John Mancuso wrote: > Two questions: > > 1. I have generated self-signed ssl/ca certs trying both the > "certutil" method from the redhat doc and also the standard "openssl > x509 req -new" method. After installing the certs and enabling secure > ldaps replication both result in > > slapi_ldap_bind - Error: could not send bind request for id > [cn=replication manager,cn=config] mech [SIMPLE]: error 81 (Can't > contact LDAP server) -8172 (Peer's certificate issuer has been marked > as not trusted by the user.) 11 (Resource temporarily unavailable) > > Is there a known issue with self-signed certs? No, they work fine. Did you add the CA certificate that signed the server certificate as well? You can verify that the certificate is ok on the server with: certutil -V -u V -d /etc/dirsrv/slapd-<YOUR_INSTANCE> You are probably just missing the CA certificate. If you have it in PEM format you can add it via the command-line with: certutil -A -d /etc/dirsrv/slapd-<YOUR_INSTANCE> -n 'Your CA' -t CT,, -a < /path/to/ca.pem The 'Your CA' here is the nickname of the CA certificate. It is how it will appear in the DS console and using certutil -L. Pick something meaningful to you. > 2. If there is an issue with the above, we may end up purchasing a > wildcard cert for replicating across subdomains. I know in the HTML > world some web browsers complain about ssl wildcard certs across > subdomains. Any possible issues with this approach? > > ldaps://supplier_ldap.mycompany.com----> ldaps://consumer_ldap.dev.mycompany.com A wildcard cert will work but its probably overkill to buy one just for this purpose. self-signed certificates will work fine. rob
