Hi Hauke,

I still can't get TLS to work. Here is the error message.

TLS certificate verification: Error, self signed certificate
tls_write: want=7, written=7
  0000:  15 03 01 00 02 02 30                               ......0
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed.
ldap_err2string
ldap_start_tls: Connect error (-11)


Thanks


----- Original Message ----
From: Hauke Coltzau <hauke.coltzau@FernUni-Hagen.de>
To: Dat Duong <datduong2000@yahoo.com>
Cc: openldap-technical <openldap-technical@openldap.org>
Sent: Tuesday, October 7, 2008 1:25:37 AM
Subject: Re: StartTLS is not working

Hi Dat,

first of all: Please send your questions to the list so that
other users with the same problem can find the solution, too.

To your problem: Please make sure that you have a correct
value for your ServerCA's private key in your openssl.cnf. It
should read something like this:


[ ServerCA ]

# Where is the base directory for the ServerCA
dir            = /usr/lib/ssl/ServerCA

# Where is the ServerCA's certificate
certificate    = $dir/ServerCA.cert.pem

# and where is the ServerCA's private key
private_key    = $dir/private/ServerCA.key.pem


Without the private key, the ServerCA will not be
able to sign your LDAP certificate. You will find more
configuration hints for openssl.cnf in the tutorial.

Hope this helps,

Hauke

--


----- Original Message -----
From: "Dat Duong" <datduong2000@yahoo.com>
To: "hauke coltzau" <hauke.coltzau@FernUni-Hagen.de>
Sent: Tuesday, 7 October 2008 09:06:07 GMT +01:00 Amsterdam/Berlin/Bern/Rome/Stockholm/Vienna
Subject: StartTLS is not working



Hi Hauke,

I read your instructions on how to create a Root CA ... I have a hard time understanding the steps. I have a question on how to sign the LDAP server certificate using the Server CA. I get an error message:

bash-3.00# openssl ca -name ServerCA -in afldap01.req.pem -out afldap01.cert.pem

Using configuration from /usr/local/ssl/openssl.cnf
variable lookup failed for ServerCA::private_key
18908:error:0E06D06C:configuration file routines:NCONF_get_string:no value:conf_lib.c:329:group=ServerCA name=private_key

Thanks
Dat

--
------------------------------------
      Fernuniversität in Hagen
  Lehrgebiet Kommunikationsnetze
  http://www.fernuni-hagen.de/kn

Fon/Fax: +49 2331 987 -1142 / -353
------------------------------------
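The "variable lookup failed for ServerCA::private_key" error above comes from `openssl ca -name ServerCA` looking up section-scoped keys in openssl.cnf. The following added pre-flight check (not from the thread, Hauke's tutorial, or OpenSSL itself) emulates that section::name lookup, including `$dir` expansion, on a constructed sample config so that a missing key is caught before any signing is attempted. It assumes POSIX sh and awk; the section names and paths are the ones quoted in the thread, and the sample file is constructed here, not the real /usr/local/ssl/openssl.cnf.

```shell
#!/bin/sh
# Pre-flight check for the openssl.cnf section selected by `openssl ca -name <section>`.

# Constructed sample config: ServerCA deliberately lacks private_key to reproduce
# the lookup failure from the thread; RootCA is complete for comparison.
SAMPLE_CNF=$(mktemp)
cat > "$SAMPLE_CNF" <<'EOF'
[ ca ]
default_ca     = ServerCA

[ ServerCA ]
dir            = /usr/lib/ssl/ServerCA
certificate    = $dir/ServerCA.cert.pem
# private_key is missing here on purpose

[ RootCA ]
dir            = /usr/lib/ssl/RootCA
certificate    = $dir/RootCA.cert.pem
private_key    = $dir/private/RootCA.key.pem
EOF

# conf_lookup FILE SECTION NAME: print the value with $dir expanded; exit 1 if absent.
conf_lookup() {
    awk -v sec="$2" -v name="$3" '
        /^[ \t]*#/ { next }                                   # skip comment lines
        /^[ \t]*\[/ { s=$0; gsub(/[][ \t]/, "", s); insec=(s==sec); next }
        insec && /=/ {
            k=$0; sub(/=.*/, "", k); gsub(/[ \t]/, "", k)      # key, whitespace stripped
            v=substr($0, index($0, "=")+1); gsub(/^[ \t]+|[ \t]+$/, "", v)
            vals[k]=v
            if (k==name) found=1
        }
        END {
            if (!found) exit 1                                # same condition OpenSSL reports
            v=vals[name]; gsub(/\$dir/, vals["dir"], v); print v
        }' "$1"
}

# check_ca_section FILE SECTION: 0 only if every key the thread relies on is present.
check_ca_section() {
    rc=0
    for key in dir certificate private_key; do
        if val=$(conf_lookup "$1" "$2" "$key"); then
            echo "$2::$key = $val"
        else
            echo "variable lookup failed for $2::$key" >&2
            rc=1
        fi
    done
    return $rc
}
```

Run `check_ca_section /usr/local/ssl/openssl.cnf ServerCA` against the real file to see which key the `-name ServerCA` section still lacks.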