Re: LDAP + RADIUS + SSL
Anderson Alves de Albuquerque <anderson@belem.voip.nce.ufrj.br> writes:
> I am listing my steps....
>
> - I am doing these steps:
> % openssl req -newkey rsa:1024 -x509 -nodes -out server.pem -keyout server.pem -days 365
>
> % mkdir /var/myca
> % cd /var/myca/
> % /usr/share/ssl/misc/CA.sh -newca
>
> % openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem
>
> % /usr/share/ssl/misc/CA.sh -sign
>
> % cp demoCA/cacert.pem /usr/var/openldap-data/cacert.pem
> % mv newcert.pem /usr/var/openldap-data/servercrt.pem
> % mv newreq.pem /usr/var/openldap-data/serverkey.pem
> % chmod 400 /usr/var/openldap-data/serverkey.pem
[...]
It seems that you have not signed your request with the cacert but
created a self-signed server cert. Test with
openssl x509 -in servercrt.pem -text
As a test, run slapd -h ldaps:///
and connect with openssl
openssl s_client -connect your.server:636 -showcerts
I would recommend the following procedure to create certificates:
- edit openssl.cnf to your requirements
- ./CA.pl -newca
- ./CA.pl -newreq
- ./CA.pl -signreq (which is different from -sign)
- openssl rsa -in newcert.pem -out newkey.pem
- mv newcert.pem servercert.pem
- mv newkey.pem serverkey.pem
-Dieter
--
Dieter Klünter | Systemberatung
http://www.dkluenter.de
GPG Key ID:01443B53
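As an added example (not part of the original thread, and not CA.pl itself), the procedure above reproduced with plain openssl commands so it can be run without the CA.pl wrapper: a self-signed CA, a server key and CSR kept in separate files, a server certificate signed by the CA, and the check Dieter suggests, comparing the certificate's issuer with its subject to tell a CA-signed cert from a self-signed one. The directory, file names, key size and subject names are assumptions for this example; adapt them to your openssl.cnf and to where slapd expects its files.

```shell
#!/bin/sh
# Added example, not from the original thread. Builds a test CA with plain
# openssl commands, signs a server certificate with it, and checks that the
# server cert is CA-signed rather than self-signed. File names, subjects and
# key sizes are assumptions for this example.
set -e

# Print 1 if the certificate's issuer equals its subject (self-signed), else 0.
# This is the quick way to read the output of "openssl x509 -text": a server
# cert whose Issuer line matches its Subject line was never signed by the CA.
is_self_signed() {
    cert="$1"
    subj=$(openssl x509 -in "$cert" -noout -subject)
    iss=$(openssl x509 -in "$cert" -noout -issuer)
    # strip the "subject=" / "issuer=" prefixes before comparing
    subj=${subj#subject=}
    iss=${iss#issuer=}
    if [ "$subj" = "$iss" ]; then echo 1; else echo 0; fi
}

# Create, inside directory $1: a CA key and self-signed CA cert, a server key
# and CSR in separate files, and a server cert signed by the CA.
make_ca_signed_cert() {
    dir="$1"
    mkdir -p "$dir"
    # CA: the only certificate here that is legitimately self-signed
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Example Test CA" \
        -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null
    # server request: unlike the quoted steps, key and CSR go to different files
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=ldap.example.test" \
        -keyout "$dir/serverkey.pem" -out "$dir/server.csr" 2>/dev/null
    chmod 400 "$dir/serverkey.pem"
    # sign the CSR with the CA key (what CA.pl -signreq does); -CAcreateserial
    # writes a serial file next to cacert.pem
    openssl x509 -req -in "$dir/server.csr" \
        -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" -CAcreateserial \
        -days 365 -out "$dir/servercert.pem" 2>/dev/null
}

# Verify that servercert.pem chains to cacert.pem; prints "ok" or "bad".
check_chain() {
    dir="$1"
    if openssl verify -CAfile "$dir/cacert.pem" "$dir/servercert.pem" >/dev/null 2>&1; then
        echo ok
    else
        echo bad
    fi
}

# usage:
#   make_ca_signed_cert /tmp/myca
#   is_self_signed /tmp/myca/servercert.pem   (0: signed by the CA)
#   is_self_signed /tmp/myca/cacert.pem       (1: the CA itself)
#   check_chain /tmp/myca                     (ok)
```

After copying cacert.pem, servercert.pem and serverkey.pem into place, the same issuer/subject check can be run against what slapd actually serves by feeding the output of `openssl s_client -connect your.server:636 -showcerts` to `openssl x509 -noout -subject -issuer`.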