I followed the OpenLDAP guide below to create a CA-issued certificate using 
OpenSSL and was able to enable SSL in the LDAP server, and applications can 
connect via ldaps:// on port 636. Now I have some questions from management 
about whether this certificate is as safe as the commercial certificates out 
there. Can someone clarify this? I would appreciate it. 


I followed the same procedures mentioned in the guide.
4.2 CA Issued Certificate

If you have access to a trusted Certificate Authority (CA), then step through 
the CA process to get a CA certificate, server certificate and server private 
key. See section 5.0 for info on how to configure your server with these 
items. However, if a trusted CA is not available, OpenSSL makes the same 
process quick and easy.

The steps:

1. Create any directory for creating and signing your certificates. 
For example, /var/myca.

% mkdir /var/myca

2. Change to /var/myca and run the OpenSSL CA script (in /usr/share/ssl/misc/ 
on my box):

% cd /var/myca/ 
% /usr/share/ssl/misc/CA.sh -newca 
CA certificate filename (or enter to create) <enter> 

Making CA certificate ... 
Using configuration from /etc/ssl/openssl.cnf 
Generating a 1024 bit RSA private key 
..........................++++++ 
.........................++++++ 
writing new private key to './demoCA/private/./cakey.pem' 
Enter PEM pass phrase: <ca pass> 
Verifying password - Enter PEM pass phrase: <ca pass again> 
----- 
You are about to be asked to enter information that will be incorporated 
into your certificate request. 
What you are about to enter is what is called a Distinguished Name or a DN. 
There are quite a few fields but you can leave some blank 
For some fields there will be a default value, 
If you enter '.', the field will be left blank. 
----- 
Country Name (2 letter code) [AU]:US 
State or Province Name (full name) [Some-State]:Texas 
Locality Name (eg, city) []:Austin 
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example Org 
Organizational Unit Name (eg, section) []:Example Unit 
Common Name (eg, YOUR name) []:example.com 
Email Address []:. 
%

This creates demoCA/cacert.pem and demoCA/private/cakey.pem (CA cert and 
private key).

3. Make your server certificate signing request (CSR):

% openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem 
Using configuration from /etc/ssl/openssl.cnf 
Generating a 1024 bit RSA private key 
..............++++++ 
..........................++++++ 
writing new private key to 'newreq.pem' 
----- 
You are about to be asked to enter information that will be incorporated 
into your certificate request. 
What you are about to enter is what is called a Distinguished Name or a DN. 
There are quite a few fields but you can leave some blank 
For some fields there will be a default value, 
If you enter '.', the field will be left blank. 
----- 
Country Name (2 letter code) [AU]:US 
State or Province Name (full name) [Some-State]:Texas 
Locality Name (eg, city) []:Austin 
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example Org 
Organizational Unit Name (eg, section) []:Example Org Unit 
Common Name (eg, YOUR name) []:myserver.com 
Email Address []:[email protected] 

Please enter the following 'extra' attributes 
to be sent with your certificate request 
A challenge password []: <pass> 
An optional company name []:. 
%

The result is newreq.pem.

4. Have the CA sign the CSR:

% /usr/share/ssl/misc/CA.sh -sign 
Using configuration from /etc/ssl/openssl.cnf 
Enter PEM pass phrase: <ca pass> 
Check that the request matches the signature 
Signature ok 
The Subjects Distinguished Name is as follows 
countryName :PRINTABLE:'US' 
stateOrProvinceName :PRINTABLE:'Texas' 
localityName :PRINTABLE:'Austin' 
organizationName :PRINTABLE:'Example Org' 
organizationalUnitName:PRINTABLE:'Example Org Unit' 
commonName :PRINTABLE:'myserver.com' 
emailAddress :IA5STRING:'[email protected]' 
Certificate is to be certified until Apr 10 18:58:58 2004 GMT (365 days) 
Sign the certificate? [y/n]:y 


1 out of 1 certificate requests certified, commit? [y/n]y 
Write out database with 1 new entries 
Data Base Updated 
Certificate: 
Data: 
Version: 3 (0x2) 
Serial Number: 1 (0x1) 
Signature Algorithm: md5WithRSAEncryption 
Issuer: C=US, ST=Texas, L=Austin, O=Example Org, OU=Example Unit, 
CN=example.com 
Validity 
Not Before: Apr 11 18:58:58 2003 GMT 
Not After : Apr 10 18:58:58 2004 GMT 
Subject: C=US, ST=Texas, L=Austin, O=Example Org, OU=Example Org Unit, 
CN=myserver.com/[email protected] 
Subject Public Key Info: 
Public Key Algorithm: rsaEncryption 
RSA Public Key: (1024 bit) 
Modulus (1024 bit): 
< ... > 
Exponent: 65537 (0x10001) 
X509v3 extensions: 
X509v3 Basic Constraints: 
CA:FALSE 
Netscape Comment: 
OpenSSL Generated Certificate 
X509v3 Subject Key Identifier: 
D0:C0:9D:46:30:65:2A:9C:63:63:6A:E6:FE:E4:AC:F7:21:F8:33:61 
X509v3 Authority Key Identifier: 
keyid:31:2E:0D:FB:A0:74:5A:0B:4B:C5:C4:E0:69:7F:32:6D:AF:46:82:F1 
DirName:/C=US/ST=Texas/L=Austin/O=Example Org/OU=Example Unit/CN=example.com 
serial:00 

Signature Algorithm: md5WithRSAEncryption 
< ... > 
-----BEGIN CERTIFICATE----- 
< ... > 
-----END CERTIFICATE----- 
Signed certificate is in newcert.pem 
%

This creates newcert.pem (server certificate signed by CA) with private key, 
newreq.pem.

5. Now the certificates can be moved to the desired certificate repository 
and renamed. I prefer /usr/var/openldap-data as my certificate directory.

% cp demoCA/cacert.pem /usr/var/openldap-data/cacert.pem 
% mv newcert.pem /usr/var/openldap-data/servercrt.pem 
% mv newreq.pem /usr/var/openldap-data/serverkey.pem 
% chmod 400 /usr/var/openldap-data/serverkey.pem
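An added shell example, not from the post or the OpenLDAP guide, that reproduces the guide's private-CA flow (CA key and cert, server CSR, CA-signed server cert) non-interactively and then runs the checks an ldaps:// client performs against a server certificate: that it chains to the CA the client trusts, and that it does not carry the weak parameters visible in the transcript above (md5WithRSAEncryption, 1024-bit RSA). It assumes the openssl CLI is on PATH; make_test_pki and check_server_cert are constructed names, and every path is a scratch file.

```shell
#!/bin/sh
# Constructed example (not the guide's CA.sh flow): a private CA and a
# CA-signed server certificate, then a client-side acceptance check.
# Assumes the openssl command-line tool is installed.
set -eu

# Build a private CA and a CA-signed server certificate under $1.
# Key size and digest are parameters so the same helper can also produce
# the guide's weaker parameters (1024-bit RSA) for comparison.
make_test_pki() {
    dir=$1; bits=$2; digest=$3
    mkdir -p "$dir"
    # Guide step 2: the CA's own key and self-signed CA certificate.
    openssl req -x509 -newkey "rsa:$bits" -nodes "-$digest" -days 365 \
        -subj "/C=US/ST=Texas/L=Austin/O=Example Org/CN=example.com" \
        -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null
    # Guide step 3: server key and CSR (kept in separate files here).
    openssl req -newkey "rsa:$bits" -nodes \
        -subj "/C=US/ST=Texas/L=Austin/O=Example Org/CN=myserver.com" \
        -keyout "$dir/serverkey.pem" -out "$dir/server.csr" 2>/dev/null
    # Guide step 4: the CA signs the CSR (end-entity cert, CA:FALSE).
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/cacert.pem" \
        -CAkey "$dir/cakey.pem" -CAcreateserial "-$digest" -days 365 \
        -out "$dir/servercrt.pem" 2>/dev/null
    # Guide step 5: private keys readable by the owner only.
    chmod 400 "$dir/serverkey.pem" "$dir/cakey.pem"
}

# What a client does with TLS_CACERT: verify the chain to the trusted CA,
# then refuse parameters that no current verifier should accept.
# Returns 0 = acceptable, 1 = does not chain to $2, 2 = weak parameters.
check_server_cert() {
    cert=$1; cafile=$2
    openssl verify -CAfile "$cafile" "$cert" >/dev/null 2>&1 || return 1
    text=$(openssl x509 -in "$cert" -noout -text)
    # Signature digest: MD5 (as in the transcript above) or SHA-1 is weak.
    case $text in
        *md5WithRSA*|*sha1WithRSA*) return 2 ;;
    esac
    # RSA modulus size: 1024-bit keys (as in the transcript) are too small.
    bits=$(printf '%s\n' "$text" \
        | sed -n 's/.*Public[- ]Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    [ "${bits:-0}" -ge 2048 ] || return 2
    return 0
}
```

The trust decision is the same as with a commercial CA: the check passes only because the client has been told to trust this specific CA file, so every LDAP client must be given cacert.pem the way a browser ships with public roots.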