Re: [389-users] ssl replication

On 05/19/2011 11:18 AM, solarflow99 wrote:
The SSL roles are _opposite_ the master/slave roles.  The master pushes changes to the slave.  So in this instance, the _slave_ is the SSL _server_, and the _master_ is the SSL _client_.
In order to be an SSL server, the slave must have a server cert/key and CA cert.
In order to be an SSL client, the master must have just the CA cert.


Can anyone provide the commands for this, and I'll add it to the SSL howto; this isn't well explained anywhere.  Here's what I ran into:
I create a CA cert and server cert on the master, and after exporting the CA cert, I import it into the slave. How should I generate a server cert on the slave?   I also notice the trust flags are different from the CA cert on the master:


[root@ldapslave slapd-ldapslave]# certutil -A -d . -n "CA certificate" -t "CTu,u,u" -a -i cacert.asc
[root@ldapslave slapd-ldapslave]# certutil -d . -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CA certificate                                               CT,,
  

How can I generate a server cert on the slave now?  Using the following command fails because it doesn't have the matching private key for the CA:

certutil -S -n "Server-Cert" -s "cn=ldapslave.mydomain.com" -c "CA certificate" -t "u,u,u" -m 1002 -v 120 -d . -k rsa

     certutil: unable to retrieve key CA certificate: The private key for this certificate cannot be found in key database

You can use certutil on the master to make a cert for the slave, using the above command on the master.  Then, use pk12util to export the slave cert/key, then take that pk12 file to the slave and use pk12util to import it (and use certutil to import the CA cert).
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
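The procedure Rich describes, carried through end to end as an added example (this is not code from the thread or from the 389 project). It runs against scratch NSS databases under a temporary directory instead of /etc/dirsrv/slapd-<instance>, so it can be tried on any box with nss-tools installed. Everything named here is an assumption for the demo: the slave hostname ldapslave.mydomain.com, the nickname "ldapslave-cert" for the slave's cert on the master (a real master already has its own "Server-Cert"), the db and PKCS#12 passwords, and the 2048-bit RSA / SHA-256 choices. The "-2" answers for the CA are CA=y, no path-length limit, critical=y.

```shell
#!/bin/sh
# Added example, not from the thread or 389 DS: issue the slave's server cert on
# the master (the only host holding the CA key), carry cert+key to the slave in a
# PKCS#12 bundle, trust the CA on the slave, then check the result with certutil.
# $1 is a scratch directory; "master" and "slave" below are its two NSS db dirs.
set -eu

# Scratch "hosts": one NSS db per server, separate db passwords, a PKCS#12
# transport password, and a noise file so key generation never prompts.
setup_dirs() {
    work=$1
    mkdir -p "$work/master" "$work/slave"
    chmod 700 "$work/master" "$work/slave"
    printf '%s\n' 'master-db-secret' > "$work/master-pw.txt"
    printf '%s\n' 'slave-db-secret' > "$work/slave-pw.txt"
    printf '%s\n' 'p12-transport-secret' > "$work/p12-pw.txt"
    chmod 600 "$work"/*-pw.txt
    head -c 64 /dev/urandom > "$work/noise"
}

# Master: new db plus a self-signed CA whose private key lives only here.
# -2 adds basicConstraints (piped answers: CA=y, no path limit, critical=y).
# The CA's public cert is exported as PEM for the slave.
make_master_ca() {
    work=$1
    certutil -N -d "$work/master" -f "$work/master-pw.txt"
    printf 'y\n\ny\n' | certutil -S -d "$work/master" -f "$work/master-pw.txt" \
        -z "$work/noise" -n "CA certificate" -s "cn=Example LDAP CA" \
        -x -t "CT,," -m 1 -v 120 -k rsa -g 2048 -Z SHA256 -2
    certutil -L -d "$work/master" -n "CA certificate" -a > "$work/cacert.asc"
}

# Master: issue the slave's server cert, signed with the CA key the slave does
# not have (this is the step that fails when run on the slave). A distinct
# nickname keeps it apart from the master's own Server-Cert (assumed name).
issue_slave_cert() {
    work=$1
    certutil -S -d "$work/master" -f "$work/master-pw.txt" -z "$work/noise" \
        -n "ldapslave-cert" -s "cn=ldapslave.mydomain.com" -c "CA certificate" \
        -t "u,u,u" -m 1002 -v 120 -k rsa -g 2048 -Z SHA256
}

# Master: bundle the slave's cert and private key into a password-protected
# PKCS#12 file. This file carries a private key: move it with scp, not mail.
export_slave_p12() {
    work=$1
    pk12util -o "$work/ldapslave.p12" -n "ldapslave-cert" -d "$work/master" \
        -k "$work/master-pw.txt" -w "$work/p12-pw.txt"
    chmod 600 "$work/ldapslave.p12"
}

# Slave: new db, import cert+key from the bundle, then import the CA cert with
# "CT,," so the slave trusts it for SSL server and client certs. No "u" is
# typed: certutil shows u only where the matching private key is present.
import_on_slave() {
    work=$1
    certutil -N -d "$work/slave" -f "$work/slave-pw.txt"
    pk12util -i "$work/ldapslave.p12" -d "$work/slave" \
        -k "$work/slave-pw.txt" -w "$work/p12-pw.txt"
    certutil -A -d "$work/slave" -n "CA certificate" -t "CT,," -a -i "$work/cacert.asc"
    rm -f "$work/ldapslave.p12"   # bundle holds the key; do not leave it behind
}

# Slave: the two checks worth running before enabling SSL. Non-zero exit if
# the key is missing or the cert does not validate (signature checked, -e)
# for SSL server use (-u V) against the CA trusted in this db.
verify_slave() {
    work=$1
    certutil -K -d "$work/slave" -f "$work/slave-pw.txt" | grep -q 'ldapslave-cert'
    certutil -V -d "$work/slave" -n "ldapslave-cert" -u V -e
}

# Whole procedure; ends with the slave's listing (CA as CT,, and the slave
# cert as u,u,u).
ssl_repl_demo() {
    work=$1
    setup_dirs "$work"
    make_master_ca "$work"
    issue_slave_cert "$work"
    export_slave_p12 "$work"
    import_on_slave "$work"
    verify_slave "$work"
    certutil -L -d "$work/slave"
}

if command -v certutil >/dev/null 2>&1 && command -v pk12util >/dev/null 2>&1; then
    ssl_repl_demo "$(mktemp -d)"
else
    echo "certutil/pk12util not found: install nss-tools (Fedora/RHEL) or libnss3-tools (Debian)" >&2
fi
```

Two things this makes visible. The trust columns in certutil -L are not a copy of what you typed with -t: the "u" flags are derived from whether the private key for that cert is in the key db, which is why the CA shows "CTu,u,u" on the master (where its key is) and "CT,," on the slave (where it is not), and why the slave's own cert shows "u,u,u" after the pk12util import. And the nickname travels with the PKCS#12 bundle: 389 DS looks for the nickname named by nsSSLPersonalitySSL (default Server-Cert) under cn=RSA,cn=encryption,cn=config, so either issue the slave's cert under that nickname on the master or point the slave's nsSSLPersonalitySSL at the nickname you used. The master, as the SSL client for the push, needs only the CA cert, which it already holds.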
