[Fedora-directory-users] simple ssl replication

Richard Megginson rmeggins at redhat.com
Wed Jan 18 19:26:42 UTC 2006


Susan wrote:

>--- Richard Megginson <rmeggins at redhat.com> wrote:
>
>  
>
>>The SSL client (in this case, the replication supplier) still needs to 
>>verify the SSL server (in this case, the replication consumer) 
>>certificate in order for SSL to work.  It should be sufficient for the 
>>supplier to have the certificate of the CA that issued the consumer's 
>>certificate in its cert db.
>>    
>>
>
>I understand.  Where is the cert db?
>
/opt/fedora-ds/alias/slapd-yourhost-cert8.db

>Is that controlled by /etc/openldap/ldap.conf?
>
No.  It is completely different.  The operating system ldap client code 
is OpenLDAP which uses OpenSSL for crypto.  Fedora DS uses Mozilla NSS 
for crypto.

>Because I
>took *.db from the consumer's /opt/fedora-ds/alias, copied them over to the location specified by
>TLS_CACERTDIR (/etc/openldap/cacerts) and still got the same error.
>  
>
Right.  OpenSSL doesn't use our NSS .db format.  Fedora DS doesn't use 
/etc/ldap* or /etc/openldap* at all.  However, OS clients, such as 
/usr/bin/ldapsearch, PAM, NSS, etc. use /etc/ldap* and /etc/openldap*

>On the supplier:
>[root at cnyldap01 cacerts]# ll
>total 84
>-rw-------  1 root root 65536 Jan 18 13:48 slapd-cnjldap01-cert8.db
>-rw-------  1 root root 16384 Jan 18 13:48 slapd-cnjldap01-key3.db
>
>On the consumer (cnjldap01) still:
>[18/Jan/2006:13:50:21 -0500] conn=22 fd=65 slot=65 SSL connection from 149.85.70.110 to
>149.85.86.65
>[18/Jan/2006:13:50:21 -0500] conn=22 op=-1 fd=65 closed - SSL peer cannot verify your certificate.
>
>
>
>What am I doing wrong?
>  
>
You need to use certutil -L to export the CA certificate and certutil -A 
to import it where needed e.g.
# cd /opt/fedora-ds/alias
# ../shared/bin/certutil -L -d . -P slapd-supplier-
you should see something like
CA certificate                                               CT,,
then you can do
# ../shared/bin/certutil -L -d . -P slapd-supplier- -n "CA certificate" -a > cacert.asc
to export the CA certificate in ASCII (RFC 1113) encoding.
Next, import the CA cert into your consumer cert db:
# ../shared/bin/certutil -A -d . -P slapd-consumer- -n "CA certificate" -t "CT,," -a -i cacert.asc
Note that it may prompt you for the password you used to protect the 
cert db.
You will need to restart your consumer.

You can also take this cacert.asc and use the openssl tool to convert 
this into a .pem file for use with those clients (or is .asc the same as 
.pem?).

>Thank you for your help...
>

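The export/import steps listed in the reply above, and the question of whether the exported .asc file can be handed to the OpenLDAP-based clients, as an added example that is not part of the original thread and not code from Fedora DS: a POSIX shell script that wraps the certutil calls in checked functions, tests that the exported file is PEM-encoded (certutil -a writes base64 between BEGIN/END CERTIFICATE lines, which is the format OpenLDAP's TLS_CACERT expects, so no openssl conversion is needed), and parses certutil -L output to confirm the imported CA carries the C (trusted CA for SSL) flag. The certutil path, the db prefixes, the "CA certificate" nickname and the password-file path are assumptions taken from the thread or invented for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread or from Fedora DS.
# Assumed layout (hypothetical): NSS tools under /opt/fedora-ds/shared/bin,
# cert dbs named slapd-<host>-cert8.db / -key3.db, CA nickname "CA certificate".
set -u

CERTUTIL="${CERTUTIL:-/opt/fedora-ds/shared/bin/certutil}"

# is_pem_cert FILE: true if FILE holds an RFC 1113 / PEM certificate block.
# certutil -L ... -a writes exactly this, so the .asc file is already a .pem.
is_pem_cert() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null &&
    grep -q -- '-----END CERTIFICATE-----' "$1" 2>/dev/null
}

# trust_flags_of LISTING NICK: given the text of "certutil -L" output, print the
# trust column for the entry whose nickname is NICK (nicknames may contain
# spaces, so everything except the last whitespace-separated field is the name).
trust_flags_of() {
    printf '%s\n' "$1" | awk -v nick="$2" '
        NF >= 2 {
            flags = $NF
            name = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", name)   # drop the trust column
            sub(/^[ \t]+/, "", name)                # drop leading indent
            if (name == nick) { print flags; exit }
        }'
}

# ca_is_trusted LISTING NICK: true if the SSL column (first of "SSL,S/MIME,JAR")
# contains C, i.e. the cert is a trusted CA for verifying SSL server certs.
ca_is_trusted() {
    flags=$(trust_flags_of "$1" "$2")
    ssl=${flags%%,*}
    case "$ssl" in
        *C*) return 0 ;;
    esac
    return 1
}

# export_ca_cert ALIASDIR PREFIX NICK OUTFILE: run in the db that holds the CA.
export_ca_cert() {
    "$CERTUTIL" -L -d "$1" -P "$2" -n "$3" -a > "$4" || return 1
    is_pem_cert "$4"
}

# import_ca_cert ALIASDIR PREFIX NICK INFILE [PWFILE]: run on the other side.
# "CT,," marks the cert as a trusted CA for SSL server and client certs;
# -f reads the key db password from a file instead of prompting for it.
import_ca_cert() {
    is_pem_cert "$4" || { echo "$4 is not a PEM certificate" >&2; return 1; }
    if [ -n "${5:-}" ]; then
        "$CERTUTIL" -A -d "$1" -P "$2" -n "$3" -t "CT,," -a -i "$4" -f "$5" || return 1
    else
        "$CERTUTIL" -A -d "$1" -P "$2" -n "$3" -t "CT,," -a -i "$4" || return 1
    fi
    # Re-read the db and confirm the trust flag actually landed.
    ca_is_trusted "$("$CERTUTIL" -L -d "$1" -P "$2")" "$3"
}

# Example run (only when RUN_EXAMPLE=1, so sourcing the file has no side effects):
if [ "${RUN_EXAMPLE:-0}" = 1 ]; then
    cd /opt/fedora-ds/alias || exit 1
    export_ca_cert . slapd-supplier- "CA certificate" cacert.asc || exit 1
    # copy cacert.asc to the consumer host, then on that host:
    import_ca_cert . slapd-consumer- "CA certificate" cacert.asc /opt/fedora-ds/alias/pwdfile.txt || exit 1
    echo "CA imported and trusted; restart the consumer"
fi
```

The same cacert.asc can be pointed to by TLS_CACERT in /etc/openldap/ldap.conf for /usr/bin/ldapsearch and the PAM/NSS clients, since its contents are already PEM; only the NSS .db files are NSS-specific.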