>From: owner-openssl-us...@openssl.org On Behalf Of Rodney Simioni
>Sent: Tuesday, 18 June, 2013 15:52

>I'm trying to get LDAP to work with TLS but when I used the
>ldapsearch command to verify TLS is working, this error is showstopping me.
>TLS: cannot open certdb '/etc/openldap/cacerts', error -8018:Unknown PKCS #11 error.
>I just created a CA using an openssl.cnf and the openssl command.
>Here's my openssl.cnf: <snip>
>Here's the command that I used to create the CA.
>OPENSSL=ca.cnf openssl req -x509 -nodes -days 3650 \
>  -newkey rsa:2048 -out mypersonalca/certs/ca.pem \
>  -outform PEM -keyout ./mypersonalca/private/ca.key

That uses ca.cnf, not openssl.cnf. But the config file settings, even if
different, probably don't matter to this problem.

>Here's the command that created the certificates.
>openssl req -newkey rsa:1024 -nodes -sha1 \
>  -keyout cert.key -keyform PEM -out cert.req -outform PEM
>Here's the command that signed the certificate.
>OPENSSL_CONF=ca.cnf openssl ca -batch -notext -in cert.req -out cert.pem

Nit: that created a Certificate Signing Request aka CSR, and then created
and signed a cert from the CSR. A CSR is NOT a cert, or even a cert-TBS
(cert_info), although it is related.

>But when I did 'ldapsearch -d -1 -x -LLL -ZZ' to verify that TLS is working, I got:
<snip lots>
>TLS: certdb config: configDir='/etc/openldap/cacerts' tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly
>TLS: cannot open certdb '/etc/openldap/cacerts', error -8018:Unknown PKCS #11 error.
>TLS: skipping 'ca.pem' - filename does not have expected format (certificate hash with numeric suffix)

openssl verification (aka trust) logic can use CA certs from a file
(concatenated), often referred to as CAFile, or a directory (with hashnames),
often called CApath or CAdir. 'certdb' suggests either. 'cacerts' without
suffix suggests the latter. But in neither case is PKCS#11 involved at all.

What actually is, or is in, /etc/openldap/cacerts? Is it a directory and is
ca.pem a file you put there? openssl will ignore 'extra' files in a CApath,
but maybe openldap doesn't.

If so, the error message is slightly off; the hashname openssl wants is a
hash of the *subject* plus a numeric suffix, not a hash of the cert. But that
could just be a typo. If that file belongs there, try naming it with the
value from commandline x509 -subject_hash (or -hash) followed by dot zero.

>I also have this in my ldif file:
>olcTLSCACertificateFile: /home/rsimioni/mypersonalca/certs/ca.pem
>olcTLSCertificateFile: /home/rsimioni/cert.pem
>olcTLSCertificateKeyFile: /home/rsimioni/cert.key
>olcTLSVerifyClient: allow

http://linux.die.net/man/5/slapd-config describes both olcTLSCACertificateFile
and olcTLSCACertificatePath with meanings that match openssl's, plus an
alternate(?) meaning for MozillaNSS presumably not applicable to you.

______________________________________________________________________
OpenSSL Project                                     http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
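The "subject hash plus dot zero" naming the reply recommends, shown as an added example rather than anything from this thread or from the OpenSSL or OpenLDAP projects. It builds a CApath-style directory (a stand-in for /etc/openldap/cacerts) from a constructed throwaway CA, names each CA cert `<subject_hash>.<n>` using `openssl x509 -subject_hash`, bumps the suffix only when a different cert already holds that slot, and then checks the result with `openssl verify -CApath`. It assumes only that the `openssl` command-line tool is on PATH; the directory, subject names and file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Requires the openssl CLI.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CAPATH="$WORK/cacerts"          # stands in for /etc/openldap/cacerts
mkdir -p "$CAPATH"

# make_test_pki: constructed throwaway CA plus one leaf cert signed by it.
make_test_pki() {
  openssl req -x509 -nodes -days 1 -newkey rsa:2048 -sha256 \
    -subj "/CN=Example Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  openssl req -nodes -newkey rsa:2048 -sha256 \
    -subj "/CN=ldap.example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -days 1 -sha256 -in "$WORK/leaf.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/leaf.pem" 2>/dev/null
}

# install_ca <cert.pem> <capath>
# Copies the cert into <capath> as <subject_hash>.<n> and prints that name.
# n starts at 0; it is only incremented when the slot is taken by a
# *different* cert (subject-hash collision), so re-installing the same
# cert is idempotent and returns the existing name.
install_ca() {
  cert=$1; dir=$2
  hash=$(openssl x509 -noout -subject_hash -in "$cert")
  n=0
  while [ -e "$dir/$hash.$n" ]; do
    if cmp -s "$cert" "$dir/$hash.$n"; then
      echo "$hash.$n"; return 0       # already installed under this name
    fi
    n=$((n + 1))
  done
  cp "$cert" "$dir/$hash.$n"
  echo "$hash.$n"
}

# verify_against_capath <leaf.pem> <capath>: exit 0 iff the chain verifies
# using only the hashed directory (plus whatever openssl's default store has).
verify_against_capath() {
  openssl verify -CApath "$2" "$1" >/dev/null 2>&1
}

# Stand-alone run: build the PKI, install the CA, verify the leaf.
make_test_pki
name=$(install_ca "$WORK/ca.pem" "$CAPATH")
verify_against_capath "$WORK/leaf.pem" "$CAPATH"
echo "installed CA as $CAPATH/$name; leaf cert verifies"
```

The same directory layout is what `olcTLSCACertificatePath` in the slapd-config manual page refers to, and on the client side what `TLS_CACERTDIR` in ldap.conf(5) expects; a bare `ca.pem` dropped into such a directory is exactly the file the "skipping 'ca.pem'" line above complains about. Files whose hash name does not match their subject, or stale `.0` links left behind after a CA rotation, are the usual reasons a directory that "contains the CA" still fails to verify, so an installer that recomputes the hash and checks for collisions is worth keeping around.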