-----Original Message----- From: owner-openldap-bugs@OpenLDAP.org [mailto:owner-openldap-bugs@OpenLDAP.org]On Behalf Of quanah@stanford.edu Sent: Tuesday, August 27, 2002 2:45 PM
2 new questions, thought I'd run this by you before I create ITS's on it to see if I'm just missing something. Note that none of these were problems under 2.1.3.

Issue 1) Since we don't particularly want to spend several hundred dollars buying certs for our test systems, we've opted to use self-signed certs. This has worked fine until upgrading to OpenLDAP-2.1.4. Our primary machine (ldap4), however, does have a Verisign cert. Now that we are on 2.1.4, slurpd complains that the certificates on our replicants (the self-signed ones) are expired. I checked the certs on the replicants, and they are good until the year 2012. Any clue why I'm seeing this?
Note that slapd starts just fine on them and does not complain of any TLS=20 issues.
No clue. There are no TLS changes between OpenLDAP 2.1.3 and 2.1.4 that would affect this certificate behavior. (The changes are mainly in the debug/error messages; also disabling the TLS_CACERTDIR support if the platform doesn't provide opendir().) Perhaps your OpenSSL library has changed, or your clocks are wrong.
As for the issue of self-signed certs - you're fooling yourself if you think you've gained any security with this approach. It doesn't cost any more money to create proper server certificates either: just use OpenSSL to create a single self-signed CA certificate and then use that certificate to create and sign all your other server certificates. Put your CA's private key on removable media (I used to recommend floppy disks, but these days they're rare enough that a CDR might be easier) and remove it from your machine when you aren't using it to sign certs. Copy the single CA cert to all of your servers and clients. It's really not hard to do this right.
I'll iterate self-signed a little more.
I created a CA key & cert. I created a CSR. I signed the CSR. I added the CA cert into the list of known CA's for OpenSSL.
--Quanah
-- Quanah Gibson-Mount Senior Systems Administrator ITSS/TSS/Computing Systems Stanford University GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
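The private-CA workflow the reply recommends (one self-signed CA, server certs signed by it, only the CA cert distributed), plus the two checks the thread turns on: does the server cert chain to the CA at the current time, and does it fail with an "expired" result when the verifier's clock is wrong. This is an added example using the openssl command line, not code from the thread or from OpenLDAP; the hostnames, directory, subject names and lifetimes are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): a small private CA with the openssl CLI.
# Hostnames, paths, subject names and lifetimes are assumptions.
set -e

WORK=${WORK:-$(mktemp -d)}

# Step 1: one self-signed CA certificate. ca.key stays on the signing host
# (or on removable media); only ca.crt is copied to every server and client.
make_ca() {
  openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -sha256 -days 3650 -key "$WORK/ca.key" \
    -subj "/O=Example Test CA/CN=Example Test Root" -out "$WORK/ca.crt" 2>/dev/null
}

# Step 2: per-server key and CSR, signed by the CA ("created a CSR, signed
# the CSR" in the follow-up). The server keeps <host>.key and <host>.crt.
make_server_cert() {
  _host=$1
  openssl genrsa -out "$WORK/$_host.key" 2048 2>/dev/null
  openssl req -new -sha256 -key "$WORK/$_host.key" -subj "/CN=$_host" \
    -out "$WORK/$_host.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 825 -in "$WORK/$_host.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/$_host.crt" 2>/dev/null
}

# Step 3: the check a TLS peer that trusts ca.crt performs: the server cert
# must chain to the CA and its validity window must contain "now".
verify_chain() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

# Same check with the clock forced to a given epoch second. A skewed clock on
# the verifying host makes a perfectly good cert fail exactly this way.
verify_chain_at() {
  openssl verify -attime "$2" -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

# notAfter of a server cert: the first thing to read when a peer claims expiry.
cert_not_after() {
  openssl x509 -noout -enddate -in "$WORK/$1.crt" | sed 's/^notAfter=//'
}

make_ca
make_server_cert ldap-replica1.example.edu
echo "CA cert to distribute: $WORK/ca.crt"
echo "server cert expires:   $(cert_not_after ldap-replica1.example.edu)"
if verify_chain ldap-replica1.example.edu; then
  echo "chain OK at the current time"
fi
# 2000000000 is May 2033, past the 825-day server cert but inside the CA's life.
if ! verify_chain_at ldap-replica1.example.edu 2000000000; then
  echo "chain rejected with the clock at 2033: same symptom as a skewed clock"
fi
```

On the OpenLDAP side, the server certificate goes into slapd.conf via TLSCertificateFile / TLSCertificateKeyFile and the CA certificate into TLSCACertificateFile; a client (slurpd uses libldap) trusts the same ca.crt through TLS_CACERT in ldap.conf. When a peer reports an expired certificate that `openssl x509 -noout -dates` shows as valid, compare `date` on both hosts before looking anywhere else.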