I'm a newbie on the mailman list, so I don't know if I'm sending this email correctly.

Thanks for your reply. From what I've understood, I have to do the following:

  % cd /var/myca/
  % /usr/share/ssl/misc/CA.sh -newca

This creates cacert.pem and private/cakey.pem (these files are common for all the servers and clients). In the Common Name field I have to write the LDAP master server host name (i.e. ldap.dominio.com).

Now I make a signing request for the master server, the slave server (replica) and the clients. I execute all these commands for each one, changing the Common Name to the specific host name (for the master server: ldap.dominio.com, for the slave server (replica): replica.ldap.dominio.com, for the clients: pc1.dominio.com, ...).

  % openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem
  % /usr/share/ssl/misc/CA.sh -sign

Is all of this OK? Thank you very much, and if this is correct, you could add this to a FAQ of the OpenLDAP guide, because I haven't seen anything about slave servers.

2008/11/14 Gavin Henry <[EMAIL PROTECTED]>

> ----- "Alberto GD" <[EMAIL PROTECTED]> wrote:
>
> > Hi!
> > I've followed openldap.org's guide and LDAP works great with TLS/SSL
> > with authentication on the server and clients. Now I have added an LDAP
> > replica (LDAP slave server), and I have some questions:
> > - On the clients I had to make the certs with the server certificate
> > (cacert.pem) of the master, because I check the server certificate, and
> > also check the clients on the server. Now that I have a replica, do I
> > have to make other certs with the server certificate of the slave
> > server (and how can I show two certificates to ldap.conf)? (I
> > followed this:
> > http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html#4.3 ) Or are the
> > certificates made from the server certificate sufficient?
> >
> > > Step 1 and 2: Do nothing ... the CA does not need to be created
> > > again. The plan is to use the same CA certificate to sign the client
> > > certificate.
>
> For all server and client certs you have created or will create, just sign
> them all with the CA cert you created and make sure all servers and clients get
> a copy of the CA cert. That's all you need to do.
>
> Gavin.
>
> --
> Kind Regards,
>
> Gavin Henry.
> OpenLDAP Engineering Team.
>
> E [EMAIL PROTECTED]
>
> Community developed LDAP software.
>
> http://www.openldap.org/project/
