Keagle, Chuck wrote:
> The 2.3 Admin Guide indicates in Section 12.2.1.2 that the TLSCACertificateFile directive can be used instead of the hash links.
Yes, and that is the preferred usage.
(In fact you can use both at once, but there's no reason to.)
> If I switch to using hash links, is it OK to just cat the crt and key file together to create a pem file?
Your CA's key should pretty much never be accessible anywhere except on the machine that's used to sign certificates. Certificate files are meant to be publicly readable, while secret keys are (duh) meant to be kept secret.
Not all who wander are lost.
                        | ---- ___o      | chuck.keagle@boeing.com
Chuck Keagle            | ------- \ <,   | Work: (425) 865-1488
Enterprise Servers: HPC | ----- ( )/ ( ) | Cell: (425) 417-3434
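The two lookup styles discussed above, exercised end to end as an added example (this script is not from the thread, OpenLDAP, or SLES): it builds a throwaway CA and server certificate, verifies the server certificate once through a single CA file (what TLSCACertificateFile takes) and once through a directory of <subject_hash>.N symlinks (what TLSCACertificatePath takes, which is the layout c_rehash, or openssl rehash on OpenSSL 1.1.0 and later, produces in /etc/ssl/certs), and then shows why "cat the crt and key together" is a mistake for a CA file: the result contains a private key. It assumes openssl(1) on PATH; every hostname, path and filename below is made up.

```shell
#!/bin/sh
# Added example, not code from the openldap-software thread. Assumes openssl(1)
# on PATH; all names and paths are hypothetical.
set -eu

# Generate a throwaway CA and a server cert signed by it inside directory $1.
make_test_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -sha256 \
        -subj '/CN=Example Test CA' -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj '/CN=ldap.example.test' -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -days 2 -sha256 -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/server.crt" 2>/dev/null
}

# What c_rehash does for one certificate: link $1 into directory $2 as
# <subject_hash>.N, where N is the first free suffix (two CAs whose subject
# names hash alike get .0 and .1). Prints the link name it created.
link_ca_hash() {
    cert=$(cd "$(dirname "$1")" && pwd)/$(basename "$1")   # absolute target
    capath=$2
    hash=$(openssl x509 -noout -subject_hash -in "$cert")
    n=0
    while [ -e "$capath/$hash.$n" ] || [ -L "$capath/$hash.$n" ]; do
        n=$((n + 1))
    done
    ln -s "$cert" "$capath/$hash.$n"
    printf '%s\n' "$hash.$n"
}

# Verify server cert $3 against a hash-link directory (mode "path") or a
# single CA file (mode "file"); exit status is the verification result.
verify_with() {
    mode=$1; ca=$2; cert=$3
    case $mode in
        path) openssl verify -CApath "$ca" "$cert" >/dev/null 2>&1 ;;
        file) openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ;;
        *) return 2 ;;
    esac
}

# Anything handed to TLSCACertificateFile or dropped into TLSCACertificatePath
# must hold certificates only; a PRIVATE KEY block means the CA key leaked.
pem_has_private_key() {
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1"
}

main() {
    work=$(mktemp -d)
    make_test_pki "$work"

    # 1. TLSCACertificateFile style: one file holding the CA certificate.
    if verify_with file "$work/ca.crt" "$work/server.crt"; then
        echo "CAfile: server.crt verifies against ca.crt"
    fi

    # 2. TLSCACertificatePath style: a directory of hash links, like /etc/ssl/certs.
    mkdir "$work/certs"
    link=$(link_ca_hash "$work/ca.crt" "$work/certs")
    if verify_with path "$work/certs" "$work/server.crt"; then
        echo "CApath: server.crt verifies via $work/certs/$link"
    fi

    # 3. The "cat crt and key into a pem" idea, applied to the CA: caught.
    cat "$work/ca.crt" "$work/ca.key" > "$work/ca-bundle.pem"
    if pem_has_private_key "$work/ca-bundle.pem"; then
        echo "ca-bundle.pem: REFUSED, it contains a private key"
    fi

    # The server's own key stays in its own mode-0600 file; slapd names the
    # certificate and the key with separate directives, so no bundling needed.
    chmod 600 "$work/server.key"
    cat <<EOF
# slapd.conf fragment (hypothetical paths)
TLSCACertificateFile  $work/ca.crt
TLSCertificateFile    $work/server.crt
TLSCertificateKeyFile $work/server.key
EOF
    rm -rf "$work"
}

main
```

Running it prints the two successful verifications, the refusal for the bundled file, and a slapd.conf fragment; the CA's key file never needs to exist on the LDAP host at all, only ca.crt does.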
-----Original Message-----
From: Keagle, Chuck
Sent: Monday, November 19, 2007 10:37 AM
To: Quanah Gibson-Mount; openldap-software@openldap.org
Subject: RE: Enabling TLS problem on openldap2-2.3.39
By default, the SLES 9.3 slapd.conf defines the CA Cert like this:
TLSCACertificatePath /etc/ssl/certs
That directory has lots of pem files in it with x509 symbolic links:
ls -C /etc/ssl/certs
Password:
052eae11.0  6f5d9899.0   d4e39186.0         ICE-root.pem    timCA.pem
18d46017.0  73912336.0   ddc328ff.0         ICE-user.pem    tjhCA.pem
1e49180d.0  7651b327.0   dsa-ca.pem         ICP-Brasil.pem  vsign1.pem
1ef89214.0  8c401b31.0   dsa-pca.pem        nortelCA.pem    vsign2.pem
1f6c59cd.0  8caad35e.0   Equifax-root1.pem  pca-cert.pem    vsign3.pem
24867d38.0  91b8190d.0   expired            RegTP-4R.pem    vsignss.pem
2edf7016.0  a99c5886.0   f3e90025.0         RegTP-5R.pem    vsigntca.pem
3ecf89a3.0  adbec561.0   f73e89fd.0         RegTP-6R.pem    YaST-CA.pem
594f1775.0  b5f329fa.0   factory.pem        rsa-cca.pem
69ea794f.0  c33a80d4.0   ICE-CA.pem         thawteCb.pem
6bee6be3.0  ca-cert.pem  ICE.crl            thawteCp.pem
I think CA certs is set up correctly. Am I wrong about that?
Do I have to move /etc/openldap/server.{crt,key} to /etc/ssl/certs?
Do I have to turn /etc/openldap/server.{crt,key} into a .pem file?
Do I have to create x509 symbolic links from /etc/openldap/server.{crt,key} to /etc/ssl/certs?