2012/3/5 Gilbert Martin <gilbert.martin@xxxxxxxxx>
Hi All, I've been trying to get SSL working with my LDAP server, but haven't had success. I'm currently implementing a new test environment. Does anyone have some quick and dirty instructions on setting up a CA and SSL certs for my directory server and clients?
From my cheat sheet
The first thing we need to do is create a new key store.
# cd /etc/dirsrv/slapd-directory/
# mv cert8.db key3.db secmod.db /root/
# certutil -N -d .
Then we create your CA.
# certutil -S -n "CA certificate" -s "cn=CA cert,dc=directory,dc=example,dc=com" -2 -x -t "CT,," -m 1000 -v 720 -d . -k rsa
Make sure you say yes to "Is this a CA certificate [y/N]?" and everything else will be default.
Next we create your server cert. Make sure your cn is your FQDN of this server.
# certutil -S -n "directory-Server-Cert" -s "cn=directory.example.com" -c "CA certificate" -t "u,u,u" -m 1001 -v 720 -d . -k rsa
Then check to make sure it looks OK.
# certutil -L -d /etc/dirsrv/slapd-directory/
Create your public CA for your clients.
# certutil -d . -L -n "CA certificate" -a > my-public-ca.asc
In your /etc/dirsrv/slapd-directory/dse.ldif make your nsSSLPersonalitySSL look like the following.
nsSSLPersonalitySSL: directory-Server-Cert
That should be it. You have to restart the directory server after the above steps.
After this configure Directory Server to use SSL.
Set the secure port for the server to use for TLS/SSL communications. In the Configuration area, select the Settings tab, and enter the value in the Encrypted Port field.
- The encrypted port number must not be the same port number used for normal LDAP communications. By default, the standard port number is 389, and the secure port is 636.
- Select the Configuration tab, and then select the top entry in the navigation tree in the left pane. Select the Encryption tab in the right pane.
- Select the Enable SSL for this Server checkbox.
- Check the Use this Cipher Family checkbox.
- Select the certificate to use from the drop-down menu.
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
--
Regards
Arpit Tolani
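An added check, not from the list post, to run before restarting the directory server: it confirms that the CA has the C and T trust flags the post's "-t CT,," gives it, that the nickname in nsSSLPersonalitySSL exists in the key store with a private key, and it takes the certutil listing as text so it also works on saved output. LISTING and DSE_FRAGMENT are constructed samples; the function names are my own.

```shell
#!/bin/sh
# Constructed sample of `certutil -L -d /etc/dirsrv/slapd-directory/` after
# the steps in the post (self-signed CA with key shows its "u" flags too).
LISTING='Certificate Nickname                        Trust Attributes
                                                    SSL,S/MIME,JAR/XPI

CA certificate                                      CTu,u,u
directory-Server-Cert                               u,u,u'

# Constructed dse.ldif fragment carrying the attribute the post sets.
DSE_FRAGMENT='dn: cn=RSA,cn=encryption,cn=config
cn: RSA
nsSSLPersonalitySSL: directory-Server-Cert'

# Print the trust attributes (e.g. CTu,u,u) of one nickname, or nothing if
# the nickname is absent. Nicknames may contain spaces, so the flags are the
# last field and the nickname is everything before them.
trust_flags() {  # $1 = listing text, $2 = nickname
    printf '%s\n' "$1" | awk -v nick="$2" '
        NF >= 2 { flags = $NF; $NF = ""; sub(/[ \t]+$/, "")
                  if ($0 == nick) print flags }'
}

# Succeed only if the SSL field (text before the first comma) of the trust
# attributes in $1 contains every letter listed in $2.
ssl_field_has() {  # $1 = trust attributes, $2 = required letters
    ssl=${1%%,*}; rest=$2
    while [ -n "$rest" ]; do
        c=${rest%"${rest#?}"}; rest=${rest#?}
        case $ssl in *"$c"*) ;; *) return 1 ;; esac
    done
    return 0
}

# Return 0 when: nsSSLPersonalitySSL is set, the CA is trusted to issue server
# certs (C and T), and the named server cert is present with a key (u).
check_dirsrv_tls() {  # $1 = listing text, $2 = CA nickname, $3 = dse.ldif text
    personality=$(printf '%s\n' "$3" | sed -n 's/^nsSSLPersonalitySSL: *//p')
    [ -n "$personality" ] || { echo "nsSSLPersonalitySSL not set"; return 1; }
    ca=$(trust_flags "$1" "$2")
    ssl_field_has "$ca" CT || { echo "CA '$2' lacks C/T trust: '$ca'"; return 1; }
    srv=$(trust_flags "$1" "$personality")
    ssl_field_has "$srv" u || { echo "'$personality' missing or has no key: '$srv'"; return 1; }
    echo "ok: $personality with private key, issued under trusted '$2'"
}

check_dirsrv_tls "$LISTING" "CA certificate" "$DSE_FRAGMENT"
```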