The SSL roles are _opposite_ the master/slave roles.  The master pushes
changes to the slave.  So in this instance, the _slave_ is the SSL _server_,
and the _master_ is the SSL _client_.

> In order to be an SSL server, the slave must have a server cert/key and CA
> cert.
> In order to be an SSL client, the master must have just the CA cert.
>


Can anyone provide the commands for this, and I'll add them to the SSL howto;
this isn't well explained anywhere.  Here's what I ran into:
I create a CA cert and server cert on the master, and after exporting the CA
cert, I import it into the slave. How should I generate a server cert on the
slave?   I also notice the trusts are different from the CA cert on the
master:


[root@ldapslave slapd-ldapslave]# certutil -A -d . -n "CA certificate" -t "CTu,u,u" -a -i cacert.asc
[root@ldapslave slapd-ldapslave]# certutil -d . -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CA certificate                                               CT,,


How can I generate a server cert on the slave now?  Using the following
command fails because it doesn't have the matching private key for the CA:

certutil -S -n "Server-Cert" -s "cn=ldapslave.mydomain.com" -c "CA certificate" -t "u,u,u" -m 1002 -v 120 -d . -k rsa

     certutil: unable to retrieve key CA certificate: The private key for this certificate cannot be found in key database
--
389 users mailing list
389-us...@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
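One way to get a Server-Cert onto the slave when only the master's NSS database holds the CA private key, given here as an added example that is not part of the original thread: the slave generates a key pair and CSR with `certutil -R`, the master signs the CSR with `certutil -C` (the same CA nickname, serial and validity the post passed to `-S`), and the slave imports the signed cert with `certutil -A` so it pairs with the key already in its db. The database paths, the CA nickname and the slave hostname are assumptions modelled on the thread; the small listing parser at the end checks the trust flags of a `certutil -L` listing offline and is exercised against a constructed sample.

```shell
#!/bin/sh
# Added example, not from the thread: issue the slave's Server-Cert via a CSR.
# "certutil -S -c" on the slave fails because the CA key is only on the master,
# so the signing step has to happen where that key lives.
# Paths, nicknames and hostname are assumptions.
set -eu

MASTER_DB="/etc/dirsrv/slapd-ldapmaster"   # assumed: NSS db that holds the CA key
SLAVE_DB="/etc/dirsrv/slapd-ldapslave"     # assumed: slave's NSS db
CA_NICK="CA certificate"
SERVER_NICK="Server-Cert"
SLAVE_DN="cn=ldapslave.mydomain.com"
# Add "-f /path/to/pwdfile" to each certutil call if the db has a password.

# Step 1, on the slave: key pair stays in SLAVE_DB, request is written to slave.csr.
slave_make_csr() {
    dd if=/dev/urandom of=noise.bin bs=1024 count=1 2>/dev/null
    certutil -R -d "$SLAVE_DB" -s "$SLAVE_DN" -k rsa -g 2048 \
             -z noise.bin -a -o slave.csr
    rm -f noise.bin
}

# Step 2, on the master after copying slave.csr there: sign with the CA key.
master_sign_csr() {
    certutil -C -d "$MASTER_DB" -c "$CA_NICK" -a -i slave.csr -o slave.crt \
             -m 1002 -v 120
}

# Step 3, on the slave after copying slave.crt back: cert meets its private key.
slave_import_cert() {
    certutil -A -d "$SLAVE_DB" -n "$SERVER_NICK" -t "u,u,u" -a -i slave.crt
}

# Print the trust column for nickname $2 from "certutil -L" output passed as $1.
# The nickname may contain spaces, so strip the last field and compare the rest.
trust_of() {
    printf '%s\n' "$1" | awk -v nick="$2" '
        NF > 1 { t = $NF; line = $0
                 sub(/[[:space:]]+[^[:space:]]+$/, "", line)
                 if (line == nick) print t }'
}

# True when the SSL slot (text before the first comma) of a trust string has
# both C (trusted CA for server certs) and T (trusted CA for client certs).
ssl_ca_trust_ok() {
    case "${1%%,*}" in
        *C*T*|*T*C*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample of "certutil -L" output for a finished slave db.
SAMPLE_LISTING='Certificate Nickname                      Trust Attributes
                                          SSL,S/MIME,JAR/XPI

CA certificate                            CT,,
Server-Cert                               u,u,u'

# Listing check: CA is a trusted SSL CA and Server-Cert has its key ("u").
listing_ok() {
    ca=$(trust_of "$1" "$CA_NICK")
    srv=$(trust_of "$1" "$SERVER_NICK")
    ssl_ca_trust_ok "$ca" && [ "${srv%%,*}" = "u" ]
}

if [ "${1:-}" = "check" ]; then
    listing_ok "$(certutil -L -d "$SLAVE_DB")" && echo "slave db OK"
fi
```

Run the three steps on the hosts named in their comments, then `sh issue-slave-cert.sh check` on the slave. On the trust question from the post: the `u` flag in a `certutil -L` listing reflects whether that db holds the matching private key, which is why the CA imported with `CTu,u,u` is listed as `CT,,` on the slave, and why Server-Cert only shows `u,u,u` once the cert has been paired with the key generated in step 1.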