[389-users] TinyCA2 & 389-DS

Jeff Moody jeff.moody at evscorporation.com
Thu Feb 25 22:20:57 UTC 2010


I'm trying to set up two 389 Directory Services servers in a replication scenario. I can do this quite easily without any SSL/TLS setup.

In an effort to improve the security of our environment, I would like to get TLS configured so that this replication (and all LDAP authentication attempts) are encrypted.

Using the scripts provided at http://directory.fedoraproject.org/wiki/Howto:SSL I can get one server using SSL; however, when I try to establish the cross-server communication, the SSL/TLS keys appear to fall apart.
My understanding from the logs on the systems is that the two servers (FDSMEM1 and FDSMEM2) do not have a common CA, and so their server-certs do not trust each other.

So, I have set up TinyCA and created a CA cert from a third server. I have generated manual cert requests on the two LDAP servers (after registering the CA cert) and generated the certificates. Replication appears to be working through TLS.

Now, the problem I am having.

When I run the 'certutil -L -d . -n "CA certificate" -a > cacert.asc' command I get a cacert.asc. When I deploy this cacert.asc to my LDAP clients as the key for TLS to start, though, it appears that something isn't handshaking well and I am never able to query the LDAP server from a client.

Has anyone gotten a 389DS system (or pair of systems) fully working with certs managed & created by TinyCA2? If so, what are the gotchas that I must be missing to get this working? Would anyone be willing to help me write a HOWTO on getting this working so that it would be outlined more effectively for newer users?

Thanks.

--
Jeff Moody
Senior Systems Engineer
Electronic Vaulting Services
5050 Poplar Ave., Suite 1600
Memphis, TN 38157
(901) 259-2387 - 24x7 Helpdesk
(901) 213-5146 - Office
(901) 497-1444 - Mobile
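Added example (not part of the post above, and not TinyCA or 389-DS code): a small Python checker to run against the cacert.asc that the post exports with 'certutil -L -d . -n "CA certificate" -a' before copying it to clients. It answers the two questions a client's TLS library will ask of a trust anchor: is the file a PEM-armored certificate at all, and is that certificate the CA itself (subject equals issuer, basicConstraints cA=TRUE) rather than a server cert issued by the CA? The DER walk is a minimal hand-written parser that reads only those fields; it does no signature or chain verification. The test certificates it builds (CA name "TinyCA Test CA", dummy RSA key, dummy signature; FDSMEM1 is taken from the post) are constructed test data, not real TinyCA output.

```python
# Added example (not from the original post). Inspect the CA cert file exported
# from the 389-DS NSS database before deploying it to LDAP clients.
# Standard library only; the ASN.1 code is a minimal DER reader, not a verifier.
import base64

BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
OID_CN, OID_BASIC_CONSTRAINTS = b"\x55\x04\x03", b"\x55\x1d\x13"  # 2.5.4.3, 2.5.29.19
OID_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"                  # 1.2.840.113549.1.1.1

def _read_tlv(buf, pos):
    """Read one DER tag/length/value; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _children(body):
    """All top-level TLVs inside a constructed value."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        out.append((tag, val))
    return out

def _cn(name):
    """commonName from an X.501 Name (SEQUENCE OF SET OF SEQUENCE{OID, value})."""
    for _, rdn in _children(name):
        for _, atv in _children(rdn):
            (_, oid), (_, val) = _children(atv)[:2]
            if oid == OID_CN:
                return val.decode("utf-8", "replace")
    return None

def _to_der(data):
    """Accept raw DER or the PEM armor that 'certutil -a' writes (first cert only)."""
    if data[:1] == b"\x30":
        return data
    text = data.decode("ascii", "replace")
    start, end = text.find(BEGIN), text.find(END)
    if start < 0 or end < 0:
        raise ValueError("no PEM CERTIFICATE armor; export with 'certutil -L ... -a'")
    return base64.b64decode("".join(text[start + len(BEGIN):end].split()))

def inspect_cert(data):
    """Subject/issuer CN, whether subject == issuer, and the basicConstraints cA bit."""
    tag, cert, _ = _read_tlv(_to_der(data), 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE, so not a certificate")
    _, tbs, _ = _read_tlv(cert, 0)                 # tbsCertificate
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                       # optional [0] EXPLICIT version
        fields = fields[1:]
    issuer, subject = fields[2][1], fields[4][1]   # serial, sigAlg, issuer, validity, subject, spki
    is_ca = False
    for tag, val in fields[6:]:
        if tag != 0xA3:                            # [3] EXPLICIT extensions
            continue
        _, ext_seq, _ = _read_tlv(val, 0)
        for _, ext in _children(ext_seq):
            parts = _children(ext)                 # extnID, [critical], extnValue
            if parts[0][1] == OID_BASIC_CONSTRAINTS:
                _, bc, _ = _read_tlv(parts[-1][1], 0)
                is_ca = any(t == 0x01 and v == b"\xff" for t, v in _children(bc))
    return {"subject_cn": _cn(subject), "issuer_cn": _cn(issuer),
            "self_signed": issuer == subject, "is_ca": is_ca}

def ca_deploy_problems(data):
    """Reasons the file is not usable as a client trust anchor (empty list = looks fine)."""
    info, problems = inspect_cert(data), []
    if not info["self_signed"]:
        problems.append("subject != issuer: a cert issued BY the CA, not the CA cert itself")
    if not info["is_ca"]:
        problems.append("basicConstraints cA is not TRUE: clients will not chain through it")
    return problems

# --- constructed test data: just enough DER encoding to build unsigned test certs ---
def _tlv(tag, body):
    n = len(body)
    length = bytes([n]) if n < 0x80 else (b"\x81" + bytes([n]) if n < 0x100
                                          else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + length + body

def _name(cn):
    return _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, OID_CN) + _tlv(0x0C, cn.encode()))))

def make_test_cert(subject_cn, issuer_cn, is_ca):
    """Structurally valid X.509 v3 cert with a dummy key and dummy signature (test data only)."""
    alg = _tlv(0x30, _tlv(0x06, OID_RSA) + _tlv(0x05, b""))
    bc_value = _tlv(0x30, _tlv(0x01, b"\xff") if is_ca else b"")   # cA TRUE / DEFAULT FALSE
    ext = _tlv(0x30, _tlv(0x06, OID_BASIC_CONSTRAINTS) + _tlv(0x01, b"\xff") + _tlv(0x04, bc_value))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + alg + _name(issuer_cn)
               + _tlv(0x30, _tlv(0x17, b"100225000000Z") + _tlv(0x17, b"200225000000Z"))
               + _name(subject_cn) + _tlv(0x30, alg + _tlv(0x03, b"\x00" * 9))
               + _tlv(0xA3, _tlv(0x30, ext)))
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00" * 17))

def to_pem(der):
    b64 = base64.encodebytes(der).decode().replace("\n", "")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"{BEGIN}\n{body}\n{END}\n".encode()

if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:       # e.g. python check_cacert.py cacert.asc
        data = f.read()
    print(inspect_cert(data), ca_deploy_problems(data) or "looks like a usable CA cert")
```

If the checker reports subject == issuer and cA=TRUE, the file is at least the right object to hand out; the remaining client-side step is to point the client library at it (for OpenLDAP clients, TLS_CACERT in ldap.conf) and test the handshake itself with an explicit StartTLS, e.g. 'ldapsearch -ZZ -x -H ldap://FDSMEM1 -b "" -s base', which fails loudly if the server cert does not chain to that CA or its subject does not match the host name used in the URL. If the export contains more than one certificate (certutil without -n), the checker only looks at the first.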





