Hi,
I've been tasked to enable ssl/tls on ldap. The server already has a certificate and key file. After looking at documentation, these are the three files that are needed
In the ldap.conf file:
TLSCertificateFile /etc/openldap/servercrt.pem
TLSCertificateKeyFile /etc/openldap/serverkey.pem
TLSCACertificateFile /etc/openldap/cacert.pem
I already have the TLSCertificateFile and TLSCertificateKeyFile but I don't have the TLSCACertificateFile. Is that something I have to generate?
Rod
On 04/22/2013 09:40 PM, Rodney Simioni wrote: [snip]
I already have the TLSCertificateFile and TLSCertificateKeyFile but I don’t have the TLSCACertificateFile. Is that something I have to generate?
Check who signed the TLSCertificateFile and download it from them.
Regards, Patrick
On Apr 22, 2013, at 12:40 PM, Rodney Simioni wrote:
Hi, I’ve been tasked to enable ssl/tls on ldap. The server already has a certificate and key file. After looking at documentation, these are the three files that are needed
In the ldap.conf file:
TLSCertificateFile /etc/openldap/servercrt.pem
TLSCertificateKeyFile /etc/openldap/serverkey.pem
TLSCACertificateFile /etc/openldap/cacert.pem
I already have the TLSCertificateFile and TLSCertificateKeyFile but I don’t have the TLSCACertificateFile. Is that something I have to generate?
If you're willing to accept any old certificate, and in fact not even bother checking certificates, then no (TLS_REQCERT never).
If you've been tasked to enable ssl/tls you might actually want to learn how certificates work, as this really is not an OpenLDAP question.
Craig
On 2013-04-22 21:40, Rodney Simioni wrote:
Hi,
I've been tasked to enable ssl/tls on ldap. The server already has a certificate and key file. After looking at documentation, these are the three files that are needed
In the ldap.conf file:
TLSCertificateFile /etc/openldap/servercrt.pem
TLSCertificateKeyFile /etc/openldap/serverkey.pem
TLSCACertificateFile /etc/openldap/cacert.pem
Those are for slapd.conf (old-style server config), not for ldap.conf (client config). In ldap.conf, use TLS_CACERT or maybe TLS_CACERTDIR. See man ldap.conf.
Do *not* give the keyfile to clients. If anyone gets hold of it, they can impersonate the server. If anyone may have gotten hold of it, revoke the certificate and get a new one. Just like you must switch password if your password gets into the wrong hands.
I already have the TLSCertificateFile and TLSCertificateKeyFile but I don't have the TLSCACertificateFile. Is that something I have to generate?
No. You received it along with your certificate. It's the certificate which signed it. This is the one you put in ldap.conf:TLS_CACERT, so clients can verify your certificate.
Without it, clients can't verify - which means they don't know if they have a connection to your server or to a hostile one.
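The checks the replies describe, as an added example that is not part of the thread: Patrick's advice to read the issuer off the server certificate to find out which CA cert belongs in TLS_CACERT, and the last reply's point that clients verify the server certificate against that CA cert. The script builds a throwaway CA and server certificate in a temporary directory (constructed test material, so it runs offline), then shows how to find the signer, detect a self-signed certificate, verify the chain the way a client with TLS_REQCERT demand would, and confirm that serverkey.pem actually belongs to servercrt.pem. The file names mirror the ones in Rod's question; the CA name and hostname are made up.

```shell
#!/bin/sh
# Added example, not from the thread. Requires the openssl command-line tool.
set -eu

WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT

CA_KEY="$WORKDIR/cakey.pem"
CA_CRT="$WORKDIR/cacert.pem"      # what TLS_CACERT (client) should point at
SRV_KEY="$WORKDIR/serverkey.pem"  # TLSCertificateKeyFile: stays on the server only
SRV_CSR="$WORKDIR/server.csr"
SRV_CRT="$WORKDIR/servercrt.pem"  # TLSCertificateFile

# Constructed test PKI: a private CA and one server certificate it signs.
# On a real server you already have servercrt.pem/serverkey.pem; skip this step.
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$CA_KEY" -out "$CA_CRT" -subj "/CN=Example Test CA" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$SRV_KEY" -out "$SRV_CSR" -subj "/CN=ldap.example.test" >/dev/null 2>&1
  openssl x509 -req -in "$SRV_CSR" -CA "$CA_CRT" -CAkey "$CA_KEY" \
    -CAcreateserial -days 1 -out "$SRV_CRT" >/dev/null 2>&1
}

# Patrick's check: who signed the server certificate? The CA certificate you
# need is the one whose subject equals this issuer. Prefix stripping copes
# with both "issuer= /CN=..." (old openssl) and "issuer=CN = ..." (new).
cert_issuer()  { openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer= *//'; }
cert_subject() { openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//'; }

# A self-signed certificate has issuer == subject. In that case the server
# certificate itself is the CA certificate clients must trust.
is_self_signed() { [ "$(cert_issuer "$1")" = "$(cert_subject "$1")" ]; }

# Does the server certificate chain to the CA certificate? This is the
# verification a client configured with TLS_REQCERT demand performs on every
# connection; with TLS_REQCERT never it is skipped and any certificate passes.
chain_verifies() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

# Does the private key belong to the certificate? Compare the public keys
# rather than trusting the file names.
key_matches_cert() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Stand-alone run: build the test PKI and report each check.
report() {
  make_test_pki
  echo "server cert issuer : $(cert_issuer "$SRV_CRT")"
  echo "CA cert subject    : $(cert_subject "$CA_CRT")"
  if is_self_signed "$SRV_CRT"; then echo "server cert is self-signed"; fi
  if chain_verifies "$SRV_CRT" "$CA_CRT"; then echo "chain verifies against CA cert"; fi
  if key_matches_cert "$SRV_CRT" "$SRV_KEY"; then echo "private key matches certificate"; fi
}

report
```

Run it against the real files by pointing `SRV_CRT`, `SRV_KEY` and the candidate `CA_CRT` at them and skipping `make_test_pki`. If `chain_verifies` fails, the candidate CA cert is not the signer (or an intermediate is missing), and clients given that file in `TLS_CACERT` will refuse the connection rather than connect to an unverified server.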
openldap-technical@openldap.org