Vijay,
This may help.
Check that each file is properly readable
Best
--- Olivier
---------- Forwarded message ---------- From: Olivier ldap@guillard.nom.fr Date: Thu, Aug 11, 2011 at 2:23 PM Subject: tls extra mini howto To: openldap-technical@openldap.org
Having spent quite some time to make a TLS work I thought this may be usefull to some :
1/ Create a self CA certificate :
a/ create the CA.key private key :
$ openssl genrsa -des3 -out CA.key 1024
b/ create the CA.crt certificate :
$ openssl req -new -key CA.key -x509 -days 1095 -out CA.crt
2/ for each ldap server (if you have more than one) create a certificat :
a/ create the server.key private key :
openssl genrsa -out server.key
b/ create a server.csr certificate request:
openssl req -new -key server.key -out server.csr
c/ create the server.crt certificate signed by your own CA :
openssl x509 -req -days 2000 -in server.csr -CA CA.crt -CAkey CA.key -CAcreateserial -out server.crt
3/ configure slapd.conf ( the correct "server.key" and "server.crt" files must be copied on each server):
TLSCACertificateFile /etc/openldap/cacerts/CA.crt TLSCertificateFile /etc/openldap/cacerts/server.crt TLSCertificateKeyFile /etc/openldap/cacerts/server.key TLSCipherSuite HIGH:MEDIUM:+SSLv2
# personnally, I only check servers from client. # If you do, add this : TLSVerifyClient never
4/ on clients :
copy CA.crt to the right place ( normally should be somewhere in /etc/pki..), and add this in ldap.conf :
TLS_CACERT /etc/openldap/cacerts/CA.crt
If you use sssd, add this in /etc/sssd/sssd.conf :
lldap_tls_cacert = /etc/openldap/cacerts/CA.crt ldap_tls_reqcert = demand
Then you can test using ldapsearch with -Z
Best
--- Olivier
NOTE : I have'nt been able to make it work with mozilla certutil