Le 23/08/2019 à 16:52, Marc Muehlfeld a écrit :
> According to the "certutil --help" output, use
>> -v months-valid Months valid (default is 3)
> when you create the certificate.
OK, indeed. Thanks.
I put together a little shell script to issue a self-signed SSL
certificate for 389 DS under CentOS 7, which works.
--8<------------------------------------------------------------------
#!/bin/bash
#
# 389-ds-cert.sh
#
# Nicolas Kovacs, 2019
#
# Créer un certificat SSL auto-signé pour 389 Directory Server.
HOST=$(hostname -s)
FQDN=$(hostname --fqdn)
openssl rand -out /tmp/noise.bin 4096
certutil -S -x -d /etc/dirsrv/slapd-${HOST} \
-z /tmp/noise.bin \
-n "server-cert" \
-s "CN=${FQDN}" \
-t "CT,C,C" \
-m $RANDOM \
-v 120 \
--keyUsage
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
echo
exit 0
--8<------------------------------------------------------------------
I also enabled secure connections in the console.
My desktop clients are running OpenSUSE Leap 15.1.
So far I've managed to configure them so they can get user credentials
from ldap://amandine:389.
But when I try to configure them to use the secure connection via
ldaps://amandine:636, it fails.
I *think* it is because my certificate is self-signed and not trusted.
Before I try to do things in a completely different manner, is there a
KISS (Keep It Simple Stupid) approach to use a self-signed certificate
for a secure connection ? Any suggestions for that ?
Don't forget, I only have a small network in our local school, so I
prefer sticking to the KISS principle and not use a sledgehammer to
drive a nail into a wall.
>
>
> Instead of using only a self-signed cert, wouldn't it make more sense to
> 1) create your own CA
> 2) create a CSR using certutil (see RHDS docs, section 9.3.2)
> 3) let your CA issue the cert
> 4) import the CA cert (see RHDS docs, section 9.3.3)
> 5) import the server cert (see RHDS docs, section 9.3.4)
> 6) install the CA cert on your clients (not yet in RHDS 10 docs,
> but I can easily backport the content)
I'll check this out when my more bone-headed approach fails.
Cheers,
Niki
--
Microlinux - Solutions informatiques durables
7, place de l'église - 30730 Montpezat
Site : https://www.microlinux.fr
Mail : info@xxxxxxxxxxxxx
Tél. : 04 66 63 10 32
Mob. : 06 51 80 12 12
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
