Re: question about SSL configuration with IP takeover HA setup

Ryan Braun wrote:
On Thursday 20 September 2007 21:36, George Holbert wrote:

Ok so I managed to create a new certificate using subjectAltName extensions, and it works as advertised. I can run ldapsearches on eastldap on both eastldap0.

Now my question is for generating certs for the other servers. Now that I have the CA cert on eastldap0, I would assume I need to install the CA on each additional server. Can I just copy and paste the cacert.asc into the manage certificate wizard?
You cannot use the CA cert to generate server certs. You need the CA cert and key. This CA key was created when you created your initial CA cert. The CA key is stored in the key3.db which you initially created in steps 5 and 6 here - http://directory.fedoraproject.org/wiki/Howto:SSL#Basic_Steps

I would suggest you create all of your server certs using this initial CA cert and key.
cd /opt/fedora-ds/alias
serialnumber=1002
for server in serverFQDN ; do
    # issue a server cert signed by the CA key held in this key3.db
    ../shared/bin/certutil -d . -S -n "Server-Cert-$server" -s "cn=$server,ou=Fedora Directory Server" -c "CA certificate" -t "u,u,u" -m $serialnumber -v 120 -z noise.txt -f pwdfile.txt
    # each cert must have a unique serial number
    serialnumber=`expr $serialnumber + 1`
    # export the new server cert+key
    ../shared/bin/pk12util -d . -o $server.p12 -n "Server-Cert-$server" -k pwdfile.txt -w pwdfile.txt
done

For all of the commands listed above, you may have to specify -P slapd-instance- if you are not using cert8.db and key3.db.

Then, copy each file $server.p12 to that $server, along with the cacert.asc file.
Then, on each server:
cd /opt/fedora-ds/alias
../shared/bin/pk12util -d . -P slapd-instance- -i $server.p12 -w pwdfile.txt -k pwdfile.txt
# the -w argument is the file containing the password used to encrypt the .p12 file
# the -k argument is the file containing the password for the new key database
# you may use a different password for -k here - this is the same password used
# in your slapd-instance-pin.txt file

# this imports your CA cert
../shared/bin/certutil -A -d . -P slapd-instance- -n "CA certificate" -t "CT,," -a -i cacert.asc
Then I would generate new certs for each server. Now do I need to generate the certs all from eastldap0? or once the CA cert is installed on the rest of the boxes, am I able to generate the required certs on each box? Is it generally a good idea to keep all the cert creation in a central location?

And for the clients, all they need is the one cacert.asc to be able to encrypt comms with each server?
Yes.
Thanks

Ryan


Each running FDS server instance will have just one SSL certificate.
If you want your server to identify with multiple names, you can either:
- Do a cert with subjectAltName extensions.
- Do a cert with a wildcard in the subject's CN (e.g., cn=*.test.com).

LDAP / SSL client support for these varies, so you will probably want to
test both ways and see what works better with your clients.
If it works for you, the subjectAltName method is probably preferable,
because you can precisely list the valid names for your server.

Also, consider keeping it simple and just doing certs with single names
(e.g.,  one cert each for 'westldap.test.com' and 'eastldap.test.com'),
and installing that same cert on each server which should have that SSL
identity.  This is actually a pretty common way to do it, though it will
limit your ability to make SSL connections to individual nodenames, like
eastldap0.test.com (as you noticed).

Ryan Braun wrote:
Hey guys,  installed FDS on a couple debian servers this week and am
liking it so far.  I have a couple questions regarding SSL/TLS setup with
servers setup for  IP takeover type HA setup.  Keep in mind I have some
experience with the LDAP side of things,  it's the ssl and all the
different certs and whatnot that keeps me up at night.

Essentially what I'm looking at is a 4 way multimaster setup,  ending up
with 2 HA pairs of servers.  call them eastldap and westldap.   I've
implemented the east side in my test lab and have it replicating and can
pull any user info I need off the directory no problem.

so
eastldap0.test.com ip 192.168.0.11
eastldap1.test.com ip 192.168.0.12
and the virtual interface on whichever machine is master would be
eastldap.test.com ip 192.168.0.10

and then the exact same setup with the last 2

westldap0.test.com ip 192.168.1.11
westldap1.test.com ip 192.168.1.12
westldap.test.com ip 192.168.1.10

Once everything is setup and running clients would be primarily only
connecting to either virtual interface west/eastldap using TLS over port
389 and the 4 masters replicating with encryption (not sure but I imagine
this takes place on ldaps port).

I followed the instructions on the howto:ssl page and created a cert
located on eastldap0.  But instead of using the eastldap0.test.com as the
cn,  I used eastldap.test.com.  Cert installed ok, made sure eastldap0
was the HA master and restarted fds.

When I copied over the cacert to a linux client,  I can run searches
using ldapsearch -ZZ -h eastldap.test.com.  Server logs and wire sniffs
confirm everything is coming back encrypted.  It seems to be behaving as
expected, when I try ldapsearch -ZZ -h eastldap0.test.com,  it pukes with
error 11 additional info: TLS: hostname does not match CN in peer
certificate,  which is right as the name in the cert is
eastldap.test.com.

So it would appear I'm on my way,  I just am not sure about what certs I
need now, and how to add them properly.  I would think I need at the very
least

eastldap0
- eastldap0.test.com cert
- eastldap.test.com cert
eastldap1
- eastldap1.test.com cert
- eastldap.test.com cert
westldap0
- westldap0.test.com cert
- westldap.test.com cert
westldap1
- westldap1.test.com cert
- westldap.test.com cert

I'm just not sure if that is the proper way to go about it.  Also, I
would like to have the clients to be able to have all the cacerts to be
able to communicate with all virtual and physical addresses if need be.
Later on, I would be adding probably 5 or 6 consumer read only replicas
in between the suppliers and the clients, but one must walk before they
run I guess :)

Long post I know,  just trying to make sure I get all the important stuff
out there.  Be kind if I was using the incorrect terminology for the
certs/cacerts :)

Ryan

PS.  anyone have a good SSL for dummies reference that lays out what the
heck is going on with SSL (pems,keys,certs,cacerts etc)
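The check behind Ryan's "TLS: hostname does not match CN in peer certificate" error, and behind George's note that clients handle subjectAltName and wildcard certs differently, is the client-side hostname match against the server certificate. The following is an added example, not code from the thread or from Fedora Directory Server: it models that match over constructed certificate identities for the eastldap/westldap hosts (the CertIdentity class, the verify_hostname function and the client_supports_san switch are all assumptions made for illustration), so the three options discussed above (single-name cert, subjectAltName cert, wildcard CN) can be compared for a given client before any cert is issued.

```python
# Added example (not from the thread or from Fedora Directory Server):
# the hostname check an LDAP/TLS client performs against the server cert.
# CertIdentity and verify_hostname are constructed for illustration.
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class CertIdentity:
    """Name-bearing parts of a server certificate (constructed, not parsed)."""
    cn: str                                            # subject CN, e.g. eastldap.test.com
    san_dns: List[str] = field(default_factory=list)   # subjectAltName dNSName entries


def _name_match(pattern: str, hostname: str) -> bool:
    """Match one certificate name against a hostname.

    Rules follow RFC 6125 section 6.4.3: the comparison is case-insensitive,
    a wildcard is honoured only as the entire left-most label, it must be
    followed by at least two more labels, and it never spans a dot.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False          # "east*.test.com" or "*.com" are rejected
    if len(p_labels) != len(h_labels):
        return False          # "*.test.com" does not cover a.b.test.com or test.com
    return p_labels[1:] == h_labels[1:]


def verify_hostname(cert: CertIdentity, hostname: str,
                    client_supports_san: bool = True) -> Tuple[bool, str]:
    """Return (ok, reason) for connecting to `hostname` when `cert` is presented.

    A SAN-aware client consults only the dNSName list when one is present and
    ignores the CN. A client without SAN support (client_supports_san=False)
    only ever looks at the CN, which is why the thread recommends testing the
    SAN and wildcard approaches against the actual client software.
    """
    if cert.san_dns and client_supports_san:
        candidates, source = cert.san_dns, "subjectAltName"
    else:
        candidates, source = [cert.cn], "CN"
    for name in candidates:
        if _name_match(name, hostname):
            return True, "matched %s %s" % (source, name)
    return False, "hostname does not match %s in peer certificate" % source


if __name__ == "__main__":
    # Constructed certificates for the three approaches discussed in the thread.
    single = CertIdentity(cn="eastldap.test.com")
    san = CertIdentity(cn="eastldap.test.com",
                       san_dns=["eastldap.test.com", "eastldap0.test.com",
                                "eastldap1.test.com"])
    wild = CertIdentity(cn="*.test.com")
    for label, cert in (("single-name", single), ("subjectAltName", san),
                        ("wildcard", wild)):
        for host in ("eastldap.test.com", "eastldap0.test.com", "westldap.test.com"):
            print(label, host, verify_hostname(cert, host))
```

Running the script reproduces Ryan's result: the single-name cert answers for eastldap.test.com but not for eastldap0.test.com, the SAN cert answers for every name it lists, and the wildcard cert answers for any single label under test.com. Note the SAN caveat a SAN-aware client enforces: once a dNSName list is present the CN is no longer consulted, so the virtual name must appear in the SAN list too, not only in the CN.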

--
--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users