I'm trying to set up two 389 Directory Services servers in a replication scenario. I can do this quite easily without any SSL/TLS setup. In an effort to improve the security of our environment, I would like to get TLS configured so that this replication (and all LDAP authentication attempts) are encrypted. Using the scripts provided at http://directory.fedoraproject.org/wiki/Howto:SSL I can get one server using SSL; however when I try and establish the cross-server communication, the SSL/TLS keys appear to fall apart. My understanding from the logs on the systems is that the reason why the two servers (FDSMEM1 and FDSMEM2) do not have a common CA and so their server-certs do not trust each other. So, I have set up TinyCA and created a CA cert from a third server. I have generated manual cert requests on the two LDAP servers (after registering the CA cert) and generated the certificates. Replication appears to be working through TLS. Now, the problem I am having. When I run the 'certutil -L -d . -n "CA certificate" -a > cacert.asc' command I get a cacert.asc. When I deploy this cacert.asc to my LDAP clients as the key for TLS to start, though, it appears that something isn't handshaking well and I am never able to query the LDAP server from a client. Has anyone gotten a 389DS system (or pair of systems) fully working with certs managed & created by TinyCA2? If so, what are the gotchas that I must be missing to get this working? Would anyone be willing to help me write a HOWTO on getting this working so that it would be outlined more effectively for newer users? Thanks. -- Jeff Moody Senior Systems Engineer Electronic Vaulting Services 5050 Poplar Ave., Suite 1600 Memphis, TN 38157 (901) 259-2387 - 24x7 Helpdesk (901) 213-5146 - Office (901) 497-1444 - Mobile -- 389 users mailing list 389-users@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/389-users
