
Re: Replica (ldap slave server) certificates (SSL/TLS). Are clients certificates needed?



----- "Alberto GD" <darkxer0x@esdebian.org> wrote:

> I'm a newbie on this mailing list, so I don't know if I'm sending this email
> correctly.
> 
> Thanks for your reply, and from what I've understood, I have to do the
> following:
> % cd /var/myca/
> % /usr/share/ssl/misc/CA.sh -newca
> This creates cacert.pem and private/cakey.pem (these files are common
> for all the servers and clients). In the field Common Name I have to
> write the LDAP master server host name (i.e. ldap.dominio.com).
> 
> Now, I make a signing request for the master server, the slave server
> (replica) and the clients. I execute all these commands for each one,
> changing the Common Name to the specific host name (for the master
> server: ldap.dominio.com, for the slave server (replica):
> replica.ldap.dominio.com, for clients: pc1.dominio.com ...).
> % openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem
> % /usr/share/ssl/misc/CA.sh -sign
> 
> Is all of this OK?
> Thank you very much, and if this is correct, you could add this to a
> FAQ of the openldap guide, because I haven't seen anything about slave
> servers.

http://www.openldap.org/faq/data/cache/185.html

Simply:

/usr/share/ssl/misc/CA.sh -newca
/usr/share/ssl/misc/CA.sh -newreq
/usr/share/ssl/misc/CA.sh -sign

then for all other servers/slave, only do the last two of above.

See that FAQ for more info.


-- 
Kind Regards,

Gavin Henry.
OpenLDAP Engineering Team.

E ghenry@OpenLDAP.org

Community developed LDAP software.

http://www.openldap.org/project/
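The three-step procedure above (CA.sh -newca once, then CA.sh -newreq and CA.sh -sign once per host), written out with plain openssl so each step is visible. This is an added example, not code from the list post, the OpenLDAP FAQ or the CA.sh script; the directory layout, the CA name "Example LDAP CA", the key sizes and the use of subjectAltName are assumptions made here, and the host names are the ones from Alberto's message.

```shell
#!/bin/sh
# Added example, not code from the list post or the OpenLDAP FAQ: the CA.sh
# -newca / -newreq / -sign sequence done with plain openssl so each step is
# visible. Directory layout, CA name and key sizes are assumptions.
set -e

# Issue a certificate for one host: new key + CSR (what CA.sh -newreq does),
# then sign it with the CA (what CA.sh -sign does). Run once per master,
# replica and client, with the host's own name as the Common Name.
issue_host_cert() {
    dir="$1"; host="$2"
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$host" \
        -keyout "$dir/$host.key" -out "$dir/$host.csr" 2>/dev/null
    # Put the host name in subjectAltName as well: modern TLS clients match
    # the server name against SAN and ignore the CN once a SAN is present.
    printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/$host.ext"
    openssl x509 -req -sha256 -days 365 \
        -in "$dir/$host.csr" \
        -CA "$dir/cacert.pem" -CAkey "$dir/private/cakey.pem" -CAcreateserial \
        -extfile "$dir/$host.ext" -out "$dir/$host.pem" 2>/dev/null
    # The check each host should pass before slapd or ldap.conf points at it.
    openssl verify -CAfile "$dir/cacert.pem" "$dir/$host.pem" >/dev/null
}

# Build the whole PKI: one CA (what CA.sh -newca does), shared by every
# server and client, then one certificate per host.
# Returns 0 only if every issued certificate chains to the CA.
build_ldap_pki() {
    dir="$1"
    mkdir -p "$dir/private"
    chmod 700 "$dir/private"     # the CA key is the one secret that matters
    # The CA is not a server, so it gets its own name rather than the
    # master's host name (an assumption of this example, not a requirement).
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Example LDAP CA" \
        -keyout "$dir/private/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null
    for host in ldap.dominio.com replica.ldap.dominio.com pc1.dominio.com; do
        issue_host_cert "$dir" "$host"
    done
}

# Print the subject of an issued certificate, to confirm the CN is the host name.
cert_subject() {
    openssl x509 -noout -subject -in "$1"
}

dir="${1:-$(mktemp -d)}"
build_ldap_pki "$dir"
echo "PKI written to $dir"
```

Only cacert.pem is copied to every machine; each host keeps its own .key and .pem. On the servers those go into slapd's TLSCACertificateFile, TLSCertificateFile and TLSCertificateKeyFile, and clients need only TLS_CACERT in ldap.conf. The client certificates (pc1.dominio.com above) are used only if the server is configured with TLSVerifyClient set to try or demand; with the default of never, a client needs no certificate of its own to use SSL/TLS.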