Webmin version: 1.7
I installed OpenLDAP through the Webmin modules. When I tried to configure the LDAP server to use TLS encryption in Webmin, I got some strange error messages. Clicking the "Generate SSL Certificate" button in Webmin generates only the /etc/openldap/certs/ldap.cert file and does not generate the /etc/openldap/certs/ldap.key file (assuming you use /etc/openldap/certs for your key and certificate files). Like the picture below:
I changed the destination directory's permissions, ownership, etc., but just couldn't get the ldap.key file generated. So I generated the certificate and key files manually:
1. Generate the key file:
# -des3 means encrypt the generated key with Triple DES in EDE CBC mode (168-bit key)
# 2048 is the RSA key size
# /usr/bin/openssl genrsa -des3 2048 > server.key
Generating RSA private key, 2048 bit long modulus
......................................................+++
..........................................................+++
e is 65537 (0x10001)
Enter pass phrase:
Verifying - Enter pass phrase:
# Remove the passphrase from the key file (slapd cannot answer a passphrase prompt at start-up):
# openssl rsa -in server.key -out server.key
Enter pass phrase for server.key:
writing RSA key
2. Generate the csr file:
# /usr/bin/openssl req -utf8 -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:San Francisco
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Your Company name
Organizational Unit Name (eg, section) []:HQ
Common Name (e.g. server FQDN or YOUR name) []:Tony
Email Address []:tonylixu@gmail.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
3. Generate a self-signed x509 certificate from the signing request (the CSR is signed with the same key it was created with):
# openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 3650
Signature ok
subject=/C=US/ST=California/L=San Francisco/O=Your Company name/OU=HQ/CN=Tony/emailAddress=tonylixu@gmail.com
Getting Private key
4. Update file permissions:
# chmod 400 server.*
5. Set the TLS certificate file and key file in Webmin:
If you are not using Webmin, add the following to your slapd.conf:
TLSCertificateFile /etc/openldap/cacerts/server.crt
TLSCertificateKeyFile /etc/openldap/cacerts/server.key
6. Restart LDAP service:
# /etc/init.d/slapd restart
7. Test your SSL certificate:
# Check the certificate the server presents on the ldaps port:
# openssl s_client -host server_domain_name -port 636 -showcerts
8. You can use JXplorer to test as well.
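The same key, CSR and self-signed certificate steps as a non-interactive script, as an added example (not from the original post), with the offline checks I would run before restarting slapd: that the certificate's public key really belongs to server.key, that its CN is the host name clients will connect to, and that it is not about to expire. It assumes openssl is in PATH; the directory, CN and validity period are arguments, and the DN values are constructed.

```shell
#!/bin/sh
# Added example, not the post's own commands. Assumes: openssl in PATH.
set -eu

# gen_ldap_cert DIR CN DAYS
# Steps 1-4 of the post: unencrypted RSA 2048 key, CSR, self-signed cert,
# files locked down with chmod 400. Generating the key without -des3 is
# equivalent to the post's "encrypt, then strip the passphrase".
gen_ldap_cert() {
    dir=$1; cn=$2; days=$3
    mkdir -p "$dir"
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    # -subj replaces the interactive DN prompts (values are constructed).
    openssl req -utf8 -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "/C=US/ST=California/L=San Francisco/O=Example/OU=HQ/CN=$cn"
    # Self-sign the CSR with the same key (post's step 3).
    openssl x509 -req -in "$dir/server.csr" -signkey "$dir/server.key" \
        -days "$days" -out "$dir/server.crt" 2>/dev/null
    chmod 400 "$dir"/server.*
}

# cert_matches_key DIR: true when the public key inside server.crt is the
# one derived from server.key (catches a mixed-up pair before slapd fails).
cert_matches_key() {
    dir=$1
    a=$(openssl x509 -in "$dir/server.crt" -noout -pubkey | openssl md5)
    b=$(openssl rsa -in "$dir/server.key" -pubout 2>/dev/null | openssl md5)
    [ "$a" = "$b" ]
}

# cert_cn DIR: prints the CN from server.crt; TLS clients (s_client,
# JXplorer) compare it with the host name they connect to.
cert_cn() {
    openssl x509 -in "$1/server.crt" -noout -subject |
        sed 's/.*CN *= *//; s/[,/].*//'
}

# cert_valid_for_days DIR N: true if server.crt is still valid N days from now.
cert_valid_for_days() {
    openssl x509 -in "$1/server.crt" -noout -checkend $(( $2 * 86400 )) >/dev/null
}
```

If cert_matches_key fails, slapd will refuse the pair at start-up; if cert_cn does not equal the name clients use, s_client connects but client-side hostname checks fail.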