I'm a newbie on the mailman list, so I don't know if I'm sending this email correctly.
Thanks for your reply, and from what I've understood, I have to do the following:

    % cd /var/myca/
    % /usr/share/ssl/misc/CA.sh -newca

This creates cacert.pem and private/cakey.pem (these files are common for all the servers and clients). In the Common Name field I have to write the LDAP master server host name (i.e. ldap.dominio.com).

Now I make a signing request for the master server, the slave server (replica) and the clients. I execute all these commands for each one, changing the Common Name to the specific host name (for the master server: ldap.dominio.com, for the slave server (replica): replica.ldap.dominio.com, for the clients: pc1.dominio.com...).

    % openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem
    % /usr/share/ssl/misc/CA.sh -sign
Is all of this OK? Thank you very much, and if this is correct, you could add this to a FAQ of the openldap guide, because I haven't seen anything about slave servers.
2008/11/14 Gavin Henry ghenry@openldap.org
----- "Alberto GD" darkxer0x@esdebian.org wrote:
Hi! I've followed openldap.org's guide and LDAP works great with TLS/SSL with authentication on the server and clients. Now I have added an LDAP replica (LDAP slave server), and I have some questions:
- In the clients I had to make the certs with the server certificate (cacert.pem) of the master, because I check the server certificate, and I also check the clients in the server. Now that I have a replica, do I have to make other certs with the server certificate of the slave server (and how can I show two certificates to ldap.conf)? (I followed this: http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html#4.3 ) Or are the certificates made from the server certificate sufficient?
Steps 1 and 2: Do nothing ... the CA does not need to be created again. The plan is to use the same CA certificate to sign the client certificate.
For all server and clients certs you have created or will create, just sign them all with the CA cert you created and make sure all servers and clients get a copy of the CA cert. That's all you need to do.
Gavin.
-- Kind Regards,
Gavin Henry. OpenLDAP Engineering Team.
E ghenry@OpenLDAP.org
Community developed LDAP software.
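The procedure discussed in this thread (one CA, then one certificate per host signed by that same CA, and every peer verifying against the single cacert.pem), as an added example that is not part of the original exchange. It calls openssl directly rather than the interactive CA.sh wrapper, uses a 2048-bit key instead of 1024, and the CA directory defaults to a temporary directory rather than /var/myca; the CA name and host names are the thread's own or constructed.

```shell
#!/bin/sh
# Added example: one CA signs the master, the replica and a client.
# The CA step runs once; per-host steps are repeated for each host name.
set -e

# Working directory for the CA (the thread used /var/myca; a temp dir here).
CADIR="${CADIR:-$(mktemp -d)}"

# Create the CA once: a self-signed root whose CN is the CA itself.
make_ca() {
    mkdir -p "$CADIR/private"
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Example LDAP CA" \
        -keyout "$CADIR/private/cakey.pem" -out "$CADIR/cacert.pem" 2>/dev/null
}

# Per host: key and CSR with the host's FQDN as Common Name, then sign
# the CSR with the existing CA. The CA is never recreated for the replica.
make_host_cert() {
    host="$1"
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout "$CADIR/$host.key" -out "$CADIR/$host.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$CADIR/$host.csr" \
        -CA "$CADIR/cacert.pem" -CAkey "$CADIR/private/cakey.pem" \
        -CAcreateserial -out "$CADIR/$host.crt" 2>/dev/null
}

# What each peer does at TLS time: chain the presented cert to cacert.pem.
# Returns 0 when the cert was issued by this CA, non-zero otherwise.
verify_host_cert() {
    openssl verify -CAfile "$CADIR/cacert.pem" "$CADIR/$1.crt" >/dev/null 2>&1
}

# Print the Common Name of a host's certificate (works for old and new
# openssl subject formats).
cert_cn() {
    openssl x509 -noout -subject -in "$CADIR/$1.crt" | sed 's/.*CN *= *//'
}

# Build the CA, then sign every host named in the thread with it.
make_ca
for h in ldap.dominio.com replica.ldap.dominio.com pc1.dominio.com; do
    make_host_cert "$h"
    verify_host_cert "$h" && echo "$h: signed by $(basename "$CADIR")/cacert.pem"
done
```

Distribute only cacert.pem to every server and client; each host keeps its own .key and .crt.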