Re: Using self-signed SSL certificate with 389 DS under CentOS 7


 



On 23/08/2019 at 16:52, Marc Muehlfeld wrote:
> According to the "certutil --help" output, use
>>   -v months-valid   Months valid (default is 3)
> when you create the certificate.

OK, indeed. Thanks.

I put together a little shell script to issue a self-signed SSL
certificate for 389 DS under CentOS 7, which works.

--8<------------------------------------------------------------------
#!/bin/bash
#
# 389-ds-cert.sh
#
# Nicolas Kovacs, 2019
#
# Create a self-signed SSL certificate for 389 Directory Server.

# Short host name selects the instance directory (/etc/dirsrv/slapd-<host>).
HOST=$(hostname -s)

# Fully qualified name becomes the certificate subject; clients must
# connect using this exact name.
FQDN=$(hostname --fqdn)

# Random seed for the NSS key generation.
openssl rand -out /tmp/noise.bin 4096

# -x: self-signed, -t "CT,C,C": trusted for SSL/email/object signing,
# -m: serial number, -v 120: valid for 120 months.
certutil -S -x -d /etc/dirsrv/slapd-${HOST} \
  -z /tmp/noise.bin \
  -n "server-cert" \
  -s "CN=${FQDN}" \
  -t "CT,C,C" \
  -m $RANDOM \
  -v 120 \
  --keyUsage digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment

echo

exit 0
--8<------------------------------------------------------------------

I also enabled secure connections in the console.

My desktop clients are running OpenSUSE Leap 15.1.

So far I've managed to configure them so they can get user credentials
from ldap://amandine:389.

But when I try to configure them to use the secure connection via
ldaps://amandine:636, it fails.

I *think* it is because my certificate is self-signed and not trusted.

Before I try to do things in a completely different manner, is there a
KISS (Keep It Simple Stupid) approach to use a self-signed certificate
for a secure connection ? Any suggestions for that ?

Don't forget, I only have a small network in our local school, so I
prefer sticking to the KISS principle and not use a sledgehammer to
drive a nail into a wall.

> 
> 
> Instead of using only a self-signed cert, wouldn't it make more sense to
> 1) create your own CA
> 2) create a CSR using certutil (see RHDS docs, section 9.3.2)
> 3) let your CA issue the cert
> 4) import the CA cert (see RHDS docs, section 9.3.3)
> 5) import the server cert (see RHDS docs, section 9.3.4)
> 6) install the CA cert on your clients (not yet in RHDS 10 docs,
>    but I can easily backport the content)

I'll check this out when my more bone-headed approach fails.

Cheers,

Niki

-- 
Microlinux - Solutions informatiques durables
7, place de l'église - 30730 Montpezat
Site : https://www.microlinux.fr
Mail : info@xxxxxxxxxxxxx
Tél. : 04 66 63 10 32
Mob. : 06 51 80 12 12
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
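An added example, not from this thread or the 389 DS project, showing the check behind the failure Niki describes and the simplest client-side fix: a self-signed server certificate verifies only when the client holds that exact certificate as its trust anchor. It assumes only the openssl CLI; the host name, paths and temporary files are constructed.

```shell
#!/bin/bash
# Added example, not part of the thread. Shows why a client rejects
# ldaps://amandine:636 and the KISS fix: give the client the server's own
# self-signed certificate as its trust anchor (TLS_CACERT in the OpenLDAP
# client config). Only the openssl CLI is needed; names are constructed.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CERT="$WORK/server-cert.pem"

# Stand-in for the certificate the thread's "certutil -S -x" call produces
# (self-signed, subject CN = the server FQDN). On the real server you would
# export that one instead of generating a new one, e.g.:
#   certutil -L -d /etc/dirsrv/slapd-${HOST} -n server-cert -a > server-cert.pem
make_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=amandine.example.lan" \
    -keyout "$WORK/server-key.pem" -out "$CERT" >/dev/null 2>&1
}

# Prints "trusted" or "untrusted". With no argument the system store is used
# (what an unconfigured client does); with a CA file, that file is the anchor.
# The ": OK" line is checked rather than the exit code because OpenSSL 1.0.x
# returned 0 from "verify" even on failure.
trust_status() {
  if [ $# -gt 0 ]; then
    out=$(openssl verify -CAfile "$1" "$CERT" 2>&1 || true)
  else
    out=$(openssl verify "$CERT" 2>&1 || true)
  fi
  case "$out" in *": OK"*) echo trusted ;; *) echo untrusted ;; esac
}

# The subject the cert carries; it must match the name the clients use in
# ldaps://..., otherwise the handshake still fails once the cert is trusted.
cert_subject() {
  openssl x509 -in "$CERT" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

make_self_signed
echo "system trust store : $(trust_status)"         # untrusted
echo "pinned server cert : $(trust_status "$CERT")" # trusted
echo "certificate subject: $(cert_subject)"
# Client side (OpenSUSE, OpenLDAP libraries): copy server-cert.pem to the
# client and set in /etc/openldap/ldap.conf:
#   TLS_CACERT /etc/openldap/certs/amandine.pem
# (sssd users point ldap_tls_cacert in sssd.conf at the same file instead.)
```

The pinned file must be replaced on every client when the certificate is reissued, which is the maintenance cost the own-CA route above avoids.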



