The document also references port 636 instead of STARTTLS.  Considering someone's already tagged it as "obsolete", I vote for removal.

On Thu, Jul 2, 2009 at 4:54 AM, Howard Chu <> wrote:
We need to either remove this document from the web site, or remove the part that tells how to create a self-signed server cert. Anyone deploying TLS with their own certs should be creating their own CA separately from their server certs. And telling folks to create cert files where the private key is included in the same file is utterly irresponsible.

-------- Original Message --------
Subject:        TLS init def ctx failed: -1
Date:   Thu, 2 Jul 2009 12:39:21 +0200
From:   François Mehault <>
To: <>

Hi all

I contact you because I don't succeed in configuring my OpenLDAP with TLS.

First I create a self-signed certificate server.pem like I read on this page in

    openssl req -newkey rsa:1024 -x509 -nodes -out server.pem -keyout server.pem -days 365

Then I add these lines in slapd.conf:

    TLSCertificateFile /usr/local/etc/openldap/tls/server.pem
    TLSCertificateKeyFile /usr/local/etc/openldap/tls/server.pem
    TLSCACertificateFile /usr/local/etc/opendldap/tls/server.pem
    TLSVerifyClient never

Then I restart slapd (/usr/local/etc/rc.d/slapd stop, then start).

And in my /var/log/debug.log I have

    Jul  2 12:18:39 labobe2 slapd[97816]: main: TLS init def ctx failed: -1
    Jul  2 12:18:39 labobe2 slapd[97816]: slapd destroy: freeing system
    Jul  2 12:18:39 labobe2 slapd[97816]: syncinfo_free: rid=001
    Jul  2 12:18:39 labobe2 slapd[97816]: slapd stopped.

I use FreeBSD 7.

If someone can help me, I'd appreciate it. Thanks in advance.
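Added example, written for this page and not code from any of the posters or from the OpenLDAP project: a small POSIX sh lint that reads the TLS directives of a slapd.conf and flags the two things Howard objects to in the configuration François posted (the private key bundled into the certificate file, and the server certificate named as its own CA), plus two checks a practitioner would want alongside them: a referenced file slapd cannot read, and a key file readable beyond its owner. Both slapd.conf fragments, all paths and the PEM bodies are constructed sample data; the base64 is dummy text, not real key material. The function and directive names below (conf_value, pem_has, lint_tls_conf, count_findings) are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): lint the TLS directives of a slapd.conf.
# All paths and PEM contents below are constructed sample data; the base64
# bodies are dummies, not real keys or certificates.

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Sample 1 (constructed): the layout from the original post. One file holds
# both the private key and the certificate, which is what
# "-out server.pem -keyout server.pem" produces, and that same file is also
# named as the CA certificate.
cat > "$WORK/server.pem" <<'EOF'
-----BEGIN PRIVATE KEY-----
MIIBVQIBADANBgkqhkiG9w0BAQEFAASCAT8wggE7AgEAAkEAdummy
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIBszCCAV0CAQEwDQYJKoZIhvcNAQEFBQAwEzERMA8GA1UEAwwIdummy
-----END CERTIFICATE-----
EOF
chmod 644 "$WORK/server.pem"   # the usual default-umask result, deliberately loose
cat > "$WORK/bad.conf" <<EOF
TLSCertificateFile $WORK/server.pem
TLSCertificateKeyFile $WORK/server.pem
TLSCACertificateFile $WORK/server.pem
TLSVerifyClient never
EOF

# Sample 2 (constructed): the layout Howard asks for. A CA certificate kept
# apart from the server certificate, and the server key in its own file,
# readable only by its owner.
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBdummyCA' '-----END CERTIFICATE-----' > "$WORK/ca.pem"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBdummySrv' '-----END CERTIFICATE-----' > "$WORK/srv-cert.pem"
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'MIIBdummyKey' '-----END PRIVATE KEY-----' > "$WORK/srv-key.pem"
chmod 600 "$WORK/srv-key.pem"
cat > "$WORK/good.conf" <<EOF
TLSCertificateFile $WORK/srv-cert.pem
TLSCertificateKeyFile $WORK/srv-key.pem
TLSCACertificateFile $WORK/ca.pem
TLSVerifyClient never
EOF

# conf_value CONF DIRECTIVE: print the directive's first value, or nothing.
conf_value() {
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# pem_has FILE TEXT: succeed if FILE contains a "-----BEGIN ...TEXT" header
# (matches both "BEGIN PRIVATE KEY" and "BEGIN RSA PRIVATE KEY").
pem_has() {
    grep -q "^-----BEGIN .*$2" "$1" 2>/dev/null
}

# lint_tls_conf CONF: print one finding per line; always returns 0.
lint_tls_conf() {
    conf="$1"
    cert=$(conf_value "$conf" TLSCertificateFile)
    key=$(conf_value "$conf" TLSCertificateKeyFile)
    ca=$(conf_value "$conf" TLSCACertificateFile)

    # A path slapd cannot open is enough on its own to fail TLS initialisation.
    for f in "$cert" "$key" "$ca"; do
        if [ -n "$f" ] && [ ! -r "$f" ]; then
            echo "MISSING: $f is not readable"
        fi
    done
    if [ -n "$cert" ] && [ "$cert" = "$key" ]; then
        echo "KEY-IN-CERT: TLSCertificateFile and TLSCertificateKeyFile are the same file"
    fi
    if [ -r "$cert" ] && pem_has "$cert" "PRIVATE KEY"; then
        echo "KEY-IN-CERT: $cert carries a PRIVATE KEY block beside the certificate"
    fi
    if [ -n "$ca" ] && [ "$ca" = "$cert" ]; then
        echo "NO-CA: TLSCACertificateFile is the server certificate itself, not a separate CA"
    fi
    if [ -r "$key" ]; then
        # GNU stat first, BSD stat as fallback; any group or other bit set is a finding.
        mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")
        case "$mode" in
            *[1-7]? | *?[1-7]) echo "KEY-PERMS: $key is readable beyond its owner (mode $mode)" ;;
        esac
    fi
    return 0
}

# count_findings CONF: number of findings, as a bare integer on stdout.
count_findings() {
    lint_tls_conf "$1" | wc -l | tr -d ' '
}

for c in bad good; do
    echo "== $c.conf: $(count_findings "$WORK/$c.conf") finding(s)"
    lint_tls_conf "$WORK/$c.conf"
done
```

Run against the first sample the lint reports four findings (same file for key and certificate, a PRIVATE KEY block inside the certificate file, the certificate doubling as CA, and a 644 key file); against the second it reports none. The MISSING check is deliberately separate from the layout checks: a bad path and a bad layout both end in slapd refusing to start TLS, but only the latter is a security problem rather than an availability one.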