On 05/19/2011 11:18 AM, solarflow99 wrote:
The SSL roles are _opposite_ the master/slave roles. The master
pushes changes to the slave. So in this instance, the _slave_ is the
SSL _server_, and the _master_ is the SSL _client_.
In order to be an SSL server, the slave must have a server
cert/key and CA cert.
In order to be an SSL client, the master must have just the CA cert.
Can anyone provide the commands for this, and I'll add it to the SSL
howto; this isn't well explained anywhere. Here's what I ran into:
I create a CA cert and server cert on the master, and after exporting
the CA cert, I import into the slave, how should I generate a server
cert on the slave? I also notice the trusts are different from the
CA cert on the master:
[root@ldapslave slapd-ldapslave]# certutil -A -d . -n "CA certificate" -t "CTu,u,u" -a -i cacert.asc
[root@ldapslave slapd-ldapslave]# certutil -d . -L

Certificate Nickname                     Trust Attributes
                                         SSL,S/MIME,JAR/XPI

CA certificate                           CT,,
How can I generate a server cert on the slave now? Using the
following command fails because it doesn't have the matching private
key for the CA:
certutil -S -n "Server-Cert" -s "cn=ldapslave.mydomain.com" -c "CA certificate" -t "u,u,u" -m 1002 -v 120 -d . -k rsa

certutil: unable to retrieve key CA certificate: The private key for this certificate cannot be found in key database
You can use certutil on the master to make a cert for the slave, using
the above command on the master. Then, use pk12util to export the slave
cert/key, then take that pk12 file to the slave and use pk12util to
import it (and use certutil to import the CA cert).
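The sequence from the reply above, written out as shell functions; this is an added example, not code from the list or from 389, and the database directories, the cert nickname, the serial number 1002 and the 120-month validity are assumptions to adapt to your own setup.

```shell
#!/bin/sh
# Added example (not from the thread): issue the slave's server cert on the
# master, then move it to the slave. Set DRY_RUN=1 to print the commands
# instead of executing them (certutil/pk12util prompt for passwords).
set -eu

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Run on the MASTER, against the NSS database that holds the CA's private
# key. Issues a cert/key pair for the slave and bundles both into a PKCS#12
# file. The nickname is chosen not to collide with the master's own
# "Server-Cert"; the slave's 389 config must reference the same nickname.
# Serial (-m) must be unique per cert issued by this CA; -v is months.
make_slave_cert_on_master() {
    dbdir=$1 slave_fqdn=$2 serial=$3 out_p12=$4
    nick="$slave_fqdn-Server-Cert"
    run certutil -S -d "$dbdir" -n "$nick" -s "cn=$slave_fqdn" \
        -c "CA certificate" -t "u,u,u" -m "$serial" -v 120 -k rsa
    # The .p12 contains the slave's private key: move it to the slave over a
    # trusted channel and delete the copy afterwards.
    run pk12util -d "$dbdir" -n "$nick" -o "$out_p12"
}

# Run on the SLAVE, against its slapd NSS database. Imports the CA cert with
# trust "CT,," (trusted to issue SSL server and client certs; the "u" flags
# only apply when the private key is present, which is why the master's
# "CTu,u,u" shows up as "CT,," here), then the cert/key pair from the .p12.
import_on_slave() {
    dbdir=$1 cacert_asc=$2 in_p12=$3
    run certutil -A -d "$dbdir" -n "CA certificate" -t "CT,," -a -i "$cacert_asc"
    run pk12util -d "$dbdir" -i "$in_p12"
}

# Dry-run walk-through with constructed values:
#   DRY_RUN=1 make_slave_cert_on_master /etc/dirsrv/slapd-master ldapslave.mydomain.com 1002 /tmp/ldapslave.p12
#   DRY_RUN=1 import_on_slave /etc/dirsrv/slapd-ldapslave cacert.asc /tmp/ldapslave.p12
```

After the import, `certutil -d <dbdir> -L` on the slave should list the CA with `CT,,` and the new server cert with `u,u,u`, confirming the private key came across.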
--
389 users mailing list
389-us...@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users