

SSL Certificates: Introduction

This description is initially based on the mod_ssl FAQ and is meant to be an add-on to my LDAP-HOWTO.

In order to use SSL you need an SSL certificate first, and to create this certificate you need a Certification Authority (CA) to sign it. This CA can be one of the big (and expensive) commercial ones such as Verisign, or you can create your own self-signed CA.

Creating a Certification Authority (CA)

Explaining how to create your own CA IMHO is beyond the scope of this (LDAP-)HOWTO, so check out the mod_ssl FAQ (CA) for this.

Creating a signed SSL Certificate

Install openssl:
  # apt-get install openssl

Create the Certificate Signing Request:
  # su - slapd
  $ cd /etc/ldap/
  $ openssl req -new > new.cert.csr
   [...]
   Country Name (2 letter code) [AU]:AT 
   State or Province Name (full name) [Some-State]:Austria
   Locality Name (eg, city) []:Your-City
   Organization Name (eg, company) [Internet Widgits Pty Ltd]:Your-Company-Name
   Organizational Unit Name (eg, section) []:Your-Department-Section
   Common Name (eg, YOUR name) []:ldapserver.yourdomain.net
   Email Address []:contact@yourdomain.net
   [...]
Mind here that the "Common Name" must be the (LDAP) server's FQDN!

Have the CSR signed by the CA:
  ca# ./sign.sh new.cert.csr
   CA signing: new.cert.csr -> new.cert.crt:
   [...]
   The Subjects Distinguished Name is as follows
   countryName           :PRINTABLE:'AT'
   stateOrProvinceName   :PRINTABLE:'Austria'
   [...]
   Certificate is to be certified until Oct 17 15:20:02 2030 GMT (9999 days)
   Sign the certificate? [y/n]:y
   [...]
   CA verifying: new.cert.crt <-> CA cert
   new.cert.crt: OK

  ca# ll ldap*
   -rw-r--r-- 1 root  root   2713 Jun  2 17:20 new.cert.crt
   -rw-r--r-- 1 root  root    741 Jun  2 17:17 new.cert.csr

Now copy these two files to ldapserver:/etc/ldap/.

On your LDAP server again, as user slapd, decrypt privkey.pem into an unencrypted key file:
  $ openssl rsa -in privkey.pem -out new.cert.key
   writing RSA key

  slapd@yellow:/etc/ldap$ ls -la
  total 32
  drwxrwx---    3 slapd    slapd        4096 Jun  2 17:25 .
  drwxr-xr-x   47 root     root         4096 Jun  2 17:10 ..
  -rw-r--r--    1 slapd    slapd        2713 Jun  2 17:34 new.cert.crt
  -rw-r--r--    1 slapd    slapd         741 Jun  2 17:13 new.cert.csr
  -rw-r--r--    1 slapd    slapd         887 Jun  2 17:25 new.cert.key
  -rw-r--r--    1 slapd    slapd         963 Jun  2 17:13 privkey.pem
  drwxrwx---    2 slapd    slapd        4096 Jun  2 16:20 schema
  -rw-------    1 slapd    slapd         889 Jun  2 16:27 slapd.conf
  -r--r-----    1 slapd    slapd        1928 Jun  2 16:20 slapd.conf_DEB-orig

Mind:
 "new.cert.csr" is the signing request to be signed by the CA.
 "new.cert.crt" is the CA-signed certificate for the LDAP server.
 "privkey.pem"  is the corresponding private key, encrypted.
 "new.cert.key" is the corresponding private key, UNencrypted.

Create the file "server.cert", which holds only the
following block from the signed "new.cert.crt":
  -----BEGIN CERTIFICATE-----
  abcdefghijklmnopqrstuvwxyz....
  -----END CERTIFICATE-----

  $ cp new.cert.key server.key

  slapd@yellow:/etc/ldap$ ls -la
  total 44
  drwxrwx---    3 slapd    slapd        4096 Jun  2 17:40 .
  drwxr-xr-x   47 root     root         4096 Jun  2 17:10 ..
  -rw-r--r--    1 slapd    slapd        2713 Jun  2 17:34 new.cert.crt
  -rw-r--r--    1 slapd    slapd         741 Jun  2 17:13 new.cert.csr
  -rw-r--r--    1 slapd    slapd         887 Jun  2 17:25 new.cert.key
  -rw-r--r--    1 slapd    slapd         963 Jun  2 17:13 privkey.pem
  drwxrwx---    2 slapd    slapd        4096 Jun  2 16:20 schema
  -rw-r--r--    1 slapd    slapd         964 Jun  2 17:39 server.cert
  -rw-r--r--    1 slapd    slapd         887 Jun  2 17:40 server.key
  -rw-------    1 slapd    slapd         889 Jun  2 16:27 slapd.conf
  -r--r-----    1 slapd    slapd        1928 Jun  2 16:20 slapd.conf_DEB-orig

Mind:
 "server.cert" is the signed certificate only.
 "server.key"  is the UNencrypted private-key.

Get the CA's certificate and save it as ldapserver:/etc/ldap/ca.cert.
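As a final check before pointing slapd at these files (an added example, not part of the original HOWTO), the following POSIX sh functions verify the outcome of the steps above: that server.cert verifies against ca.cert, that server.key actually belongs to server.cert, that the Common Name is the server's FQDN, and that the UNencrypted key is readable by its owner only. The throwaway CA it builds is constructed demo data; openssl on the PATH is assumed.

```shell
#!/bin/sh
# Added sanity checks for /etc/ldap after the steps above; not part of the
# original HOWTO. Assumes openssl is installed and the file names used on
# this page (ca.cert, server.cert, server.key).

# Does server.cert verify against the CA certificate it was signed with?
check_chain() {            # usage: check_chain ca.cert server.cert
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Does server.key really belong to server.cert? Both must yield the same
# public key; a key copied from the wrong directory fails here.
check_key_matches() {      # usage: check_key_matches server.cert server.key
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Is the Common Name exactly the server's FQDN, as the "Mind" note demands?
check_cn() {               # usage: check_cn server.cert ldapserver.yourdomain.net
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null \
        | grep -qE "CN=$2(,|\$)"
}

# Is the UNencrypted key readable by its owner only? The listings above show
# 0644, which lets every local account read the private key.
check_key_perms() {        # usage: check_key_perms server.key
    case "$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Constructed throwaway CA and server certificate (demo data, not a real CA)
# so the checks can be tried without the page's sign.sh.
make_demo_pki() {          # usage: make_demo_pki DIR FQDN
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$1/ca.key" -out "$1/ca.cert" >/dev/null 2>&1 || return 1
    openssl req -new -newkey rsa:2048 -nodes -subj "/C=AT/CN=$2" \
        -keyout "$1/server.key" -out "$1/new.cert.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -days 1 -in "$1/new.cert.csr" -CA "$1/ca.cert" \
        -CAkey "$1/ca.key" -CAcreateserial -out "$1/server.cert" >/dev/null 2>&1
}
```

Run the four check_* functions against the real files in /etc/ldap; a non-zero exit from any of them means slapd should not be started with that configuration yet.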

© Markus Amersdorfer (markus<dott>amersdorfer<att>subnet<dott>at)
last modified: 2010-02-23 15:55:40