The SSL roles are _opposite_ the master/slave roles. The master pushes
changes to the slave. So in this instance, the _slave_ is the SSL _server_,
and the _master_ is the SSL _client_.
In order to be an SSL server, the slave must have a server cert/key and CA cert.
In order to be an SSL client, the master must have just the CA cert.
Can anyone provide the commands for this, and I'll add it to the SSL howto;
this isn't well explained anywhere. Here's what I ran into:
I create a CA cert and server cert on the master, and after exporting the CA
cert, I import it into the slave. How should I generate a server cert on the
slave? I also notice the trusts are different from the CA cert on the
master:
[root@ldapslave slapd-ldapslave]# certutil -A -d . -n "CA certificate" -t "CTu,u,u" -a -i cacert.asc
[root@ldapslave slapd-ldapslave]# certutil -d . -L

Certificate Nickname                         Trust Attributes
                                             SSL,S/MIME,JAR/XPI

CA certificate                               CT,,
How can I generate a server cert on the slave now? Using the following
command fails because it doesn't have the matching private key for the CA:

certutil -S -n "Server-Cert" -s "cn=ldapslave.mydomain.com" -c "CA certificate" -t "u,u,u" -m 1002 -v 120 -d . -k rsa

certutil: unable to retrieve key CA certificate: The private key for this certificate cannot be found in key database
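One way to do this with certutil, added here as an example rather than taken from the post: the CA private key stays in the master's database, the slave generates its own key pair and a CSR, the master signs the CSR with "CA certificate", and the slave imports the signed cert next to its key (the database paths, the pin.txt password file and the noise file are assumptions; the nicknames, serial and validity follow the post).

```shell
#!/bin/sh
# Hypothetical helper functions (not from the original post). Only the CSR
# and the signed certificate move between master and slave; the CA key never
# leaves the master's NSS database, and the server key never leaves the slave's.
set -eu

# Export the master's CA cert (public part only) as ASCII for the slave.
export_ca() {   # export_ca <master_db> <pwfile> <out.asc>
  certutil -L -d "$1" -f "$2" -n "CA certificate" -a > "$3"
}

# Import the CA on the slave as a trusted issuer. No private key is present,
# so NSS never shows a 'u' flag here; 'certutil -L' reports CT,, as in the post.
import_ca() {   # import_ca <slave_db> <pwfile> <cacert.asc>
  certutil -A -d "$1" -f "$2" -n "CA certificate" -t "CT,," -a -i "$3"
}

# Generate the slave's RSA key pair and a PEM CSR; the key stays in $1.
# $4 is a small file of random bytes used to seed key generation (-z).
slave_make_csr() {   # slave_make_csr <slave_db> <pwfile> <fqdn> <noise> <out.csr>
  certutil -R -d "$1" -f "$2" -s "cn=$3" -k rsa -g 2048 -z "$4" -a -o "$5"
}

# Sign the CSR on the master with "CA certificate". This is the one step that
# needs the CA private key, which is why -S failed on the slave. Serial 1002
# and 120 months follow the post; -8 adds a DNS subjectAltName for the FQDN.
master_sign_csr() {   # master_sign_csr <master_db> <pwfile> <in.csr> <fqdn> <out.crt>
  certutil -C -d "$1" -f "$2" -c "CA certificate" -i "$3" -a -o "$5" \
    -m 1002 -v 120 -8 "$4" -Z SHA256
}

# Import the signed cert on the slave. NSS pairs it with the key created by
# -R, so the listing now shows u,u,u; -V -u V checks it chains to the CA and
# is usable as an SSL server certificate.
slave_import_cert() {   # slave_import_cert <slave_db> <pwfile> <in.crt>
  certutil -A -d "$1" -f "$2" -n "Server-Cert" -t "u,u,u" -a -i "$3"
  certutil -V -d "$1" -f "$2" -n "Server-Cert" -u V
}
```

The 'u' in a trust string is only displayed when the matching private key is in that database, so "CTu,u,u" on the slave collapses to "CT,," while the same CA shows "CTu,u,u" on the master.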