This description is based on the mod_ssl FAQ and is intended as an add-on to my LDAP-HOWTO.
In order to be able to use SSL you need an SSL certificate first, and in order to create this certificate you need a Certification Authority (CA) to sign it. This CA can be either one of the big (and expensive) ones out there such as Verisign, or you can create your own self-signed CA.
Explaining how to create your own CA is IMHO beyond the scope of this (LDAP-)HOWTO, so check out the mod_ssl FAQ (CA) for that.
Install openssl:

    # apt-get install openssl

Create the Certificate Signing Request (CSR):

    # su - slapd
    $ cd /etc/ldap/
    $ openssl req -new > new.cert.csr
    [...]
    Country Name (2 letter code) [AU]:AT
    State or Province Name (full name) [Some-State]:Austria
    Locality Name (eg, city) []:Your-City
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Your-Company-Name
    Organizational Unit Name (eg, section) []:Your-Department-Section
    Common Name (eg, YOUR name) []:ldapserver.yourdomain.net
    Email Address []:contact@yourdomain.net
    [...]

Mind here that the "Common Name" must be the (LDAP-)server's FQDN! (openssl req -new also writes the encrypted private key to privkey.pem next to the CSR; it is needed below.)

Have the CSR signed by the CA:

    ca# ./sign.sh new.cert.csr
    CA signing: new.cert.csr -> new.cert.crt:
    [...]
    The Subjects Distinguished Name is as follows
    countryName           :PRINTABLE:'AT'
    stateOrProvinceName   :PRINTABLE:'Austria'
    [...]
    Certificate is to be certified until Oct 17 15:20:02 2030 GMT (9999 days)
    Sign the certificate? [y/n]:y
    [...]
    CA verifying: new.cert.crt <-> CA cert
    new.cert.crt: OK
    ca# ll ldap*
    -rw-r--r--    1 root     root         2713 Jun  2 17:20 new.cert.crt
    -rw-r--r--    1 root     root          741 Jun  2 17:17 new.cert.csr

Now copy these two files to ldapserver:/etc/ldap/.

On your LDAP server again, as user slapd, create an unencrypted key file from privkey.pem:

    $ openssl rsa -in privkey.pem -out new.cert.key
    writing RSA key
    slapd@yellow:/etc/ldap$ ls -la
    total 32
    drwxrwx---    3 slapd    slapd        4096 Jun  2 17:25 .
    drwxr-xr-x   47 root     root         4096 Jun  2 17:10 ..
    -rw-r--r--    1 slapd    slapd        2713 Jun  2 17:34 new.cert.crt
    -rw-r--r--    1 slapd    slapd         741 Jun  2 17:13 new.cert.csr
    -rw-r--r--    1 slapd    slapd         887 Jun  2 17:25 new.cert.key
    -rw-r--r--    1 slapd    slapd         963 Jun  2 17:13 privkey.pem
    drwxrwx---    2 slapd    slapd        4096 Jun  2 16:20 schema
    -rw-------    1 slapd    slapd         889 Jun  2 16:27 slapd.conf
    -r--r-----    1 slapd    slapd        1928 Jun  2 16:20 slapd.conf_DEB-orig

Mind:
  "new.cert.csr" is the signing request to be signed by the CA.
  "new.cert.crt" is the CA-signed certificate for the LDAP server.
  "privkey.pem" is the corresponding private key, encrypted.
  "new.cert.key" is the corresponding private key, UNencrypted.

Create the file "server.cert", which holds only the following block from the signed "new.cert.crt":

    -----BEGIN CERTIFICATE-----
    abcdefghijklmnopqrstuvwxyz....
    -----END CERTIFICATE-----

Then copy the unencrypted key:

    $ cp new.cert.key server.key
    slapd@yellow:/etc/ldap$ ls -la
    total 44
    drwxrwx---    3 slapd    slapd        4096 Jun  2 17:40 .
    drwxr-xr-x   47 root     root         4096 Jun  2 17:10 ..
    -rw-r--r--    1 slapd    slapd        2713 Jun  2 17:34 new.cert.crt
    -rw-r--r--    1 slapd    slapd         741 Jun  2 17:13 new.cert.csr
    -rw-r--r--    1 slapd    slapd         887 Jun  2 17:25 new.cert.key
    -rw-r--r--    1 slapd    slapd         963 Jun  2 17:13 privkey.pem
    drwxrwx---    2 slapd    slapd        4096 Jun  2 16:20 schema
    -rw-r--r--    1 slapd    slapd         964 Jun  2 17:39 server.cert
    -rw-r--r--    1 slapd    slapd         887 Jun  2 17:40 server.key
    -rw-------    1 slapd    slapd         889 Jun  2 16:27 slapd.conf
    -r--r-----    1 slapd    slapd        1928 Jun  2 16:20 slapd.conf_DEB-orig

Mind:
  "server.cert" is the signed certificate only.
  "server.key" is the UNencrypted private key.

Get the CA's certificate and save it as ldapserver:/etc/ldap/ca.cert.
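Before pointing slapd at /etc/ldap/server.cert, server.key and ca.cert, it is worth checking that the three files actually fit together: that the certificate is signed by the CA, that the key belongs to the certificate, that the Common Name is the server's FQDN, and that the UNencrypted key is not world-readable (the listings above show server.key as mode 644, i.e. readable by every local user on the box). The script below is an added example and not part of the HOWTO; it assumes openssl(1) on the PATH, takes the directory and FQDN as parameters, and its make_test_pki helper builds a constructed throwaway CA with openssl x509 -req in place of the real CA and its sign.sh so the checks can be tried offline.

```shell
#!/bin/sh
# Added example, not part of the HOWTO: sanity checks on the files the
# procedure above leaves in /etc/ldap (server.cert, server.key, ca.cert)
# before slapd is pointed at them.  Assumes openssl(1) on PATH; directory
# and FQDN are parameters.  Returns 0 only if every check passes.
check_ldap_certs() {
    dir=$1; fqdn=$2; rc=0
    cert="$dir/server.cert"; key="$dir/server.key"; ca="$dir/ca.cert"

    # 1. server.cert must be signed by the CA whose certificate is ca.cert
    openssl verify -CAfile "$ca" "$cert" 2>/dev/null | grep -q ': OK$' ||
        { echo "FAIL: $cert does not verify against $ca"; rc=1; }

    # 2. server.key must be the private half of the key in server.cert
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null || true)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null || true)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] ||
        { echo "FAIL: $key does not match $cert"; rc=1; }

    # 3. the Common Name must be exactly the LDAP server's FQDN
    subj=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 2>/dev/null || true)
    subj=${subj#subject=}; subj=${subj# }
    case "$subj" in
        "CN=$fqdn"|"CN=$fqdn,"*|*",CN=$fqdn"|*",CN=$fqdn,"*) ;;
        *) echo "FAIL: subject '$subj' does not carry CN=$fqdn"; rc=1 ;;
    esac

    # 4. the UNencrypted key must be readable by its owner only
    mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key" 2>/dev/null)
    case "$mode" in
        600|400) ;;
        *) echo "FAIL: $key has mode $mode, expected 600"; rc=1 ;;
    esac
    return $rc
}

# make_test_pki DIR FQDN: constructed throwaway CA plus a server certificate
# signed by it, standing in for the HOWTO's real CA and its sign.sh, so the
# checks can be exercised offline.
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Test CA" \
        -keyout "$1/ca.key" -out "$1/ca.cert" >/dev/null 2>&1 &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/C=AT/CN=$2" \
        -keyout "$1/server.key" -out "$1/new.cert.csr" >/dev/null 2>&1 &&
    openssl x509 -req -in "$1/new.cert.csr" -CA "$1/ca.cert" \
        -CAkey "$1/ca.key" -CAcreateserial -days 2 -out "$1/server.cert" \
        >/dev/null 2>&1 &&
    chmod 600 "$1/server.key"
}
```

On the real server run it as `check_ldap_certs /etc/ldap ldapserver.yourdomain.net`; a non-zero exit status with a FAIL line tells you which of the four conditions is not met.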