Openstuff Wiki : HowtoCERT


Generating certificates for OpenLDAP


First of all, create the directory that will hold the certificates
# mkdir -p /etc/ldap/certificates


1. Creating the CA (Certificate Authority) certificate


We will use the CA.sh script
# cd /etc/ldap/certificates/
# locate CA.sh
/usr/lib/ssl/misc/CA.sh
# /usr/lib/ssl/misc/CA.sh -newca
A certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
.....++++++
............++++++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
[...]
Country Name (2 letter code) [FR]:
State or Province Name (full name) [France]:
Locality Name (eg, city) []:
Organization Name (eg, company) [example]:
Organizational Unit Name (eg, section) [section]:
Common Name (eg, YOUR name) []:Julien Stankiewicz
Email Address []:julien.stankiewicz@example.com


This command created a directory (demoCA) containing, among other things, the CA certificate (cacert.pem) and the CA private key demoCA/private/cakey.pem.

2. Creating the LDAP server certificate


# openssl req -new -nodes -keyout newreq.pem -out newreq.pem -days 365
Generating a 1024 bit RSA private key
...........................++++++
.............++++++
writing new private key to 'newreq.pem'
[...]
Country Name (2 letter code) [FR]:
State or Province Name (full name) [France]:
Locality Name (eg, city) []:
Organization Name (eg, company) [example]:
Organizational Unit Name (eg, section) [section]:
Common Name (eg, YOUR name) []:ldapserver
Email Address []:julien.stankiewicz@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:


Note:

This call generated the file newreq.pem, which contains both the RSA private key and a certificate signing request to be signed by the CA.


3. Signing the server certificate with the CA


# /usr/lib/ssl/misc/CA.sh -sign
Check that the request matches the signature
Signature ok
[...]
Certificate is to be certified until Apr 21 11:12:43 2007 GMT (365 days)
Sign the certificate? [y/n]:
[...]
Signed certificate is in newcert.pem


4. Installing all these certificates


So that OpenLDAP can use them:
# mv newreq.pem LDAPserver-key.pem
# mv newcert.pem LDAPserver-cert.pem
# ln -s demoCA/cacert.pem CA-cert.pem
# chmod 400 LDAPserver-key.pem
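The four steps above, as an added example that is not part of the original page: a POSIX shell script that runs them non-interactively with direct openssl calls in place of the interactive CA.sh script, then checks the result before slapd is pointed at the files. The output directory, the hostname ldapserver, the 2048-bit key size, the SHA-256 signature and the validity periods are assumptions of this example, not values from the page; the installed file names match step 4 above.

```shell
#!/bin/sh
# Added example (not from the wiki page): steps 1-4 with plain openssl calls
# instead of CA.sh, plus post-install checks.  Directory, hostname, key size
# and validity periods are illustrative assumptions.
set -eu

# Steps 1-4 in one function.  $1 = output directory, $2 = server hostname
# used as the certificate CN and subjectAltName.
make_ldap_certs() {
    dir="$1"; host="$2"
    mkdir -p "$dir/demoCA/private"
    umask 077   # private keys are created owner-only from the start

    # Step 1: self-signed CA certificate and key.  Unencrypted (-nodes) so the
    # script needs no prompts; CA.sh on the page asks for a PEM passphrase.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -keyout "$dir/demoCA/private/cakey.pem" -out "$dir/demoCA/cacert.pem" \
        -subj "/C=FR/ST=France/O=example/OU=section/CN=Example LDAP CA" 2>/dev/null

    # Step 2: server key plus certificate signing request (kept in separate
    # files here, where the page writes both into newreq.pem).
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$dir/LDAPserver-key.pem" -out "$dir/newreq.pem" \
        -subj "/C=FR/ST=France/O=example/OU=section/CN=$host" 2>/dev/null

    # Step 3: the CA signs the request.  The extension file adds a
    # subjectAltName, which current LDAP clients match against the hostname
    # instead of the CN.
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" > "$dir/ext.cnf"
    openssl x509 -req -in "$dir/newreq.pem" -CA "$dir/demoCA/cacert.pem" \
        -CAkey "$dir/demoCA/private/cakey.pem" -CAcreateserial -sha256 -days 365 \
        -extfile "$dir/ext.cnf" -out "$dir/LDAPserver-cert.pem" 2>/dev/null

    # Step 4: install under the names used on the page; only the key is secret.
    ln -sf demoCA/cacert.pem "$dir/CA-cert.pem"
    chmod 400 "$dir/LDAPserver-key.pem"
    chmod 444 "$dir/LDAPserver-cert.pem" "$dir/demoCA/cacert.pem"
    rm -f "$dir/newreq.pem" "$dir/ext.cnf"
}

# Checks an administrator should run before restarting slapd: the server
# certificate chains to the CA, the private key belongs to the certificate,
# the SAN carries the hostname, and the key is not group/world readable.
# Returns 0 when all pass, a distinct non-zero code for the first failure.
verify_ldap_certs() {
    dir="$1"; host="$2"
    openssl verify -CAfile "$dir/CA-cert.pem" "$dir/LDAPserver-cert.pem" >/dev/null 2>&1 || return 1
    [ "$(openssl x509 -noout -modulus -in "$dir/LDAPserver-cert.pem")" = \
      "$(openssl rsa -noout -modulus -in "$dir/LDAPserver-key.pem" 2>/dev/null)" ] || return 2
    openssl x509 -noout -text -in "$dir/LDAPserver-cert.pem" | grep -q "DNS:$host" || return 3
    [ -z "$(find "$dir/LDAPserver-key.pem" \( -perm -040 -o -perm -004 \))" ] || return 4
}

# Usage: make_ldap_certs /etc/ldap/certificates ldapserver
#        verify_ldap_certs /etc/ldap/certificates ldapserver && echo "certificates OK"
```

The page's 2006 session generates 1024-bit keys and identifies the server by CN only; the script uses 2048-bit RSA and a subjectAltName because clients now reject the former and match the hostname against the latter. The modulus comparison catches the common mistake of installing a key and certificate from two different runs, and the permission check confirms that the `chmod 400` from step 4 actually took effect.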