9:56 a.m.
I'm trying to configure replication over SSL using StartTLS, I don't see any
example of how to export/import self signed certs into the slave. Here's
what I did:
created a CA cert and server cert on the master, everything is fine.
exported the CA cert and copied it to the slave:
[root@ldapslave]# certutil -A -d . -n "CA certificate" -t "CT,," -a
-i
cacert.asc
[root@ldapslave]# certutil -d . -L
Certificate Nickname Trust
Attributes
SSL,S/MIME,JAR/XPI
CA certificate CT,,
What is next? I tried everything I could think of..
10:04 a.m.
On 05/19/2011 08:56 AM, solarflow99 wrote:
I'm trying to configure replication over SSL using StartTLS, I
don't
see any example of how to export/import self signed certs into the
slave. Here's what I did:
created a CA cert and server cert on the master, everything is fine.
exported the CA cert and copied it to the slave:
[root@ldapslave]# certutil -A -d . -n "CA certificate" -t "CT,," -a
-i
cacert.asc
[root@ldapslave]# certutil -d . -L
Certificate Nickname Trust
Attributes
SSL,S/MIME,JAR/XPI
CA certificate CT,,
What is next? I tried everything I could think of..
The SSL roles are _opposite_
the master/slave roles. The master pushes
changes to the slave. So in this instance, the _slave_ is the SSL
_server_, and the _master_ is the SSL _client_.
In order to be an SSL server, the slave must have a server cert/key and
CA cert.
In order to be an SSL client, the master must have just the CA cert.
--
389 users mailing list
389-users(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
12:18 p.m.
The SSL roles are _opposite_ the master/slave roles. The master pushes
changes to the slave. So in this instance, the _slave_ is the SSL _server_,
and the _master_ is the SSL _client_.
In order to be an SSL server, the slave must have a server cert/key
and CA
cert.
In order to be an SSL client, the master must have just the CA cert.
Can anyone provide the commands for this, and i'll add it to the SSL howto,
this isn't well explained anywhere. Here's what I ran into:
I create a CA cert and server cert on the master, and after exporting the CA
cert, I import into the slave, how should I generate a server cert on the
slave? I also notice the trusts are different from the CA cert on the
master:
[root@ldapslave slapd-ldapslave]# certutil -A -d . -n "CA certificate" -t
"CTu,u,u" -a -i cacert.asc
[root@ldapslave slapd-ldapslave]# certutil -d . -L
Certificate Nickname Trust
Attributes
SSL,S/MIME,JAR/XPI
CA certificate CT,,
How can I generate a server cert on the slave now? Using the following
command fails because it doesn't have the matching private key for the CA:
certutil -S -n "Server-Cert" -s "cn=ldapslave.mydomain.com" -c
"CA
certificate" -t "u,u,u" -m 1002 -v 120 -d . -k rsa
certutil: unable to retrieve key CA certificate: The private key for
this certificate cannot be found in key database
1:16 p.m.
On 05/19/2011 11:18 AM, solarflow99 wrote:
The SSL roles are _opposite_ the master/slave roles. The master
pushes changes to the slave. So in this instance, the _slave_ is the
SSL _server_, and the _master_ is the SSL _client_.
In order to be an SSL server, the slave must have a server
cert/key and CA cert.
In order to be an SSL client, the master must have just the CA cert.
Can anyone provide the commands for this, and i'll add it to the SSL
howto, this isn't well explained anywhere. Here's what I ran into:
I create a CA cert and server cert on the master, and after exporting
the CA cert, I import into the slave, how should I generate a server
cert on the slave? I also notice the trusts are different from the
CA cert on the master:
[root@ldapslave slapd-ldapslave]# certutil -A -d . -n "CA certificate"
-t "CTu,u,u" -a -i cacert.asc
[root@ldapslave slapd-ldapslave]# certutil -d . -L
Certificate Nickname Trust
Attributes
SSL,S/MIME,JAR/XPI
CA certificate CT,,
How can I generate a server cert on the slave now? Using the
following command fails because it doesn't have the matching private
key for the CA:
certutil -S -n "Server-Cert" -s "cn=ldapslave.mydomain.com
<http://ldapslave.mydomain.com>" -c "CA certificate" -t
"u,u,u" -m
1002 -v 120 -d . -k rsa
certutil: unable to retrieve key CA certificate: The private key
for this certificate cannot be found in key database
You can use certutil on the master to make a cert for the slave, using
the above command on the master. Then, use pk12util to export the slave
cert/key, then take that pk12 file to the slave and use pk12util to
import it (and use certutil to import the CA cert).
2:26 p.m.
You can use certutil on the master to make a cert for the slave,
using
the above command on the master. Then, use pk12util to export the slave
cert/key, then take that pk12 file to the slave and use pk12util to import
it (and use certutil to import the CA cert).
Thanks for this, it worked. I had to disable: check hostname against name
in cerfificate for outbound SSL connections, but its actually working now.
2:35 p.m.
On 05/19/2011 01:26 PM, solarflow99 wrote:
You can use certutil on the master to make a cert for the slave,
using the above command on the master. Then, use pk12util to
export the slave cert/key, then take that pk12 file to the slave
and use pk12util to import it (and use certutil to import the CA
cert).
Thanks for this, it worked. I had to disable: check hostname against
name in cerfificate for outbound SSL connections,
That's not good. That's
your MITM protection.
but its actually working now.
4735
days inactive
4735
days old
389-users@lists.fedoraproject.org
5 comments
2 participants
participants (2)
-
Rich Megginson -
solarflow99