I'm a newbie on the mailman list, so I don't know if I'm sending this email
Thanks for your reply, and from what I've understood, I have to do the following:
% cd /var/myca/
% /usr/share/ssl/misc/CA.sh -newca
This creates cacert.pem and private/cakey.pem (these files are common for
all the servers and clients). In the Common Name field I have to write the
LDAP master server host name (i.e. ldap.dominio.com).
Now, I make a signing request for the master server, slave server (replica) and
clients. I execute all these commands for each one, changing the Common Name
to the specific host name (for master server: ldap.dominio.com, for slave, for clients:
% openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem
% /usr/share/ssl/misc/CA.sh -sign
Is everything OK?
Thank you very much, and if this is correct, you could add this to a FAQ of
the openldap guide, because I haven't seen anything about slave servers.
2008/11/14 Gavin Henry <ghenry(a)openldap.org>
----- "Alberto GD" <darkxer0x(a)esdebian.org> wrote:
> I've followed openldap.org's guide and ldap works great with TLS/SSL
> with authentication in server and clients. Now I have added a LDAP
> replica (ldap slave server), and I have some questions:
> - In the clients I had to make the certs with the server certificate
> (cacer.pem) of the master, because I check the server certificate, and
> also check the clients in the server. Now that I have a replica, I
> have to make others certs with the server certificate of the slave
> server (and how can I show two certificates to ldap.conf)?? (I
> followed this ( ) Or with the
> certificates made from server certificates it's sufficient??
> >Step 1 and 2: Do nothing ... the CA does not need to be created
> again. The plan is to use the same CA certificate to sign the client
For all server and client certs you have created or will create, just sign
all with the CA cert you created and make sure all servers and clients get
a copy of the CA cert. That's all you need to do.
OpenLDAP Engineering Team.
Community developed LDAP software.
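
The procedure discussed in this thread, as an added example that is not part of the original messages: one CA signs the master, replica and client certificates, and a certificate from a different CA fails verification against the shared cacert.pem. It assumes plain openssl commands in place of CA.sh, 2048-bit keys rather than the 1024-bit keys in the post, and replica.example.com, client.example.com and other.example.com as placeholder host names.

```shell
#!/bin/sh
# Added example: one CA signs the master, replica and client certificates.
# replica.example.com, client.example.com, other.example.com are placeholders.

make_ca() {  # make_ca DIR NAME -> DIR/cacert.pem and DIR/cakey.pem
    mkdir -p "$1" &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$2" \
        -keyout "$1/cakey.pem" -out "$1/cacert.pem" 2>/dev/null
}

issue_cert() {  # issue_cert CA_DIR OUT_DIR HOSTNAME -> OUT_DIR/HOSTNAME.key/.crt
    mkdir -p "$2" &&
    # Key and signing request; Common Name is the host's own name
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$2/$3.key" -out "$2/$3.csr" 2>/dev/null &&
    # Sign the request with the CA key (the step CA.sh -sign performs)
    openssl x509 -req -in "$2/$3.csr" -days 365 \
        -CA "$1/cacert.pem" -CAkey "$1/cakey.pem" -CAcreateserial \
        -out "$2/$3.crt" 2>/dev/null
}

trusts() {  # trusts CA_CERT CERT: succeeds only if CERT chains to CA_CERT
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

demo() {
    work=$(mktemp -d) || return 1
    make_ca "$work/myca" "Example LDAP CA" || return 1
    for host in ldap.dominio.com replica.example.com client.example.com; do
        issue_cert "$work/myca" "$work/certs" "$host" || return 1
        trusts "$work/myca/cacert.pem" "$work/certs/$host.crt" || return 1
        echo "$host: verified against the shared CA"
    done
    # A second CA, to show why every cert must be signed by the same one
    make_ca "$work/otherca" "Some Other CA" || return 1
    issue_cert "$work/otherca" "$work/certs" other.example.com || return 1
    if trusts "$work/myca/cacert.pem" "$work/certs/other.example.com.crt"; then
        return 1
    fi
    echo "other.example.com: rejected, signed by a different CA"
    rm -rf "$work"
}

demo
```

Only cacert.pem is distributed to the servers and clients; cakey.pem stays on the machine that does the signing.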