I&#39;m newbie in mailman list, so I don&#39;t know if I&#39;m sending this email correctly.<br><br>Tranks for your reply, and what I&#39;ve understood, I have to do the following:<br><code>% <b>cd /var/myca/</b>
<br>% <b>/usr/share/ssl/misc/CA.sh -newca</b><br></code>This creates cacert.pem and private/cakey.pem (these files are common for all the server and clients). In The field of Common Name I have to write the ldap master server name host (i.e. <a href="http://ldap.dominio.com">ldap.dominio.com</a>).<br>
<br>Now, I make a singing request for master server, slave server (replica) and clients. I execute all these command for each one changing the Common Name for the specific host name (for master server: <a href="http://ldap.dominio.com">ldap.dominio.com</a>, for slave server (replica):<a href="http://replica.ldap.dominio.com">replica.ldap.dominio.com</a>, for clients: pc1.dominio.com....).<br>
<code>% </code><code><b>openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem</b>
</code><br><code>% <b>/usr/share/ssl/misc/CA.sh -sign</b>
</code><br><br>Are all OK?<br>Thank you very much, and if this is correct, you could add this to a FAQ of the openldap guide, because I haven&#39;t seen anything about slave servers.<br><br><br><br><div class="gmail_quote">
2008/11/14 Gavin Henry <span dir="ltr">&lt;<a href="mailto:ghenry@openldap.org">ghenry@openldap.org</a>&gt;</span><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div><div></div><div class="Wj3C7c"><br>
----- &quot;Alberto GD&quot; &lt;<a href="mailto:darkxer0x@esdebian.org">darkxer0x@esdebian.org</a>&gt; wrote:<br>
<br>
&gt; Hi!<br>
&gt; I&#39;ve followed <a href="http://openldap.org" target="_blank">openldap.org</a> &#39;s guide and ldap works great with TLS/SSL<br>
&gt; with authentication in server and clients. Now I have added a LDAP<br>
&gt; replica (ldap slave server), and I have some questions:<br>
&gt; - In the clients I had to make the certs with the server certificate<br>
&gt; (cacer.pem) of the master, because I check the server certificate, and<br>
&gt; also check the clients in the server. Now that I have a replica, I<br>
&gt; have to make others certs with the server certificate of the slave<br>
&gt; server (and how can I show two certificates to ldap.conf)?? (I<br>
&gt; followed this (<br>
&gt; <a href="http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html#4.3" target="_blank">http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html#4.3</a> ) Or with the<br>
&gt; certificates made from server certificates its sufficient??<br>
&gt;<br>
&gt; &gt;Step 1 and 2: Do nothing ... the CA does not need to be created<br>
&gt; again. The plan is to use the same CA certificate to sign the client<br>
&gt; certificate.<br>
<br>
</div></div>For all server and clients certs you have created or will create, just sign them<br>
all with the CA cert you created and make sure all servers and clients get a copy<br>
of the CA cert. That&#39;s all you need to do.<br>
<br>
Gavin.<br>
<br>
--<br>
Kind Regards,<br>
<br>
Gavin Henry.<br>
OpenLDAP Engineering Team.<br>
<br>
E ghenry@OpenLDAP.org<br>
<br>
Community developed LDAP software.<br>
<br>
<a href="http://www.openldap.org/project/" target="_blank">http://www.openldap.org/project/</a><br>
</blockquote></div><br>