Comments inline.

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dave Thompson
Sent: Tuesday, June 18, 2013 10:29 PM
To: openssl-users@openssl.org
Subject: RE: cannot open certdb

>From: owner-openssl-us...@openssl.org On Behalf Of Rodney Simioni
>Sent: Tuesday, 18 June, 2013 15:52
>
>I'm trying to get LDAP to work with TLS but when I used the ldapsearch
>command to verify TLS is working, this error is showstopping me.
>TLS: cannot open certdb '/etc/openldap/cacerts', error -8018:Unknown
>PKCS #11 error.
>I just created a CA using an openssl.cnf and the openssl command.
>Here's my openssl.cnf:
<snip>
>Here's the command that I used to create the CA.
>OPENSSL=ca.cnf openssl req -x509 -nodes -days 3650 \
> -newkey rsa:2048 -out mypersonalca/certs/ca.pem \
> -outform PEM -keyout ./mypersonalca/private/ca.key

That uses ca.cnf not openssl.cnf. But the config file settings, even if different, probably don't matter to this problem.

[[Rod's comment]] Sorry about that, it's a typo.

>Here's the command that created the certificates.
>openssl req -newkey rsa:1024 -nodes -sha1 \
> -keyout cert.key -keyform PEM -out cert.req -outform PEM
>Here's the command that signed the certificate.
>OPENSSL_CONF=ca.cnf openssl ca -batch -notext -in cert.req -out
>cert.pem

Nit: that created a Certificate Signing Request aka CSR, and then created and signed a cert from the CSR. A CSR is NOT a cert, or even a cert-TBS (cert_info), although it is related.

[[Rod's comment]] Oh, I thought that created the actual CA file, my bad. So, what should I do?

>But when I did ' ldapsearch -d -1 -x -LLL -ZZ' to verify that TLS is working, I got:
<snip lots>
>TLS: certdb config: configDir='/etc/openldap/cacerts' tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly
>TLS: cannot open certdb '/etc/openldap/cacerts', error -8018:Unknown
>PKCS #11 error.
>TLS: skipping 'ca.pem' - filename does not have expected format (certificate hash with numeric suffix)

openssl verification (aka trust) logic can use CA certs from a file (concatenated) often referred to as CAFile or a directory (with hashnames) often called CApath or CAdir. 'certdb' suggests either. 'cacerts' without suffix suggests the latter. But in neither case is PKCS#11 involved at all.

What actually is, or is in, /etc/openldap/cacerts ?

[[Rod's comment]] The contents of the directory is the ca.pem file I created above; I copied it over there from the directory where I created the file.

Is it a directory and is ca.pem a file you put there?

[[Rod's comment]] As I said above, it's a file.

openssl will ignore 'extra' files in a CApath, but maybe openldap doesn't. If so, the error message is slightly off; the hashname openssl wants is a hash of the *subject* plus a numeric suffix, not a hash of the cert. But that could just be a typo. If that file belongs there try naming it with the value from commandline x509 -subject_hash (or -hash) followed by dot zero.

[[Rod's comment]] Could you kindly post the actual command here?

>I also have this in my ldif file:
>olcTLSCACertificateFile: /home/rsimioni/mypersonalca/certs/ca.pem
>olcTLSCertificateFile: /home/rsimioni/cert.pem
>olcTLSCertificateKeyFile: /home/rsimioni/cert.key
>olcTLSVerifyClient: allow

[[Rod's comment]] I actually removed the olcTLS entries from the ldif file and restarted slapd. I want to concentrate on getting openldap to work with tls/ssl from the ldap.conf file in /etc/openldap/.

http://linux.die.net/man/5/slapd-config describes both olcTLSCACertificateFile and olcTLSCACertificatePath with meanings that match openssl's, plus an alternate(?) meaning for MozillaNSS presumably not applicable to you.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
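The command Rod asks for, written out as an added example that is not part of the thread: a small POSIX shell script that names a CA certificate the way OpenSSL's CApath lookup expects, the subject hash from `openssl x509 -subject_hash` plus a numeric suffix starting at .0, as Dave describes. It assumes the openssl command-line tool is installed and, as Dave's reply does, that OpenLDAP is using OpenSSL-style CApath lookup rather than the MozillaNSS certdb. The self-signed demo CA it creates in a temp directory is constructed for the example and stands in for ca.pem; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread): install a PEM CA certificate into an
# OpenSSL-style CApath directory under the hashed name OpenSSL looks up,
# i.e. <subject hash>.<n>, which is what Dave suggests for /etc/openldap/cacerts.
# Assumes the openssl command-line tool is installed.
set -eu

# Print the file name OpenSSL expects for a CA cert in a CApath: the hash of
# the certificate *subject* (not of the whole cert) plus a numeric suffix.
# -subject_hash is the current option name; older OpenSSL spelled it -hash.
subject_hash_name() {
    # $1 = PEM certificate file, $2 = CApath directory (for collision check)
    cert="$1"; dir="$2"
    hval=$(openssl x509 -noout -subject_hash -in "$cert")
    n=0
    # Two different CAs with the same subject hash get .0, .1, ... in turn,
    # which is the same scheme c_rehash uses.
    while [ -e "$dir/$hval.$n" ]; do
        # The same cert already installed under this name: reuse it.
        if cmp -s "$cert" "$dir/$hval.$n"; then break; fi
        n=$((n + 1))
    done
    printf '%s.%s\n' "$hval" "$n"
}

# Copy the CA cert into the CApath directory under its hashed name, then
# check that OpenSSL can actually find it there before touching ldapsearch.
install_ca() {
    cert="$1"; dir="$2"
    mkdir -p "$dir"
    name=$(subject_hash_name "$cert" "$dir")
    cp "$cert" "$dir/$name"
    # A self-signed CA cert verifies against the CApath only if the lookup
    # by hashed name works, so this is the cheap "is the name right" test.
    openssl verify -CApath "$dir" "$cert" >/dev/null
    printf '%s\n' "$dir/$name"
}

# Constructed demo: a throwaway self-signed CA in a temp directory, standing
# in for mypersonalca/certs/ca.pem from the thread.
DEMO=$(mktemp -d)
openssl req -x509 -nodes -days 1 -newkey rsa:2048 -subj '/CN=Demo Test CA' \
    -keyout "$DEMO/ca.key" -out "$DEMO/ca.pem" 2>/dev/null
INSTALLED=$(install_ca "$DEMO/ca.pem" "$DEMO/cacerts")
echo "installed as $INSTALLED"
```

For the setup in the thread the target directory would be /etc/openldap/cacerts (or whatever olcTLSCACertificatePath points at), and the `openssl verify -CApath` step at the end of `install_ca` is the check to run before retrying ldapsearch: if OpenSSL itself cannot find the CA under that name, OpenLDAP will not either.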