In order to be an SSL server, the slave must have a server cert/key and CA cert.
In order to be an SSL client, the master must have just the CA cert.
Can anyone provide the commands for this, and I'll add it to the SSL howto; this isn't well explained anywhere. Here's what I ran into:
I create a CA cert and server cert on the master, and after exporting the CA cert I import it into the slave. How should I generate a server cert on the slave? I also notice the trust attributes are different from the CA cert on the master:
[root@ldapslave slapd-ldapslave]# certutil -A -d . -n "CA certificate" -t "CTu,u,u" -a -i cacert.asc
[root@ldapslave slapd-ldapslave]# certutil -d . -L
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
CA certificate CT,,
How can I generate a server cert on the slave now? Using the following command fails because it doesn't have the matching private key for the CA:
certutil -S -n "Server-Cert" -s "cn=ldapslave.mydomain.com" -c "CA certificate" -t "u,u,u" -m 1002 -v 120 -d . -k rsa
certutil: unable to retrieve key CA certificate: The private key for this certificate cannot be found in key database
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
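The usual NSS certutil flow for a replica whose CA key stays on the master, as an added example that is not from the thread or from the 389 project: generate the key pair and a CSR in the slave's database, sign the CSR on the master, then import the issued cert back on the slave. The nicknames and hostname are taken from the post above; the database paths, the empty-password databases, the CA subject and the serial numbers are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): issue a server cert for the slave from
# the CA that lives only in the master's NSS database. Assumed: two NSS
# databases created here without a password; "CA certificate", "Server-Cert"
# and ldapslave.mydomain.com are the values from the post, the rest is constructed.
set -eu

MASTER_DB="${MASTER_DB:-./master-db}"
SLAVE_DB="${SLAVE_DB:-./slave-db}"
CA_NICK="CA certificate"
SLAVE_HOST="ldapslave.mydomain.com"

# Password-less NSS database plus a noise file so key generation never prompts.
init_db() {
    mkdir -p "$1"
    certutil -N -d "$1" --empty-password
    head -c 1024 /dev/urandom > "$1/noise.bin"
}

# Master only: self-signed CA; its private key never leaves this database.
master_create_ca() {
    certutil -S -d "$MASTER_DB" -n "$CA_NICK" -s "cn=Replication CA" -x \
        -t "CT,," -m 1000 -v 120 -k rsa -g 2048 -z "$MASTER_DB/noise.bin"
    certutil -L -d "$MASTER_DB" -n "$CA_NICK" -a > cacert.asc   # cert only, no key
}

# Slave: trust the CA, then create the key pair here; only the CSR leaves.
# "CT,," is what -L prints even if "CTu,u,u" was requested, because the "u"
# flag is only shown when the matching private key is present in the database.
slave_make_csr() {
    certutil -A -d "$SLAVE_DB" -n "$CA_NICK" -t "CT,," -a -i cacert.asc
    certutil -R -d "$SLAVE_DB" -s "cn=$SLAVE_HOST" -k rsa -g 2048 \
        -z "$SLAVE_DB/noise.bin" -a -o slave.csr
}

# Master: sign the CSR with the CA key. This is the step that needs the key the
# slave's database does not have, which is why "certutil -S -c" failed there.
master_sign_csr() {
    certutil -C -d "$MASTER_DB" -c "$CA_NICK" -a -i slave.csr -o slave.crt \
        -m "${1:-1002}" -v 120
}

# Slave: import the issued cert. NSS pairs it with the private key by public
# key; the grep fails if no key matched, i.e. the CSR came from another database.
slave_import_cert() {
    certutil -A -d "$SLAVE_DB" -n "Server-Cert" -t ",," -a -i slave.crt
    certutil -K -d "$SLAVE_DB" | grep -q "Server-Cert"
}

run_all() {
    init_db "$MASTER_DB"; init_db "$SLAVE_DB"
    master_create_ca; slave_make_csr; master_sign_csr 1002; slave_import_cert
}
```

Run `run_all` from a scratch directory; afterwards `certutil -L -d "$SLAVE_DB"` shows the CA as `CT,,` and `Server-Cert` as `u,u,u`, the same layout the master has for its own server cert.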