
Certificates

To look at a certificate: openssl x509 -text -noout < imap.shadlen.crt | less

Debian has decided to switch from openssl to gnutls in its implementation of openldap, which has been truly a pain in the butt for me, and for quite a few others. The original instructions on this page (at the bottom) make certificates that will not work with openldap in lenny. Fortunately, a group of people have decided to start signing certificates for free, and these work splendidly. First, you have to create your key and signing request:

certtool --generate-privkey --outfile ldap.key

certtool is from the gnutls-bin package.

Now that you have your key, use it to create your certificate request:

certtool --generate-request --load-privkey ldap.key --outfile ldap.csr

The usual questions follow. Almost all of the answers will be stripped out by cacert.org and don't matter, but the Common Name field is very important, and must be the full domain name of the server that you will be using.

You can now go to

http://www.cacert.org

You will need to become a member, and they will verify your email and domain; then you can submit your certificate request and get your certificate (you will want to request a server certificate, and you will not be given this option until you are logged in). More instructions for using cacert.org are here.

You will also need their cacert (at least if you are running openldap), which can be found here:

https://www.cacert.org/index.php?id=3

Right-click on Intermediate Certificate (PEM Format) and save the cert to a file. Now you will have your signed cert, your key, and your cacert, so you are in business. A more detailed tutorial is here:

http://blog.josefsson.org/2009/04/16/cacert-and-gnutls/

and there is also more info on the cacert website and wiki.


old stuff

At the end of this you will have a private key, a CSR, a second (CA) key, a CA certificate and a signed certificate. The private key, the CA certificate and the signed certificate need to go on the machine that corresponds to that service (for example, the web server, www.shadlen.org, needs to have www.shadlen.crt, shadlen.ca.crt and www.shadlen.key in a place where the web server can find them).

  1. Generate a private key for the server that will hold the certificate (ldap.shadlen.org for example). This is done with genrsa. The basic command is:

[root@ldap]# openssl genrsa -out ldap.shadlen.key 2048

The genrsa command generates an RSA (Rivest-Shamir-Adleman, 1977) private key. In this case the output file is ldap.shadlen.key. The 2048 argument is the size, in bits, of the private key to generate, and it must be the last option specified. The default is 512; 1024 or 2048 would be appropriate choices. Larger keys are more secure but slower.
The private key is just that - private. It should be readable only by the ldap server process.
  2. Make a Certificate Signing Request (CSR) for the key that you have just generated. The CSR will be signed with the CA certificate you make in the next step (or by a registered Certificate Authority, if you are willing to shell out the dough).

[root@ldap]# openssl req -new -key ldap.shadlen.key -out ldap.shadlen.csr

Do this for all services (I made, for example, both ldap.shadlen.csr and smtp.shadlen.csr, which need to be signed).
You do not need to fill in all the information for the CSR. If you enter '.', the field will be left blank. For the Common Name field, you should use the exact name that clients will use when contacting the server, usually the Fully Qualified Domain Name (FQDN). So if your LDAP server is ldap.example.com, then put in ldap.example.com for the Common Name. This is NOT the same as the CN you will use (or have already used) for your CA, even if they are created on the same machine; it is the name of the machine that the service is being served from, as they call it.
Now you either need to have a registered Certificate Authority like Verisign sign your CSR or you can create your own CA to sign it.
  3. Create your own self-signed CA certificate (skip this step if you already have a registered certificate).
First generate the key that will sign the certificates:
This is the same thing we did in step one; not sure whether you could just use the same key as in step one...

[root@ldap]# openssl genrsa -out shadlen.ca.key 2048

Our CA will be ldap.shadlen.org, which will be the CA for all other certificates, so this is the name that goes in the CN field.
You will have noticed that you have created another private key (shadlen.ca.key), this time to be used in creating the Certificate Authority's certificate. The -des3 option (not used in this example) encrypts the private key with the triple DES cipher.
Make a certificate using the key we just made:

[root@ldap]# openssl req -new -x509 -days 365 -key shadlen.ca.key -out shadlen.ca.crt

shadlen.ca.crt is the certificate for your certifying authority (in this case, you). This is later placed on the client machines so that they recognize the CA as a valid authority: it is the public half of the CA key that signs the server certificates. Fill in the information here identifying yourself (the server) as a CA.
Notice the -days 365 option. This means your certificate is valid for 365 days from the date of signing. Not before and not after. This means that if your clients have the wrong date set and it is outside the range of the certificate they will not accept the certificate. If you are trying to work out why a particular client won't accept a certificate that all the other clients accept, check the date on the problem client.
  4. Now you need to sign the CSR using the certificate you made:

[root@ldap]# openssl x509 -req -CA shadlen.ca.crt -CAkey shadlen.ca.key -CAcreateserial -days 365 < ldap.shadlen.csr > ldap.shadlen.crt

We took the CSR we made in step 2, signed it using the certificate and key created in step 3, and gave the result a new name, ldap.shadlen.crt.
Do this for all services: start with step 1 to make new keys and CSRs for the other services, skip step 3, then do step 4 again using the new CSRs plus the CA certificate and key created earlier in step 3, and again give each signed certificate a new name.

You have now created a certificate, ldap.shadlen.crt, that is signed by the CA. This is the public certificate for the LDAP server. When a secure connection is requested, ldap.shadlen.crt is sent from the LDAP server to the client. This identifies the server and contains the signature of the CA. The client already has shadlen.ca.crt (and maybe others), which tells it which CAs it accepts as valid authorities. The client uses its CA certificate(s) to check the signature in ldap.shadlen.crt. If the signature checks out (and the name and dates match), secure communication can begin.


Quick Summary:

do once (self signed certificate):

openssl genrsa -out shadlen.ca.key 2048

openssl req -new -x509 -days 365 -key shadlen.ca.key -out shadlen.ca.cert

do for every service (here for www or apache):

openssl genrsa -out www.shadlen.key 2048

openssl req -new -key www.shadlen.key -out www.shadlen.req

(use the name of the service that the cert will be used for as the Common Name, i.e. www.shadlen.org for the www cert). Then sign with the CA key:

openssl x509 -req -CA shadlen.ca.cert -CAkey shadlen.ca.key -CAcreateserial -days 365 < www.shadlen.req > www.shadlen.crt

If you wish to examine the contents of a certificate, you can use:

[root@ldap]# openssl x509 -in ldap.shadlen.crt -text -noout
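The four-step procedure above and the Quick Summary, run end to end as an added example (not part of the original page): it builds the CA, signs a www certificate non-interactively with -subj instead of the usual questions, and then performs the checks a client performs, the CA signature, the Common Name and the validity window that the -days 365 note warns about. It assumes the openssl command-line tool is installed; the shadlen.* file names are constructed in a temporary directory.

```shell
#!/bin/sh
# Added example; mirrors the page's openssl steps, not taken from it.
set -e
WORK=$(mktemp -d)            # constructed scratch directory for all files
trap 'rm -rf "$WORK"' EXIT

# "do once": CA key and self-signed CA certificate (step 3)
make_ca() {
    openssl genrsa -out "$WORK/shadlen.ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key "$WORK/shadlen.ca.key" \
        -subj "/CN=ldap.shadlen.org" -out "$WORK/shadlen.ca.crt" 2>/dev/null
}

# "do for every service": key, CSR with the service FQDN as CN, CA-signed cert
make_service_cert() {   # $1 = short name (www), $2 = FQDN used as Common Name
    openssl genrsa -out "$WORK/$1.shadlen.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/$1.shadlen.key" -subj "/CN=$2" \
        -out "$WORK/$1.shadlen.csr" 2>/dev/null
    openssl x509 -req -CA "$WORK/shadlen.ca.crt" -CAkey "$WORK/shadlen.ca.key" \
        -CAcreateserial -days 365 -in "$WORK/$1.shadlen.csr" \
        -out "$WORK/$1.shadlen.crt" 2>/dev/null
}

# What the client does: check the CA signature on the service cert against
# the CA certificate it trusts. Prints "ok" or "fail".
verify_chain() {        # $1 = short name, $2 = path of the trusted CA cert
    if openssl verify -CAfile "$2" "$WORK/$1.shadlen.crt" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Extract the CN so you can confirm it matches the name clients will use.
cert_cn() {             # $1 = short name
    openssl x509 -in "$WORK/$1.shadlen.crt" -noout -subject | sed 's/.*CN *= *//'
}

# Validity window: a client whose clock is this many seconds ahead of now
# would reject the cert once it falls past the -days 365 "not after" date.
still_valid_in() {      # $1 = short name, $2 = seconds from now
    if openssl x509 -in "$WORK/$1.shadlen.crt" -noout -checkend "$2" >/dev/null; then
        echo valid
    else
        echo expired
    fi
}

make_ca
make_service_cert www www.shadlen.org
```

Verifying the service cert against anything other than shadlen.ca.crt (for instance against itself) reports fail, which is what a client without the CA certificate installed sees.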


ldap refers to certs in:

  • /etc/ldap/slapd.conf
  • /etc/ldap/ldap.conf
  • /etc/libnss-ldap.conf
  • /etc/pam_ldap.conf