> On 24 Aug 2019, at 23:39, Nicolas Kovacs <info@xxxxxxxxxxxxx> wrote:
>
> On 23/08/2019 at 16:52, Marc Muehlfeld wrote:
>> According to the "certutil --help" output, use
>>> -v months-valid Months valid (default is 3)
>> when you create the certificate.
>
> OK, indeed. Thanks.
>
> I put together a little shell script to issue a self-signed SSL
> certificate for 389 DS under CentOS 7, which works.
>
> --8<------------------------------------------------------------------
> #!/bin/bash
> #
> # 389-ds-cert.sh
> #
> # Nicolas Kovacs, 2019
> #
> # Create a self-signed SSL certificate for 389 Directory Server.
>
> HOST=$(hostname -s)
>
> FQDN=$(hostname --fqdn)
>
> # Random seed material for NSS key generation (-z below)
> openssl rand -out /tmp/noise.bin 4096
>
> # -x: self-signed; -t "CT,C,C": trust the cert itself as a CA (SSL, email,
> # object signing); -m: serial number; -v 120: valid for 120 months
> certutil -S -x -d /etc/dirsrv/slapd-${HOST} \
> -z /tmp/noise.bin \
> -n "server-cert" \
> -s "CN=${FQDN}" \
> -t "CT,C,C" \
> -m $RANDOM \
> -v 120 \
> --keyUsage digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>
> echo
>
> exit 0
> --8<------------------------------------------------------------------
>
> I also enabled secure connections in the console.
>
> My desktop clients are running OpenSUSE Leap 15.1.
>
> So far I've managed to configure them so they can get user credentials
> from ldap://amandine:389.
>
> But when I try to configure them to use the secure connection via
> ldaps://amandine:636, it fails.
>
> I *think* it is because my certificate is self-signed and not trusted.
>
> Before I try to do things in a completely different manner, is there a
> KISS (Keep It Simple Stupid) approach to use a self-signed certificate
> for a secure connection? Any suggestions for that?
>
> Don't forget, I only have a small network in our local school, so I
> prefer sticking to the KISS principle and not use a sledgehammer to
> drive a nail into a wall.

Self-signed is fine.

I have a few documents to help:

http://www.port389.org/docs/389ds/howto/howto-ssl.html
http://www.port389.org/docs/389ds/howto/quickstart.html#setup-sssd
https://fy.blackhats.net.au/blog/html/pages/nss_and_openssl_command_reference.html

They have a number of different things to help. The how-to SSL is a bit
focused on a large deployment, but it should guide you through this. The
setup-sssd has tricks on how to set up the ca-cert dirs correctly with
rehash. And the final link has a lot of invaluable commands on NSS/TLS
management, including self-signed CA management.

Hope that helps,

>
>>
>>
>> Instead of using only a self-signed cert, wouldn't it make more sense to
>> 1) create your own CA
>> 2) create a CSR using certutil (see RHDS docs, section 9.3.2)
>> 3) let your CA issue the cert
>> 4) import the CA cert (see RHDS docs, section 9.3.3)
>> 5) import the server cert (see RHDS docs, section 9.3.4)
>> 6) install the CA cert on your clients (not yet in RHDS 10 docs,
>> but I can easily backport the content)
>
> I'll check this out when my more bone-headed approach fails.
>
> Cheers,
>
> Niki
>
> --
> Microlinux - Sustainable IT solutions
> 7, place de l'église - 30730 Montpezat
> Site : https://www.microlinux.fr
> Mail : info@xxxxxxxxxxxxx
> Tel. : 04 66 63 10 32
> Mob. : 06 51 80 12 12
> _______________________________________________
> 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx

--
Sincerely,

William Brown
Senior Software Engineer, 389 Directory Server
SUSE Labs
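Marc's six steps (own CA, CSR, issue, import CA and server cert, install the CA on the clients) and William's "ca-cert dirs with rehash" remark, carried through as one added worked example. This is editorial example code, not a script from the thread, from the 389 DS project or from the linked how-tos. It assumes OpenSSL 1.1.1 or later, nss-tools (certutil, pk12util) on the server for the import step only, and placeholder names that are not in the thread: the CA name school-ca, the 389 DS default certificate nickname Server-Cert, the example host amandine.example.lan and the client directory /etc/openldap/cacerts.

```shell
#!/bin/sh
# Added example, not code from the thread: a small private CA with OpenSSL,
# a server certificate for 389 DS issued by it, and the client-side trust
# directory set up with "openssl rehash". Names such as school-ca,
# Server-Cert and the paths in the usage lines are assumptions.
set -eu

# 1) Create the CA: a self-signed cert whose only job is to sign others.
make_ca() {             # make_ca <workdir> <ca-name>
    dir=$1; ca=$2
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$ca" \
        -keyout "$dir/$ca.key" -out "$dir/$ca.csr" 2>/dev/null
    cat > "$dir/$ca.ext" <<EOF
basicConstraints=critical,CA:TRUE,pathlen:0
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
EOF
    openssl x509 -req -sha256 -days 3650 -in "$dir/$ca.csr" \
        -signkey "$dir/$ca.key" -extfile "$dir/$ca.ext" -out "$dir/$ca.pem" 2>/dev/null
    chmod 600 "$dir/$ca.key"
}

# 2+3) Key and CSR for the directory server, signed by the CA. The SAN is
# what clients match against ldaps://<fqdn>; a CN alone is not enough for
# modern verifiers.
issue_server_cert() {   # issue_server_cert <workdir> <ca-name> <fqdn>
    dir=$1; ca=$2; fqdn=$3
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$fqdn" \
        -keyout "$dir/$fqdn.key" -out "$dir/$fqdn.csr" 2>/dev/null
    cat > "$dir/$fqdn.ext" <<EOF
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:$fqdn
authorityKeyIdentifier=keyid,issuer
EOF
    openssl x509 -req -sha256 -days 398 -in "$dir/$fqdn.csr" \
        -CA "$dir/$ca.pem" -CAkey "$dir/$ca.key" -CAcreateserial \
        -extfile "$dir/$fqdn.ext" -out "$dir/$fqdn.pem" 2>/dev/null
    chmod 600 "$dir/$fqdn.key"
}

# Check: the leaf chains to the CA and names the host in its SAN.
verify_chain() {        # verify_chain <workdir> <ca-name> <fqdn>
    dir=$1; ca=$2; fqdn=$3
    openssl verify -CAfile "$dir/$ca.pem" "$dir/$fqdn.pem" >/dev/null 2>&1 &&
        openssl x509 -in "$dir/$fqdn.pem" -noout -text | grep -q "DNS:$fqdn"
}

# 4+5) Load CA and server cert into the instance's NSS database (needs
# nss-tools and root; not run by the checks below). The nickname must match
# nsSSLPersonalitySSL in dse.ldif ("Server-Cert" is the 389 DS default).
# Add -K <nss-db-password> to pk12util and certutil if the database has one.
import_into_dirsrv() {  # import_into_dirsrv <workdir> <ca-name> <fqdn> <nssdb> <nickname>
    dir=$1; ca=$2; fqdn=$3; nssdb=$4; nick=$5
    openssl pkcs12 -export -name "$nick" -inkey "$dir/$fqdn.key" \
        -in "$dir/$fqdn.pem" -out "$dir/$fqdn.p12" -passout pass:
    pk12util -i "$dir/$fqdn.p12" -d "$nssdb" -W ''
    certutil -A -d "$nssdb" -n "$ca" -t "CT,," -a -i "$dir/$ca.pem"
    certutil -L -d "$nssdb"     # both entries should be listed; restart dirsrv
}

# 6) Client side: an OpenLDAP TLS_CACERTDIR. OpenLDAP finds the CA through a
# <subject_hash>.0 symlink, which "openssl rehash" creates; a directory with
# only the bare .pem file is silently ignored and ldaps:// keeps failing.
make_cacertdir() {      # make_cacertdir <cacertdir> <ca-pem>
    mkdir -p "$1"
    cp "$2" "$1/"
    openssl rehash "$1" 2>/dev/null
}
hashed_link() {         # hashed_link <cacertdir> <ca-pem>  -> path of the symlink
    printf '%s/%s.0\n' "$1" "$(openssl x509 -in "$2" -noout -subject_hash)"
}

# Usage (server): sh ldaps-ca.sh --run amandine.example.lan
if [ "${1:-}" = "--run" ]; then
    WORK=$(mktemp -d); FQDN=${2:?fqdn required}
    make_ca "$WORK" school-ca
    issue_server_cert "$WORK" school-ca "$FQDN"
    verify_chain "$WORK" school-ca "$FQDN" && echo "chain OK: $WORK/$FQDN.pem"
    echo "next: import_into_dirsrv $WORK school-ca $FQDN /etc/dirsrv/slapd-$(hostname -s) Server-Cert"
    echo "      copy $WORK/school-ca.pem to each client and run: make_cacertdir /etc/openldap/cacerts school-ca.pem"
fi
```

On the openSUSE Leap clients the rehashed directory goes into /etc/openldap/ldap.conf as `TLS_CACERTDIR /etc/openldap/cacerts` (or, for the system-wide route, copy school-ca.pem to /etc/pki/trust/anchors/, run `update-ca-certificates`, and point `TLS_CACERT` and sssd's `ldap_tls_cacert` at /etc/ssl/ca-bundle.pem). A quick way to confirm that trust is the only problem is `LDAPTLS_CACERT=school-ca.pem ldapsearch -H ldaps://amandine:636 -x -b '' -s base`: if that succeeds while the stock configuration fails, the server and cert are fine and only the client's trust store is missing the CA. The CA key is the one secret in this setup; it does not need to live on the directory server, and the server cert has to be re-issued before its 398 days run out.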