On 09/08/2010 08:45 PM, John Mancuso wrote: > Two questions: > > 1. I have generated self-signed ssl/ca certs trying both the > "certutil" method from the redhat doc and also the standard "openssl > x509 req -new" method. After installing the certs and enabling secure > ldaps replication both result in > > slapi_ldap_bind - Error: could not send bind request for id > [cn=replication manager,cn=config] mech [SIMPLE]: error 81 (Can't > contact LDAP server) -8172 (Peer's certificate issuer has been marked > as not trusted by the user.) 11 (Resource temporarily unavailable) > > Is there a known issue with self-signed certs? > > 2. If there is an issue with the above, we may end up purchasing a > wildcard cert for replicating across subdomains. I know in the HTML > world some web browsers complain about ssl wildcard certs across > subdomains. Any possible issues with this approach? > > ldaps://supplier_ldap.mycompany.com----> ldaps://consumer_ldap.dev.mycompany.com > You need to create your own CA Cert, sign your cert with that CA Cert, and import the CA cert into the certutil store. You also want to put the CA public cert into /etc/openldap/certs so the openldap tools will use it. There are a few guides on the internet for creating your own CA. I know Fedora 13 comes with its own CA tool. I personally use tinyca. -B -- 389 users mailing list 389-users@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/389-users
