Read my comments please.

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] 
On Behalf Of Patrick Patterson
Sent: Wednesday, June 19, 2013 7:50 PM
To: openssl-users@openssl.org
Subject: Re: Creating certificates

Hi Rodney,

First of all, this isn't a CA certificate - the "Basic Constraints CA:FALSE" 
quite plainly points to this.

This is a wildcard certificate for use by authorised representatives of 
"securesites.com" to be able to use for their own servers.
[[Rod's comment]] Precisely, I want to use this CA for 
blahblah.securesites.com. (ldap server).

Therefore, you will never be able to create any further certificates, you'll
just be able to use this certificate and keypair to enable "secure"
communications between your clients and your servers.
[[Rod's comment]] Keypair? Do you mean I can use this CA and the key file it
was accompanied with to configure LDAP/TLS/SSL so that my LDAP server will be an
authentication provider for services such as shell and ftp?

You MAY need to obtain the GeoTrust CA Certificate to assist people to resolve 
the trust to your Server.
[[Rod's comment]] Ah, ok, I'm starting to understand this process.... Correct me
if I am wrong, my admin basically sent me a cert/key pair and if LDAP requires
the CA certificate, I'll need to get that from GeoTrust...

From your previous message, I think that your instance of OpenLDAP is
configured to use the Mozilla LibNSS Security Library, and not OpenSSL - the
reference to certdb / pkcs#11 sounds a lot like a LibNSS error to me.
Therefore, questions regarding the configuration of your server may be more
appropriately directed at the OpenLDAP mailing list, and any Certificate
issues at the Mozilla LibNSS mailing list.
[[Rod's comment]] Thanks!

Best Regards,

Patrick.


On 2013-06-19, at 5:58 PM, Rodney Simioni wrote:

> Hi,
> 
> There was an email earlier yesterday about LDAP/SSL/TLS but I'm going to
> revise my question. Please disregard the email because instead of creating
> certificates, I'm going to use certs provided by my linux admin to configure
> SSL/TLS with LDAP.
> 
> My sysadmin gave me 3 wildcard openssl files; with an ext of .cert, .csr,
> and .key.
> 
> This wildcard.xxxxxxx.cert is supposed to be a CA, below are the important
> contents:
> 
> [root@fl1-lsh99apa007 ~]# openssl x509 -in wildcard.securesites.com.cert -noout -text
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 69277 (0x10e9d)
>         Signature Algorithm: sha1WithRSAEncryption
>         Issuer: C=US, O=GeoTrust, Inc., CN=GeoTrust SSL CA
>         Validity
>             Not Before: Dec  1 05:59:42 2011 GMT
>             Not After : Dec  2 01:04:06 2016 GMT
>         Subject: serialNumber=NwnaG0OQxm/2fIiyWh6NThC40ROOk/KH, C=US, ST=Colorado, L=Englewood, O=MYNAMESERVER, LLC, OU=Secure Services Division, CN=*.securesites.com
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>                 Public-Key: (2048 bit)
> ....
>         X509v3 extensions:
>             X509v3 Authority Key Identifier:
>                 keyid:42:79:54:1B:61:CD:55:2B:3E:63:D5:3C:48:57:F5:9F:FB:45:CE:4A
>             X509v3 Key Usage: critical
>                 Digital Signature, Key Encipherment, Data Encipherment
>             X509v3 Extended Key Usage:
>                 TLS Web Server Authentication, TLS Web Client Authentication
>             X509v3 Subject Alternative Name:
>                 DNS:*.securesites.com, DNS:securesites.com
>             X509v3 CRL Distribution Points:
>                 Full Name:
>                   URI:http://gtssl-crl.geotrust.com/crls/gtssl.crl
>             X509v3 Subject Key Identifier:
>                 D9:88:62:C6:90:FE:5D:78:9B:AE:5A:78:AF:DF:30:49:7E:54:D3:83
>             X509v3 Basic Constraints: critical
>                 CA:FALSE
>             Authority Information Access:
>                 CA Issuers - URI:http://gtssl-aia.geotrust.com/gtssl.crt
> 
> How do I create signed certificates with the CA above and those wildcard
> files so that it will be used with LDAP?
> 
> Please excuse my ignorance with openssl, I've been working with this for a
> few days and there are so many ways to configure LDAP/SSL searching google
> but they haven't worked for me probably because I lack experience with SSL,
> thanks in advance.
> 
> Rod
> 
> 
> This email message is intended for the use of the person to whom it has been 
> sent, and may contain information that is confidential or legally protected. 
> If you are not the intended recipient or have received this message in error, 
> you are not authorized to copy, distribute, or otherwise use this message or 
> its attachments. Please notify the sender immediately by return e-mail and 
> permanently delete this message and any attachments. Verio Inc. makes no 
> warranty that this email is error or virus free.  Thank you.

---
Patrick Patterson
Chief PKI Architect
Carillon Information Security Inc.
http://www.carillon.ca





______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org


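The checks Patrick's reply implies, written out as an added example (not code from the thread or from either poster). It uses only the openssl CLI. Because the real GeoTrust issuer and the admin's files are not available here, it first constructs a throwaway root CA ("Test Root CA") and a wildcard server cert ("*.example.test") with the same extension profile as the dump above (CA:FALSE, serverAuth/clientAuth, wildcard SAN); those names, the file names and the Example Test organisation are assumptions. It then confirms that the .key belongs to the .cert, reads Basic Constraints, verifies the chain against the issuer's CA cert (for the real cert, that is the file the "CA Issuers" URI under Authority Information Access points at), and shows what happens when a CA:FALSE cert is used to sign something anyway.

```shell
#!/bin/sh
# Added example (not from the thread): sanity checks for a server cert/key
# pair handed over by an admin, using only the openssl CLI. A throwaway root
# CA and wildcard cert are generated first so everything runs offline; the
# names "Test Root CA" and "*.example.test" are constructed stand-ins for
# GeoTrust and *.securesites.com.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Constructed issuer: a self-signed root (req -x509 adds CA:TRUE by default).
openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -subj "/O=Example Test/CN=Test Root CA" \
    -keyout ca.key -out ca.crt >/dev/null 2>&1

# Constructed end-entity pair with the same extension profile as the cert in
# the thread: CA:FALSE, serverAuth/clientAuth, wildcard SAN.
openssl req -newkey rsa:2048 -nodes \
    -subj "/O=Example Test/CN=*.example.test" \
    -keyout wildcard.key -out wildcard.csr >/dev/null 2>&1
cat > leaf.ext <<'EOF'
basicConstraints=critical,CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth,clientAuth
subjectAltName=DNS:*.example.test,DNS:example.test
EOF
openssl x509 -req -days 1 -in wildcard.csr -CA ca.crt -CAkey ca.key \
    -CAcreateserial -extfile leaf.ext -out wildcard.cert >/dev/null 2>&1

# Check 1: the .key file really belongs to the .cert (same RSA modulus).
# Usage: key_matches_cert CERT KEY
key_matches_cert() {
    cert_mod=$(openssl x509 -in "$1" -noout -modulus)
    key_mod=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null)
    [ "$cert_mod" = "$key_mod" ]
}

# Check 2: can this certificate act as an issuer? True only for CA:TRUE.
# Usage: is_ca_cert CERT
is_ca_cert() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Basic Constraints' | grep -q 'CA:TRUE'
}

# Check 3: the leaf chains to the issuer's CA cert (for the real cert, the
# file behind the AIA "CA Issuers" URI). Usage: chain_verifies CERT CAFILE
chain_verifies() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Why a CA:FALSE cert cannot create further certificates: "openssl x509 -req"
# may still produce a signature with it, but a relying party rejects the
# result because the would-be intermediate is not a CA.
# Returns 0 when the leaf-signed cert fails verification (the expected case).
leaf_cannot_issue() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=ldap.example.test" \
        -keyout sub.key -out sub.csr >/dev/null 2>&1
    openssl x509 -req -days 1 -in sub.csr -CA wildcard.cert -CAkey wildcard.key \
        -CAcreateserial -out sub.cert >/dev/null 2>&1 || return 0
    ! openssl verify -CAfile ca.crt -untrusted wildcard.cert sub.cert >/dev/null 2>&1
}

# Stand-alone run: report each check for the constructed pair.
if key_matches_cert wildcard.cert wildcard.key; then echo "key matches cert"; fi
if is_ca_cert wildcard.cert; then echo "cert is a CA"; else echo "cert is CA:FALSE: end-entity only"; fi
if chain_verifies wildcard.cert ca.crt; then echo "chain verifies against issuer CA"; fi
if leaf_cannot_issue; then echo "a cert signed with the leaf is rejected"; fi
```

Run against the admin's real files, the same three checks are `key_matches_cert wildcard.securesites.com.cert wildcard.securesites.com.key`, `is_ca_cert` (which prints nothing and returns false for the dump above, since it says CA:FALSE), and `chain_verifies` with the GeoTrust SSL CA certificate fetched from the AIA URI saved as the CA file. For an OpenLDAP built against OpenSSL, those three files map onto the slapd directives TLSCACertificateFile (the issuer chain), TLSCertificateFile and TLSCertificateKeyFile; a build against Mozilla NSS instead wants the cert and key imported into a certdb, which is the configuration Patrick reads from the certdb / PKCS#11 error.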
