Hello Aleksandar,
I followed your hints.
I generated the CA with CA:True, but I ran into an error
when I came to the following command.
I replaced hostname by oracle and ../server.cnf by /etc/ssl/server.cnf because
I put the files there.
oracle:/usr/share/ssl/myca # openssl ca -policy policy_anything -days 365 -extfile /etc/ssl/server.cnf -infiles reqs/oracle-ldap.req
Using configuration from /etc/ssl/openssl.cnf
Enter pass phrase for /usr/share/ssl/myca/private/cakey.pem:
Check that the request matches the signature
Signature ok
ERROR: adding extensions in section default
11768:error:22097082:X509 V3 routines:DO_EXT_NCONF:unknown extension name:v3_conf.c:124:
11768:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:v3_conf.c:93:name=HOME, value=.
Sorry, but I'm not able to interpret these messages; I know too little about
certificates.
Karsten
Aleksandar Milivojevic schrieb:
>> Hello again,
>>
>> a long time ago (2 months), I tried to set up an LDAP server on a SUSE 9.3.
>> It works but not with start_tls.
>> I got many useful hints (special thanks to Dieter) but nothing
>> helped, so I decided to try again after an update to 10.1.
>> It seems to me that the problem could be SUSE 9.3 in combination
>> with a 64-bit AMD system.
>
> I've looked at the output of the commands, and there's one thing you might
> want to recheck. Let's jump to your CA certificate:
>
>> oracle:/etc/openldap # /usr/share/ssl/misc/CA.sh -newca
>> CA certificate filename (or enter to create)
>
> [ snipety snip ]
>
>> X509v3 extensions:
>> X509v3 Basic Constraints:
>> CA:FALSE
>
> It says "CA:FALSE". For a CA certificate it should be CA:TRUE, as in this
> output:
>
> X509v3 extensions:
> X509v3 Basic Constraints: critical
> CA:TRUE
>
> This makes me think your CA setup is really broken. BTW, you don't need
> email address in server certificate. You can simply leave it empty.
>
> Also, do not define subjectAltName and issuerAltName unless you are going
> to put something into them. If your CA cert doesn't have subjectAltName,
> none of the certificates should have issuerAltName. Some SSL
> implementations choke on preset but empty subjectAltName and issuerAltName
> attributes (for example Cisco routers). Rule of thumb: if you are
> issuing a certificate to be used by a single name, don't use them. If you are
> issuing a certificate for several names, define it and make sure the first
> name in subjectAltName is the same as the CN.
>
> Instead of using wrapper scripts, and possibly broken openssl.cnf file,
> try setting up your own CA by hand. Start with your own openssl.cnf file.
> This is very close to the default openssl.cnf. Recheck it for line
> breaks (I've attempted to keep all lines below 80 chars, but you might
> want to check if some "longer" line got broken into two when posting to
> the list):
>
> ===== 8< Cut Here 8< =====
> #
> # OpenSSL example configuration file.
> # This is mostly being used for generation of certificate requests.
> #
>
> # This definition stops the following lines choking if HOME isn't
> # defined.
> HOME = .
> RANDFILE = $ENV::HOME/.rnd
>
> # Extra OBJECT IDENTIFIER info:
> #oid_file = $ENV::HOME/.oid
> oid_section = new_oids
>
> # To use this configuration file with the "-extfile" option of the
> # "openssl x509" utility, name here the section containing the
> # X.509v3 extensions to use:
> # extensions =
> # (Alternatively, use a configuration file that has only
> # X.509v3 extensions in its main [= default] section.)
>
> [ new_oids ]
>
> # We can add new OIDs in here for use by 'ca' and 'req'.
> # Add a simple OID like this:
> # testoid1=1.2.3.4
> # Or use config file substitution like this:
> # testoid2=${testoid1}.5.6
>
> ####################################################################
> [ ca ]
> # default_ca = CA_default # The default ca section
> default_ca = myca # The default ca section
>
> ####################################################################
> [myca]
>
> dir = /usr/share/ssl/myca # Where everything is kept
> certs = $dir/certs # Where the issued certs are kept
> crl_dir = $dir/crl # Where the issued crl are kept
> database = $dir/index.txt # database index file.
> new_certs_dir = $dir/newcerts # default place for new certs.
>
> certificate = $dir/cacert.pem # The CA certificate
> serial = $dir/serial # The current serial number
> crl = $dir/crl.pem # The current CRL
> private_key = $dir/private/cakey.pem # The private key
> RANDFILE = $dir/private/.rand # private random number file
>
> x509_extensions = default_crt # The extensions to add to the cert
>
> # Comment out the following two lines for the "traditional"
> # (and highly broken) format.
> name_opt = ca_default # Subject Name options
> cert_opt = ca_default # Certificate field options
>
> # Extension copying option: use with caution.
> # copy_extensions = copy
>
> # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
> # so this is commented out by default to leave a V1 CRL.
> # crl_extensions = crl_ext
>
> default_days = 365 # how long to certify for (1 year)
> default_crl_days= 30 # how long before next CRL
> default_md = sha1 # which md to use.
> preserve = no # keep passed DN ordering
>
> # A few difference way of specifying how similar the request should look
> # For type CA, the listed attributes must be the same, and the optional
> # and supplied fields are just that :-)
> policy = policy_match
>
> # For the CA policy
> [ policy_match ]
> countryName = match
> stateOrProvinceName = match
> organizationName = match
> organizationalUnitName = optional
> commonName = supplied
> emailAddress = optional
>
> # For the 'anything' policy
> # At this point in time, you must list all acceptable 'object'
> # types.
> [ policy_anything ]
> countryName = optional
> stateOrProvinceName = optional
> localityName = optional
> organizationName = optional
> organizationalUnitName = optional
> commonName = supplied
> emailAddress = optional
>
> ####################################################################
> [ req ]
> default_bits = 2048
> default_keyfile = privkey.pem
> distinguished_name = req_distinguished_name
> attributes = req_attributes
> # x509_extensions = ca_crt # The extensions to add to the self signed cert
>
> # Passwords for private keys if not present they will be prompted for
> # input_password = secret
> # output_password = secret
>
> # This sets a mask for permitted string types. There are several options.
> # default: PrintableString, T61String, BMPString.
> # pkix : PrintableString, BMPString.
> # utf8only: only UTF8Strings.
> # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
> # MASK:XXXX a literal mask value.
> # WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
> # so use this option with caution!
> string_mask = nombstr
>
> req_extensions = v3_req # The extensions to add to a certificate request
>
> [ req_distinguished_name ]
> countryName = Country Name (2 letter code)
> countryName_default = DE
> countryName_min = 2
> countryName_max = 2
>
> stateOrProvinceName = State or Province Name (full name)
> stateOrProvinceName_default = Whatever
>
> localityName = Locality Name (eg, city)
> localityName_default = Wherever
>
> 0.organizationName = Organization Name (eg, company)
> 0.organizationName_default = Your org here
>
> # we can do this but it is not needed normally :-)
> #1.organizationName = Second Organization Name (eg, company)
> #1.organizationName_default = World Wide Web Pty Ltd
>
> 0.organizationalUnitName = Organizational Unit Name (eg, section)
> 0.organizationalUnitName_default= IS-InfoTech
>
> #1.organizationalUnitName = Second Organizational Unit Name or Comment
> #1.organizationalUnitName_default=
>
> commonName = Common Name (eg, name or your server)
> commonName_max = 64
>
> emailAddress = Email Address
> emailAddress_max = 64
>
> SET-ex3 = SET extension number 3
>
> [ req_attributes ]
> challengePassword = A challenge password
> challengePassword_min = 4
> challengePassword_max = 20
>
> unstructuredName = An optional company name
>
> [ default_crt ]
> basicConstraints = CA:FALSE
> keyUsage = digitalSignature
> extendedKeyUsage = clientAuth
> nsCertType = client
> subjectKeyIdentifier = hash
> authorityKeyIdentifier = keyid,issuer:always
> subjectAltName = email:copy
> issuerAltName = issuer:copy
>
> # Extensions for CA certificate
> [ ca_crt ]
> basicConstraints = critical, CA:TRUE
> keyUsage = cRLSign, keyCertSign
> nsCertType = sslCA, emailCA, objCA
> subjectKeyIdentifier = hash
> authorityKeyIdentifier = keyid,issuer:always
> # If using any of these two, make sure they are not empty!
> #subjectAltName = email:copy
> #issuerAltName = issuer:copy
>
> # Define these later (in all sections?)
> #nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
> #nsBaseUrl
> #nsRevocationUrl
> #nsRenewalUrl
> #nsCaPolicyUrl
> #nsSslServerName
>
> [ v3_req ]
> # Extensions to add to a certificate request
> basicConstraints = CA:FALSE
> keyUsage = nonRepudiation, digitalSignature, keyEncipherment
>
> [ crl_ext ]
> # CRL extensions.
> # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
> # Uncomment issuerAltName only if there will be something in it
> # issuerAltName = issuer:copy
> authorityKeyIdentifier = keyid:always,issuer:always
> ===== 8< Cut Here 8< =====
>
> Also, create two additional configuration files to be used for creating
> server and client certificates. Call them client.cnf and server.cnf (you
> may also create a third one if you need to issue certificates that can be
> used for both client and server purposes). Yes, these two should have
> CA:FALSE. Only the CA should have CA:TRUE.
>
> server.cnf:
> ===== 8< Cut Here 8< =====
> # Extensions for server certificates
> basicConstraints = CA:FALSE
> # add keyAgreement?
> keyUsage = digitalSignature, keyEncipherment
> extendedKeyUsage = serverAuth
> nsCertType = server
> subjectKeyIdentifier = hash
> authorityKeyIdentifier = keyid,issuer:always
> # Edit and uncomment only if they will be non-empty!
> #subjectAltName = DNS:foo.bar.com,IP:1.2.3.4
> #issuerAltName = issuer:copy
> ===== 8< Cut Here 8< =====
>
> client.cnf:
> ===== 8< Cut Here 8< =====
> # Extensions for client certificates
> basicConstraints = CA:FALSE
> # add dataEncipherment?
> # add nonRepudiation?
> keyUsage = digitalSignature, keyEncipherment
> extendedKeyUsage = clientAuth, emailProtection
> nsCertType = client, email
> subjectKeyIdentifier = hash
> authorityKeyIdentifier = keyid,issuer:always
> # Edit and uncomment only if they will be non-empty!
> #subjectAltName = DNS:foo.bar.com,IP:1.2.3.4
> #issuerAltName = issuer:copy
> ===== 8< Cut Here 8< =====
>
> Now create directory structure for your new CA:
>
> # mkdir /usr/share/ssl/myca
> # chmod 700 /usr/share/ssl/myca
> # cd /usr/share/ssl/myca
> # mkdir certs crl newcerts private reqs
> # echo 01 > serial
> # touch index.txt
> # chmod 700 certs crl newcerts private reqs
> # chmod 600 serial index.txt
>
> Create CA key:
> # openssl genrsa -des3 -out private/cakey.pem 2048
> # chmod 600 private/cakey.pem
>
> Create root CA certificate:
> # openssl req -new -x509 -days 9125 -key private/cakey.pem -out cacert.pem -extensions ca_crt
>
> You can recheck CA certificate with:
> # openssl x509 -in cacert.pem -noout -text
>
> Generate private key for LDAP server:
> # openssl genrsa -des3 -out private/hostname-ldap.pem 2048
> # chmod 600 private/hostname-ldap.pem
>
> Generate certificate request:
> # openssl req -new -key private/hostname-ldap.pem -out reqs/hostname-ldap.req
>
> Now, if you want to use subjectAltName in the certificate, edit server.cnf
> file, uncomment and edit the line for it.
>
> Generate certificate:
> # openssl ca -policy policy_anything -days 365 -extfile ../server.cnf -infiles reqs/hostname-ldap.req
>
> Once you are done, you can recheck it with (replace xx with certificate's
> serial number):
> # openssl x509 -in newcerts/xx.pem -noout -text
>
> If all looks good, copy the CA cert, LDAP server cert and private key to
> wherever you want them. Instead of doing plain "cp", I'd suggest
> something like:
>
> # openssl x509 -in newcerts/xx.pem -out /wherever-cert.pem
> # openssl rsa -in private/hostname-ldap.pem -out /wherever-key.pem
>
> The first command will get rid of the comments and stuff (they shouldn't
> be a problem, but you don't really need them). The second command will
> remove the passphrase from the key.
>
> Make sure the permissions are correct (user ldap should be able to read
> all three files).
>
> ---
> You are currently subscribed to [email protected] as: [EMAIL PROTECTED]
> To unsubscribe send email to [EMAIL PROTECTED] with the word UNSUBSCRIBE as
> the SUBJECT of the message.
>
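An added check, not part of either post: a small Python linter for a file handed to "openssl ca -extfile". It flags non-extension keys in the default section (the "unknown extension name ... name=HOME" condition reported in the error output above), the preset-but-empty subjectAltName/issuerAltName and CA:TRUE-in-a-leaf-file cases the reply warns about, and a first subjectAltName entry that differs from the CN. The sample inputs, hostnames and IP in it are constructed.

```python
import re

# Extension names accepted in an -extfile; the default section of such a file
# must contain only extensions (L88-89 of the quoted openssl.cnf). Anything
# else, e.g. "HOME = .", makes openssl fail with "unknown extension name".
KNOWN_EXTENSIONS = {
    "basicConstraints", "keyUsage", "extendedKeyUsage", "nsCertType",
    "subjectKeyIdentifier", "authorityKeyIdentifier", "subjectAltName",
    "issuerAltName", "nsCaRevocationUrl", "nsBaseUrl", "nsRevocationUrl",
    "nsRenewalUrl", "nsCaPolicyUrl", "nsSslServerName",
}

def parse_cnf(text):
    """Minimal openssl.cnf reader: {section: [(key, value), ...]};
    keys before the first [section] header land in 'default'."""
    sections, current = {"default": []}, "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blanks
        if not line:
            continue
        m = re.match(r"^\[\s*(\S+)\s*\]$", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        key, _, value = line.partition("=")
        sections[current].append((key.strip(), value.strip()))
    return sections

def lint_extfile(text, cn=None):
    """Problems found in an -extfile meant for a server/client (leaf) cert."""
    problems = []
    for key, value in parse_cnf(text)["default"]:
        if key not in KNOWN_EXTENSIONS:
            problems.append(f"unknown extension name: {key}")   # openssl's wording
        elif key in ("subjectAltName", "issuerAltName") and not value:
            problems.append(f"{key} is set but empty")
        elif key == "basicConstraints" and "CA:TRUE" in value.upper():
            problems.append("leaf certificate file must use CA:FALSE")
        elif key == "subjectAltName" and cn:
            first = value.split(",")[0].strip()
            if first.lower() != f"DNS:{cn}".lower():
                problems.append(f"first subjectAltName entry {first!r} is not DNS:{cn}")
    return problems

# Constructed sample: the quoted server.cnf with subjectAltName filled in.
GOOD_SERVER_CNF = """basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
nsCertType = server
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
subjectAltName = DNS:oracle.example,IP:192.0.2.10
"""
# Constructed sample: a full openssl.cnf mistakenly passed as -extfile.
BAD_EXTFILE = "HOME = .\nRANDFILE = $ENV::HOME/.rnd\n[ ca ]\ndefault_ca = myca\n"
```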