count=1 2>/dev/null
> /usr/bin/openssl req -new -x509 -days 365 -nodes \
>          -config /etc/ldap/openldap.cnf -out /etc/ldap/certs/ldap.pem \
>          -keyout /etc/ldap/certs/openldap.pem
> /usr/bin/openssl gendh -rand /etc/ldap/openldap.rand 512 \
>          >>/etc/ldap/certs/openldap.pem
> /usr/bin/openssl x509 -subject -dates -trustout -fingerprint -noout \
>          -in /etc/ldap/certs/openldap.pem
> rm -f /etc/ldap/openldap.rand
> /usr/bin/openssl rsa -in /etc/ldap/certs/openldap.pem \
>          -out /etc/ldap/certs/openldap.key
>
> The corresponding entries in slapd.conf are:
> TLSCipherSuite HIGH:MEDIUM:+SSLv3
> TLSCertificateFile     /usr/local/openldap/etc/openldap/certs/openldap.pem
> TLSCertificateKeyFile  /usr/local/openldap/etc/openldap/certs/openldap.key

--- End Message ---
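Added example, not code from this thread or from OpenLDAP: a POSIX shell script that generates a slapd server certificate from a request config modelled on the sample above, then performs the check slapd's "certificates do not load" error never spells out, namely that the key file really belongs to the certificate file and that the certificate carries the nsCertType = server extension. It assumes openssl on PATH; the DN, file names and the 2048-bit key size are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds a slapd server certificate
# from an openssl config modelled on the sample above, then checks the result.
# Assumes openssl on PATH; DN, file names and key size are constructed here.
set -e

# Request config: same layout as the post, but an unencrypted 2048-bit key
# (the post used 1024 bits) so slapd can read the key file without a passphrase.
write_req_config() {   # $1 = path of the config to write
    cat > "$1" <<'EOF'
[ req ]
default_bits = 2048
encrypt_key = no
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no

[ req_dn ]
C=DE
O=Example
CN=ldap.example.test

[ cert_type ]
nsCertType = server
EOF
}

# Self-signed cert plus a separate key file: the layout slapd.conf's
# TLSCertificateFile / TLSCertificateKeyFile expect.
make_cert() {   # $1 = work directory
    write_req_config "$1/openldap.cnf"
    openssl req -new -x509 -days 365 -nodes -config "$1/openldap.cnf" \
        -out "$1/openldap.pem" -keyout "$1/openldap.key" 2>/dev/null
}

# Key must belong to the cert (identical public keys) and the cert must carry
# the server extension. Returns 0 only when both hold.
verify_pair() {   # $1 = certificate PEM, $2 = private key PEM
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$cert_pub" = "$key_pub" ] || return 1
    openssl x509 -in "$1" -noout -text | grep -q 'SSL Server'
}

workdir=$(mktemp -d)
make_cert "$workdir"
verify_pair "$workdir/openldap.pem" "$workdir/openldap.key"
echo "cert and key match and nsCertType=server is present"
rm -rf "$workdir"
```

Point verify_pair at the files named in TLSCertificateFile and TLSCertificateKeyFile before restarting slapd; a non-zero exit means slapd will reject the pair too.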