On Friday 25 July 2008 01:29:39 John Oliver wrote:
> On Thu, Jul 24, 2008 at 04:20:02PM -0700, Quanah Gibson-Mount wrote:
> > --On Thursday, July 24, 2008 4:13 PM -0700 John Oliver
> > joliver@john-oliver.net wrote:
> > > On Thu, Jul 24, 2008 at 04:04:10PM -0700, Quanah Gibson-Mount wrote:
> > > > Any client will need to know about the CA that signed your self-signed cert.
> > > I created my certificate with:
> > >   openssl req -new -x509 -nodes -out /etc/ssl/ldap.pem -keyout /etc/openldap/ssl/ldap.pem -days 3650
> > > In slapd.conf I have:
> > >   TLSCertificateFile /etc/ssl/ldap.pem
> > >   TLSCertificateKeyFile /etc/openldap/ssl/ldap.pem
> > >   TLSCACertificateFile /etc/ssl/ldap.pem
> > > What do I need to do differently?
> > Create your own CA first? Then sign your own certs with it.
> I don't understand why I must handle certs one way on one server, and another way on the other. The self-signed cert works just fine on the other, and I foresee problems if one is self-signed and the other isn't...

No more than having them both self-signed.

> one day, there's going to be some bizarre SSL issue that'll have me tearing my hair out for a week, until someone finally discovers what's going on and says "You fscking dummy, why the hell are you doing this?"

No more likely than someone asking the same questions about actually using self-signed certs at all.

> And I'm not particularly keen to break the working server so it can be in the same state of borkenness as the one I'm fighting now.
> It would be absolutely fantastic if someone could tell me why one self-signed cert works and the other doesn't.

It would be more fantastic if you could actually provide more details of your environment; up to now we've not known that you have more than one server, and we don't know how your clients are set up.

For example, if you have multiple servers and multiple clients, you really are defeating the point of SSL and increasing your administrative burden by not creating a CA cert.

Now, if you need to re-create a cert, you will have to update the "CA cert" on all clients. If you add another server, you will have to append the new server's cert to the "CA cert".

However, IMHO, this is starting to get off-topic even for this list; almost none of this is specific to OpenLDAP, it would be equally applicable to Apache/Firefox3 or IIS/IE7 (with their new draconian cert validation "features").
Regards, Buchan
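The "create your own CA, then sign each server's cert with it" setup that Quanah and Buchan describe above, as an added example that is not part of the thread. It assumes openssl(1) is on PATH and writes everything to a scratch directory; the host names (ldap1.example.org etc.), the CA name and the slapd.conf/ldap.conf paths in the comments are placeholders. It also builds one cert the way the original `openssl req -x509` command does, to show why that cert does not chain to the CA.

```shell
#!/bin/sh
# Added example (not from the thread): a private CA for slapd so that every
# server cert chains to one CA cert and clients only ever need that one file.
# Assumptions: openssl(1) is on PATH; host names and paths are placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# A minimal openssl config so this does not depend on the system openssl.cnf.
make_config() {
    [ -f "$WORK/openssl.cnf" ] && return 0
    cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Step 1: one CA key and one self-signed CA cert. Keep ca.key off the LDAP servers.
make_ca() {
    make_config
    openssl req -new -x509 -nodes -newkey rsa:2048 -sha256 -days 3650 \
        -config "$WORK/openssl.cnf" -extensions v3_ca \
        -subj "/CN=Example LDAP CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# Step 2: a key and CSR per server, signed by the CA, with a SAN for its name.
make_server_cert() {
    host="$1"
    make_config
    openssl req -new -nodes -newkey rsa:2048 -sha256 \
        -config "$WORK/openssl.cnf" -subj "/CN=$host" \
        -keyout "$WORK/$host.key" -out "$WORK/$host.csr" 2>/dev/null
    cat > "$WORK/$host.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
    openssl x509 -req -sha256 -days 825 -in "$WORK/$host.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/$host.ext" -out "$WORK/$host.pem" 2>/dev/null
}

# What the thread's original command produces: a self-signed server cert
# that chains to nothing but itself.
make_self_signed() {
    host="$1"
    make_config
    openssl req -new -x509 -nodes -newkey rsa:2048 -sha256 -days 3650 \
        -config "$WORK/openssl.cnf" -subj "/CN=$host" \
        -keyout "$WORK/$host.key" -out "$WORK/$host.pem" 2>/dev/null
}

# Step 3: the check a client effectively performs: does the cert chain to ca.pem?
verify_against_ca() {
    openssl verify -CAfile "$WORK/ca.pem" "$WORK/$1.pem" >/dev/null 2>&1
}

cert_issuer() {
    openssl x509 -in "$WORK/$1.pem" -noout -issuer
}

demo() {
    make_ca
    make_server_cert ldap1.example.org
    make_server_cert ldap2.example.org
    make_self_signed ldap3.example.org   # the "other server", done the old way
    for h in ldap1.example.org ldap2.example.org ldap3.example.org; do
        if verify_against_ca "$h"; then
            echo "$h: chains to ca.pem"
        else
            echo "$h: does NOT chain to ca.pem; a client trusting only the CA rejects it"
        fi
    done
    # slapd.conf on each server then names its own key/cert plus the shared CA:
    #   TLSCACertificateFile  /etc/ssl/ca.pem
    #   TLSCertificateFile    /etc/ssl/ldap1.example.org.pem
    #   TLSCertificateKeyFile /etc/openldap/ssl/ldap1.example.org.key
    # and every client needs only:  TLS_CACERT /etc/ssl/ca.pem  (ldap.conf)
}

demo
```

Adding a fourth server then means one more `make_server_cert` run and nothing on the clients; re-issuing a server cert likewise touches only that server. The CA key is the thing to protect: it never needs to be on any slapd host.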