Vijay,
This may help.
Check that each file is properly readable
Best
--- Olivier
---------- Forwarded message ----------
From: Olivier ldap@guillard.nom.fr
Date: Thu, Aug 11, 2011 at 2:23 PM
Subject: tls extra mini howto
To: openldap-technical@openldap.org
Having spent quite some time making TLS work, I thought this may be useful to some:
1/ Create a self-signed CA certificate:
a/ create the CA.key private key:
$ openssl genrsa -des3 -out CA.key 1024
b/ create the CA.crt certificate:
$ openssl req -new -key CA.key -x509 -days 1095 -out CA.crt
2/ for each ldap server (if you have more than one) create a certificate:
a/ create the server.key private key:
$ openssl genrsa -out server.key
b/ create a server.csr certificate request:
$ openssl req -new -key server.key -out server.csr
c/ create the server.crt certificate signed by your own CA:
$ openssl x509 -req -days 2000 -in server.csr -CA CA.crt -CAkey CA.key -CAcreateserial -out server.crt
3/ configure slapd.conf (the correct "server.key" and "server.crt" files must be copied onto each server):
TLSCACertificateFile /etc/openldap/cacerts/CA.crt
TLSCertificateFile /etc/openldap/cacerts/server.crt
TLSCertificateKeyFile /etc/openldap/cacerts/server.key
TLSCipherSuite HIGH:MEDIUM:+SSLv2
# personally, I only check servers from the client.
# If you do too, add this:
TLSVerifyClient never
4/ on clients:
copy CA.crt to the right place (normally it should be somewhere in /etc/pki..), and add this in ldap.conf:
TLS_CACERT /etc/openldap/cacerts/CA.crt
If you use sssd, add this in /etc/sssd/sssd.conf:
ldap_tls_cacert = /etc/openldap/cacerts/CA.crt
ldap_tls_reqcert = demand
Then you can test using ldapsearch with -Z.
Best
--- Olivier
NOTE: I haven't been able to make it work with Mozilla certutil.
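As an added example (not part of Olivier's mail), the POSIX shell script below runs the howto's steps 1/ and 2/ non-interactively against a scratch directory and then performs the checks worth doing before the files are copied onto the slapd hosts: the signed certificate chains to CA.crt, server.key really belongs to server.crt, and the key file is readable by its owner only. The omitted CA passphrase (-des3), the 2048-bit key size and the subject names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original mail. Builds a throwaway CA and a
# server certificate with the same openssl steps as the howto, then runs
# the checks worth doing before copying the files onto a slapd host.
# Assumptions: CA passphrase (-des3) omitted so it runs non-interactively;
# 2048-bit keys; the subject names are made up.

# Steps 1/ and 2/ of the howto, non-interactive, in directory $1.
make_test_pki() {
    d=$1
    openssl genrsa -out "$d/CA.key" 2048 2>/dev/null
    openssl req -new -key "$d/CA.key" -x509 -days 1095 \
        -subj "/CN=Test LDAP CA" -out "$d/CA.crt"
    openssl genrsa -out "$d/server.key" 2048 2>/dev/null
    openssl req -new -key "$d/server.key" \
        -subj "/CN=ldap.example.test" -out "$d/server.csr"
    # CN only, as in the howto; modern clients also expect a subjectAltName,
    # which 'openssl x509 -req' would take from an -extfile.
    openssl x509 -req -days 2000 -in "$d/server.csr" -CA "$d/CA.crt" \
        -CAkey "$d/CA.key" -CAcreateserial -out "$d/server.crt" 2>/dev/null
}

# Does server.crt chain to CA.crt? The output text is matched because
# pre-1.1.0 'openssl verify' exits 0 even when verification fails.
verify_chain() {
    openssl verify -CAfile "$1/CA.crt" "$1/server.crt" 2>/dev/null | grep -q ': OK$'
}

# Does server.key belong to server.crt? Compares the RSA modulus of both;
# a mismatch is a common cause of slapd refusing to start after the files
# were copied around between servers.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1/server.key" 2>/dev/null)
    c=$(openssl x509 -noout -modulus -in "$1/server.crt" 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# The private key must be readable by the account running slapd and by
# nobody else: no group or other permission bits at all.
check_key_perms() {
    [ -r "$1" ] && [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}
```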