Re: TLS SSL overload



In message <3DBFEAFC.2020307@emtex.com> on Wed, 30 Oct 2002 14:21:48 +0000, billd <bd@emtex.com> said:

bd> Created a private key with 3des encryption
bd> 
bd> openssl genrsa -des3 -out ncc1701a.key 1024

I think you're making a mistake here.  To open that key, you will need
to feed slapd the pass phrase, and if I understand correctly, it
didn't ask you for one.  Also, in my man page, I find this:

       TLSCertificateKeyFile <filename>
              Specifies  the  file  that contains the slapd server private key
              that matches the certificate stored  in  the  TLSCertificateFile
              file.   Currently,  the private key must not be protected with a
                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
              password, so it is of critical importance that it  is  protected
              ^^^^^^^^
              carefully.

I believe that could be at least part of your problem.

However, it's really simple to take away the protection:

openssl rsa -in ncc1701a.key -out ncc1701a-noprot.key

Then you just have to configure slapd to use ncc1701a-noprot.key
instead of ncc1701a.key.

bd> openssl req -new -key ncc1701a -x509 -out ncc1701a.crt

This might give you another problem: creating a self-signed
certificate will make it a CA certificate, at least with the main
distribution of OpenSSL (the basicConstraints extension will have the
critical value TRUE for the CA choice).  Such certificates can't
generally be used as server certificates, and it's possible that's yet
another reason why things don't work right for you.  I'd check this
last, however, as this is pure guesswork on my part.

bd> This asked me for some input, I think the important
bd> one is the common name, so I put emtex.com... not sure
bd> about this, should it be ncc1701a.emtex.com or emtex.com or
bd> dn=emtex,dn=com...

On server certificates, the common name should be the server's name,
i.e. ncc1701a.emtex.com.

I currently run 2.0.23, and the man page for it doesn't mention
TLSCACertificateFile, so I'm not sure about the semantics for that
one.  *Usually*, the CA certificate file is a collection of CA
certificates against which client certificates should be verified.

-- 
Richard Levitte   \ Spannvägen 38, II \ LeViMS@stacken.kth.se
Redakteur@Stacken  \ S-168 35  BROMMA  \ T: +46-8-26 52 47
                    \      SWEDEN       \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis                -- poei@bofh.se
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See <http://www.stacken.kth.se/~levitte/mail/> for more info.
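The steps Richard describes, stripping the passphrase and then checking what the self-signed certificate actually contains, as an added worked example that is not part of the original thread or of OpenLDAP's or OpenSSL's own code. It assumes an `openssl` CLI on the path; the hostname ncc1701a.example.com, the throwaway passphrase "demo", the scratch directory and the 2048-bit key size (the thread used 1024) are constructed for this demo. The three checks at the end make the points from the reply testable: a `-des3` key cannot be read without a passphrase, the key written by `openssl rsa` can, and a plain `openssl req -x509` certificate carries basicConstraints CA:TRUE while its CN is the server's host name rather than the bare domain or an LDAP DN.

```shell
#!/bin/sh
# Added example, not code from the original thread.  Hostname, passphrase
# and scratch directory are constructed values for this demo.
set -eu

WORK="${TMPDIR:-/tmp}/slapd-tls-demo.$$"
mkdir -p "$WORK"

# Same as billd's 'openssl genrsa -des3', with -passout so it runs unattended.
make_encrypted_key() {
    openssl genrsa -des3 -passout pass:demo -out "$1" 2048 2>/dev/null
}

# slapd reads TLSCertificateKeyFile without a passphrase prompt, so the key
# must be stored in the clear.  Because of that, restrict the file to its
# owner immediately (slapd's own user in a real deployment).
strip_passphrase() {
    openssl rsa -in "$1" -passin pass:demo -out "$2" 2>/dev/null
    chmod 600 "$2"
}

# Self-signed certificate with the CN set to the server's host name, as the
# reply recommends, rather than the bare domain or an LDAP-style DN.
make_self_signed() {
    openssl req -new -x509 -key "$1" -subj "/CN=$3" -days 30 -out "$2" 2>/dev/null
}

# Exit 0 when the PEM file still carries a passphrase.  Both the legacy
# "Proc-Type: 4,ENCRYPTED" header and the PKCS#8 "ENCRYPTED PRIVATE KEY"
# banner contain the word ENCRYPTED, so one grep covers both formats.
key_is_encrypted() {
    grep -q ENCRYPTED "$1"
}

# Exit 0 when basicConstraints marks the certificate as a CA, the property
# the reply warns that 'openssl req -x509' gives self-signed certificates.
cert_is_ca() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Basic Constraints' | grep -q 'CA:TRUE'
}

# Prints the subject CN so it can be compared with the server's host name.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed 's/.*CN=//'
}

run_demo() {
    make_encrypted_key "$WORK/ncc1701a.key"
    strip_passphrase "$WORK/ncc1701a.key" "$WORK/ncc1701a-noprot.key"
    make_self_signed "$WORK/ncc1701a-noprot.key" "$WORK/ncc1701a.crt" ncc1701a.example.com

    if key_is_encrypted "$WORK/ncc1701a.key"; then
        echo "ncc1701a.key is passphrase-protected: slapd cannot load it"
    fi
    if ! key_is_encrypted "$WORK/ncc1701a-noprot.key"; then
        echo "ncc1701a-noprot.key is unprotected: usable as TLSCertificateKeyFile"
    fi
    if cert_is_ca "$WORK/ncc1701a.crt"; then
        echo "ncc1701a.crt carries basicConstraints CA:TRUE"
    fi
    echo "subject CN: $(cert_cn "$WORK/ncc1701a.crt")"
}

run_demo
```

Run it with `sh` and point `TLSCertificateFile` at the `.crt` and `TLSCertificateKeyFile` at the `-noprot.key` file in `slapd.conf`; the `chmod 600` in `strip_passphrase` is what stands in for the passphrase once it is gone, so keep the file owned by the account slapd runs as.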