Re: Replica (ldap slave server) certificates (SSL/TLS). Are clients certificates needed?

----- "Alberto GD" <darkxer0x(a)esdebian.org&gt; wrote: > Hi! > I've followed openldap.org 's guide and ldap works great with TLS/SSL > with authentication in server and clients. Now I have added a LDAP > replica (ldap slave server), and I have some questions: > - In the clients I had to make the certs with the server certificate > (cacer.pem) of the master, because I check the server certificate, and > also check the clients in the server. Now that I have a replica, I > have to make others certs with the server certificate of the slave > server (and how can I show two certificates to ldap.conf)?? (I > followed this ( > http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html#4.3 ) Or with the > certificates made from server certificates its sufficient?? > > >Step 1 and 2: Do nothing ... the CA does not need to be created > again. The plan is to use the same CA certificate to sign the client > certificate. For all server and clients certs you have created or will create, just sign them all with the CA cert you created and make sure all servers and clients get a copy of the CA cert. That's all you need to do. Gavin. -- Kind Regards, Gavin Henry. OpenLDAP Engineering Team. E ghenry(a)OpenLDAP.org Community developed LDAP software. http://www.openldap.org/project/