LDAP geek


Monday 22 January 2007

Enabling TLS on a SUN One Directory Server Using OpenSSL

I use OpenSSL here as the certificate authority. SUN DS generates a server certificate request, which is then signed with OpenSSL (in my case).

In SUN One DS administration console, open your LDAP server console, then choose "Manage Certificates". Choose a server if not already done, then generate a server certificate request, using certificate information compatible with your C.A. information (locality, country, etc.).

Save it into a file and copy it to your OpenSSL demoCA directory under the name newreq.pem. Edit the file to remove the unexpected lines that the SUN One console often adds to it.

Then, launch:

# /usr/lib/ssl/misc/CA.sh -sign

This creates a file named newcert.pem. Import it in the SUN One console by choosing "Install..." in the "Manage Certificates" tool.

TLS Certificate Authority on Ubuntu Edgy (for OpenLDAP)

Here are the steps to build a very simple CA with OpenSSL, to be used with OpenLDAP:

Disable private keys ciphering

OpenLDAP (AFAIK) needs private keys to be in cleartext. Copy the OpenSSL CA.sh file in your working directory:

# cp /usr/lib/ssl/misc/CA.sh CA-nodes.sh

then modify it to add -nodes in the -newcert) and -newreq) sections:

-newcert)
   # create a certificate
   $REQ -new -nodes -x509 -keyout newreq.pem -out newreq.pem $DAYS
   RET=$?
   echo "Certificate (and private key) is in newreq.pem"
   ;;
-newreq)
   # create a certificate request
   $REQ -new -nodes -keyout newreq.pem -out newreq.pem $DAYS
   RET=$?
   echo "Request (and private key) is in newreq.pem"
   ;;

Create the CA

# /usr/lib/ssl/misc/CA.sh -newca

Generate a server certificate request

# ./CA-nodes.sh -newreq

Be sure to use the FQDN of your server as the common name of the certificate: it is the name client applications will connect with, and the one they will check against the certificate.

Sign the certificate request

# ./CA-nodes.sh -sign

Use the newly created certificate files

The certificate authority file is ./demoCA/cacert.pem. The server certificate file is newcert.pem. The server certificate key file is newkey.pem.

# mkdir /etc/ldap/tls
# cp newcert.pem /etc/ldap/tls/slapd-cert.pem
# cp newkey.pem /etc/ldap/tls/slapd-key.pem
# cp ./demoCA/cacert.pem /etc/ldap/tls/

Modify OpenLDAP's slapd.conf file to contain the following lines:

TLSCACertificateFile    /etc/ldap/tls/cacert.pem
TLSCertificateFile      /etc/ldap/tls/slapd-cert.pem
TLSCertificateKeyFile   /etc/ldap/tls/slapd-key.pem

You can then test your installation with:

ldapsearch -x -ZZ -h 'your_server_FQDN' -b '' -s base
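Before pointing slapd.conf at the three files, it is worth checking that they fit together and match the requirements above (unencrypted key, CN equal to the FQDN, certificate signed by the CA clients will trust). The shell function below is an added example, not part of the original post or of the CA.sh script; it assumes the CA certificate, server certificate, server key and FQDN are passed as its four arguments.

```shell
#!/bin/sh
# check_slapd_tls CA_CERT SERVER_CERT SERVER_KEY FQDN
# Sanity-checks the files produced by the CA.sh procedure before they
# are referenced from slapd.conf. Returns 0 when every check passes.
check_slapd_tls() {
  ca="$1"; cert="$2"; key="$3"; fqdn="$4"; rc=0

  # 1. The key must be unencrypted (the reason for -nodes): slapd runs
  #    as a daemon and cannot prompt for a passphrase at startup.
  if grep -q 'ENCRYPTED' "$key"; then
    echo "FAIL: private key $key is passphrase-protected" >&2; rc=1
  fi

  # 2. The server certificate must chain to the CA file that clients
  #    will be given as their trust anchor (demoCA/cacert.pem).
  if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo "FAIL: $cert does not verify against $ca" >&2; rc=1
  fi

  # 3. Certificate and key must belong together: compare the public key
  #    embedded in the certificate with the one derived from the key.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl md5)
  key_pub=$(openssl pkey -in "$key" -pubout </dev/null 2>/dev/null | openssl md5)
  if [ "$cert_pub" != "$key_pub" ]; then
    echo "FAIL: certificate and key do not match" >&2; rc=1
  fi

  # 4. The subject CN must be the FQDN clients connect to; otherwise
  #    ldapsearch -ZZ (and every other verifying client) will refuse it.
  cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 \
       | sed -n 's/.*CN=\([^,]*\).*/\1/p')
  if [ "$cn" != "$fqdn" ]; then
    echo "FAIL: certificate CN '$cn' does not equal '$fqdn'" >&2; rc=1
  fi

  return $rc
}
```

Run it as `check_slapd_tls demoCA/cacert.pem newcert.pem newkey.pem ldap.example.com` from the directory where CA-nodes.sh was run; a non-zero exit tells you which file to regenerate before touching slapd.conf.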

Friday 18 August 2006

Configuring TLS on IBM Tivoli Directory Server 5.2

I had difficulties configuring TLS on IBM Tivoli Directory Server, because the certificate manager provided with GSKit did not support the .kdb files used by ITDS. Here is some information on how to configure GSKit to handle .kdb files, then how to use your newly created certificate with ITDS.
