Hello,
I would like to swap my self-signed certificate including CA, cert and key with a new set of CA, cert and key files on my OpenLDAP 2.4.31 master and replica servers. What would be the best way to achieve that? Can I simply run an ldapmodify with the new values and then restart slapd? Is it as easy as that or are there any pitfalls I should take care of?
Thank you in advance for your comments.
Regards ML
On 18-04-16 23:14, ML mail wrote:
> Hello,
> I would like to swap my self-signed certificate including CA, cert and key with a new set of CA, cert and key files on my OpenLDAP 2.4.31 master and replica servers. What would be the best way to achieve that? Can I simply run an ldapmodify with the new values and then restart slapd? Is it as easy as that or are there any pitfalls I should take care of?
> Thank you in advance for your comments.
> Regards ML
Don't know if this is the best method but in my OpenLDAP config I have generic filenames for the CA, cert & key and then symlink them to the real certificates. For example:
olcTLSCACertificateFile: /etc/pki/tls/certs/openldap_ca.crt

# ls -l /etc/pki/tls/certs/
...
lrwxrwxrwx. 1 root root 3826 mrt 3 22:24 /etc/pki/tls/certs/openldap_ca.crt -> /etc/pki/tls/certs/my_real_CA.crt
...
If I need to update the certificates I just switch the symlinks over to the new certificates and restart OpenLDAP.
If you have SELinux enabled, make sure that the new certificates have the proper security contexts before switching symlinks and restarting OpenLDAP.
HTH, Patrick
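An added example (not from the thread or from the OpenLDAP project) of the symlink swap described above as a checked, atomic operation: it assumes the generic link names openldap_ca.crt, openldap.crt and openldap.key in one directory, GNU coreutils (`stat -c`, `mv -T`), and uses openssl only if it is installed to confirm the key matches the cert and the cert chains to the CA before any link is touched.

```shell
#!/bin/sh
# Added example, not from the thread: repoint the generic symlinks that
# slapd's olcTLS* attributes reference (names assumed: openldap_ca.crt,
# openldap.crt, openldap.key) to a new CA/cert/key set. Nothing is changed
# unless every precondition holds; each link is then replaced atomically.
set -u

# swap_tls_links LINKDIR NEW_CA NEW_CERT NEW_KEY  -> 0 on success, 1 otherwise
swap_tls_links() {
    linkdir=$1 new_ca=$2 new_cert=$3 new_key=$4
    for f in "$new_ca" "$new_cert" "$new_key"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    done
    # The private key must not be group- or world-readable (GNU stat).
    case $(stat -c %a "$new_key") in
        ?00) ;;
        *) echo "key $new_key is group/world readable" >&2; return 1 ;;
    esac
    if command -v openssl >/dev/null 2>&1; then
        # Key must match the certificate, and the certificate must chain to
        # the CA; a mismatch here would leave slapd refusing to start later.
        [ "$(openssl x509 -noout -pubkey -in "$new_cert")" = \
          "$(openssl pkey -pubout -in "$new_key")" ] \
            || { echo "key does not match certificate" >&2; return 1; }
        openssl verify -CAfile "$new_ca" "$new_cert" >/dev/null 2>&1 \
            || { echo "certificate does not verify against CA" >&2; return 1; }
    fi
    # Create a temporary link and rename it over the old one: rename(2) is
    # atomic, so slapd never sees a missing file if restarted mid-way.
    for pair in "openldap_ca.crt:$new_ca" "openldap.crt:$new_cert" "openldap.key:$new_key"; do
        link=$linkdir/${pair%%:*} target=${pair#*:}
        ln -sfn "$target" "$link.tmp" && mv -T "$link.tmp" "$link" || return 1
    done
    return 0
}

# current_target LINK -> prints what LINK points to (used to confirm the swap)
current_target() { readlink "$1"; }
```

Run it as root on the directory the olcTLS* attributes point at, then restart slapd; on SELinux hosts set the contexts on the new files first, as noted above.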
Thanks Patrick for your suggestion about the symlink, I like it as it does not involve messing up my OpenLDAP installation by changing the base config...
Regards ML
On Tuesday, April 19, 2016 10:06 AM, Patrick Laimbock <patrick@laimbock.com> wrote:
> On 18-04-16 23:14, ML mail wrote:
>> Hello,
>> I would like to swap my self-signed certificate including CA, cert and key with a new set of CA, cert and key files on my OpenLDAP 2.4.31 master and replica servers. What would be the best way to achieve that? Can I simply run an ldapmodify with the new values and then restart slapd? Is it as easy as that or are there any pitfalls I should take care of?
>> Thank you in advance for your comments.
>> Regards ML
> Don't know if this is the best method but in my OpenLDAP config I have generic filenames for the CA, cert & key and then symlink them to the real certificates. For example:
> olcTLSCACertificateFile: /etc/pki/tls/certs/openldap_ca.crt
>
> # ls -l /etc/pki/tls/certs/
> ...
> lrwxrwxrwx. 1 root root 3826 mrt 3 22:24 /etc/pki/tls/certs/openldap_ca.crt -> /etc/pki/tls/certs/my_real_CA.crt
> ...
> If I need to update the certificates I just switch the symlinks over to the new certificates and restart OpenLDAP.
> If you have SELinux enabled, make sure that the new certificates have the proper security contexts before switching symlinks and restarting OpenLDAP.
> HTH, Patrick
openldap-technical@openldap.org