> Hello again,
> 
> a long time ago (2 months), I tried to set up an LDAP server on a SuSE 9.3.
> It works but not with start_tls
> I got many useful hints ( special thanks to Dieter) but nothing
> helped, so I decided to try again after an update to 10.1.
> It seems to me, that the problem could be Suse 9.3 in combination
> with a 64 bit amd system.

I've looked at the output of the commands, and there's one thing you might
want to recheck.  Let's jump to your CA certificate:

> oracle:/etc/openldap # /usr/share/ssl/misc/CA.sh -newca
> CA certificate filename (or enter to create)

[ snipety snip ]

>         X509v3 extensions:
>             X509v3 Basic Constraints:
>                 CA:FALSE

It says "CA:FALSE".  For a CA certificate it should be CA:TRUE, as in this
output:

        X509v3 extensions:
            X509v3 Basic Constraints: critical
            CA:TRUE

This makes me think your CA setup is really broken.  BTW, you don't need an
email address in a server certificate.  You can simply leave it empty.

Also, do not define subjectAltName and issuerAltName unless you are going
to put something into them.  If your CA cert doesn't have subjectAltName,
none of the certificates should have issuerAltName.  Some SSL
implementations choke on preset but empty subjectAltName and issuerAltName
attributes (for example Cisco routers).  Rule of thumb: if you are
issuing a certificate to be used by a single name, don't use them.  If you are
issuing a certificate for several names, define it and make sure the first
name in subjectAltName is the same as the CN.

Instead of using wrapper scripts, and a possibly broken openssl.cnf file,
try setting up your own CA by hand.  Start with your own openssl.cnf file.
This is very close to the default openssl.cnf.  Recheck it for line
breaks (I've attempted to keep all lines below 80 chars, but you might
want to check if some "longer" line got broken into two when posting to
the list):

===== 8< Cut Here 8< =====
#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#

# This definition stops the following lines choking if HOME isn't
# defined.
HOME                    = .
RANDFILE                = $ENV::HOME/.rnd

# Extra OBJECT IDENTIFIER info:
#oid_file               = $ENV::HOME/.oid
oid_section             = new_oids

# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions            =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)

[ new_oids ]

# We can add new OIDs in here for use by 'ca' and 'req'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6

####################################################################
[ ca ]
# default_ca    = CA_default            # The default ca section
default_ca      = myca                  # The default ca section

####################################################################
[myca]

dir             = /usr/share/ssl/myca   # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
new_certs_dir   = $dir/newcerts         # default place for new certs.

certificate     = $dir/cacert.pem       # The CA certificate
serial          = $dir/serial           # The current serial number
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/cakey.pem # The private key
RANDFILE        = $dir/private/.rand    # private random number file

x509_extensions = default_crt           # The extensions to add to the cert

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt        = ca_default            # Subject Name options
cert_opt        = ca_default            # Certificate field options

# Extension copying option: use with caution.
# copy_extensions = copy

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crl_extensions        = crl_ext

default_days    = 365                   # how long to certify for (1 year)
default_crl_days= 30                    # how long before next CRL
default_md      = sha1                  # which md to use.
preserve        = no                    # keep passed DN ordering

# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy          = policy_match

# For the CA policy
[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

####################################################################
[ req ]
default_bits            = 2048
default_keyfile         = privkey.pem
distinguished_name      = req_distinguished_name
attributes              = req_attributes
# x509_extensions = ca_crt # The extensions to add to the self signed cert

# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret

# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix   : PrintableString, BMPString.
# utf8only: only UTF8Strings.
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
# so use this option with caution!
string_mask = nombstr

req_extensions = v3_req # The extensions to add to a certificate request

[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = DE
countryName_min                 = 2
countryName_max                 = 2

stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = Whatever

localityName                    = Locality Name (eg, city)
localityName_default            = Wherever

0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = Your org here

# we can do this but it is not needed normally :-)
#1.organizationName             = Second Organization Name (eg, company)
#1.organizationName_default     = World Wide Web Pty Ltd

0.organizationalUnitName        = Organizational Unit Name (eg, section)
0.organizationalUnitName_default= IS-InfoTech

#1.organizationalUnitName       = Second Organizational Unit Name or Comment
#1.organizationalUnitName_default=

commonName                      = Common Name (eg, name or your server)
commonName_max                  = 64

emailAddress                    = Email Address
emailAddress_max                = 64

SET-ex3                         = SET extension number 3

[ req_attributes ]
challengePassword               = A challenge password
challengePassword_min           = 4
challengePassword_max           = 20

unstructuredName                = An optional company name

[ default_crt ]
basicConstraints                = CA:FALSE
keyUsage                        = digitalSignature
extendedKeyUsage                = clientAuth
nsCertType                      = client
subjectKeyIdentifier            = hash
authorityKeyIdentifier          = keyid,issuer:always
subjectAltName                  = email:copy
issuerAltName                   = issuer:copy

# Extensions for CA certificate
[ ca_crt ]
basicConstraints                = critical, CA:TRUE
keyUsage                        = cRLSign, keyCertSign
nsCertType                      = sslCA, emailCA, objCA
subjectKeyIdentifier            = hash
authorityKeyIdentifier          = keyid,issuer:always
# If using any of these two, make sure they are not empty!
#subjectAltName                 = email:copy
#issuerAltName                  = issuer:copy

# Define these later (in all sections?)
#nsCaRevocationUrl              = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName

[ v3_req ]
# Extensions to add to a certificate request
basicConstraints                = CA:FALSE
keyUsage                        = nonRepudiation, digitalSignature, keyEncipherment

[ crl_ext ]
# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
# Uncomment issuerAltName only if there will be something in it
# issuerAltName                   = issuer:copy
authorityKeyIdentifier          = keyid:always,issuer:always
===== 8< Cut Here 8< =====

Also, create two additional configuration files to be used for creating
server and client certificates.  Call them client.cnf and server.cnf (you
may also create a third one if you need to issue certificates that can be
used for both client and server purposes).  Yes, these two should have
CA:FALSE.  Only the CA should have CA:TRUE.

server.cnf:
===== 8< Cut Here 8< =====
# Extensions for server certificates
basicConstraints                = CA:FALSE
# add keyAgreement?
keyUsage                        = digitalSignature, keyEncipherment
extendedKeyUsage                = serverAuth
nsCertType                      = server
subjectKeyIdentifier            = hash
authorityKeyIdentifier          = keyid,issuer:always
# Edit and uncomment only if they will be non-empty!
#subjectAltName                 = DNS:foo.bar.com,IP:1.2.3.4
#issuerAltName                  = issuer:copy
===== 8< Cut Here 8< =====

client.cnf:
===== 8< Cut Here 8< =====
# Extensions for client certificates
basicConstraints                = CA:FALSE
# add dataEncipherment?
# add nonRepudiation?
keyUsage                        = digitalSignature, keyEncipherment
extendedKeyUsage                = clientAuth, emailProtection
nsCertType                      = client, email
subjectKeyIdentifier            = hash
authorityKeyIdentifier          = keyid,issuer:always
# Edit and uncomment only if they will be non-empty!
#subjectAltName                 = DNS:foo.bar.com,IP:1.2.3.4
#issuerAltName                  = issuer:copy
===== 8< Cut Here 8< =====

Now create the directory structure for your new CA:

# mkdir /usr/share/ssl/myca
# chmod 700 /usr/share/ssl/myca
# cd /usr/share/ssl/myca
# mkdir certs crl newcerts private reqs
# echo 01 > serial
# touch index.txt
# chmod 700 certs crl newcerts private reqs
# chmod 600 serial index.txt

Create CA key:
# openssl genrsa -des3 -out private/cakey.pem 2048
# chmod 600 private/cakey.pem

Create root CA certificate:
# openssl req -new -x509 -days 9125 -key private/cakey.pem -out cacert.pem -extensions ca_crt

You can recheck CA certificate with:
# openssl x509 -in cacert.pem -noout -text

Generate private key for LDAP server:
# openssl genrsa -des3 -out private/hostname-ldap.pem 2048
# chmod 600 private/hostname-ldap.pem

Generate certificate request:
# openssl req -new -key private/hostname-ldap.pem -out reqs/hostname-ldap.req

Now, if you want to use subjectAltName in the certificate, edit server.cnf
file, uncomment and edit the line for it.

Generate certificate:
# openssl ca -policy policy_anything -days 365 -extfile ../server.cnf -infiles reqs/hostname-ldap.req

Once you are done, you can recheck it with (replace xx with the certificate's
serial number):
# openssl x509 -in newcerts/xx.pem -noout -text

If all looks good, copy the CA cert, LDAP server cert and private key to
wherever you want them.  Instead of doing plain "cp", I'd suggest
something like:

# openssl x509 -in newcerts/xx.pem -out /wherever-cert.pem
# openssl rsa -in private/hostname-ldap.pem -out /wherever-key.pem

The first command will get rid of the comments and stuff (they shouldn't
be a problem, but you don't really need them).  The second command will
remove the passphrase from the key.

Make sure the permissions are correct (user ldap should be able to read
all three files).
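The rechecks suggested above (CA:TRUE on the CA cert, CA:FALSE on issued certs, no preset-but-empty subjectAltName or issuerAltName, first subjectAltName entry equal to the CN, and no issuerAltName when the CA cert has no subjectAltName) applied to the text output of `openssl x509 -noout -text`, as an added example that is not part of the list post; the sample outputs below are constructed, not real certificates.

```python
import re

# Constructed samples (not real certs) of `openssl x509 -noout -text` output,
# cut down to the Subject line and the X509v3 extension lines.
CA_TEXT = """\
        Subject: C=DE, ST=Whatever, O=Your org here, CN=Test Root CA
            X509v3 Basic Constraints: critical
                CA:TRUE
"""
BROKEN_CA_TEXT = """\
        Subject: C=DE, ST=Whatever, O=Your org here, CN=Broken CA
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Subject Alternative Name:
                <EMPTY>
"""
SERVER_TEXT = """\
        Subject: C=DE, ST=Whatever, O=Your org here, CN=ldap.example.test
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Subject Alternative Name:
                DNS:ldap.example.test, DNS:ldap
"""

def field(text, name):
    """Value lines under an 'X509v3 <name>:' header; None if the extension is absent."""
    m = re.search(r"X509v3 " + re.escape(name) + r":[^\n]*\n((?: {16}[^\n]*\n)*)", text)
    return m.group(1).strip() if m else None

def check_cert(text, role, ca_text=None):
    """Findings against the advice above; an empty list means the cert follows it."""
    findings, bc = [], field(text, "Basic Constraints") or ""
    if role == "ca" and "CA:TRUE" not in bc:
        findings.append("CA cert needs basicConstraints CA:TRUE")
    if role != "ca" and "CA:FALSE" not in bc:
        findings.append(f"{role} cert needs basicConstraints CA:FALSE")
    san, ian = field(text, "Subject Alternative Name"), field(text, "Issuer Alternative Name")
    # Newer OpenSSL prints <EMPTY> for an empty name list; older ones print nothing.
    for name, val in (("subjectAltName", san), ("issuerAltName", ian)):
        if val is not None and val in ("", "<EMPTY>"):
            findings.append(f"{name} is present but empty")
    cn = re.search(r"Subject:.*?CN\s*=\s*([^,/\n]+)", text)
    if role != "ca" and san and san != "<EMPTY>":
        first = san.split(",")[0].strip().split(":", 1)[-1]
        if cn is None or first != cn.group(1).strip():
            findings.append(f"first subjectAltName entry {first!r} differs from CN")
    if ca_text is not None and ian and not field(ca_text, "Subject Alternative Name"):
        findings.append("issuerAltName set although the CA cert has no subjectAltName")
    return findings
```

Feed it the real output of `openssl x509 -in cacert.pem -noout -text` and `openssl x509 -in newcerts/xx.pem -noout -text` to check your own CA and LDAP server certificate.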
