On 23/08/2019 at 16:52, Marc Muehlfeld wrote:
> According to the "certutil --help" output, use
>> -v months-valid Months valid (default is 3)
> when you create the certificate.

OK, indeed. Thanks.

I put together a little shell script to issue a self-signed SSL certificate for 389 DS under CentOS 7, which works.

--8<------------------------------------------------------------------
#!/bin/bash
#
# 389-ds-cert.sh
#
# Nicolas Kovacs, 2019
#
# Create a self-signed SSL certificate for 389 Directory Server.

set -e

HOST=$(hostname -s)
FQDN=$(hostname --fqdn)

# Entropy for key generation, so certutil does not prompt for keyboard input.
openssl rand -out /tmp/noise.bin 4096

# Self-signed (-x) server certificate written straight into the instance's
# NSS database. Trust flags CT,C,C make the cert its own trust anchor.
# The serial comes from $RANDOM (0-32767); -v 120 means 120 months validity.
certutil -S -x -d "/etc/dirsrv/slapd-${HOST}" \
  -z /tmp/noise.bin \
  -n "server-cert" \
  -s "CN=${FQDN}" \
  -t "CT,C,C" \
  -m "$RANDOM" \
  -v 120 \
  --keyUsage digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment

rm -f /tmp/noise.bin

echo
exit 0
--8<------------------------------------------------------------------

I also enabled secure connections in the console.

My desktop clients are running OpenSUSE Leap 15.1. So far I've managed to configure them so they can get user credentials from ldap://amandine:389. But when I try to configure them to use the secure connection via ldaps://amandine:636, it fails. I *think* it is because my certificate is self-signed and not trusted.

Before I try to do things in a completely different manner, is there a KISS (Keep It Simple Stupid) approach to using a self-signed certificate for a secure connection? Any suggestions for that?

Don't forget, I only have a small network in our local school, so I prefer sticking to the KISS principle and not using a sledgehammer to drive a nail into a wall.
>
> Instead of using only a self-signed cert, wouldn't it make more sense to
> 1) create your own CA
> 2) create a CSR using certutil (see RHDS docs, section 9.3.2)
> 3) let your CA issue the cert
> 4) import the CA cert (see RHDS docs, section 9.3.3)
> 5) import the server cert (see RHDS docs, section 9.3.4)
> 6) install the CA cert on your clients (not yet in RHDS 10 docs,
>    but I can easily backport the content)

I'll check this out when my more bone-headed approach fails.

Cheers,

Niki

-- 
Microlinux - Sustainable IT solutions
7, place de l'église - 30730 Montpezat
Website: https://www.microlinux.fr
Mail: info@xxxxxxxxxxxxx
Tel.: 04 66 63 10 32
Mob.: 06 51 80 12 12
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
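The six-step "own CA" route Marc quotes above, scripted with certutil and openssl as an added example (not code from the thread or from the 389 DS project). It assumes a throwaway CA database directory that the script creates, a server NSS database that opens without a PIN (a live 389 DS instance keeps its PIN in pin.txt, so add -f there), the nicknames local-ca and Server-Cert chosen here, and amandine as the server name from the message.

```shell
#!/bin/sh
# Added example, not code from the thread: Marc's six steps with certutil.
# Assumed layout: $1 of make_local_ca is a throwaway NSS DB holding only the
# CA key (created here, root-only); the server DB is the 389 DS instance DB,
# e.g. /etc/dirsrv/slapd-amandine. A live instance DB is PIN-protected, so
# add "-f <password file>" to the certutil calls that open it.
set -eu

make_local_ca() {          # $1 = CA DB dir, $2 = CA subject DN
    mkdir -p "$1" && chmod 700 "$1"
    certutil -N -d "$1" --empty-password
    openssl rand -out "$1/noise.bin" 4096
    # -2 adds basicConstraints and asks three questions on stdin:
    # CA? (y), path length (none), critical? (y). -x: self-signed root.
    printf 'y\n\ny\n' | certutil -S -x -d "$1" -z "$1/noise.bin" \
        -n local-ca -s "$2" -t "CT,C,C" -m 1 -v 120 -2 \
        --keyUsage certSigning,crlSigning >/dev/null
    certutil -L -d "$1" -n local-ca -a > "$1/ca.pem"   # the file clients get
    rm -f "$1/noise.bin"
}

issue_server_cert() {      # $1 = CA DB, $2 = server DB, $3 = FQDN, $4 = serial
    openssl rand -out "$2/noise.bin" 4096
    # Step 2: key pair and CSR are generated inside the server's own DB,
    # so the private key never leaves it.
    certutil -R -d "$2" -z "$2/noise.bin" -s "CN=$3" -g 2048 -o "$2/server.req"
    # Step 3: the CA signs the request: one year, caller-chosen unique serial.
    certutil -C -d "$1" -c local-ca -i "$2/server.req" -o "$2/server.der" \
        -m "$4" -v 12 --keyUsage digitalSignature,keyEncipherment \
        --extKeyUsage serverAuth
    # Steps 4 and 5: CA cert (trusted to issue SSL server certs) and the
    # issued cert go into the server DB; NSS pairs the cert with its key.
    certutil -A -d "$2" -n local-ca -t "CT,," -a -i "$1/ca.pem"
    certutil -A -d "$2" -n Server-Cert -t ",," -i "$2/server.der"
    certutil -L -d "$2" -n Server-Cert -a > "$2/server.pem"
    rm -f "$2/noise.bin" "$2/server.req" "$2/server.der"
}

# Step 6, offline form: the check OpenLDAP/OpenSSL performs on a client once
# ca.pem is named by TLS_CACERT in /etc/openldap/ldap.conf (or ldap_tls_cacert
# in sssd.conf). Live equivalent, run from a client:
#   openssl s_client -connect amandine:636 -CAfile ca.pem </dev/null
# which must end with "Verify return code: 0 (ok)".
verify_chain() {           # $1 = ca.pem, $2 = server.pem; exit 0 = trusted
    openssl verify -CAfile "$1" "$2" >/dev/null
}
```

The instance still has to be told which nickname to serve (the encryption settings in the console, as in the message) and restarted before ldaps://amandine:636 presents the new certificate.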