homeslkp.blogg.se

Install Radius Manager Ubuntu 12.04












When authenticating to an OpenLDAP server it is best to do so using an encrypted session. This can be accomplished using Transport Layer Security (TLS).

Here, we will be our own Certificate Authority and then create and sign our LDAP server certificate as that CA. This guide will use the certtool utility to complete these tasks. For simplicity, this is being done on the OpenLDAP server itself, but your real internal CA should be elsewhere.

Install the gnutls-bin and ssl-cert packages:

    sudo apt install gnutls-bin ssl-cert

Create a private key for the Certificate Authority:

    sudo certtool --generate-privkey --bits 4096 --outfile /etc/ssl/private/mycakey.pem

Create the template/file /etc/ssl/ca.info to define the CA:

    cn = Example Company

Create the self-signed CA certificate:

    sudo certtool --generate-self-signed \
      --load-privkey /etc/ssl/private/mycakey.pem \
      --outfile /usr/local/share/ca-certificates/mycacert.crt

Yes, the --outfile path is correct, we are writing the CA certificate to /usr/local/share/ca-certificates. This is where update-ca-certificates will pick up trusted local CAs from. To pick up CAs from /usr/share/ca-certificates, a call to dpkg-reconfigure ca-certificates is necessary.

Run update-ca-certificates to add the new CA certificate to the list of trusted CAs. Note the one added CA:

    $ sudo update-ca-certificates
    Running hooks in /etc/ca-certificates/update.d.

This also creates a /etc/ssl/certs/mycacert.pem symlink pointing to the real file in /usr/local/share/ca-certificates.

Make a private key for the server:

    sudo certtool --generate-privkey \
      --outfile /etc/ldap/ldap01_slapd_key.pem

Replace ldap01 in the filename with your server’s hostname. Naming the certificate and key for the host and service that will be using them will help keep things clear.

Create the /etc/ssl/ info file containing:

    organization = Example Company

The above certificate is good for 1 year, and it’s valid only for the hostname. Adjust accordingly.

Create the server’s certificate:

    sudo certtool --generate-certificate \
      --load-privkey /etc/ldap/ldap01_slapd_key.pem \
      --load-ca-certificate /etc/ssl/certs/mycacert.pem \
      --load-ca-privkey /etc/ssl/private/mycakey.pem \
      --outfile /etc/ldap/ldap01_slapd_cert.pem

Adjust permissions and ownership:

    sudo chgrp openldap /etc/ldap/ldap01_slapd_key.pem
    sudo chmod 0640 /etc/ldap/ldap01_slapd_key.pem

Your server is now ready to accept the new TLS configuration.

Create the file certinfo.ldif with the following contents (adjust paths and filenames accordingly):

    dn: cn=config
    olcTLSCACertificateFile: /etc/ssl/certs/mycacert.pem













