I'm newbie in mailman list, so I don't know if I'm sending this email correctly.

Tranks for your reply, and what I've understood, I have to do the following:
% cd /var/myca/
% /usr/share/ssl/misc/CA.sh -newca
This creates cacert.pem and private/cakey.pem (these files are common for all the server and clients). In The field of Common Name I have to write the ldap master server name host (i.e. ldap.dominio.com).

Now, I make a singing request for master server, slave server (replica) and clients. I execute all these command for each one changing the Common Name for the specific host name (for master server: ldap.dominio.com, for slave server (replica):replica.ldap.dominio.com, for clients: pc1.dominio.com....).
% openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem
% /usr/share/ssl/misc/CA.sh -sign

Are all OK?
Thank you very much, and if this is correct, you could add this to a FAQ of the openldap guide, because I haven't seen anything about slave servers.

2008/11/14 Gavin Henry <ghenry@openldap.org>

----- "Alberto GD" <darkxer0x@esdebian.org> wrote:

> Hi!
> I've followed openldap.org 's guide and ldap works great with TLS/SSL
> with authentication in server and clients. Now I have added a LDAP
> replica (ldap slave server), and I have some questions:
> - In the clients I had to make the certs with the server certificate
> (cacer.pem) of the master, because I check the server certificate, and
> also check the clients in the server. Now that I have a replica, I
> have to make others certs with the server certificate of the slave
> server (and how can I show two certificates to ldap.conf)?? (I
> followed this (
> http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html#4.3 ) Or with the
> certificates made from server certificates its sufficient??
> >Step 1 and 2: Do nothing ... the CA does not need to be created
> again. The plan is to use the same CA certificate to sign the client
> certificate.

For all server and clients certs you have created or will create, just sign them
all with the CA cert you created and make sure all servers and clients get a copy
of the CA cert. That's all you need to do.


Kind Regards,

Gavin Henry.
OpenLDAP Engineering Team.

E ghenry@OpenLDAP.org

Community developed LDAP software.