On Tue, 2005-11-15 at 09:57 -0800, Daniel B. Thurman wrote:
> >From: fedora-list-bounces@xxxxxxxxxx
> >[mailto:fedora-list-bounces@xxxxxxxxxx]On Behalf Of Craig White
> >Sent: Monday, November 14, 2005 5:52 PM
> >To: For users of Fedora Core releases
> >Subject: RE: LDAP SSL Problems (was: service script (/etc/init.d/ldap))
> >
> >On Mon, 2005-11-14 at 17:15 -0800, Daniel B. Thurman wrote:
> >> >From: fedora-list-bounces@xxxxxxxxxx
> >> >[mailto:fedora-list-bounces@xxxxxxxxxx]On Behalf Of Craig White
> >> >Sent: Monday, November 14, 2005 5:10 PM
> >> >To: For users of Fedora Core releases
> >> >Subject: RE: LDAP SSL Problems (was: service script (/etc/init.d/ldap))
> >> >
> ... snip
>
> >here is my entire script... (watch for line wrap because of email line
> >limits)
> >
> ># cat /root/scripts/make.certs
> >#!/bin/sh
> >
> >cd /usr/share/ssl/certs
> >mkdir /etc/ssl
> >
> >openssl genrsa -des3 -out ca.key 2048
> >openssl genrsa -des3 -out server.key 1024
> >
> >#### generate web server certificate ####
> >openssl rsa -in server.key -out server.key.unsecure
> >openssl req -config /usr/share/ssl/openssl.cnf -new -x509 -days 3650 -key server.key.unsecure -out server.crt
> >rm -fr /etc/httpd/conf/ssl.crt/server.crt
> >cp server.crt /etc/httpd/conf/ssl.crt/
> >rm -fr /etc/httpd/conf/ssl.key/server.key
> >cp server.key.unsecure /etc/httpd/conf/ssl.key/server.key
> >
> >#### generate cyrus certificate ####
> >openssl req -config /usr/share/ssl/openssl.cnf -new -x509 -nodes -out /etc/ssl/cyrus-global.pem -keyout /etc/ssl/cyrus-global.pem -days 3650
> >openssl gendh 512 >> /etc/ssl/cyrus-global.pem
> >
> >#### generate openldap certificate ####
> >openssl req -config /usr/share/ssl/openssl.cnf -new -x509 -days 3650 -key ca.key -out ca.cert
> >openssl genrsa -out ldap.key 1024
> >openssl req -config /usr/share/ssl/openssl.cnf -new -key ldap.key -out ldap.csr
> >openssl x509 -req -in ldap.csr -out ldap.cert -CA ca.cert -CAkey ca.key -CAcreateserial -days 3650
>
> I am a little confused with the last openssl command above.
>
> I note that ldap.cert is generated but is not copied to the
> /etc/ssl so does ldap need this file?
>
> Also, does ldap need the ca.key or does it use its own ldap.key
> file?
>
> >cp ca.cert /etc/ssl
> >cp ca.key /etc/ssl
> >cp ldap.key /etc/ssl
> >cp ldap.csr /etc/ssl
> >
> >Craig
>
> Thanks for sharing the script.
>
----
slapd.conf

#TLSCipherSuite HIGH:MEDIUM:+SSLv2
#TLSCertificateFile /etc/openldap/ldap.cert
#TLSCertificateKeyFile /etc/openldap/ldap.key
#TLSCACertificateFile /etc/openldap/ca.crt

ca = certificate authority

Craig
--
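As an added example (not Craig's script and not part of the thread), here is a small POSIX shell script that builds the same CA and LDAP server key/cert pair in a scratch directory, then checks what Daniel asks about: that ldap.cert chains to ca.cert, that ldap.key is the private key for ldap.cert, and that slapd needs only ldap.cert, ldap.key and the CA certificate, never ca.key. The directory, subject names and key sizes are made up for the example.

```shell
#!/bin/sh
# Added example: reproduce the thread's CA -> LDAP cert procedure in a
# scratch directory, then verify the files fit together before slapd.conf
# points at them. Assumes the openssl CLI is installed.
set -e

# Create CA key and self-signed CA cert, then an LDAP key, CSR and a
# CA-signed LDAP cert. Argument: an existing working directory.
make_ldap_certs() {
    dir="$1"
    # The thread used -des3 (passphrase-protected); an unencrypted key is
    # used here so the example runs unattended.
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$dir/ca.key" -out "$dir/ca.cert" \
        -days 3650 -subj "/CN=Example Test CA"
    # LDAP server key and certificate signing request
    openssl genrsa -out "$dir/ldap.key" 2048 2>/dev/null
    openssl req -new -key "$dir/ldap.key" -out "$dir/ldap.csr" \
        -subj "/CN=ldap.example.test"
    # Sign the CSR with the CA: the same step as the last command in
    # the thread's make.certs script
    openssl x509 -req -in "$dir/ldap.csr" -out "$dir/ldap.cert" \
        -CA "$dir/ca.cert" -CAkey "$dir/ca.key" -CAcreateserial \
        -days 3650 2>/dev/null
}

# Check (1) ldap.cert verifies against ca.cert, (2) ldap.key matches
# ldap.cert (same RSA modulus), (3) the three files slapd needs exist.
# ca.key is only used by the CA to sign; slapd never needs it, so it is
# deliberately not part of this check. Returns 0 on success, 1 otherwise.
check_ldap_certs() {
    dir="$1"
    openssl verify -CAfile "$dir/ca.cert" "$dir/ldap.cert" >/dev/null 2>&1 || return 1
    cert_mod=$(openssl x509 -noout -modulus -in "$dir/ldap.cert")
    key_mod=$(openssl rsa -noout -modulus -in "$dir/ldap.key" 2>/dev/null)
    [ "$cert_mod" = "$key_mod" ] || return 1
    for f in ldap.cert ldap.key ca.cert; do
        [ -r "$dir/$f" ] || return 1
    done
    return 0
}
```

Running `make_ldap_certs "$d" && check_ldap_certs "$d"` on a scratch directory answers the question in the thread: slapd is pointed at ldap.cert, ldap.key and ca.cert, and the check fails as soon as the key and certificate stop matching.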