The 2.3 Admin Guide indicates in Section 12.2.1.2 that the TLSCACertificateFile directive can be used instead of the hash links.
If I switch to using hash links, is it OK to just cat the crt and key file together to create a pem file?
----
Not all who wander are lost.
                        | ----  ___o      | chuck.keagle@boeing.com
Chuck Keagle            | ------- \ <,    | Work: (425) 865-1488
Enterprise Servers: HPC | -----  ( )/ ( ) | Cell: (425) 417-3434
-----Original Message-----
From: Keagle, Chuck
Sent: Monday, November 19, 2007 10:37 AM
To: Quanah Gibson-Mount; openldap-software@openldap.org
Subject: RE: Enabling TLS problem on openldap2-2.3.39
By default, the SLES 9.3 slapd.conf defines the CA Cert like this:
TLSCACertificatePath /etc/ssl/certs
That directory has lots of pem files in it with x509 symbolic links:
ls -C /etc/ssl/certs
Password:
052eae11.0  6f5d9899.0   d4e39186.0         ICE-root.pem    timCA.pem
18d46017.0  73912336.0   ddc328ff.0         ICE-user.pem    tjhCA.pem
1e49180d.0  7651b327.0   dsa-ca.pem         ICP-Brasil.pem  vsign1.pem
1ef89214.0  8c401b31.0   dsa-pca.pem        nortelCA.pem    vsign2.pem
1f6c59cd.0  8caad35e.0   Equifax-root1.pem  pca-cert.pem    vsign3.pem
24867d38.0  91b8190d.0   expired            RegTP-4R.pem    vsignss.pem
2edf7016.0  a99c5886.0   f3e90025.0         RegTP-5R.pem    vsigntca.pem
3ecf89a3.0  adbec561.0   f73e89fd.0         RegTP-6R.pem    YaST-CA.pem
594f1775.0  b5f329fa.0   factory.pem        rsa-cca.pem
69ea794f.0  c33a80d4.0   ICE-CA.pem         thawteCb.pem
6bee6be3.0  ca-cert.pem  ICE.crl            thawteCp.pem
I think CA certs are set up correctly. Am I wrong about that?
Do I have to move /etc/openldap/server.{crt,key} to /etc/ssl/certs?
Do I have to turn /etc/openldap/server.{crt,key} into a .pem file?
Do I have to create x509 symbolic links from /etc/openldap/server.{crt,key} to /etc/ssl/certs?
Thanks for your help.
-----Original Message-----
From: Quanah Gibson-Mount [mailto:quanah@zimbra.com]
Sent: Friday, November 16, 2007 6:28 PM
To: Keagle, Chuck; openldap-software@openldap.org
Subject: Re: Enabling TLS problem on openldap2-2.3.39
--On Friday, November 16, 2007 5:01 PM -0800 "Keagle, Chuck" <chuck.keagle@boeing.com> wrote:
I'm configuring slapd to use TLS. First I just want to make it work, then I'll go into requiring encryption.
The system is SLES 9.3. The openldap2 is 2.3.39. Other certificates are in /etc/ssl/certs as specified by default in slapd.conf for openldap2 2.3.39.
The database is currently empty, just getting started.
Generated a self-signed x509 certificate:
cd /etc/openldap
openssl genrsa 1024 >server.key
chmod 0440 server.key
chown root:ldap server.key
openssl req -new -key server.key -x509 -days 100 -out server.crt
Entered all the important stuff
chmod 0444 server.crt
Checked certificate and it looked acceptable:
openssl x509 -text -in server.crt
Changed following lines in slapd.conf:
TLSCertificateFile /etc/openldap/server.crt
TLSCertificateKeyFile /etc/openldap/server.key
You failed to set the CA Cert directive in slapd.conf, so it has no way of presenting its CA cert.
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
Zimbra :: the leader in open source messaging and collaboration
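The thread above turns on two points: what a TLSCACertificatePath directory actually needs (the <subject-hash>.N links, not merely a .pem file dropped into it) versus pointing TLSCACertificateFile at one file, and whether a certificate and key can be concatenated into a single PEM file. The script below is an added example, not code from the thread, from OpenLDAP or from SUSE. It assumes only that the openssl command-line tool is installed; every path it uses is a scratch directory it creates itself, so it never touches /etc/openldap or /etc/ssl/certs. It generates a throwaway self-signed certificate the way the original post does, shows that a hash-directory lookup fails until the hash link exists, builds that link the way c_rehash would, checks the same certificate via a single CA file, and finally confirms that a concatenated crt+key file is still readable as both objects while carrying the key's restrictive permissions.

```shell
#!/bin/sh
# Added example (not from the thread): compare TLSCACertificateFile-style and
# TLSCACertificatePath-style lookups against a self-signed test certificate.
# Assumes the openssl CLI is installed; all paths are scratch paths made here.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found"; exit 0; }

# Generate a self-signed key/cert pair, as the thread does with genrsa + req -x509.
# $1 = directory to write server.key and server.crt into
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1/server.key" -out "$1/server.crt" \
        -subj "/CN=ldap.example.test" >/dev/null 2>&1
    chmod 0400 "$1/server.key"   # the private key must not be world-readable
}

# Create the <hash>.N symlink that hash-directory lookups require. OpenSSL never
# opens files in a CApath by their .pem name: it opens <subject_hash>.0, .1, ...
# so a certificate merely copied into the directory is invisible to it.
# This is the per-file step c_rehash performs.  $1 = cert file, $2 = directory;
# prints the link name created.
hash_link() {
    h=$(openssl x509 -noout -subject_hash -in "$1")
    n=0
    while [ -e "$2/$h.$n" ]; do n=$((n + 1)); done   # next free suffix
    ln -s "$1" "$2/$h.$n"
    echo "$h.$n"
}

# Validate $2 against a single CA file $1 (TLSCACertificateFile style).
verify_with_file() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 && echo OK || echo FAIL
}

# Validate $2 against a hash directory $1 (TLSCACertificatePath style).
verify_with_path() {
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1 && echo OK || echo FAIL
}

# Concatenate cert $1 and key $2 into $3 and confirm OpenSSL still finds each
# object by its "-----BEGIN ...-----" type. The combined file now contains the
# private key, so it inherits the key's permissions, not the certificate's.
combined_pem_ok() {
    cat "$1" "$2" > "$3"
    chmod 0400 "$3"
    if openssl x509 -noout -in "$3" >/dev/null 2>&1 &&
       openssl pkey -noout -in "$3" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# Walk through the scenario with constructed scratch paths.
demo() {
    work=$(mktemp -d)
    mkdir "$work/certs"                              # stands in for /etc/ssl/certs
    make_selfsigned "$work"
    cp "$work/server.crt" "$work/certs/server.pem"   # a plain copy is not enough
    echo "CApath before hash link: $(verify_with_path "$work/certs" "$work/server.crt")"
    link=$(hash_link "$work/server.crt" "$work/certs")
    echo "created $link"
    echo "CApath after hash link:  $(verify_with_path "$work/certs" "$work/server.crt")"
    echo "CAfile:                  $(verify_with_file "$work/server.crt" "$work/server.crt")"
    echo "combined pem readable:   $(combined_pem_ok "$work/server.crt" "$work/server.key" "$work/server.pem")"
    rm -rf "$work"
}

demo
```

The "before" line prints FAIL and the "after" line prints OK, which is the whole difference between a directory full of .pem files and a directory slapd can actually search: the hash links are the index. The combined-PEM check is a read test only; whether a single file is the right layout for a given deployment is a separate question of which users need to read the certificate without also being able to read the key.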